Пример #1
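 /**
  * Get only the 'global' roles that carry the 'assign_users' flag.
  *
  * @access	public
  * @return	array		List of array('obj_id' => <role id>, 'role_type' => 'global');
  *					empty array when no global role is flagged
  */
 public function getGlobalAssignableRoles()
 {
     include_once './Services/AccessControl/classes/class.ilObjRole.php';

     // Initialise the result up front so that "no assignable role" yields an
     // empty array instead of reading an undefined variable.
     $ga = array();
     foreach ($this->getGlobalRoles() as $role_id) {
         if (ilObjRole::_getAssignUsersStatus($role_id)) {
             $ga[] = array('obj_id' => $role_id, 'role_type' => 'global');
         }
     }
     return $ga;
 }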
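 /**
  * Check whether the current user may assign users to a role from a given folder context.
  *
  * A role located in ROLE_FOLDER_ID is treated as global. It is refused when the call
  * comes from a local context and the role lacks the 'assign_users' status, when it is
  * the anonymous role, or when it is the system role and the current user does not hold
  * the system role. Any other located role is treated as local and is refused when its
  * folder is deleted, when the user lacks 'edit_permission' on the folder's parent, or
  * when the folder is not below $a_folder. A role without any folder is refused.
  *
  * Decisions are memoised for the rest of the request and each decision is logged.
  *
  * @access protected
  * @param mixed $a_folder Folder the call is made from; USER_FOLDER_ID or 0 means "not a local context"
  * @param mixed $a_role   Id of the role to check
  * @return bool True if assignment is allowed, false otherwise
  */
 protected function isPermittedRole($a_folder, $a_role)
 {
     // The decision depends on the calling folder as well as on the role, so the
     // memo key has to contain both. Keying on the role alone would let a result
     // computed for one folder be reused for a different one.
     static $checked_roles = array();
     $cache_key = $a_folder . ':' . $a_role;
     if (isset($checked_roles[$cache_key])) {
         return $checked_roles[$cache_key];
     }
     global $rbacsystem, $rbacreview, $ilUser, $tree, $ilLog;
     $locations = $rbacreview->getFoldersAssignedToRole($a_role, true);
     $location = isset($locations[0]) ? $locations[0] : null;
     // True when the call does not come from the global user folder.
     $is_local_context = ($a_folder != USER_FOLDER_ID && $a_folder != 0);
     // global role
     if ($location == ROLE_FOLDER_ID) {
         $ilLog->write(__METHOD__ . ': Check global role');
         // check assignment permission if called from local admin
         if ($is_local_context) {
             $ilLog->write(__METHOD__ . ': ' . $a_folder);
             include_once './Services/AccessControl/classes/class.ilObjRole.php';
             if (!ilObjRole::_getAssignUsersStatus($a_role)) {
                 $ilLog->write(__METHOD__ . ': No assignment allowed');
                 $checked_roles[$cache_key] = false;
                 return false;
             }
         }
         // exclude anonymous role from list
         if ($a_role == ANONYMOUS_ROLE_ID) {
             $ilLog->write(__METHOD__ . ': Anonymous role chosen.');
             $checked_roles[$cache_key] = false;
             return false;
         }
         // do not allow assigning users to the administrator role if the current user does not have SYSTEM_ROLE_ID
         if ($a_role == SYSTEM_ROLE_ID and !in_array(SYSTEM_ROLE_ID, $rbacreview->assignedRoles($ilUser->getId()))) {
             $ilLog->write(__METHOD__ . ': System role assignment forbidden.');
             $checked_roles[$cache_key] = false;
             return false;
         }
         // Global role assignment ok
         $ilLog->write(__METHOD__ . ': Assignment allowed.');
         $checked_roles[$cache_key] = true;
         return true;
     } elseif ($location) {
         $ilLog->write(__METHOD__ . ': Check local role.');
         // It's a local role. Its folder is the location looked up above, so
         // no second getFoldersAssignedToRole() query is needed.
         $rolf = $location;
         // only process role folders that are not set to status "deleted"
         // and for which the user has write permissions.
         // We also don't show the roles which are in the ROLE_FOLDER_ID folder.
         // (The ROLE_FOLDER_ID folder contains the global roles).
         if ($rbacreview->isDeleted($rolf) || !$rbacsystem->checkAccess('edit_permission', $tree->getParentId($rolf))) {
             $ilLog->write(__METHOD__ . ': Role deleted or no permission.');
             $checked_roles[$cache_key] = false;
             return false;
         }
         // A local role is only permitted if it is contained in the subtree of
         // the locally administrated category. If the call comes from the user
         // folder object (USER_FOLDER_ID or 0), all local roles pass this step,
         // because the user folder object is considered the parent of all local
         // roles. In every other case the role folder must be a descendant of
         // the locally administrated category.
         if ($is_local_context and !$tree->isGrandChild($a_folder, $rolf)) {
             $ilLog->write(__METHOD__ . ': Not in path of category.');
             $checked_roles[$cache_key] = false;
             return false;
         }
         $ilLog->write(__METHOD__ . ': Assignment allowed.');
         $checked_roles[$cache_key] = true;
         return true;
     }
     // The role is not assigned to any folder: deny explicitly instead of
     // falling off the end of the function with an implicit null.
     $ilLog->write(__METHOD__ . ': Role has no folder.');
     $checked_roles[$cache_key] = false;
     return false;
 }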
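 /**
  * Import users from the posted XML file, applying the posted role assignment.
  *
  * The role assignment comes from the request, so it is checked again here
  * before the parser sees it: a non-admin may not assign the system role, may not
  * assign global roles without 'assign_users' status from a local context, and
  * needs access to the parent of a local role's folder. Any violation purges the
  * import directory, raises the "not permitted" error and stops the import.
  *
  * After parsing, the import directory is purged, the result is reported and the
  * user is redirected depending on the baseClass request parameter.
  *
  * @return void
  */
 function importUsersObject()
 {
     global $rbacreview, $rbacsystem, $tree, $lng, $ilUser;
     // Blind out tabs for local user import
     if ($_GET["baseClass"] == 'ilRepositoryGUI') {
         $this->tabs_gui->clearTargets();
     }
     include_once './Services/AccessControl/classes/class.ilObjRole.php';
     include_once './Services/User/classes/class.ilUserImportParser.php';
     // Anything other than an explicit "update" request falls back to "ignore".
     switch ($_POST["conflict_handling_choice"]) {
         case "update_on_conflict":
             $rule = IL_UPDATE_ON_CONFLICT;
             break;
         case "ignore_on_conflict":
         default:
             $rule = IL_IGNORE_ON_CONFLICT;
             break;
     }
     // NOTE(review): $_POST["xml_file"] is a client-supplied path that reaches the
     // parser unchanged. Nothing in this method ties it to getImportDir(); confirm
     // that the parser or an earlier step confines it to the import directory
     // (for example by comparing realpath() prefixes) before it is opened.
     $importParser = new ilUserImportParser($_POST["xml_file"], IL_USER_IMPORT, $rule);
     $importParser->setFolderId($this->getUserOwnerId());
     $import_dir = $this->getImportDir();
     // Catch hack attempts
     // We check here again, if the role folders are in the tree, and if the
     // user has permission on the roles.
     $role_assign = isset($_POST["role_assign"]) ? $_POST["role_assign"] : null;
     if ($role_assign) {
         // A scalar here would skip the loop below and reach the parser unchecked,
         // so only an array is accepted.
         $permitted = is_array($role_assign);
         if ($permitted) {
             $global_roles = $rbacreview->getGlobalRoles();
             $roles_of_user = $rbacreview->assignedRoles($ilUser->getId());
             $is_admin = in_array(SYSTEM_ROLE_ID, $roles_of_user);
             foreach ($role_assign as $role_id) {
                 if ($role_id == "") {
                     continue;
                 }
                 if (in_array($role_id, $global_roles)) {
                     // Holders of the system role may assign any global role.
                     if ($is_admin) {
                         continue;
                     }
                     $local_without_flag = ($this->object->getRefId() != USER_FOLDER_ID
                         && !ilObjRole::_getAssignUsersStatus($role_id));
                     if ($role_id == SYSTEM_ROLE_ID || $local_without_flag) {
                         $permitted = false;
                         break;
                     }
                 } else {
                     $rolf = $rbacreview->getFoldersAssignedToRole($role_id, true);
                     // Fail closed when the posted id has no role folder at all.
                     // NOTE(review): this path checks 'write' while isPermittedRole()
                     // checks 'edit_permission' for the same decision; confirm which
                     // operation is intended.
                     if (!isset($rolf[0])
                         || $rbacreview->isDeleted($rolf[0])
                         || !$rbacsystem->checkAccess('write', $tree->getParentId($rolf[0]))) {
                         $permitted = false;
                         break;
                     }
                 }
             }
         }
         if (!$permitted) {
             ilUtil::delDir($import_dir);
             $this->ilias->raiseError($this->lng->txt("usrimport_with_specified_role_not_permitted"), $this->ilias->error_obj->MESSAGE);
             // Stop on every rejection path, so the import cannot continue
             // should raiseError() return to the caller.
             return;
         }
     }
     // Hand the parser the same value that was validated above.
     $importParser->setRoleAssignment($role_assign);
     $importParser->startParsing();
     // purge user import directory
     ilUtil::delDir($import_dir);
     switch ($importParser->getErrorLevel()) {
         case IL_IMPORT_SUCCESS:
             ilUtil::sendSuccess($this->lng->txt("user_imported"), true);
             break;
         case IL_IMPORT_WARNING:
             ilUtil::sendInfo($this->lng->txt("user_imported_with_warnings") . $importParser->getProtocolAsHTML($lng->txt("import_warning_log")), true);
             break;
         case IL_IMPORT_FAILURE:
             $this->ilias->raiseError($this->lng->txt("user_import_failed") . $importParser->getProtocolAsHTML($lng->txt("import_failure_log")), $this->ilias->error_obj->MESSAGE);
             break;
     }
     if (strtolower($_GET["baseClass"]) == "iladministrationgui") {
         $this->ctrl->redirect($this, "view");
     } else {
         $this->ctrl->redirectByClass('ilobjcategorygui', 'listUsers');
     }
 }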
Пример #4
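 /**
  * Build the list of global roles offered for selection and pick the preselected one.
  *
  * Fills $this->selectable_roles (role id => title) and $this->default_role.
  * The anonymous role is never offered. The system role is offered only to users
  * who hold it. From any object other than USER_FOLDER_ID, users without the
  * system role are offered only roles with 'assign_users' status.
  *
  * This method only decides what the form shows; it performs no check on what
  * is later submitted.
  *
  * @return void
  */
 function initCreate()
 {
     global $tpl, $rbacsystem, $rbacreview, $ilUser;
     if ($this->usrf_ref_id != USER_FOLDER_ID) {
         $this->tabs_gui->clearTargets();
     }
     include_once './Services/AccessControl/classes/class.ilObjRole.php';
     // Neither value changes between roles, so both are computed once
     // rather than on every loop iteration.
     $is_admin = in_array(SYSTEM_ROLE_ID, $rbacreview->assignedRoles($ilUser->getId()));
     $only_assignable = ($this->object->getRefId() != USER_FOLDER_ID && !$is_admin);
     // role selection
     $obj_list = $rbacreview->getRoleListByObject(ROLE_FOLDER_ID);
     $rol = array();
     foreach ($obj_list as $obj_data) {
         $role_id = $obj_data["obj_id"];
         // allow only 'assign_users' marked roles if called from category
         if ($only_assignable && !ilObjRole::_getAssignUsersStatus($role_id)) {
             continue;
         }
         // exclude anonymous role from list
         if ($role_id == ANONYMOUS_ROLE_ID) {
             continue;
         }
         // do not offer the administrator role if the current user does not have SYSTEM_ROLE_ID
         if ($role_id == SYSTEM_ROLE_ID && !$is_admin) {
             continue;
         }
         $rol[$role_id] = $obj_data["title"];
     }
     // raise error if there is no global role user can be assigned to
     if (!count($rol)) {
         $this->ilias->raiseError($this->lng->txt("msg_no_roles_users_can_be_assigned_to"), $this->ilias->error_obj->MESSAGE);
     }
     $keys = array_keys($rol);
     // set pre defined user role to default
     // NOTE(review): 4 and 2 are hard-coded role ids; 2 is presumably the admin
     // role (SYSTEM_ROLE_ID) - confirm and replace the literals with named constants.
     if (in_array(4, $keys)) {
         $this->default_role = 4;
     } else {
         if (count($keys) > 1 and in_array(2, $keys)) {
             // remove admin role as preselectable role
             $admin_pos = array_search(2, $keys);
             if ($admin_pos !== false) {
                 unset($keys[$admin_pos]);
             }
         }
         $this->default_role = array_shift($keys);
     }
     $this->selectable_roles = $rol;
 }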