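/**
 * Get only the 'global' roles that carry the 'assign_users' flag.
 *
 * @access public
 * @return array List of arrays with keys 'obj_id' (role id) and 'role_type' ('global');
 *               an empty array when no global role is assignable.
 */
public function getGlobalAssignableRoles()
{
    include_once './Services/AccessControl/classes/class.ilObjRole.php';

    // Initialise up front: the previous version only created the array inside the
    // loop and then read an undefined variable (notice) when no role qualified.
    $assignable = array();
    foreach ($this->getGlobalRoles() as $role_id) {
        if (ilObjRole::_getAssignUsersStatus($role_id)) {
            $assignable[] = array('obj_id' => $role_id, 'role_type' => 'global');
        }
    }

    return $assignable;
}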
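/**
 * Check whether the current user may assign users to role $a_role when acting from folder $a_folder.
 *
 * Global roles (located in ROLE_FOLDER_ID) are refused when the call comes from a local
 * administration folder and the role lacks the 'assign_users' flag, when the role is the
 * anonymous role, or when it is the system role and the current user does not hold it.
 * Local roles are refused when their role folder is deleted, when the user lacks
 * 'edit_permission' on the folder's parent, or when the call comes from a local folder
 * whose subtree does not contain the role folder. A role without any folder is refused.
 *
 * @access protected
 * @param int $a_folder Ref id the assignment is initiated from (USER_FOLDER_ID or 0: global user folder)
 * @param int $a_role   Role id to check
 * @return bool true if the assignment is permitted
 */
protected function isPermittedRole($a_folder, $a_role)
{
    // Per-request result cache. The answer depends on the folder as well as the role,
    // so the key covers both; keying by role alone (as before) could serve a stale
    // answer when the method is called for more than one folder in one request.
    static $checked_roles = array();

    $cache_key = $a_folder . ':' . $a_role;
    if (isset($checked_roles[$cache_key])) {
        return $checked_roles[$cache_key];
    }

    global $rbacsystem, $rbacreview, $ilUser, $tree, $ilLog;

    $locations = $rbacreview->getFoldersAssignedToRole($a_role, true);
    $location = isset($locations[0]) ? $locations[0] : null;

    if ($location == ROLE_FOLDER_ID) {
        $ilLog->write(__METHOD__ . ': Check global role');

        // check assignment permission if called from local admin
        if ($a_folder != USER_FOLDER_ID and $a_folder != 0) {
            $ilLog->write(__METHOD__ . ': ' . $a_folder);
            include_once './Services/AccessControl/classes/class.ilObjRole.php';
            if (!ilObjRole::_getAssignUsersStatus($a_role)) {
                $ilLog->write(__METHOD__ . ': No assignment allowed');
                return $checked_roles[$cache_key] = false;
            }
        }

        // exclude anonymous role from list
        if ($a_role == ANONYMOUS_ROLE_ID) {
            $ilLog->write(__METHOD__ . ': Anonymous role chosen.');
            return $checked_roles[$cache_key] = false;
        }

        // do not allow to assign users to the administrator role if the current user does not hold SYSTEM_ROLE_ID
        if ($a_role == SYSTEM_ROLE_ID and !in_array(SYSTEM_ROLE_ID, $rbacreview->assignedRoles($ilUser->getId()))) {
            $ilLog->write(__METHOD__ . ': System role assignment forbidden.');
            return $checked_roles[$cache_key] = false;
        }

        // Global role assignment ok
        $ilLog->write(__METHOD__ . ': Assignment allowed.');
        return $checked_roles[$cache_key] = true;
    }

    if ($location) {
        $ilLog->write(__METHOD__ . ': Check local role.');

        // It's a local role; $location already is its role folder (the former second
        // getFoldersAssignedToRole() lookup returned the same value).
        $rolf = $location;

        // only process role folders that are not set to status "deleted"
        // and for which the user has 'edit_permission' on the parent.
        // (Roles in the ROLE_FOLDER_ID folder, i.e. the global roles, were handled above.)
        // NOTE(review): importUsersObject() checks 'write' for the same situation — confirm which permission is intended.
        if ($rbacreview->isDeleted($rolf) || !$rbacsystem->checkAccess('edit_permission', $tree->getParentId($rolf))) {
            $ilLog->write(__METHOD__ . ': Role deleted or no permission.');
            return $checked_roles[$cache_key] = false;
        }

        // A local role is only allowed if it is contained in the subtree of the locally
        // administrated category. If called from the user folder object (USER_FOLDER_ID
        // or 0) all local roles are allowed, because the user folder object is considered
        // the parent of all local roles; otherwise the role folder must lie below $a_folder.
        if ($a_folder != USER_FOLDER_ID and $a_folder != 0 and !$tree->isGrandChild($a_folder, $rolf)) {
            $ilLog->write(__METHOD__ . ': Not in path of category.');
            return $checked_roles[$cache_key] = false;
        }

        $ilLog->write(__METHOD__ . ': Assignment allowed.');
        return $checked_roles[$cache_key] = true;
    }

    // No folder is assigned to the role: nothing can be verified, so refuse explicitly
    // (the previous implementation fell off the end and returned null here).
    $ilLog->write(__METHOD__ . ': No role folder found.');
    return $checked_roles[$cache_key] = false;
}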
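/**
 * Import users from the uploaded XML file, assigning the roles selected in the form.
 *
 * Reads $_POST["conflict_handling_choice"], $_POST["xml_file"], $_POST["role_assign"]
 * and $_GET["baseClass"]. Every requested role is re-checked against the current user's
 * permissions before parsing starts; on a violation the import directory is removed and
 * an error is raised. After parsing the import directory is purged, the result is
 * reported and the user is redirected depending on the calling base class.
 *
 * @return void
 */
function importUsersObject()
{
    global $rbacreview, $rbacsystem, $tree, $lng, $ilUser;

    // Blind out tabs for local user import
    if ($_GET["baseClass"] == 'ilRepositoryGUI') {
        $this->tabs_gui->clearTargets();
    }

    include_once './Services/AccessControl/classes/class.ilObjRole.php';
    include_once './Services/User/classes/class.ilUserImportParser.php';

    switch ($_POST["conflict_handling_choice"]) {
        case "update_on_conflict":
            $rule = IL_UPDATE_ON_CONFLICT;
            break;
        case "ignore_on_conflict":
        default:
            $rule = IL_IGNORE_ON_CONFLICT;
            break;
    }

    // NOTE(review): $_POST["xml_file"] is handed to the parser as a file path and nothing
    // in this method restricts it to $import_dir — confirm the upload step does.
    $importParser = new ilUserImportParser($_POST["xml_file"], IL_USER_IMPORT, $rule);
    $importParser->setFolderId($this->getUserOwnerId());
    $import_dir = $this->getImportDir();

    // Catch hack attempts
    // We check here again, if the role folders are in the tree, and if the
    // user has permission on the roles.
    if ($_POST["role_assign"]) {
        $global_roles = $rbacreview->getGlobalRoles();
        $roles_of_user = $rbacreview->assignedRoles($ilUser->getId());
        $is_system_admin = in_array(SYSTEM_ROLE_ID, $roles_of_user);

        foreach ($_POST["role_assign"] as $role_id) {
            if ($role_id == "") {
                continue;
            }

            if (in_array($role_id, $global_roles)) {
                // A system administrator may assign any global role. Everyone else may
                // neither assign the system role nor, outside the global user folder,
                // a global role that lacks the 'assign_users' flag.
                if (!$is_system_admin
                    && ($role_id == SYSTEM_ROLE_ID
                        || ($this->object->getRefId() != USER_FOLDER_ID
                            && !ilObjRole::_getAssignUsersStatus($role_id)))
                ) {
                    ilUtil::delDir($import_dir);
                    $this->ilias->raiseError(
                        $this->lng->txt("usrimport_with_specified_role_not_permitted"),
                        $this->ilias->error_obj->MESSAGE
                    );
                    // raiseError() is expected to end the request; return as well, like the
                    // local-role branch does, so parsing can never start after a refusal.
                    return;
                }
            } else {
                $rolf = $rbacreview->getFoldersAssignedToRole($role_id, true);
                // A local role without a role folder cannot be verified and is refused.
                if (!isset($rolf[0])
                    || $rbacreview->isDeleted($rolf[0])
                    || !$rbacsystem->checkAccess('write', $tree->getParentId($rolf[0]))
                ) {
                    ilUtil::delDir($import_dir);
                    $this->ilias->raiseError(
                        $this->lng->txt("usrimport_with_specified_role_not_permitted"),
                        $this->ilias->error_obj->MESSAGE
                    );
                    return;
                }
            }
        }
    }

    $importParser->setRoleAssignment($_POST["role_assign"]);
    $importParser->startParsing();

    // purge user import directory
    ilUtil::delDir($import_dir);

    switch ($importParser->getErrorLevel()) {
        case IL_IMPORT_SUCCESS:
            ilUtil::sendSuccess($this->lng->txt("user_imported"), true);
            break;
        case IL_IMPORT_WARNING:
            ilUtil::sendInfo(
                $this->lng->txt("user_imported_with_warnings")
                . $importParser->getProtocolAsHTML($lng->txt("import_warning_log")),
                true
            );
            break;
        case IL_IMPORT_FAILURE:
            $this->ilias->raiseError(
                $this->lng->txt("user_import_failed")
                . $importParser->getProtocolAsHTML($lng->txt("import_failure_log")),
                $this->ilias->error_obj->MESSAGE
            );
            break;
    }

    if (strtolower($_GET["baseClass"]) == "iladministrationgui") {
        $this->ctrl->redirect($this, "view");
    } else {
        $this->ctrl->redirectByClass('ilobjcategorygui', 'listUsers');
    }
}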
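/**
 * Build the list of global roles the current user may assign when creating a user
 * and choose the preselected role.
 *
 * Sets $this->selectable_roles (role id => title) and $this->default_role. Roles are
 * read from ROLE_FOLDER_ID; the anonymous role is always excluded, the system role is
 * only offered to system administrators, and outside the global user folder only roles
 * flagged 'assign_users' are offered to non-administrators. Raises an error when no
 * role remains.
 *
 * @return void
 */
function initCreate()
{
    global $tpl, $rbacsystem, $rbacreview, $ilUser;

    if ($this->usrf_ref_id != USER_FOLDER_ID) {
        $this->tabs_gui->clearTargets();
    }

    include_once './Services/AccessControl/classes/class.ilObjRole.php';

    // Loop invariants: previously the user's roles were re-read for every candidate role.
    $is_system_admin = in_array(SYSTEM_ROLE_ID, $rbacreview->assignedRoles($ilUser->getId()));
    // NOTE(review): the tab check above uses $this->usrf_ref_id while the role filter
    // uses $this->object->getRefId() — confirm both refer to the same folder.
    $from_local_folder = $this->object->getRefId() != USER_FOLDER_ID;

    // role selection
    $rol = array();
    foreach ($rbacreview->getRoleListByObject(ROLE_FOLDER_ID) as $obj_data) {
        // allow only 'assign_users' marked roles if called from category
        if ($from_local_folder and !$is_system_admin
            and !ilObjRole::_getAssignUsersStatus($obj_data['obj_id'])
        ) {
            continue;
        }
        // exclude anonymous role from list
        if ($obj_data["obj_id"] == ANONYMOUS_ROLE_ID) {
            continue;
        }
        // do not allow to assign users to the administrator role if the current user does not hold SYSTEM_ROLE_ID
        if ($obj_data["obj_id"] == SYSTEM_ROLE_ID and !$is_system_admin) {
            continue;
        }
        $rol[$obj_data["obj_id"]] = $obj_data["title"];
    }

    // raise error if there is no global role user can be assigned to
    if (!count($rol)) {
        $this->ilias->raiseError(
            $this->lng->txt("msg_no_roles_users_can_be_assigned_to"),
            $this->ilias->error_obj->MESSAGE
        );
    }

    $keys = array_keys($rol);

    // set pre defined user role (id 4) to default
    if (in_array(4, $keys)) {
        $this->default_role = 4;
    } else {
        if (count($keys) > 1 and in_array(2, $keys)) {
            // remove admin role (id 2) as preselectable role; keys are unique, so
            // removing the first match equals the former loop-and-break.
            unset($keys[array_search(2, $keys)]);
        }
        $this->default_role = array_shift($keys);
    }

    $this->selectable_roles = $rol;
}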