Esempio n. 1
 /**
  * Adjust permissions of moved objects
  * - Delete permissions of parent roles that do not exist in new context
  * - Delete role templates of parent roles that do not exist in new context
  * - Add permissions for parent roles that did not exist in old context
  *
  * @access public
  * @param int $a_ref_id ref id of moved object
  * @param int $a_old_parent ref id of old parent
  * 
  */
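 public function adjustMovedObjectPermissions($a_ref_id, $a_old_parent)
 {
     // Compares the parent roles returned for the old parent with those
     // returned for the new parent and applies the difference to every node
     // of the moved subtree: roles only seen from the old parent lose their
     // local role entry and permissions, roles only seen from the new parent
     // are granted their operations for the node's type.
     //
     // Returns true when there is nothing to adjust; after a subtree has been
     // processed the method falls off the end (null).
     // NOTE(review): the two exits return different values - confirm whether
     // any caller inspects the result before unifying them.
     global $rbacreview, $tree, $ilLog;
     $new_parent = $tree->getParentId($a_ref_id);
     $old_context_roles = $rbacreview->getParentRoleIds($a_old_parent, false);
     $new_context_roles = $rbacreview->getParentRoleIds($new_parent, false);
     $for_addition = $for_deletion = array();
     foreach ($new_context_roles as $new_role_id => $new_role) {
         if (!isset($old_context_roles[$new_role_id])) {
             $for_addition[$new_role_id] = $new_role;
         } elseif ($new_role['parent'] != $old_context_roles[$new_role_id]['parent']) {
             // Same role id but a different 'parent' entry (stopped
             // inheritance): drop the old entries, then grant from the new one.
             $for_deletion[$new_role_id] = $new_role;
             $for_addition[$new_role_id] = $new_role;
         }
     }
     foreach ($old_context_roles as $old_role_id => $old_role) {
         if (!isset($new_context_roles[$old_role_id])) {
             $for_deletion[$old_role_id] = $old_role;
         }
     }
     if (!count($for_deletion) and !count($for_addition)) {
         return true;
     }
     include_once "Services/AccessControl/classes/class.ilRbacLog.php";
     $rbac_log_active = ilRbacLog::isActive();
     $role_ids = array();
     if ($rbac_log_active) {
         $role_ids = array_unique(array_merge(array_keys($for_deletion), array_keys($for_addition)));
     }
     $subtree = $tree->getSubTree($tree->getNodeData($a_ref_id), true);
     foreach ($subtree as $node_data) {
         // A tree entry without object_reference and/or object_data entry has
         // no type. empty() also covers a missing key without raising a notice.
         // NOTE(review): such nodes are skipped, so whatever permissions they
         // carried in the old context stay in place and only this log line
         // records it - worth monitoring after moves.
         if (empty($node_data['type'])) {
             $ilLog->write(__METHOD__ . ': No type give. Choosing next tree entry.');
             continue;
         }
         $node_id = isset($node_data['child']) ? $node_data['child'] : null;
         if (!$node_id) {
             $ilLog->write(__METHOD__ . ': Missing subtree node_id');
             continue;
         }
         // Take the "before" snapshot only for nodes that are really changed;
         // skipped or id-less nodes no longer trigger a lookup.
         if ($rbac_log_active) {
             $log_old = ilRbacLog::gatherFaPa($node_id, $role_ids);
         }
         foreach ($for_deletion as $role_id => $role_data) {
             $this->deleteLocalRole($role_id, $node_id);
             $this->revokePermission($node_id, $role_id, false);
         }
         foreach ($for_addition as $role_id => $role_data) {
             $this->grantPermission($role_id, $rbacreview->getOperationsOfRole($role_id, $node_data['type'], $role_data['parent']), $node_id);
         }
         if ($rbac_log_active) {
             // Record the per-node difference as a MOVE_OBJECT entry.
             $log_new = ilRbacLog::gatherFaPa($node_id, $role_ids);
             $log = ilRbacLog::diffFaPa($log_old, $log_new);
             ilRbacLog::add(ilRbacLog::MOVE_OBJECT, $node_id, $log);
         }
     }
 }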
Esempio n. 2
 /**
  * Adjust permissions
  * @param int $a_mode
  * @param array $a_nodes array of nodes
  * @param array $a_policies array of object ref ids 
  * @param array $a_filter object types passed to isHandledObjectType()
  * @param array $a_exclusion_filter of object types.
  * @return void
  */
 protected function adjustPermissions($a_mode, $a_nodes, $a_policies, $a_filter, $a_exclusion_filter = array())
 {
     // Walks $a_nodes in the given order and grants the operations of this
     // object ($this->getId()) on every handled node. Three stacks are kept
     // in step with each other:
     //   $node_stack      - the node pushed together with each stack level
     //   $policy_stack    - filled by updatePolicyStack()
     //   $operation_stack - filled by updateOperationStack(); its top entry,
     //                      indexed by object type, supplies the operations
     // $a_mode is only compared against the two MODE_UNPROTECTED_* constants.
     // NOTE(review): no access check happens in this method; presumably the
     // caller has verified that the acting user may change permissions on
     // these nodes - confirm.
     global $rbacadmin, $rbacreview, $tree;
     $operation_stack = array();
     $policy_stack = array();
     $node_stack = array();
     // The element current() yields for $a_nodes is treated as the start node.
     $start_node = current($a_nodes);
     array_push($node_stack, $start_node);
     $this->updatePolicyStack($policy_stack, $start_node['child']);
     $this->updateOperationStack($operation_stack, $start_node['child'], true);
     include_once "Services/AccessControl/classes/class.ilRbacLog.php";
     $rbac_log_active = ilRbacLog::isActive();
     // True while the walk is below a node listed in $a_policies.
     $local_policy = false;
     foreach ($a_nodes as $node) {
         $cmp_node = end($node_stack);
         // Unwind the stacks for as long as the top node is reported as
         // unrelated or as a sibling of $node. Any other relation leaves the
         // loop through "break 2"; a falsy relation ends it as well.
         // NOTE(review): once $node_stack is empty end() yields false and that
         // value is passed on as $cmp_node - confirm that every node of
         // $a_nodes lies below the start node so this cannot happen.
         while ($relation = $tree->getRelationOfNodes($node, $cmp_node)) {
             switch ($relation) {
                 case ilTree::RELATION_NONE:
                 case ilTree::RELATION_SIBLING:
                     // Leaves only the switch; the pops below follow.
                     break;
                 case ilTree::RELATION_CHILD:
                 case ilTree::RELATION_EQUALS:
                 case ilTree::RELATION_PARENT:
                 default:
                     break 2;
             }
             array_pop($operation_stack);
             array_pop($policy_stack);
             array_pop($node_stack);
             $cmp_node = end($node_stack);
             // Popping a level also ends the "inside local policy" state.
             $local_policy = false;
         }
         if ($local_policy) {
             // Continue if inside of local policy
             continue;
         }
         // Start node => set permissions and continue
         if ($node['child'] == $start_node['child']) {
             if ($this->isHandledObjectType($a_filter, $a_exclusion_filter, $node['type'])) {
                 if ($rbac_log_active) {
                     // Snapshot taken before the grant, diffed further down.
                     $rbac_log_roles = $rbacreview->getParentRoleIds($node['child'], false);
                     $rbac_log_old = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
                 }
                 // Set permissions; the (array) cast turns a missing entry for
                 // this object type into an empty list.
                 $perms = end($operation_stack);
                 $rbacadmin->grantPermission($this->getId(), (array) $perms[$node['type']], $node['child']);
                 if ($rbac_log_active) {
                     $rbac_log_new = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
                     $rbac_log = ilRbacLog::diffFaPa($rbac_log_old, $rbac_log_new);
                     ilRbacLog::add(ilRbacLog::EDIT_TEMPLATE_EXISTING, $node['child'], $rbac_log);
                 }
             }
             continue;
         }
         // Node has local policies => update permission stack and continue.
         // The node itself receives no grant here; SYSTEM_FOLDER_ID is never
         // treated as such a boundary. in_array() compares loosely.
         if (in_array($node['child'], $a_policies) and $node['child'] != SYSTEM_FOLDER_ID) {
             $local_policy = true;
             $this->updatePolicyStack($policy_stack, $node['child']);
             $this->updateOperationStack($operation_stack, $node['child']);
             array_push($node_stack, $node);
             continue;
         }
         // Skip object types that isHandledObjectType() rejects
         if (!$this->isHandledObjectType($a_filter, $a_exclusion_filter, $node['type'])) {
             continue;
         }
         if ($rbac_log_active) {
             $rbac_log_roles = $rbacreview->getParentRoleIds($node['child'], false);
             $rbac_log_old = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
         }
         // Node is course => create course permission intersection
         if (($a_mode == self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES or $a_mode == self::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES) and $node['type'] == 'crs') {
             // Copy role permission intersection
             $perms = end($operation_stack);
             $this->createPermissionIntersection($policy_stack, $perms['crs'], $node['child'], $node['type']);
             // A truthy result makes this course a new stack level.
             if ($this->updateOperationStack($operation_stack, $node['child'])) {
                 $this->updatePolicyStack($policy_stack, $node['child']);
                 array_push($node_stack, $node);
             }
         }
         // Node is group => create group permission intersection
         if (($a_mode == self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES or $a_mode == self::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES) and $node['type'] == 'grp') {
             // Copy role permission intersection
             $perms = end($operation_stack);
             $this->createPermissionIntersection($policy_stack, $perms['grp'], $node['child'], $node['type']);
             // A truthy result makes this group a new stack level.
             if ($this->updateOperationStack($operation_stack, $node['child'])) {
                 $this->updatePolicyStack($policy_stack, $node['child']);
                 array_push($node_stack, $node);
             }
         }
         // Set permission from the (possibly just updated) top of the stack
         $perms = end($operation_stack);
         $rbacadmin->grantPermission($this->getId(), (array) $perms[$node['type']], $node['child']);
         if ($rbac_log_active) {
             $rbac_log_new = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
             $rbac_log = ilRbacLog::diffFaPa($rbac_log_old, $rbac_log_new);
             ilRbacLog::add(ilRbacLog::EDIT_TEMPLATE_EXISTING, $node['child'], $rbac_log);
         }
     }
 }
 /**
  * Save permissions
  * @return 
  */
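 protected function savePermissions()
 {
     // Stores the submitted permission form for the current object: the
     // operations per role, local policies ('inherit'), role protection
     // ('protect') and, if requested, the block-role confirmation ('block').
     // Returns the result of showConfirmBlockRole() when roles were marked for
     // blocking; otherwise shows the permission screen again via perm().
     //
     // NOTE(review): no access check is visible in this method; presumably the
     // command dispatcher verifies the right to edit permissions before calling
     // it - confirm.
     global $rbacreview, $objDefinition, $rbacadmin;
     include_once './Services/AccessControl/classes/class.ilObjectRolePermissionTableGUI.php';
     $ref_id = $this->getCurrentObject()->getRefId();
     $obj_type = $this->getCurrentObject()->getType();
     $table = new ilObjectRolePermissionTableGUI($this, 'perm', $ref_id);
     $roles = (array) $this->applyRoleFilter($rbacreview->getParentRoleIds($ref_id), $table->getFilterItemByPostVar('role')->getValue());
     // Request fields are normalised once: a missing or non-array field is
     // treated as "nothing submitted", which avoids undefined-index notices
     // and string-offset surprises in the isset() checks further down.
     $posted_perm = (isset($_POST['perm']) and is_array($_POST['perm'])) ? $_POST['perm'] : array();
     $posted_inherit = (isset($_POST['inherit']) and is_array($_POST['inherit'])) ? $_POST['inherit'] : array();
     $posted_protect = (isset($_POST['protect']) and is_array($_POST['protect'])) ? $_POST['protect'] : array();
     $posted_block = (isset($_POST['block']) and is_array($_POST['block'])) ? $_POST['block'] : array();
     // Log history
     include_once "Services/AccessControl/classes/class.ilRbacLog.php";
     $log_old = ilRbacLog::gatherFaPa($ref_id, array_keys($roles));
     // all possible create permissions
     $possible_ops_ids = $rbacreview->getOperationsByTypeAndClass($obj_type, 'create');
     // createable (activated) create permissions
     $create_types = $objDefinition->getCreatableSubObjects($obj_type);
     $createable_ops_ids = ilRbacReview::lookupCreateOperationIds(array_keys((array) $create_types));
     // Role ids are taken from the server-side role list, never from the
     // request, so only the filtered roles can be touched.
     foreach ($roles as $role => $role_data) {
         if ($role_data['protected']) {
             continue;
         }
         // NOTE(review): the operation ids are the keys of the submitted array
         // and are not checked here against the operations valid for this
         // object type - confirm that grantPermission() validates them.
         $new_ops = isset($posted_perm[$role]) ? array_keys((array) $posted_perm[$role]) : array();
         $old_ops = $rbacreview->getRoleOperationsOnObject($role, $ref_id);
         // Keep create operations that were granted before but are not
         // creatable (activated) at the moment.
         foreach ($possible_ops_ids as $create_ops_id) {
             if (in_array($create_ops_id, $createable_ops_ids)) {
                 continue;
             }
             if (in_array($create_ops_id, $old_ops)) {
                 $new_ops[] = $create_ops_id;
             }
         }
         $rbacadmin->revokePermission($ref_id, $role);
         $rbacadmin->grantPermission($role, array_unique($new_ops), $ref_id);
     }
     // Handle local policies.
     $rolf_id = $this->initRoleFolder(count($posted_inherit) > 0);
     // NOTE(review): $relevant_roles is computed but never read below.
     $relevant_roles = array_intersect($rbacreview->getRolesOfRoleFolder($rolf_id), array_keys($roles));
     if (ilPermissionGUI::hasContainerCommands($obj_type)) {
         foreach ($roles as $role) {
             // No action for local roles
             if ($role['parent'] == $rolf_id and $role['assign'] == 'y') {
                 continue;
             }
             // Nothing for protected roles
             if ($role['protected']) {
                 continue;
             }
             // Stop local policy
             if ($role['parent'] == $rolf_id and !isset($posted_inherit[$role['obj_id']])) {
                 $role_obj = ilObjectFactory::getInstanceByObjId($role['obj_id']);
                 $role_obj->setParent($rolf_id);
                 $role_obj->delete();
                 continue;
             }
             // Add local policy
             if ($role['parent'] != $rolf_id and isset($posted_inherit[$role['obj_id']])) {
                 $rbacadmin->copyRoleTemplatePermissions($role['obj_id'], $role['parent'], $rolf_id, $role['obj_id']);
                 $rbacadmin->assignRoleToFolder($role['obj_id'], $rolf_id, 'n');
             }
         }
     }
     // Protect permissions: only flip the flag when the submitted state
     // differs from the stored one.
     if (ilPermissionGUI::hasContainerCommands($obj_type)) {
         foreach ($roles as $role) {
             if ($rbacreview->isAssignable($role['obj_id'], $rolf_id)) {
                 if (isset($posted_protect[$role['obj_id']]) and !$rbacreview->isProtected($rolf_id, $role['obj_id'])) {
                     $rbacadmin->setProtected($rolf_id, $role['obj_id'], 'y');
                 } elseif (!isset($posted_protect[$role['obj_id']]) and $rbacreview->isProtected($rolf_id, $role['obj_id'])) {
                     $rbacadmin->setProtected($rolf_id, $role['obj_id'], 'n');
                 }
             }
         }
     }
     // Write the difference between the snapshot taken above and the state
     // after all changes to the RBAC log.
     $log_new = ilRbacLog::gatherFaPa($ref_id, array_keys($roles));
     $log = ilRbacLog::diffFaPa($log_old, $log_new);
     ilRbacLog::add(ilRbacLog::EDIT_PERMISSIONS, $ref_id, $log);
     if (count($posted_block)) {
         return $this->showConfirmBlockRole(array_keys($posted_block));
     }
     ilUtil::sendSuccess($this->lng->txt('settings_saved'), true);
     $this->perm();
 }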
 /**
  * Adjust permissions
  * @param int $a_mode
  * @param array $a_nodes array of nodes
  * @param array $a_policies array of object ref ids 
  * @param array $a_filter object types passed to isHandledObjectType()
  * @param array $a_exclusion_filter of object types.
  * @return void
  */
 protected function adjustPermissions($a_mode, $a_nodes, $a_policies, $a_filter, $a_exclusion_filter = array())
 {
     // Walks $a_nodes in the given order and grants the operations of this
     // object ($this->getId()) on every handled node. The top of
     // $operation_stack, indexed by object type, supplies the operations;
     // $left_stack / $right_stack hold the 'lft' / 'rgt' values of the node
     // each stack level belongs to (presumably nested-set bounds - confirm).
     // $a_mode is only compared against the two MODE_UNPROTECTED_* constants.
     // NOTE(review): no access check happens in this method; presumably the
     // caller has verified that the acting user may change permissions on
     // these nodes - confirm.
     global $rbacadmin, $rbacreview;
     $operation_stack = array();
     $policy_stack = array();
     $left_stack = array();
     $right_stack = array();
     // The element current() yields for $a_nodes is treated as the start node.
     $start_node = current($a_nodes);
     array_push($left_stack, $start_node['lft']);
     array_push($right_stack, $start_node['rgt']);
     $this->updatePolicyStack($policy_stack, $start_node['child']);
     $this->updateOperationStack($operation_stack, $start_node['child']);
     include_once "Services/AccessControl/classes/class.ilRbacLog.php";
     $rbac_log_active = ilRbacLog::isActive();
     // True while the walk is below a node listed in $a_policies.
     $local_policy = false;
     foreach ($a_nodes as $node) {
         $lft = end($left_stack);
         $rgt = end($right_stack);
         // Unwind the stacks until the node's lft/rgt fall inside the bounds
         // on top of the stacks.
         // NOTE(review): if a node lies outside the start node's bounds the
         // stacks run empty, end() yields false and the comparisons are made
         // against false - confirm that $a_nodes only contains nodes below
         // the start node, otherwise this loop may not terminate.
         while ($node['lft'] < $lft or $node['rgt'] > $rgt) {
             array_pop($operation_stack);
             array_pop($policy_stack);
             array_pop($left_stack);
             array_pop($right_stack);
             $lft = end($left_stack);
             $rgt = end($right_stack);
             // Popping a level also ends the "inside local policy" state.
             $local_policy = false;
         }
         if ($local_policy) {
             // Continue if inside of local policy
             continue;
         }
         // Start node => set permissions and continue
         if ($node['child'] == $start_node['child']) {
             if ($this->isHandledObjectType($a_filter, $a_exclusion_filter, $node['type'])) {
                 if ($rbac_log_active) {
                     // Snapshot taken before the grant, diffed further down.
                     $rbac_log_roles = $rbacreview->getParentRoleIds($node['child'], false);
                     $rbac_log_old = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
                 }
                 // Set permissions; the (array) cast turns a missing entry for
                 // this object type into an empty list.
                 $perms = end($operation_stack);
                 $rbacadmin->grantPermission($this->getId(), (array) $perms[$node['type']], $node['child']);
                 if ($rbac_log_active) {
                     $rbac_log_new = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
                     $rbac_log = ilRbacLog::diffFaPa($rbac_log_old, $rbac_log_new);
                     ilRbacLog::add(ilRbacLog::EDIT_TEMPLATE_EXISTING, $node['child'], $rbac_log);
                 }
             }
             continue;
         }
         // Node has local policies => update permission stack and continue.
         // The node itself receives no grant here; SYSTEM_FOLDER_ID is never
         // treated as such a boundary. in_array() compares loosely.
         if (in_array($node['child'], $a_policies) and $node['child'] != SYSTEM_FOLDER_ID) {
             $local_policy = true;
             $this->updatePolicyStack($policy_stack, $node['child']);
             $this->updateOperationStack($operation_stack, $node['child']);
             array_push($left_stack, $node['lft']);
             array_push($right_stack, $node['rgt']);
             continue;
         }
         // Skip object types that isHandledObjectType() rejects
         if (!$this->isHandledObjectType($a_filter, $a_exclusion_filter, $node['type'])) {
             continue;
         }
         if ($rbac_log_active) {
             $rbac_log_roles = $rbacreview->getParentRoleIds($node['child'], false);
             $rbac_log_old = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
         }
         // Node is course => create course permission intersection
         if (($a_mode == self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES or $a_mode == self::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES) and $node['type'] == 'crs') {
             // Copy role permission intersection
             $perms = end($operation_stack);
             $this->createPermissionIntersection($policy_stack, $perms['crs'], $node['child'], $node['type']);
             // A truthy result makes this course a new stack level.
             if ($this->updateOperationStack($operation_stack, $node['child'])) {
                 $this->updatePolicyStack($policy_stack, $node['child']);
                 array_push($left_stack, $node['lft']);
                 array_push($right_stack, $node['rgt']);
             }
         }
         // Node is group => create group permission intersection
         if (($a_mode == self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES or $a_mode == self::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES) and $node['type'] == 'grp') {
             // Copy role permission intersection
             $perms = end($operation_stack);
             $this->createPermissionIntersection($policy_stack, $perms['grp'], $node['child'], $node['type']);
             // A truthy result makes this group a new stack level.
             if ($this->updateOperationStack($operation_stack, $node['child'])) {
                 $this->updatePolicyStack($policy_stack, $node['child']);
                 array_push($left_stack, $node['lft']);
                 array_push($right_stack, $node['rgt']);
             }
         }
         // Set permission from the (possibly just updated) top of the stack
         $perms = end($operation_stack);
         $rbacadmin->grantPermission($this->getId(), (array) $perms[$node['type']], $node['child']);
         if ($rbac_log_active) {
             $rbac_log_new = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
             $rbac_log = ilRbacLog::diffFaPa($rbac_log_old, $rbac_log_new);
             ilRbacLog::add(ilRbacLog::EDIT_TEMPLATE_EXISTING, $node['child'], $rbac_log);
         }
     }
 }
 /**
  * save permissions
  *
  * @access	public
  */
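 function permSave()
 {
     // Saves the submitted permission form for the object behind
     // $this->gui_obj: revokes and re-grants the operations of the roles in
     // $this->roles, creates or removes local policies according to
     // 'stop_inherit', writes the difference to the RBAC log and redirects.
     //
     // NOTE(review): the only access check visible here runs after the save
     // and merely selects the redirect target; presumably the right to edit
     // permissions is verified before this command is dispatched - confirm.
     global $rbacreview, $rbacadmin, $rbacsystem;
     $this->getRolesData();
     include_once "Services/AccessControl/classes/class.ilRbacLog.php";
     $ref_id = $this->gui_obj->object->getRefId();
     $log_old = ilRbacLog::gatherFaPa($ref_id, array_keys($this->roles));
     // only revoke permission of roles that are not filtered
     foreach ($this->roles as $role_id => $data) {
         $rbacadmin->revokePermission($ref_id, $role_id);
     }
     // The role ids are the keys of the submitted array. Only roles that were
     // revoked above (the keys of $this->roles) are granted again: any other
     // id would receive operations without a preceding revoke and would not be
     // part of the before/after snapshots taken for the RBAC log.
     $posted_perm = (isset($_POST["perm"]) and is_array($_POST["perm"])) ? $_POST["perm"] : array();
     foreach ($posted_perm as $key => $new_role_perms) {
         if (!array_key_exists($key, $this->roles) or !is_array($new_role_perms)) {
             continue;
         }
         // NOTE(review): the submitted operation ids are passed on unchanged;
         // confirm that grantPermission() validates them for this object type.
         $rbacadmin->grantPermission($key, $new_role_perms, $ref_id);
     }
     // update object data entry (to update last modification date)
     $this->gui_obj->object->update();
     // If the inheritance of role templates is to be interrupted, the
     // following has to happen:
     // - if no role folder exists, it is created and the permissions are read
     //   from the permission templates
     // - if the role exists in the current role folder, the permission
     //   templates of this role are shown
     // - if the role does not exist in the current role folder, it is created
     //   there and its permission template is set to the value of the next
     //   higher permission template
     // get rolefolder data if a rolefolder already exists
     $rolf_data = $rbacreview->getRoleFolderOfObject($ref_id);
     $rolf_id = $rolf_data["child"];
     // A missing or non-array field counts as "no role selected".
     $stop_inherit_roles = (isset($_POST["stop_inherit"]) and is_array($_POST["stop_inherit"])) ? $_POST["stop_inherit"] : array();
     if ($stop_inherit_roles) {
         // rolefolder does not exist, so create one
         if (empty($rolf_id)) {
             // create a local role folder
             $rfoldObj = $this->gui_obj->object->createRoleFolder();
             // set rolf_id again from new rolefolder object
             $rolf_id = $rfoldObj->getRefId();
         }
         $roles_of_folder = $rbacreview->getRolesOfRoleFolder($rolf_id);
         foreach ($stop_inherit_roles as $stop_inherit) {
             // create role entries for roles with stopped inheritance
             if (!in_array($stop_inherit, $roles_of_folder)) {
                 $parentRoles = $rbacreview->getParentRoleIds($rolf_id);
                 // A submitted id that is not among the parent roles has no
                 // template to copy from; skip it instead of copying from an
                 // undefined parent.
                 if (!isset($parentRoles[$stop_inherit])) {
                     continue;
                 }
                 $rbacadmin->copyRoleTemplatePermissions($stop_inherit, $parentRoles[$stop_inherit]["parent"], $rolf_id, $stop_inherit);
                 $rbacadmin->assignRoleToFolder($stop_inherit, $rolf_id, 'n');
             }
         }
     }
     if ($rolf_id and $rolf_id != ROLE_FOLDER_ID) {
         // linked roles that are no longer listed in 'stop_inherit'
         $linked_roles = $rbacreview->getLinkedRolesOfRoleFolder($rolf_id);
         $linked_roles_to_remove = array_diff($linked_roles, $stop_inherit_roles);
         // Only delete local policies for filtered roles
         $linked_roles_to_remove = (array) array_intersect((array) $linked_roles_to_remove, (array) array_keys($this->roles));
         // remove roles where stopped inheritance is cancelled; protected
         // roles are left untouched
         foreach ($linked_roles_to_remove as $role_id) {
             if ($rbacreview->isProtected($rolf_id, $role_id)) {
                 continue;
             }
             $role_obj = ilObjectFactory::getInstanceByObjId($role_id);
             $role_obj->setParent($rolf_id);
             $role_obj->delete();
             unset($role_obj);
         }
     }
     // Write the difference between the snapshot taken above and the state
     // after all changes to the RBAC log.
     $log_new = ilRbacLog::gatherFaPa($ref_id, array_keys($this->roles));
     $log = ilRbacLog::diffFaPa($log_old, $log_new);
     ilRbacLog::add(ilRbacLog::EDIT_PERMISSIONS, $ref_id, $log);
     ilUtil::sendSuccess($this->lng->txt("saved_successfully"), true);
     // redirect to default page if user revokes himself access to the permission panel
     // NOTE(review): relies on redirect() ending the request - confirm.
     if (!$rbacsystem->checkAccess("edit_permission", $ref_id)) {
         $this->ctrl->redirect($this->gui_obj);
     }
     $this->ctrl->redirect($this, 'perm');
 }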
Esempio n. 6
 /**
  * Adjust permissions
  * @param int $a_mode
  * @param array $a_nodes array of nodes
  * @param array $a_policies array of object ref ids 
  * @param array $a_filter object types passed to isHandledObjectType()
  * @param array $a_exclusion_filter of object types.
  * @return void
  */
 protected function adjustPermissions($a_mode, $a_nodes, $a_policies, $a_filter, $a_exclusion_filter = array())
 {
     // Walks $a_nodes in the given order and grants the operations of this
     // object ($this->getId()) on every handled node. Three stacks are kept
     // in step with each other:
     //   $node_stack      - the node pushed together with each stack level
     //   $policy_stack    - filled by updatePolicyStack()
     //   $operation_stack - filled by updateOperationStack(); its top entry,
     //                      indexed by object type, supplies the operations
     // $a_mode is only compared against the two MODE_UNPROTECTED_* constants.
     // NOTE(review): no access check happens in this method; presumably the
     // caller has verified that the acting user may change permissions on
     // these nodes - confirm.
     global $rbacadmin, $rbacreview, $tree;
     $operation_stack = array();
     $policy_stack = array();
     $node_stack = array();
     // The element current() yields for $a_nodes is treated as the start node.
     $start_node = current($a_nodes);
     array_push($node_stack, $start_node);
     $this->updatePolicyStack($policy_stack, $start_node['child']);
     $this->updateOperationStack($operation_stack, $start_node['child'], true);
     include_once "Services/AccessControl/classes/class.ilRbacLog.php";
     $rbac_log_active = ilRbacLog::isActive();
     // True while the walk is below a node listed in $a_policies.
     $local_policy = false;
     foreach ($a_nodes as $node) {
         $cmp_node = end($node_stack);
         // Unwind the stacks for as long as the top node is reported as
         // unrelated or as a sibling of $node; a falsy relation ends the loop
         // as well. Each pass writes one line to ilLog.
         // NOTE(review): once $node_stack is empty end() yields false and that
         // value is passed on as $cmp_node - confirm that every node of
         // $a_nodes lies below the start node so this cannot happen.
         while ($relation = $tree->getRelationOfNodes($node, $cmp_node)) {
             switch ($relation) {
                 case ilTree::RELATION_NONE:
                 case ilTree::RELATION_SIBLING:
                     $GLOBALS['ilLog']->write(__METHOD__ . ': Handling sibling/none relation.');
                     array_pop($operation_stack);
                     array_pop($policy_stack);
                     array_pop($node_stack);
                     $cmp_node = end($node_stack);
                     // Popping a level also ends the "inside local policy" state.
                     $local_policy = false;
                     break;
                 case ilTree::RELATION_CHILD:
                 case ilTree::RELATION_EQUALS:
                 case ilTree::RELATION_PARENT:
                 default:
                     $GLOBALS['ilLog']->write(__METHOD__ . ': Handling child/equals/parent ' . $relation);
                     // Leaves the while loop, not only the switch.
                     break 2;
             }
         }
         // Nodes inside a local policy are left untouched
         if ($local_policy) {
             continue;
         }
         // Start node => set permissions and continue
         if ($node['child'] == $start_node['child']) {
             if ($this->isHandledObjectType($a_filter, $a_exclusion_filter, $node['type'])) {
                 if ($rbac_log_active) {
                     // Snapshot taken before the grant, diffed further down.
                     $rbac_log_roles = $rbacreview->getParentRoleIds($node['child'], false);
                     $rbac_log_old = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
                 }
                 // Set permissions; the (array) cast turns a missing entry for
                 // this object type into an empty list.
                 $perms = end($operation_stack);
                 $rbacadmin->grantPermission($this->getId(), (array) $perms[$node['type']], $node['child']);
                 if ($rbac_log_active) {
                     $rbac_log_new = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
                     $rbac_log = ilRbacLog::diffFaPa($rbac_log_old, $rbac_log_new);
                     ilRbacLog::add(ilRbacLog::EDIT_TEMPLATE_EXISTING, $node['child'], $rbac_log);
                 }
             }
             continue;
         }
         // Node has local policies => update permission stack and continue.
         // The node itself receives no grant here; SYSTEM_FOLDER_ID is never
         // treated as such a boundary. in_array() compares loosely.
         if (in_array($node['child'], $a_policies) and $node['child'] != SYSTEM_FOLDER_ID) {
             $local_policy = true;
             $this->updatePolicyStack($policy_stack, $node['child']);
             $this->updateOperationStack($operation_stack, $node['child']);
             array_push($node_stack, $node);
             continue;
         }
         // Continue if this object type is not in filter
         if (!$this->isHandledObjectType($a_filter, $a_exclusion_filter, $node['type'])) {
             continue;
         }
         if ($rbac_log_active) {
             $rbac_log_roles = $rbacreview->getParentRoleIds($node['child'], false);
             $rbac_log_old = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
         }
         // Node is course => create course permission intersection
         if (($a_mode == self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES or $a_mode == self::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES) and $node['type'] == 'crs') {
             // Copy role permission intersection
             $perms = end($operation_stack);
             $this->createPermissionIntersection($policy_stack, $perms['crs'], $node['child'], $node['type']);
             // A truthy result makes this course a new stack level.
             if ($this->updateOperationStack($operation_stack, $node['child'])) {
                 $this->updatePolicyStack($policy_stack, $node['child']);
                 array_push($node_stack, $node);
             }
         }
         // Node is group => create group permission intersection
         if (($a_mode == self::MODE_UNPROTECTED_DELETE_LOCAL_POLICIES or $a_mode == self::MODE_UNPROTECTED_KEEP_LOCAL_POLICIES) and $node['type'] == 'grp') {
             // Copy role permission intersection
             $perms = end($operation_stack);
             $this->createPermissionIntersection($policy_stack, $perms['grp'], $node['child'], $node['type']);
             // A truthy result makes this group a new stack level.
             if ($this->updateOperationStack($operation_stack, $node['child'])) {
                 $this->updatePolicyStack($policy_stack, $node['child']);
                 array_push($node_stack, $node);
             }
         }
         // Set permission from the (possibly just updated) top of the stack
         $perms = end($operation_stack);
         $rbacadmin->grantPermission($this->getId(), (array) $perms[$node['type']], $node['child']);
         if ($rbac_log_active) {
             $rbac_log_new = ilRbacLog::gatherFaPa($node['child'], array_keys($rbac_log_roles));
             $rbac_log = ilRbacLog::diffFaPa($rbac_log_old, $rbac_log_new);
             ilRbacLog::add(ilRbacLog::EDIT_TEMPLATE_EXISTING, $node['child'], $rbac_log);
         }
     }
 }