/**
 * Adjust permissions of moved objects
 * - Delete permissions of parent roles that do not exist in new context
 * - Delete role templates of parent roles that do not exist in new context
 * - Add permissions for parent roles that did not exist in old context
 *
 * @access public
 * @param int ref id of moved object
 * @param int ref_id of old parent
 *
 */
public function adjustMovedObjectPermissions($a_ref_id, $a_old_parent)
{
    global $rbacreview, $tree, $ilLog;

    $new_parent = $tree->getParentId($a_ref_id);
    $old_context_roles = $rbacreview->getParentRoleIds($a_old_parent, false);
    $new_context_roles = $rbacreview->getParentRoleIds($new_parent, false);

    $for_addition = $for_deletion = array();
    foreach ($new_context_roles as $new_role_id => $new_role) {
        if (!isset($old_context_roles[$new_role_id])) {
            $for_addition[$new_role_id] = $new_role;
        } elseif ($new_role['parent'] != $old_context_roles[$new_role_id]['parent']) {
            // handle stopped inheritance
            $for_deletion[$new_role_id] = $new_role;
            $for_addition[$new_role_id] = $new_role;
        }
    }
    foreach ($old_context_roles as $old_role_id => $old_role) {
        if (!isset($new_context_roles[$old_role_id])) {
            $for_deletion[$old_role_id] = $old_role;
        }
    }

    if (!count($for_deletion) and !count($for_addition)) {
        return true;
    }

    include_once "Services/AccessControl/classes/class.ilRbacLog.php";
    $rbac_log_active = ilRbacLog::isActive();
    if ($rbac_log_active) {
        $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
    }

    foreach ($nodes = $tree->getSubTree($node_data = $tree->getNodeData($a_ref_id), true) as $node_data) {
        $node_id = $node_data['child'];

        if ($rbac_log_active) {
            $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
        }

        // If $node_data['type'] is not set, this means there is a tree entry without
        // object_reference and/or object_data entry
        // Continue in this case
        if (!$node_data['type']) {
            $ilLog->write(__METHOD__ . ': No type give. Choosing next tree entry.');
            continue;
        }
        if (!$node_id) {
            $ilLog->write(__METHOD__ . ': Missing subtree node_id');
            continue;
        }

        foreach ($for_deletion as $role_id => $role_data) {
            $this->deleteLocalRole($role_id, $node_id);
            $this->revokePermission($node_id, $role_id, false);
            //var_dump("<pre>",'REVOKE',$role_id,$node_id,$rolf_id,"</pre>");
        }
        foreach ($for_addition as $role_id => $role_data) {
            $this->grantPermission($role_id, $ops = $rbacreview->getOperationsOfRole($role_id, $node_data['type'], $role_data['parent']), $node_id);
            //var_dump("<pre>",'GRANT',$role_id,$ops,$role_id,$node_data['type'],$role_data['parent'],"</pre>");
        }

        if ($rbac_log_active) {
            $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
            $log = ilRbacLog::diffFaPa($log_old, $log_new);
            ilRbacLog::add(ilRbacLog::MOVE_OBJECT, $node_id, $log);
        }
    }
}

/**
 * Adjust permissions
 * @param int $a_mode
 * @param array $a_nodes array of nodes
 * @param array $a_policies array of object ref ids
 * @param array $a_exclusion_filter of object types.
 * @return
 */
protected function adjustPermissions($a_mode, $a_nodes, $a_policies, $a_filter, $a_exclusion_filter = array())
{
    global $rbacadmin, $rbacreview, $tree;

    $operation_stack = array();
    $policy_stack = array();
    #$left_stack = array();
    #$right_stack = array();
    $node_stack = array();

    $start_node = current($a_nodes);
    #array_push($left_stack, $start_node['lft']);
    #array_push($right_stack, $start_node['rgt']);
    array_push($node_stack, $start_node);
    $this->updatePolicyStack($policy_stack, $start_node['child']);
    $this->updateOperationStack($operation_stack, $start_node['child'], true);

    include_once "Services/AccessControl/classes/class.ilRbacLog.php";
    $rbac_log_active = ilRbacLog::isActive();

    $local_policy = false;
    foreach ($a_nodes as $node) {
        #$lft = end($left_stack);
        #$rgt = end($right_stack);
        $cmp_node = end($node_stack);
        while ($relation = $tree->getRelationOfNodes($node, $cmp_node)) {
            #$GLOBALS['ilLog']->write(__METHOD__.': New relation '. $relation);
            switch ($relation) {
                case ilTree::RELATION_NONE:
                case ilTree::RELATION_SIBLING:
                    #$GLOBALS['ilLog']->write(__METHOD__.': Handling sibling/none '. $relation);
                    #$GLOBALS['ilLog']->write(__METHOD__.': Node a '.print_r($node,true).' '.print_r($cmp_node,true));
                    break;

                case ilTree::RELATION_CHILD:
                case ilTree::RELATION_EQUALS:
                case ilTree::RELATION_PARENT:
                default:
                    #$GLOBALS['ilLog']->write(__METHOD__.': Handling child/equals/parent '. $relation);
                    break 2;
            }
            #$GLOBALS['ilLog']->write(__METHOD__.': end switch ');
            #$GLOBALS['ilLog']->write(__METHOD__.': Comparing '. print_r($node,true).' with '. print_r($cmp_node,true).' with result '. $tree->getRelationOfnodes($node,$cmp_node));
            array_pop($operation_stack);
            array_pop($policy_stack);
            array_pop($node_stack);
            #array_pop($left_stack);
            #array_pop($right_stack);
            $cmp_node = end($node_stack);
            $local_policy = false;
        }
        #$GLOBALS['ilLog']->write(__METHOD__.': End while');
        /*
        while(($node['lft'] < $lft) or ($node['rgt'] > $rgt))
        {
            #echo "LEFT ".$node['child'].'<br>';
            array_pop($operation_stack);
            array_pop($policy_stack);
            array_pop($left_stack);
            array_pop($right_stack);
            $lft = end($left_stack);
            $rgt = end($right_stack);
            $local_policy = false;
        }
        */

        if ($local_policy) {
            #echo "LOCAL ".$node['child'].' left:'.$node['lft'].' right: '.$node['rgt'].'<br>';
            // Continue if inside of local policy
            continue;
        }

        // Start node => set permissions and continue
        if ($node['child'] == $start_node['child']) {
            if ($this->isHandledObjectType($a_filter, $a_exclusion_filter, $node['type'])) {
                if ($rbac_log_active) {
                    $rbac_log_roles = $rbacreview->getParentRoleIds($node['child'], false);
                    $rbac_log_old = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
                }

                // Set permissions
                $perms = end($operation_stack);
                $rbacadmin->grantPermission($this->getId(), (array) $perms[$node['type']], $node['child']);

                if ($rbac_log_active) {
                    $rbac_log_new = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
                    $rbac_log = ilRbacLog::diffFaPa($rbac_log_old, $rbac_log_new);
                    ilRbacLog::add(ilRbacLog::EDIT_TEMPLATE_EXISTING, $node['child'], $rbac_log);
                }
            }
            continue;
        }

        // Node has local policies => update permission stack and continue
        if (in_array($node['child'], $a_policies) and $node['child'] != SYSTEM_FOLDER_ID) {
            #echo "POLICIES ".$node['child'].' left:'.$node['lft'].' right: '.$node['rgt'].'<br>';
            $local_policy = true;
            $this->updatePolicyStack($policy_stack, $node['child']);
            $this->updateOperationStack($operation_stack, $node['child']);
            #array_push($left_stack,$node['lft']);
            #array_push($right_stack, $node['rgt']);
            array_push($node_stack, $node);
            continue;
        }

        // Continue if this object type is in filter
        if (!$this->isHandledObjectType($a_filter, $a_exclusion_filter, $node['type'])) {
            continue;
        }

        if ($rbac_log_active) {
            $rbac_log_roles = $rbacreview->getParentRoleIds($node['child'], false);
            $rbac_log_old = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
        }

        #echo "MODE: ".$a_mode.'TYPE: '.$node['type'].'<br>';
        // Node is course => create course permission intersection
        if (($a_mode == self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES or $a_mode == self::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES) and $node['type'] == 'crs') {
            #echo "CRS ".$node['child'].'<br>';
            // Copy role permission intersection
            $perms = end($operation_stack);
            $this->createPermissionIntersection($policy_stack, $perms['crs'], $node['child'], $node['type']);
            if ($this->updateOperationStack($operation_stack, $node['child'])) {
                #echo "CRS SUCCESS ".$node['child'].'<br>';
                $this->updatePolicyStack($policy_stack, $node['child']);
                #array_push($left_stack, $node['lft']);
                #array_push($right_stack, $node['rgt']);
                array_push($node_stack, $node);
            }
        }

        // Node is group => create group permission intersection
        if (($a_mode == self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES or $a_mode == self::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES) and $node['type'] == 'grp') {
            #echo "GRP ".$node['child'].'<br>';
            // Copy role permission intersection
            $perms = end($operation_stack);
            $this->createPermissionIntersection($policy_stack, $perms['grp'], $node['child'], $node['type']);
            if ($this->updateOperationStack($operation_stack, $node['child'])) {
                #echo "GRP SUCCESS ".$node['child'].'<br>';
                $this->updatePolicyStack($policy_stack, $node['child']);
                #array_push($left_stack, $node['lft']);
                #array_push($right_stack, $node['rgt']);
                array_push($node_stack, $node);
            }
        }

        #echo "GRANTED ".$node['child'].'<br>';
        // Set permission
        $perms = end($operation_stack);
        $rbacadmin->grantPermission($this->getId(), (array) $perms[$node['type']], $node['child']);
        #var_dump("ALL INFO ",$this->getId(),$perms[$node['type']]);

        if ($rbac_log_active) {
            $rbac_log_new = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
            $rbac_log = ilRbacLog::diffFaPa($rbac_log_old, $rbac_log_new);
            ilRbacLog::add(ilRbacLog::EDIT_TEMPLATE_EXISTING, $node['child'], $rbac_log);
        }
    }
}

/**
 * Save permissions
 * @return
 */
protected function savePermissions()
{
    global $rbacreview, $objDefinition, $rbacadmin;

    include_once './Services/AccessControl/classes/class.ilObjectRolePermissionTableGUI.php';
    $table = new ilObjectRolePermissionTableGUI($this, 'perm', $this->getCurrentObject()->getRefId());

    $roles = $this->applyRoleFilter($rbacreview->getParentRoleIds($this->getCurrentObject()->getRefId()), $table->getFilterItemByPostVar('role')->getValue());

    // Log history
    include_once "Services/AccessControl/classes/class.ilRbacLog.php";
    $log_old = ilRbacLog::gatherFaPa($this->getCurrentObject()->getRefId(), array_keys((array) $roles));

    # all possible create permissions
    $possible_ops_ids = $rbacreview->getOperationsByTypeAndClass($this->getCurrentObject()->getType(), 'create');

    # createable (activated) create permissions
    $create_types = $objDefinition->getCreatableSubObjects($this->getCurrentObject()->getType());
    $createable_ops_ids = ilRbacReview::lookupCreateOperationIds(array_keys((array) $create_types));

    foreach ((array) $roles as $role => $role_data) {
        if ($role_data['protected']) {
            continue;
        }

        $new_ops = array_keys((array) $_POST['perm'][$role]);
        $old_ops = $rbacreview->getRoleOperationsOnObject($role, $this->getCurrentObject()->getRefId());

        // Add operations which were enabled and are not activated.
        foreach ($possible_ops_ids as $create_ops_id) {
            if (in_array($create_ops_id, $createable_ops_ids)) {
                continue;
            }
            if (in_array($create_ops_id, $old_ops)) {
                $new_ops[] = $create_ops_id;
            }
        }

        $rbacadmin->revokePermission($this->getCurrentObject()->getRefId(), $role);
        $rbacadmin->grantPermission($role, array_unique($new_ops), $this->getCurrentObject()->getRefId());
    }

    // Handle local policies.
    $rolf_id = $this->initRoleFolder(count((array) $_POST['inherit']) ? true : false);
    $relevant_roles = array_intersect($rbacreview->getRolesOfRoleFolder($rolf_id), array_keys($roles));

    if (ilPermissionGUI::hasContainerCommands($this->getCurrentObject()->getType())) {
        foreach ($roles as $role) {
            // No action for local roles
            if ($role['parent'] == $rolf_id and $role['assign'] == 'y') {
                continue;
            }
            // Nothing for protected roles
            if ($role['protected']) {
                continue;
            }
            // Stop local policy
            if ($role['parent'] == $rolf_id and !isset($_POST['inherit'][$role['obj_id']])) {
                $role_obj = ilObjectFactory::getInstanceByObjId($role['obj_id']);
                $role_obj->setParent($rolf_id);
                $role_obj->delete();
                continue;
            }
            // Add local policy
            if ($role['parent'] != $rolf_id and isset($_POST['inherit'][$role['obj_id']])) {
                $rbacadmin->copyRoleTemplatePermissions($role['obj_id'], $role['parent'], $rolf_id, $role['obj_id']);
                $rbacadmin->assignRoleToFolder($role['obj_id'], $rolf_id, 'n');
            }
        }
    }

    // Protect permissions
    if (ilPermissionGUI::hasContainerCommands($this->getCurrentObject()->getType())) {
        foreach ($roles as $role) {
            if ($rbacreview->isAssignable($role['obj_id'], $rolf_id)) {
                if (isset($_POST['protect'][$role['obj_id']]) and !$rbacreview->isProtected($rolf_id, $role['obj_id'])) {
                    $rbacadmin->setProtected($rolf_id, $role['obj_id'], 'y');
                } elseif (!isset($_POST['protect'][$role['obj_id']]) and $rbacreview->isProtected($rolf_id, $role['obj_id'])) {
                    $rbacadmin->setProtected($rolf_id, $role['obj_id'], 'n');
                }
            }
        }
    }

    $log_new = ilRbacLog::gatherFaPa($this->getCurrentObject()->getRefId(), array_keys((array) $roles));
    $log = ilRbacLog::diffFaPa($log_old, $log_new);
    ilRbacLog::add(ilRbacLog::EDIT_PERMISSIONS, $this->getCurrentObject()->getRefId(), $log);

    if (count((array) $_POST['block'])) {
        return $this->showConfirmBlockRole(array_keys($_POST['block']));
    }

    ilUtil::sendSuccess($this->lng->txt('settings_saved'), true);
    #$this->ctrl->redirect($this,'perm');
    $this->perm();
}

/**
 * Adjust permissions
 * @param int $a_mode
 * @param array $a_nodes array of nodes
 * @param array $a_policies array of object ref ids
 * @param array $a_exclusion_filter of object types.
 * @return
 */
protected function adjustPermissions($a_mode, $a_nodes, $a_policies, $a_filter, $a_exclusion_filter = array())
{
    global $rbacadmin, $rbacreview;

    $operation_stack = array();
    $policy_stack = array();
    $left_stack = array();
    $right_stack = array();

    $start_node = current($a_nodes);
    array_push($left_stack, $start_node['lft']);
    array_push($right_stack, $start_node['rgt']);
    $this->updatePolicyStack($policy_stack, $start_node['child']);
    $this->updateOperationStack($operation_stack, $start_node['child']);

    include_once "Services/AccessControl/classes/class.ilRbacLog.php";
    $rbac_log_active = ilRbacLog::isActive();

    $local_policy = false;
    foreach ($a_nodes as $node) {
        $lft = end($left_stack);
        $rgt = end($right_stack);

        #echo "----STACK---- ".$lft.' - '.$rgt.'<br/>';
        while ($node['lft'] < $lft or $node['rgt'] > $rgt) {
            #echo "LEFT ".$node['child'].'<br>';
            array_pop($operation_stack);
            array_pop($policy_stack);
            array_pop($left_stack);
            array_pop($right_stack);
            $lft = end($left_stack);
            $rgt = end($right_stack);
            $local_policy = false;
        }

        if ($local_policy) {
            #echo "LOCAL ".$node['child'].' left:'.$node['lft'].' right: '.$node['rgt'].'<br>';
            // Continue if inside of local policy
            continue;
        }

        // Start node => set permissions and continue
        if ($node['child'] == $start_node['child']) {
            if ($this->isHandledObjectType($a_filter, $a_exclusion_filter, $node['type'])) {
                if ($rbac_log_active) {
                    $rbac_log_roles = $rbacreview->getParentRoleIds($node['child'], false);
                    $rbac_log_old = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
                }

                // Set permissions
                $perms = end($operation_stack);
                $rbacadmin->grantPermission($this->getId(), (array) $perms[$node['type']], $node['child']);

                if ($rbac_log_active) {
                    $rbac_log_new = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
                    $rbac_log = ilRbacLog::diffFaPa($rbac_log_old, $rbac_log_new);
                    ilRbacLog::add(ilRbacLog::EDIT_TEMPLATE_EXISTING, $node['child'], $rbac_log);
                }
            }
            continue;
        }

        // Node has local policies => update permission stack and continue
        if (in_array($node['child'], $a_policies) and $node['child'] != SYSTEM_FOLDER_ID) {
            #echo "POLICIES ".$node['child'].' left:'.$node['lft'].' right: '.$node['rgt'].'<br>';
            $local_policy = true;
            $this->updatePolicyStack($policy_stack, $node['child']);
            $this->updateOperationStack($operation_stack, $node['child']);
            array_push($left_stack, $node['lft']);
            array_push($right_stack, $node['rgt']);
            continue;
        }

        // Continue if this object type is in filter
        if (!$this->isHandledObjectType($a_filter, $a_exclusion_filter, $node['type'])) {
            continue;
        }

        if ($rbac_log_active) {
            $rbac_log_roles = $rbacreview->getParentRoleIds($node['child'], false);
            $rbac_log_old = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
        }

        #echo "MODE: ".$a_mode.'TYPE: '.$node['type'].'<br>';
        // Node is course => create course permission intersection
        if (($a_mode == self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES or $a_mode == self::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES) and $node['type'] == 'crs') {
            #echo "CRS ".$node['child'].'<br>';
            // Copy role permission intersection
            $perms = end($operation_stack);
            $this->createPermissionIntersection($policy_stack, $perms['crs'], $node['child'], $node['type']);
            if ($this->updateOperationStack($operation_stack, $node['child'])) {
                #echo "CRS SUCCESS ".$node['child'].'<br>';
                $this->updatePolicyStack($policy_stack, $node['child']);
                array_push($left_stack, $node['lft']);
                array_push($right_stack, $node['rgt']);
            }
        }

        // Node is group => create group permission intersection
        if (($a_mode == self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES or $a_mode == self::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES) and $node['type'] == 'grp') {
            #echo "GRP ".$node['child'].'<br>';
            // Copy role permission intersection
            $perms = end($operation_stack);
            $this->createPermissionIntersection($policy_stack, $perms['grp'], $node['child'], $node['type']);
            if ($this->updateOperationStack($operation_stack, $node['child'])) {
                #echo "GRP SUCCESS ".$node['child'].'<br>';
                $this->updatePolicyStack($policy_stack, $node['child']);
                array_push($left_stack, $node['lft']);
                array_push($right_stack, $node['rgt']);
            }
        }

        #echo "GRANTED ".$node['child'].'<br>';
        // Set permission
        $perms = end($operation_stack);
        $rbacadmin->grantPermission($this->getId(), (array) $perms[$node['type']], $node['child']);
        #var_dump("ALL INFO ",$this->getId(),$perms[$node['type']]);

        if ($rbac_log_active) {
            $rbac_log_new = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
            $rbac_log = ilRbacLog::diffFaPa($rbac_log_old, $rbac_log_new);
            ilRbacLog::add(ilRbacLog::EDIT_TEMPLATE_EXISTING, $node['child'], $rbac_log);
        }
    }
}

/**
 * save permissions
 *
 * @access public
 */
function permSave()
{
    global $rbacreview, $rbacadmin, $rbacsystem;

    $this->getRolesData();

    include_once "Services/AccessControl/classes/class.ilRbacLog.php";
    $log_old = ilRbacLog::gatherFaPa($this->gui_obj->object->getRefId(), array_keys($this->roles));

    // only revoke permission of roles that are not filtered
    foreach ($this->roles as $role_id => $data) {
        $rbacadmin->revokePermission($this->gui_obj->object->getRefId(), $role_id);
    }

    if (is_array($_POST["perm"])) {
        foreach ($_POST["perm"] as $key => $new_role_perms) {
            $rbacadmin->grantPermission($key, $new_role_perms, $this->gui_obj->object->getRefId());
        }
    }

    // update object data entry (to update last modification date)
    $this->gui_obj->object->update();

    // If the inheritance of role templates is to be interrupted,
    // the following must happen:
    // - if no RoleFolder exists, it is created and the permissions are read from the permission templates
    // - if the role exists in the current RoleFolder, the permission templates of this role are displayed
    // - if the role does not exist in the current RoleFolder, it is created there
    //   and the permission template is set to the value of the next higher permission template

    // get rolefolder data if a rolefolder already exists
    $rolf_data = $rbacreview->getRoleFolderOfObject($this->gui_obj->object->getRefId());
    $rolf_id = $rolf_data["child"];

    $stop_inherit_roles = $_POST["stop_inherit"] ? $_POST["stop_inherit"] : array();

    if ($stop_inherit_roles) {
        // rolefolder does not exist, so create one
        if (empty($rolf_id)) {
            // create a local role folder
            $rfoldObj = $this->gui_obj->object->createRoleFolder();

            // set rolf_id again from new rolefolder object
            $rolf_id = $rfoldObj->getRefId();
        }

        $roles_of_folder = $rbacreview->getRolesOfRoleFolder($rolf_id);

        foreach ($stop_inherit_roles as $stop_inherit) {
            // create role entries for roles with stopped inheritance
            if (!in_array($stop_inherit, $roles_of_folder)) {
                $parentRoles = $rbacreview->getParentRoleIds($rolf_id);
                $rbacadmin->copyRoleTemplatePermissions($stop_inherit, $parentRoles[$stop_inherit]["parent"], $rolf_id, $stop_inherit);
                $rbacadmin->assignRoleToFolder($stop_inherit, $rolf_id, 'n');
            }
        } // END FOREACH
    } // END STOP INHERIT

    if ($rolf_id and $rolf_id != ROLE_FOLDER_ID) {
        // get roles where inheritance is stopped was cancelled
        $linked_roles = $rbacreview->getLinkedRolesOfRoleFolder($rolf_id);
        $linked_roles_to_remove = array_diff($linked_roles, $stop_inherit_roles);

        // Only delete local policies for filtered roles
        $linked_roles_to_remove = (array) array_intersect((array) $linked_roles_to_remove, (array) array_keys($this->roles));

        // remove roles where stopped inheritance is cancelled and purge rolefolder if empty
        foreach ($linked_roles_to_remove as $role_id) {
            if ($rbacreview->isProtected($rolf_id, $role_id)) {
                continue;
            }
            $role_obj = ilObjectFactory::getInstanceByObjId($role_id);
            $role_obj->setParent($rolf_id);
            $role_obj->delete();
            unset($role_obj);
        }
    }

    $log_new = ilRbacLog::gatherFaPa($this->gui_obj->object->getRefId(), array_keys($this->roles));
    $log = ilRbacLog::diffFaPa($log_old, $log_new);
    ilRbacLog::add(ilRbacLog::EDIT_PERMISSIONS, $this->gui_obj->object->getRefId(), $log);

    ilUtil::sendSuccess($this->lng->txt("saved_successfully"), true);

    // redirect to default page if user revokes himself access to the permission panel
    if (!$rbacsystem->checkAccess("edit_permission", $this->gui_obj->object->getRefId())) {
        $this->ctrl->redirect($this->gui_obj);
    }

    $this->ctrl->redirect($this, 'perm');
}

/**
 * Adjust permissions
 * @param int $a_mode
 * @param array $a_nodes array of nodes
 * @param array $a_policies array of object ref ids
 * @param array $a_exclusion_filter of object types.
 * @return
 */
protected function adjustPermissions($a_mode, $a_nodes, $a_policies, $a_filter, $a_exclusion_filter = array())
{
    global $rbacadmin, $rbacreview, $tree;

    $operation_stack = array();
    $policy_stack = array();
    $node_stack = array();

    $start_node = current($a_nodes);
    array_push($node_stack, $start_node);
    $this->updatePolicyStack($policy_stack, $start_node['child']);
    $this->updateOperationStack($operation_stack, $start_node['child'], true);

    include_once "Services/AccessControl/classes/class.ilRbacLog.php";
    $rbac_log_active = ilRbacLog::isActive();

    $local_policy = false;
    foreach ($a_nodes as $node) {
        $cmp_node = end($node_stack);
        while ($relation = $tree->getRelationOfNodes($node, $cmp_node)) {
            switch ($relation) {
                case ilTree::RELATION_NONE:
                case ilTree::RELATION_SIBLING:
                    $GLOBALS['ilLog']->write(__METHOD__ . ': Handling sibling/none relation.');
                    array_pop($operation_stack);
                    array_pop($policy_stack);
                    array_pop($node_stack);
                    $cmp_node = end($node_stack);
                    $local_policy = false;
                    break;

                case ilTree::RELATION_CHILD:
                case ilTree::RELATION_EQUALS:
                case ilTree::RELATION_PARENT:
                default:
                    $GLOBALS['ilLog']->write(__METHOD__ . ': Handling child/equals/parent ' . $relation);
                    break 2;
            }
        }

        if ($local_policy) {
            continue;
        }

        // Start node => set permissions and continue
        if ($node['child'] == $start_node['child']) {
            if ($this->isHandledObjectType($a_filter, $a_exclusion_filter, $node['type'])) {
                if ($rbac_log_active) {
                    $rbac_log_roles = $rbacreview->getParentRoleIds($node['child'], false);
                    $rbac_log_old = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
                }

                // Set permissions
                $perms = end($operation_stack);
                $rbacadmin->grantPermission($this->getId(), (array) $perms[$node['type']], $node['child']);

                if ($rbac_log_active) {
                    $rbac_log_new = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
                    $rbac_log = ilRbacLog::diffFaPa($rbac_log_old, $rbac_log_new);
                    ilRbacLog::add(ilRbacLog::EDIT_TEMPLATE_EXISTING, $node['child'], $rbac_log);
                }
            }
            continue;
        }

        // Node has local policies => update permission stack and continue
        if (in_array($node['child'], $a_policies) and $node['child'] != SYSTEM_FOLDER_ID) {
            $local_policy = true;
            $this->updatePolicyStack($policy_stack, $node['child']);
            $this->updateOperationStack($operation_stack, $node['child']);
            array_push($node_stack, $node);
            continue;
        }

        // Continue if this object type is not in filter
        if (!$this->isHandledObjectType($a_filter, $a_exclusion_filter, $node['type'])) {
            continue;
        }

        if ($rbac_log_active) {
            $rbac_log_roles = $rbacreview->getParentRoleIds($node['child'], false);
            $rbac_log_old = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
        }

        // Node is course => create course permission intersection
        if (($a_mode == self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES or $a_mode == self::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES) and $node['type'] == 'crs') {
            // Copy role permission intersection
            $perms = end($operation_stack);
            $this->createPermissionIntersection($policy_stack, $perms['crs'], $node['child'], $node['type']);
            if ($this->updateOperationStack($operation_stack, $node['child'])) {
                $this->updatePolicyStack($policy_stack, $node['child']);
                array_push($node_stack, $node);
            }
        }

        // Node is group => create group permission intersection
        if (($a_mode == self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES or $a_mode == self::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES) and $node['type'] == 'grp') {
            // Copy role permission intersection
            $perms = end($operation_stack);
            $this->createPermissionIntersection($policy_stack, $perms['grp'], $node['child'], $node['type']);
            if ($this->updateOperationStack($operation_stack, $node['child'])) {
                $this->updatePolicyStack($policy_stack, $node['child']);
                array_push($node_stack, $node);
            }
        }

        // Set permission
        $perms = end($operation_stack);
        $rbacadmin->grantPermission($this->getId(), (array) $perms[$node['type']], $node['child']);

        if ($rbac_log_active) {
            $rbac_log_new = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
            $rbac_log = ilRbacLog::diffFaPa($rbac_log_old, $rbac_log_new);
            ilRbacLog::add(ilRbacLog::EDIT_TEMPLATE_EXISTING, $node['child'], $rbac_log);
        }
    }
}