| blob | ec27bf6d2930e5e06320f2042145962fb7da5bd0 |
3 ///////////////////////////////////////////////////////////////////////////
4 // //
5 // NOTICE OF COPYRIGHT //
6 // //
7 // Moodle - Modular Object-Oriented Dynamic Learning Environment //
8 // http://moodle.org //
9 // //
10 // Copyright (C) 1999 onwards Martin Dougiamas http://dougiamas.com //
11 // //
12 // This program is free software; you can redistribute it and/or modify //
13 // it under the terms of the GNU General Public License as published by //
14 // the Free Software Foundation; either version 2 of the License, or //
15 // (at your option) any later version. //
16 // //
17 // This program is distributed in the hope that it will be useful, //
18 // but WITHOUT ANY WARRANTY; without even the implied warranty of //
19 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the //
20 // GNU General Public License for more details: //
21 // //
22 // http://www.gnu.org/copyleft/gpl.html //
23 // //
24 ///////////////////////////////////////////////////////////////////////////
26 /**
27 * Public API vs internals
28 * -----------------------
29 *
30 * General users probably only care about
31 *
32 * Context handling
33 * - get_context_instance()
34 * - get_context_instance_by_id()
35 * - get_parent_contexts()
36 * - get_child_contexts()
37 *
38 * Whether the user can do something...
39 * - has_capability()
40 * - require_capability()
41 * - require_login() (from moodlelib)
42 *
43 * What courses has this user access to?
44 * - get_user_courses_bycap()
45 *
46 * What users can do X in this context?
47 * - get_users_by_capability()
48 *
49 * Enrol/unenrol
50 * - enrol_into_course()
51 * - role_assign()/role_unassign()
52 *
53 *
54 * Advanced use
55 * - load_all_capabilities()
56 * - reload_all_capabilities()
57 * - $ACCESS global
58 * - has_capability_in_accessdata()
59 * - is_siteadmin()
60 * - get_user_access_sitewide()
61 * - load_subcontext()
62 * - get_role_access_bycontext()
63 *
64 * Name conventions
65 * ----------------
66 *
67 * - "ctx" means context
68 *
69 * accessdata
70 * ----------
71 *
72 * Access control data is held in the "accessdata" array
73 * which - for the logged-in user, will be in $USER->access
74 *
75 * For other users can be generated and passed around (but see
76 * the $ACCESS global).
77 *
78 * $accessdata is a multidimensional array, holding
79 * role assignments (RAs), role-capabilities-perm sets
80 * (role defs) and a list of courses we have loaded
81 * data for.
82 *
83 * Things are keyed on "contextpaths" (the path field of
84 * the context table) for fast walking up/down the tree.
85 *
86 * $accessdata[ra][$contextpath]= array($roleid)
87 * [$contextpath]= array($roleid)
88 * [$contextpath]= array($roleid)
89 *
90 * Role definitions are stored like this
91 * (no cap merge is done - so it's compact)
92 *
93 * $accessdata[rdef][$contextpath:$roleid][mod/forum:viewpost] = 1
94 * [mod/forum:editallpost] = -1
95 * [mod/forum:startdiscussion] = -1000
96 *
97 * See how has_capability_in_accessdata() walks up/down the tree.
98 *
99 * Normally - specially for the logged-in user, we only load
100 * rdef and ra down to the course level, but not below. This
101 * keeps accessdata small and compact. Below-the-course ra/rdef
102 * are loaded as needed. We keep track of which courses we
103 * have loaded ra/rdef in
104 *
105 * $accessdata[loaded] = array($contextpath, $contextpath)
106 *
107 * Stale accessdata
108 * ----------------
109 *
110 * For the logged-in user, accessdata is long-lived.
111 *
112 * On each pageload we load $DIRTYPATHS which lists
113 * context paths affected by changes. Any check at-or-below
114 * a dirty context will trigger a transparent reload of accessdata.
115 *
116 * Changes at the sytem level will force the reload for everyone.
117 *
118 * Default role caps
119 * -----------------
120 * The default role assignment is not in the DB, so we
121 * add it manually to accessdata.
122 *
123 * This means that functions that work directly off the
124 * DB need to ensure that the default role caps
125 * are dealt with appropriately.
126 *
127 */
131 // permission definitions
137 // context definitions
146 // capability risks - see http://docs.moodle.org/en/Development:Hardening_new_Roles_system
154 // rolename displays
161 $context_cache = array(); // Cache of all used context objects for performance (by level and instance)
165 $ACCESS = array(); // cache of caps for cron user switching and has_capability for other users (==not $USER)
169 //this is really slow!!!! - do not use above course context level!
173 // first emulate the parent context capabilities merging into context
177 if ($capabilities = get_records_select('role_capabilities', "roleid = $roleid AND contextid = $cid")) {
181 }
183 }
184 }
185 }
187 // now go through the contexts bellow given context
190 if ($capabilities = get_records_select('role_capabilities', "roleid = $roleid AND contextid = $cid")) {
194 }
196 }
197 }
198 }
201 }
203 /**
204 * Gets the accessdata for role "sitewide"
205 * (system down to course)
206 *
207 * @return array
208 */
213 /* Get it in 1 cheap DB query...
214 * - relevant role caps at the root and down
215 * to the course level - but not below
216 */
222 }
224 //
225 // Overrides for the role IN ANY CONTEXTS
226 // down to COURSE - not below -
227 //
229 rc.capability, rc.permission
232 ON rc.contextid=ctx.id
237 // we need extra caching in cron only
246 }
248 }
249 }
254 }
261 }
264 }
265 }
268 }
270 /**
271 * Gets the accessdata for role "sitewide"
272 * (system down to course)
273 *
274 * @return array
275 */
283 //
284 // Overrides for the role in any contexts related to the course
285 //
287 rc.capability, rc.permission
290 ON rc.contextid=ctx.id
300 }
303 }
306 }
309 /**
310 * Get the default guest role
311 * @return object role
312 */
324 }
329 //somebody is messing with guest roles, remove incorrect setting and try to find a new one
332 }
333 }
334 }
336 /**
337 * This function returns whether the current user has the capability of performing a function
338 * For example, we can do has_capability('mod/forum:replypost',$context) in forum
339 * @param string $capability - name of the capability (or debugcache or clearcache)
340 * @param object $context - a context object (record from context table)
341 * @param integer $userid - a userid number, empty if current $USER
342 * @param bool $doanything - if false, ignore do anything
343 * @return bool
344 */
348 // the original $CONTEXT here was hiding serious errors
349 // for security reasons do not reuse previous context
353 }
355 /// Some sanity checks
364 }
365 }
366 }
370 }
371 }
373 debugging('Capability parameter "doanything" is wierd ("'.$doanything.'"). This should be fixed in code.');
374 }
375 }
379 }
382 //this should not happen
385 debugging('Context id '.$context->id.' does not have valid path, please use build_context_path()', DEBUG_DEVELOPER);
390 }
393 // In cron, some modules setup a 'fake' $USER,
394 // ensure we load the appropriate accessdata.
400 }
404 // caps not loaded yet - better to load them to keep BC with 1.8
405 // not-logged-in user or $USER object set up manually first time here
409 }
411 // Load dirty contexts list if needed
415 }
418 }
419 }
421 // Careful check for staleness...
423 // reload all capabilities - preserving loginas, roleswitches, etc
424 // and then cleanup any marks of dirtyness... at least from our short
425 // term memory! :-)
436 }
437 }
439 // divulge how many times we are called
440 //// error_log("has_capability: id:{$context->id} path:{$context->path} userid:$userid cap:$capability");
443 //
444 // For the logged in user, we have $USER->access
445 // which will have all RAs and caps preloaded for
446 // course and above contexts.
447 //
448 // Contexts below courses && contexts that do not
449 // hang from courses are loaded into $USER->access
450 // on demand, and listed in $USER->access[loaded]
451 //
453 // Course and above are always preloaded
455 }
456 // Load accessdata for below-the-course contexts
458 // error_log("loading access for context {$context->path} for $capability at {$context->contextlevel} {$context->id}");
459 // $bt = debug_backtrace();
460 // error_log("bt {$bt[0]['file']} {$bt[0]['line']}");
462 }
464 }
468 }
470 // Course and above are always preloaded
472 }
473 // Load accessdata for below-the-course contexts as needed
475 // error_log("loading access for context {$context->path} for $capability at {$context->contextlevel} {$context->id}");
476 // $bt = debug_backtrace();
477 // error_log("bt {$bt[0]['file']} {$bt[0]['line']}");
479 }
481 }
483 /**
484 * This function returns whether the current user has any of the capabilities in the
485 * $capabilities array. This is a simple wrapper around has_capability for convinience.
486 *
487 * There are probably tricks that could be done to improve the performance here, for example,
488 * check the capabilities that are already cached first.
489 *
490 * @param array $capabilities - an array of capability names.
491 * @param object $context - a context object (record from context table)
492 * @param integer $userid - a userid number, empty if current $USER
493 * @param bool $doanything - if false, ignore do anything
494 * @return bool
495 */
500 }
501 }
503 }
505 /**
506 * Uses 1 DB query to answer whether a user is an admin at the sitelevel.
507 * It depends on DB schema >=1.7 but does not depend on the new datastructures
508 * in v1.9 (context.path, or $USER->access)
509 *
510 * Will return true if the userid has any of
511 * - moodle/site:config
512 * - moodle/legacy:admin
513 * - moodle/site:doanything
514 *
515 * @param int $userid
516 * @returns bool $isadmin
517 */
524 ON ctx.id=rc.contextid
526 ON ra.roleid=rc.roleid AND ra.contextid=ctx.id
527 WHERE ctx.contextlevel=10
529 AND rc.capability IN ('moodle/site:config', 'moodle/legacy:admin', 'moodle/site:doanything')
530 GROUP BY rc.capability
535 }
538 // assume that nothing is more than 1 course deep
541 }
543 }
547 // assume that contexts hang from sys or from a course
548 // this will only work well with stuff that hangs from a course
550 // error_log("found it!");
552 }
558 }
561 }
562 }
564 }
566 /**
567 * Walk the accessdata array and return true/false.
568 * Deals with prohibits, roleswitching, aggregating
569 * capabilities, etc.
570 *
571 * The main feature of here is being FAST and with no
572 * side effects.
573 *
574 * Notes:
575 *
576 * Switch Roles exits early
577 * -----------------------
578 * cap checks within a switchrole need to exit early
579 * in our bottom up processing so they don't "see" that
580 * there are real RAs that can do all sorts of things.
581 *
582 * Switch Role merges with default role
583 * ------------------------------------
584 * If you are a teacher in course X, you have at least
585 * teacher-in-X + defaultloggedinuser-sitewide. So in the
586 * course you'll have techer+defaultloggedinuser.
587 * We try to mimic that in switchrole.
588 *
589 * Local-most role definition and role-assignment wins
590 * ---------------------------------------------------
591 * So if the local context has said 'allow', it wins
592 * over a high-level context that says 'deny'.
593 * This is applied when walking rdefs, and RAs.
594 * Only at the same context the values are SUM()med.
595 *
596 * The exception is CAP_PROHIBIT.
597 *
598 * "Guest default role" exception
599 * ------------------------------
600 *
601 * See MDL-7513 and $ignoreguest below for details.
602 *
603 * The rule is that
604 *
605 * IF we are being asked about moodle/legacy:guest
606 * OR moodle/course:view
607 * FOR a real, logged-in user
608 * AND we reached the top of the path in ra and rdef
609 * AND that role has moodle/legacy:guest === 1...
610 * THEN we act as if we hadn't seen it.
611 *
612 *
613 * To Do:
614 *
615 * - Document how it works
616 * - Rewrite in ASM :-)
617 *
618 */
625 // build $contexts as a list of "paths" of the current
626 // contexts and parents with the order top-to-bottom
631 }
637 // At the base, ignore rdefs where moodle/legacy:guest
638 // is set
640 }
642 // Coerce it to an int
650 //
651 // role-switches loop
652 //
654 // check for isset() is fast
655 // empty() is slow...
659 }
660 // From the bottom up...
664 // Found a switchrole assignment
665 // check for that role _plus_ the default user role
669 // Walk the path for capabilities
670 // from the bottom up...
676 // The most local permission (first to set) wins
677 // the only exception is CAP_PROHIBIT
683 }
684 }
685 }
686 }
687 // As we are dealing with a switchrole,
688 // we return _here_, do _not_ walk up
689 // the hierarchy any further
692 // didn't find it as an explicit cap,
693 // but maybe the user candoanything in this context...
697 }
700 }
702 }
703 }
704 }
706 //
707 // Main loop for normal RAs
708 // From the bottom up...
709 //
713 // Found role assignments on this leaf
723 // Walk the path for capabilities
724 // from the bottom up...
727 // ignore some guest caps
728 // at base ra and rdef
735 }
738 // The most local permission (first to set) wins
739 // the only exception is CAP_PROHIBIT
747 }
748 }
749 }
750 // Rules for RAs at the same context...
751 // - prohibits always wins
752 // - permissions at the same ctxlevel & capdepth are added together
753 // - deeper capdepth wins
763 // rolecap ignored
764 }
765 }
766 // The most local RAs with a defined
767 // permission ($ctxcan) win, except
768 // for CAP_PROHIBIT
769 // NOTE: If we want the deepest RDEF to
770 // win regardless of the depth of the RA,
771 // change the elseif below to read
772 // ($can === 0 || $capdepth < $ctxcapdepth) {
779 }
780 }
781 }
785 // didn't find it as an explicit cap,
786 // but maybe the user candoanything in this context...
790 }
793 }
795 }
801 // build $contexts as a list of "paths" of the current
802 // contexts and parents with the order top-to-bottom
807 }
812 // From the bottom up...
816 // Found assignments on this leaf
819 }
820 }
823 }
825 /**
826 * This is an easy to use function, combining has_capability() with require_course_login().
827 * And will call those where needed.
828 *
829 * It checks for a capability assertion being true. If it isn't
830 * then the page is terminated neatly with a standard error message.
831 *
832 * If the user is not logged in, or is using 'guest' access or other special "users,
833 * it provides a logon prompt.
834 *
835 * @param string $capability - name of the capability
836 * @param object $context - a context object (record from context table)
837 * @param integer $userid - a userid number
838 * @param bool $doanything - if false, ignore do anything
839 * @param string $errorstring - an errorstring
840 * @param string $stringfile - which stringfile to get it from
841 */
847 /* Empty $userid means current user, if the current user is not logged in,
848 * then make sure they are (if needed).
849 * Originally there was a check for loaded permissions - it is not needed here.
850 * Context is now required parameter, the cached $CONTEXT was only hiding errors.
851 */
861 }
864 }
871 }
875 }
876 }
878 /// OK, if they still don't have the capability then print a nice error message
883 }
884 }
886 /**
887 * Get an array of courses (with magic extra bits)
888 * where the accessdata and in DB enrolments show
889 * that the cap requested is available.
890 *
891 * The main use is for get_my_courses().
892 *
893 * Notes
894 *
895 * - $fields is an array of fieldnames to ADD
896 * so name the fields you really need, which will
897 * be added and uniq'd
898 *
899 * - the course records have $c->context which is a fully
900 * valid context object. Saves you a query per course!
901 *
902 * - the course records have $c->categorypath to make
903 * category lookups cheap
904 *
905 * - current implementation is split in -
906 *
907 * - if the user has the cap systemwide, stupidly
908 * grab *every* course for a capcheck. This eats
909 * a TON of bandwidth, specially on large sites
910 * with separate DBs...
911 *
912 * - otherwise, fetch "likely" courses with a wide net
913 * that should get us _cheaply_ at least the courses we need, and some
914 * we won't - we get courses that...
915 * - are in a category where user has the cap
916 * - or where use has a role-assignment (any kind)
917 * - or where the course has an override on for this cap
918 *
919 * - walk the courses recordset checking the caps oneach one
920 * the checks are all in memory and quite fast
921 * (though we could implement a specialised variant of the
922 * has_capability_in_accessdata() code to speed it up)
923 *
924 * @param string $capability - name of the capability
925 * @param array $accessdata - accessdata session array
926 * @param bool $doanything - if false, ignore do anything
927 * @param string $sort - sorting fields - prefix each fieldname with "c."
928 * @param array $fields - additional fields you are interested in...
929 * @param int $limit - set if you want to limit the number of courses
930 * @return array $courses - ordered array of course objects - see notes above
931 *
932 */
933 function get_user_courses_bycap($userid, $cap, $accessdata, $doanything, $sort='c.sortorder ASC', $fields=NULL, $limit=0) {
937 // Slim base fields, let callers ask for what they need...
945 }
951 }
955 //
956 // Apparently the user has the cap sitewide, so walk *every* course
957 // (the cap checks are moderately fast, but this moves massive bandwidth w the db)
958 // Yuck.
959 //
961 ctx.id AS ctxid, ctx.path AS ctxpath,
962 ctx.depth AS ctxdepth, ctx.contextlevel AS ctxlevel,
963 cc.path AS categorypath
966 ON c.category=cc.id
972 //
973 // narrow down where we have the caps to a few contexts
974 // this will be a combination of
975 // - categories where we have the rights
976 // - courses where we have an explicit enrolment OR that have an override
977 //
988 }
989 }
996 }
998 }
1004 }
1005 //
1006 // Note here that we *have* to have the compound clauses
1007 // in the LEFT OUTER JOIN condition for them to return NULL
1008 // appropriately and narrow things down...
1009 //
1011 ctx.id AS ctxid, ctx.path AS ctxpath,
1012 ctx.depth AS ctxdepth, ctx.contextlevel AS ctxlevel,
1013 cc.path AS categorypath
1016 ON c.category=cc.id
1023 WHERE ra.id IS NOT NULL
1024 OR rc.id IS NOT NULL
1025 $catclause
1028 }
1032 // build the context obj
1039 }
1040 }
1041 }
1044 }
1047 /**
1048 * It will return a nested array showing role assignments
1049 * all relevant role capabilities for the user at
1050 * site/metacourse/course_category/course levels
1051 *
1052 * We do _not_ delve deeper than courses because the number of
1053 * overrides at the module/block levels is HUGE.
1054 *
1055 * [ra] => [/path/] = array(roleid, roleid)
1056 * [rdef] => [/path/:roleid][capability]=permission
1057 * [loaded] => array('/path', '/path')
1058 *
1059 * @param $userid integer - the id of the user
1060 *
1061 */
1066 // this flag has not been set!
1067 // (not clean install, or upgraded successfully to 1.7 and up)
1070 }
1072 /* Get in 3 cheap DB queries...
1073 * - role assignments - with role_caps
1074 * - relevant role caps
1075 * - above this user's RAs
1076 * - below this user's RAs - limited to course level
1077 */
1087 //
1088 // Role assignments - and any rolecaps directly linked
1089 // because it's cheap to read rolecaps here over many
1090 // RAs
1091 //
1095 ON ra.contextid=ctx.id
1097 ON (rc.roleid=ra.roleid AND rc.contextid=ra.contextid)
1101 //
1102 // raparents collects paths & roles we need to walk up
1103 // the parenthood to build the rdef
1104 //
1105 // the array will bulk up a bit with dups
1106 // which we'll later clear up
1107 //
1112 // RAs leafs are arrays to support multi
1113 // role assignments...
1116 }
1117 // only add if is not a repeat caused
1118 // by capability join...
1119 // (this check is cheaper than in_array())
1132 }
1133 }
1134 // Always add the roleded
1138 }
1139 }
1142 }
1144 // Walk up the tree to grab all the roledefs
1145 // of interest to our user...
1146 // NOTE: we use a series of IN clauses here - which
1147 // might explode on huge sites with very convoluted nesting of
1148 // categories... - extremely unlikely that the number of categories
1149 // and roletypes is so large that we hit the limits of IN()
1155 }
1156 }
1162 ON rc.contextid=ctx.id
1173 }
1176 }
1177 }
1179 //
1180 // Overrides for the role assignments IN SUBCONTEXTS
1181 // (though we still do _not_ go below the course level.
1182 //
1183 // NOTE that the JOIN w sctx is with 3-way triangulation to
1184 // catch overrides to the applicable role in any subcontext, based
1185 // on the path field of the parent.
1186 //
1188 ctx.path AS parentpath,
1189 rco.capability, rco.permission
1192 ON ra.contextid=ctx.id
1196 ON (rco.roleid=ra.roleid AND rco.contextid=sctx.id)
1206 }
1209 }
1211 }
1213 /**
1214 * It add to the access ctrl array the data
1215 * needed by a user for a given context
1216 *
1217 * @param $userid integer - the id of the user
1218 * @param $context context obj - needs path!
1219 * @param $accessdata array accessdata array
1220 */
1227 /* Get the additional RAs and relevant rolecaps
1228 * - role assignments - with role_caps
1229 * - relevant role caps
1230 * - above this user's RAs
1231 * - below this user's RAs - limited to course level
1232 */
1236 //
1237 // Replace $context with the target context we will
1238 // load. Normally, this will be a course context, but
1239 // may be a different top-level context.
1240 //
1241 // We have 3 cases
1242 //
1243 // - Course
1244 // - BLOCK/PERSON/USER/COURSE(sitecourse) hanging from SYSTEM
1245 // - BLOCK/MODULE/GROUP hanging from a course
1246 //
1247 // For course contexts, we _already_ have the RAs
1248 // but the cost of re-fetching is minimal so we don't care.
1249 //
1252 // Case BLOCK/MODULE/GROUP hanging from a course
1253 // Assumption: the course _must_ be our parent
1254 // If we ever see stuff nested further this needs to
1255 // change to do 1 query over the exploded path to
1256 // find out which one is the course
1261 }
1263 //
1264 // Role assignments in the context and below
1265 //
1269 ON ra.contextid=ctx.id
1275 //
1276 // Read in the RAs, preventing duplicates
1277 //
1283 }
1284 // only add if is not a repeat caused
1285 // by capability join...
1286 // (this check is cheaper than in_array())
1291 }
1292 }
1295 //
1296 // Walk up and down the tree to grab all the roledefs
1297 // of interest to our user...
1298 //
1299 // NOTES
1300 // - we use IN() but the number of roles is very limited.
1301 //
1304 // Do we have any interesting "local" roles?
1308 // Role defs for local roles in 'higher' contexts...
1314 }
1316 // We will want overrides for all of them
1320 }
1324 ON rc.contextid=ctx.id
1327 $wherelocalroles
1336 }
1338 }
1342 }
1347 }
1349 // error_log("loaded {$context->path}");
1351 }
1353 /**
1354 * It add to the access ctrl array the data
1355 * needed by a role for a given context.
1356 *
1357 * The data is added in the rdef key.
1358 *
1359 * This role-centric function is useful for role_switching
1360 * and to get an overview of what a role gets under a
1361 * given context and below...
1362 *
1363 * @param $roleid integer - the id of the user
1364 * @param $context context obj - needs path!
1365 * @param $accessdata accessdata array
1366 *
1367 */
1372 /* Get the relevant rolecaps into rdef
1373 * - relevant role caps
1374 * - at ctx and above
1375 * - below this ctx
1376 */
1383 }
1388 //
1389 // Walk up and down the tree to grab all the roledefs
1390 // of interest to our role...
1391 //
1392 // NOTE: we use an IN clauses here - which
1393 // might explode on huge sites with very convoluted nesting of
1394 // categories... - extremely unlikely that the number of nested
1395 // categories is so large that we hit the limits of IN()
1396 //
1400 ON rc.contextid=ctx.id
1410 }
1414 }
1416 /**
1417 * Load accessdata for a user
1418 * into the $ACCESS global
1419 *
1420 * Used by has_capability() - but feel free
1421 * to call it if you are about to run a BIG
1422 * cron run across a bazillion users.
1423 *
1424 */
1432 //
1433 // provide "default role" & set 'dr'
1434 //
1441 }
1443 }
1445 //
1446 // provide "default frontpage role"
1447 //
1455 }
1456 }
1457 // for dirty timestamps in cron
1464 }
1466 /**
1467 * Use shared copy of role definistions stored in $RDEFS;
1468 * @param array $rdefs array of role definitions in contexts
1469 */
1473 /*
1474 * This is a basic sharing only, we could also
1475 * use md5 sums of values. The main purpose is to
1476 * reduce mem in cron jobs - many users in $ACCESS array.
1477 */
1482 }
1484 }
1485 }
1487 /**
1488 * A convenience function to completely load all the capabilities
1489 * for the current user. This is what gets called from complete_user_login()
1490 * for example. Call it only _after_ you've setup $USER and called
1491 * check_enrolment_plugins();
1492 *
1493 */
1502 // Load the rdefs
1504 // Put the ghost enrolment in place...
1512 //
1513 // provide "default role" & set 'dr'
1514 //
1521 }
1523 }
1527 //
1528 // provide "default frontpage role"
1529 //
1537 }
1538 }
1544 }
1546 // Timestamp to read dirty context timestamps later
1550 // Clear to force a refresh
1552 }
1554 /**
1555 * A convenience function to completely reload all the capabilities
1556 * for the current user when roles have been updated in a relevant
1557 * context -- but PRESERVING switchroles and loginas.
1558 *
1559 * That is - completely transparent to the user.
1560 *
1561 * Note: rewrites $USER->access completely.
1562 *
1563 */
1567 // error_log("reloading");
1568 // copy switchroles
1572 // error_log(print_r($sw,1));
1573 }
1583 }
1585 }
1587 /*
1588 * Adds a temp role to an accessdata array.
1589 *
1590 * Useful for the "temporary guest" access
1591 * we grant to logged-in users.
1592 *
1593 * Note - assumes a course context!
1594 *
1595 */
1600 //
1601 // Load rdefs for the role in -
1602 // - this context
1603 // - all the parents
1604 // - and below - IOWs overrides...
1605 //
1607 // turn the path into a list of context ids
1612 rc.capability, rc.permission
1615 ON rc.contextid=ctx.id
1624 }
1627 //
1628 // Say we loaded everything for the course context
1629 // - which we just did - if the user gets a proper
1630 // RA in this session, this data will need to be reloaded,
1631 // but that is handled by the complete accessdata reload
1632 //
1635 //
1636 // Add the ghost RA
1637 //
1642 }
1645 }
1648 /**
1649 * Check all the login enrolment information for the given user object
1650 * by querying the enrolment plugins
1651 */
1659 }
1667 }
1671 if (method_exists($enrol, 'setup_enrolments')) { /// Plugin supports Roles (Moodle 1.7 and later)
1676 }
1679 }
1681 /// deal with $user->students and $user->teachers stuff
1684 }
1686 }
1689 }
1691 /**
1692 * Installs the roles system.
1693 * This function runs on a fresh install as well as on an upgrade from the old
1694 * hard-coded student/teacher/admin etc. roles to the new roles system.
1695 */
1700 /// Create a system wide context for assignemnt.
1704 /// Create default/legacy roles and capabilities.
1705 /// (1 legacy capability per legacy role at system level).
1711 $editteacherrole = create_role(addslashes(get_string('defaultcourseteacher')), 'editingteacher',
1722 /// Now is the correct moment to install capabilities - after creation of legacy roles, but before assigning of roles
1726 }
1729 }
1731 /// Look inside user_admin, user_creator, user_teachers, user_students and
1732 /// assign above new roles. If a user has both teacher and student role,
1733 /// only teacher role is assigned. The assignment should be system level.
1737 /// Set up the progress bar
1745 }
1746 }
1750 /// Upgrade the admins.
1751 /// Sort using id ASC, first one is primary admin.
1759 }
1761 }
1763 // This is a fresh install.
1764 }
1767 /// Upgrade course creators.
1774 }
1776 }
1777 }
1780 /// Upgrade editting teachers and non-editting teachers.
1785 // removed code here to ignore site level assignments
1786 // since the contexts are separated now
1788 // populate the user_lastaccess table
1795 // assign the default student role
1797 // hidden teacher
1802 }
1805 role_assign($editteacherrole, $teacher->userid, 0, $coursecontext->id, $teacher->timestart, $teacher->timeend, $hiddenteacher, $teacher->enrol, $teacher->timemodified);
1807 role_assign($noneditteacherrole, $teacher->userid, 0, $coursecontext->id, $teacher->timestart, $teacher->timeend, $hiddenteacher, $teacher->enrol, $teacher->timemodified);
1808 }
1811 }
1813 }
1814 }
1817 /// Upgrade students.
1822 // populate the user_lastaccess table
1829 // assign the default student role
1831 role_assign($studentrole, $student->userid, 0, $coursecontext->id, $student->timestart, $student->timeend, 0, $student->enrol, $student->time);
1834 }
1836 }
1837 }
1840 /// Upgrade guest (only 1 entry).
1843 }
1847 /// Insert the correct records for legacy roles
1864 /// Set up default allow override matrix
1873 //See MDL-15841
1874 //allow_override($editteacherrole, $noneditteacherrole);
1875 //allow_override($editteacherrole, $studentrole);
1876 //allow_override($editteacherrole, $guestrole);
1879 /// Delete the old user tables when we are done
1886 }
1887 }
1888 }
1890 /**
1891 * Returns array of all legacy roles.
1892 */
1902 );
1903 }
1913 //choose first selected legacy capability - reset the rest
1918 }
1919 }
1920 }
1923 }
1925 /**
1926 * Assign the defaults found in this capabality definition to roles that have
1927 * the corresponding legacy capabilities assigned to them.
1928 * @param $legacyperms - an array in the format (example):
1929 * 'guest' => CAP_PREVENT,
1930 * 'student' => CAP_ALLOW,
1931 * 'teacher' => CAP_ALLOW,
1932 * 'editingteacher' => CAP_ALLOW,
1933 * 'coursecreator' => CAP_ALLOW,
1934 * 'admin' => CAP_ALLOW
1935 * @return boolean - success or failure.
1936 */
1947 }
1951 // Assign a site level capability.
1954 }
1955 }
1956 }
1957 }
1959 }
1962 /**
1963 * Checks to see if a capability is a legacy capability.
1964 * @param $capabilityname
1965 * @return boolean
1966 */
1972 }
1973 }
1977 /**********************************
1978 * Context Manipulation functions *
1979 **********************************/
1981 /**
1982 * Create a new context record for use by all roles-related stuff
1983 * assumes that the caller has done the homework.
1984 *
1985 * @param $level
1986 * @param $instanceid
1987 *
1988 * @return object newly created context
1989 */
1996 }
2002 // Define $context->path based on the parent
2003 // context. In other words... Who is your daddy?
2021 // ok - this is a top category
2026 // wrong parent category - no big deal, this can be fixed later
2029 }
2031 // incorrect category id
2033 }
2047 //ok - no parent category
2052 // wrong parent category of course - no big deal, this can be fixed later
2055 }
2057 // no errors for missing site course during installation
2060 // incorrect course id
2062 }
2079 // course does not exist - modules can not exist without a course
2081 }
2083 // cm does not exist
2085 }
2089 // Only non-pinned & course-page based
2100 // ok - not a course block
2105 // parent course does not exist - course blocks can not exist without a course
2107 }
2109 // block does not exist
2111 }
2114 // default to basepath
2116 }
2118 // if grandparents unknown, maybe rebuild_context_path() will solve it later
2121 }
2124 // can't set the full path till we know the id!
2127 }
2135 }
2136 }
2138 /**
2139 * This hacky function is needed because we can not change system context instanceid using normal upgrade routine.
2140 */
2151 }
2153 }
2163 // better something than nothing - let's hope it will work somehow
2166 }
2171 }
2172 }
2174 if (!isset($context->depth) or $context->depth != 1 or $context->instanceid != 0 or $context->path != '/'.$context->id) {
2179 }
2183 }
2187 }
2189 /**
2190 * Remove a context record and any dependent entries,
2191 * removes context from static context cache too
2192 * @param $level
2193 * @param $instanceid
2194 *
2195 * @return bool properly deleted
2196 */
2200 // do not use get_context_instance(), because the related object might not exist,
2201 // or the context does not exist yet and it would be created now
2202 if ($context = get_record('context', 'contextlevel', $contextlevel, 'instanceid', $instanceid)) {
2207 // do not mark dirty contexts if parents unknown
2210 }
2212 // purge static context cache if entry present
2220 }
2221 }
2223 /**
2224 * Precreates all contexts including all parents
2225 * @param int $contextlevel, empty means all
2226 * @param bool $buildpaths update paths and depths
2227 * @param bool $feedback show sql feedback
2228 * @return void
2229 */
2233 //make sure system context exists
2243 WHERE NOT EXISTS (SELECT 'x'
2248 }
2256 WHERE NOT EXISTS (SELECT 'x'
2261 }
2267 WHERE NOT EXISTS (SELECT 'x'
2271 }
2277 WHERE NOT EXISTS (SELECT 'x'
2281 }
2287 WHERE u.deleted=0
2288 AND NOT EXISTS (SELECT 'x'
2293 }
2297 }
2298 }
2300 /**
2301 * Remove stale context records
2302 *
2303 * @return bool
2304 */
2309 c.instanceid AS instanceid
2312 ON c.instanceid = t.id
2314 UNION
2315 SELECT c.contextlevel,
2316 c.instanceid
2319 ON c.instanceid = t.id
2321 UNION
2322 SELECT c.contextlevel,
2323 c.instanceid
2326 ON c.instanceid = t.id
2328 UNION
2329 SELECT c.contextlevel,
2330 c.instanceid
2333 ON c.instanceid = t.id
2335 UNION
2336 SELECT c.contextlevel,
2337 c.instanceid
2340 ON c.instanceid = t.id
2342 UNION
2343 SELECT c.contextlevel,
2344 c.instanceid
2347 ON c.instanceid = t.id
2355 }
2360 }
2364 }
2366 }
2368 /**
2369 * Get the context instance as an object. This function will create the
2370 * context instance if it does not exist yet.
2371 * @param integer $level The context level, for example CONTEXT_COURSE, or CONTEXT_MODULE.
2372 * @param integer $instance The instance id. For $level = CONTEXT_COURSE, this would be $course->id,
2373 * for $level = CONTEXT_MODULE, this would be $cm->id. And so on.
2374 * @return object The context object.
2375 */
2379 static $allowed_contexts = array(CONTEXT_SYSTEM, CONTEXT_USER, CONTEXT_COURSECAT, CONTEXT_COURSE, CONTEXT_GROUP, CONTEXT_MODULE, CONTEXT_BLOCK);
2382 // TODO: Remove for v2.0
2383 // No longer needed, but we'll catch it to avoid erroring out on custom code.
2384 // This used to be a fix for MDL-9016
2385 // "Restoring into existing course, deleting first
2386 // deletes context and doesn't recreate it"
2388 }
2390 /// System context has special cache
2393 }
2395 /// check allowed context levels
2397 // fatal error, code must be fixed - probably typo or switched parameters
2398 error('Error: get_context_instance() called with incorrect context level "'.s($contextlevel).'"');
2399 }
2402 /// Check the cache
2405 }
2407 /// Get it from the database, or create it
2408 if (!$context = get_record('context', 'contextlevel', $contextlevel, 'instanceid', $instance)) {
2410 }
2412 /// Only add to cache if context isn't empty.
2416 }
2419 }
2422 /// ok, somebody wants to load several contexts to save some db queries ;-)
2427 /// Check the cache first
2432 }
2433 }
2442 }
2448 }
2455 }
2460 }
2463 }
2464 }
2467 }
2470 /**
2471 * Get a context instance as an object, from a given context id.
2472 * @param mixed $id a context id or array of ids.
2473 * @return mixed object or array of the context object.
2474 */
2481 }
2485 }
2491 }
2494 }
2497 /**
2498 * Get the local override (if any) for a given capability in a role in a context
2499 * @param $roleid
2500 * @param $contextid
2501 * @param $capability
2502 */
2504 return get_record('role_capabilities', 'roleid', $roleid, 'capability', $capability, 'contextid', $contextid);
2505 }
2509 /************************************
2510 * DB TABLE RELATED FUNCTIONS *
2511 ************************************/
2513 /**
2514 * function that creates a role
2515 * @param name - role name
2516 * @param shortname - role short name
2517 * @param description - role description
2518 * @param legacy - optional legacy capability
2519 * @return id or false
2520 */
2523 // check for duplicate role name
2527 }
2531 }
2538 //find free sortorder number
2542 }
2546 }
2551 }
2553 /// By default, users with role:manage at site level
2554 /// should be able to assign users to this new role, and override this new role's capabilities
2556 // find all admin roles
2558 // foreach admin role
2560 // write allow_assign and allow_overrid
2563 }
2564 }
2569 }
2571 }
2573 /**
2574 * function that deletes a role and cleanups up after it
2575 * @param roleid - id of role to delete
2576 * @return success
2577 */
2582 // mdl 10149, check if this is the last active admin role
2583 // if we make the admin role not deletable then this part can go
2588 if (record_exists('role_capabilities', 'contextid', $systemcontext->id, 'roleid', $roleid, 'capability', 'moodle/site:doanything')) {
2589 // deleting an admin role
2591 if ($adminroles = get_roles_with_capability('moodle/site:doanything', CAP_ALLOW, $systemcontext)) {
2594 // some other admin role
2595 if (record_exists('role_assignments', 'roleid', $adminrole->id, 'contextid', $systemcontext->id)) {
2596 // found another admin role with at least 1 user assigned
2599 }
2600 }
2601 }
2602 }
2604 error ('You can not delete this role because there is no other admin roles with users assigned');
2605 }
2606 }
2607 }
2609 // first unssign all users
2613 }
2615 // cleanup all references to this role, ignore errors
2618 // MDL-10679 find all contexts where this role has an override
2630 }
2632 // finally delete the role itself
2633 // get this before the name is gone for logging
2639 }
2642 add_to_log(SITEID, 'role', 'delete', 'admin/roles/action=delete&roleid='.$roleid, $rolename, '', $USER->id);
2643 }
2646 }
2648 /**
2649 * Function to write context specific overrides, or default capabilities.
2650 * @param module - string name
2651 * @param capability - string name
2652 * @param contextid - context id
2653 * @param roleid - role id
2654 * @param permission - int 1,-1 or -1000
2655 * should not be writing if permission is 0
2656 */
2664 }
2666 $existing = get_record('role_capabilities', 'contextid', $contextid, 'roleid', $roleid, 'capability', $capability);
2670 }
2686 }
2687 }
2689 /**
2690 * Unassign a capability from a role.
2691 * @param $roleid - the role id
2692 * @param $capability - the name of the capability
2693 * @return boolean - success or failure
2694 */
2698 // delete from context rel, if this is the last override in this context
2704 }
2706 }
2709 /**
2710 * Get the roles that have a given capability assigned to it. This function
2711 * does not resolve the actual permission of the capability. It just checks
2712 * for assignment only.
2713 * @param $capability - capability name (string)
2714 * @param $permission - optional, the permission defined for this capability
2715 * either CAP_ALLOW, CAP_PREVENT or CAP_PROHIBIT
2716 * @return array or role objects
2717 */
2728 }
2732 }
2742 }
2744 }
2747 /**
2748 * This function makes a role-assignment (a role for a user or group in a particular context)
2749 * @param $roleid - the role of the id
2750 * @param $userid - userid
2751 * @param $groupid - group id
2752 * @param $contextid - id of the context
2753 * @param $timestart - time this assignment becomes effective
2754 * @param $timeend - time this assignemnt ceases to be effective
2755 * @uses $USER
2756 * @return id - new id of the assigment
2757 */
2758 function role_assign($roleid, $userid, $groupid, $contextid, $timestart=0, $timeend=0, $hidden=0, $enrol='manual',$timemodified='') {
2761 /// Do some data validation
2766 }
2771 }
2776 }
2781 }
2786 }
2791 }
2795 }
2797 /// Check for existing entry
2799 $ra = get_record('role_assignments', 'roleid', $roleid, 'contextid', $context->id, 'userid', $userid);
2801 $ra = get_record('role_assignments', 'roleid', $roleid, 'contextid', $context->id, 'groupid', $groupid);
2802 }
2811 /// Always round timestart downto 100 secs to help DBs to use their own caching algorithms
2812 /// by repeating queries with the same exact parameters in a 100 secs time window
2820 }
2826 /// Always round timestart downto 100 secs to help DBs to use their own caching algorithms
2827 /// by repeating queries with the same exact parameters in a 100 secs time window
2835 }
2836 }
2838 /// mark context as dirty - modules might use has_capability() in xxx_role_assing()
2839 /// again expensive, but needed
2843 /// If the user is the current user, then do full reload of capabilities too.
2845 }
2847 /// Ask all the modules if anything needs to be done for this user
2854 }
2855 }
2856 }
2858 /// now handle metacourse role assignments if in course context
2863 }
2864 }
2865 }
2870 }
2873 /**
2874 * Deletes one or more role assignments. You must specify at least one parameter.
2875 * @param $roleid
2876 * @param $userid
2877 * @param $groupid
2878 * @param $contextid
2879 * @param $enrol unassign only if enrolment type matches, NULL means anything
2880 * @return boolean - success or failure
2881 */
2893 }
2894 }
2897 }
2904 /// infinite loop protection when deleting recursively
2907 }
2912 }
2915 // strange error, not much to do
2917 }
2919 /* mark contexts as dirty here, because we need the refreshed
2920 * caps bellow to delete group membership and user_lastaccess!
2921 * and yes, this is very expensive for bulk operations :-(
2922 */
2925 /// If the user is the current user, then do full reload of capabilities too.
2928 }
2930 /// Ask all the modules if anything needs to be done for this user
2935 $functionname($ra->userid, $context); // watch out, $context might be NULL if something goes wrong
2936 }
2937 }
2939 /// now handle metacourse role unassigment and removing from goups if in course context
2942 // cleanup leftover course groups/subscriptions etc when user has
2943 // no capability to view course
2944 // this may be slow, but this is the proper way of doing it
2946 // remove from groups
2949 // delete lastaccess records
2951 }
2953 //unassign roles in metacourses if needed
2957 }
2958 }
2959 }
2963 }
2964 }
2965 }
2966 }
2969 }
2971 /**
2972 * A convenience function to take care of the common case where you
2973 * just want to enrol someone using the default role into a course
2974 *
2975 * @param object $course
2976 * @param object $user
2977 * @param string $enrol - the plugin used to do this enrolment
2978 */
2982 // remove time part from the timestamp and keep only the date part
2983 $timestart = make_timestamp(date('Y', $timestart), date('m', $timestart), date('d', $timestart), 0, 0, 0);
2988 }
2996 }
2998 // force accessdata refresh for users visiting this context...
3007 }
3010 }
3012 /**
3013 * Loads the capability definitions for the component (from file). If no
3014 * capabilities are defined for the component, we simply return an empty array.
3015 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
3016 * @return array of capabilities
3017 */
3028 // Blocks are an exception. Blocks directory is 'blocks', and not
3029 // 'block'. So we need to jump through hoops.
3035 // Similar to the above, course formats are 'format' while they
3036 // are stored in 'course/format'.
3055 }
3056 }
3062 }
3064 }
3067 /**
3068 * Gets the capabilities that have been cached in the database for this
3069 * component.
3070 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
3071 * @return array of capabilities
3072 */
3083 }
3085 }
3087 /**
3088 * Returns default capabilities for given legacy role type.
3089 *
3090 * @param string legacy role name
3091 * @return array
3092 */
3096 }
3104 }
3105 }
3109 }
3110 }
3112 //some exceptions
3116 }
3118 }
3120 /**
3121 * Reset role capabilitites to default according to selected legacy capability.
3122 * If several legacy caps selected, use the first from get_default_capabilities.
3123 * If no legacy selected, removes all capabilities.
3124 *
3125 * @param int @roleid
3126 */
3135 //choose first selected legacy capability
3138 }
3139 }
3145 }
3146 }
3147 }
3149 /**
3150 * Updates the capabilities table with the component capability definitions.
3151 * If no parameters are given, the function updates the core moodle
3152 * capabilities.
3153 *
3154 * Note that the absence of the db/access.php capabilities definition file
3155 * will cause any stored capabilities for the component to be removed from
3156 * the database.
3157 *
3158 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
3159 * @return boolean
3160 */
3170 // update risk bitmasks and context levels in existing capabilities if needed
3174 }
3181 }
3182 }
3186 }
3193 }
3194 }
3195 }
3196 }
3197 }
3199 // Are there new capabilities in the file definition?
3207 }
3209 }
3210 }
3211 // Add new capabilities to the stored definition.
3222 }
3225 if (isset($capdef['clonepermissionsfrom']) && in_array($capdef['clonepermissionsfrom'], $storedcaps)){
3226 if ($rolecapabilities = get_records('role_capabilities', 'capability', $capdef['clonepermissionsfrom'])){
3228 //assign_capability will update rather than insert if capability exists
3232 }
3233 }
3234 }
3235 // Do we need to assign the new capabilities to roles that have the
3236 // legacy capabilities moodle/legacy:* as well?
3237 // we ignore legacy key if we have cloned permissions
3241 }
3242 }
3243 // Are there any capabilities that have been removed from the file
3244 // definition that we need to delete from the stored capabilities and
3245 // role assignments?
3249 }
3252 /**
3253 * Deletes cached capabilities that are no longer needed by the component.
3254 * Also unassigns these capabilities from any roles that have them.
3255 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
3256 * @param $newcapdef - array of the new capability definitions that will be
3257 * compared with the cached capabilities
3258 * @return int - number of deprecated capabilities that have been removed
3259 */
3269 // Remove from capabilities cache.
3274 }
3275 // Delete from roles.
3281 }
3282 }
3283 }
3285 }
3286 }
3288 }
3292 /****************
3293 * UI FUNCTIONS *
3294 ****************/
3297 /**
3298 * prints human readable context identifier.
3299 */
3313 }
3315 }
3322 }
3324 }
3334 }
3335 }
3340 }
3342 }
3349 }
3350 }
3359 }
3361 }
3362 }
3363 }
3376 }
3378 }
3379 }
3380 }
3387 }
3389 }
3392 /**
3393 * Extracts the relevant capabilities given a contextid.
3394 * All case based, example an instance of forum context.
3395 * Will fetch all forum related capabilities, while course contexts
3396 * Will fetch all capabilities
3397 * @param object context
3398 * @return array();
3399 *
3400 * capabilities
3401 * `name` varchar(150) NOT NULL,
3402 * `captype` varchar(50) NOT NULL,
3403 * `contextlevel` int(10) NOT NULL,
3404 * `component` varchar(100) NOT NULL,
3405 */
3423 }
3434 WHERE contextlevel IN (".CONTEXT_COURSECAT.",".CONTEXT_COURSE.",".CONTEXT_MODULE.",".CONTEXT_BLOCK.")";
3456 }
3459 }
3460 }
3461 }
3479 }
3482 }
3483 }
3494 }
3498 }
3501 }
3504 /**
3505 * This function pulls out all the resolved capabilities (overrides and
3506 * defaults) of a role used in capability overrides in contexts at a given
3507 * context.
3508 * @param obj $context
3509 * @param int $roleid
3510 * @param bool self - if set to true, resolve till this level, else stop at immediate parent level
3511 * @return array
3512 */
3524 }
3532 ORDER BY c.contextlevel DESC,
3538 // We are traversing via reverse order.
3540 // If not set yet (i.e. inherit or not set at all), or currently we have a prohibit
3543 }
3544 }
3545 }
3547 }
3549 /**
3550 * Recursive function which, given a context, find all parent context ids,
3551 * and return the array in reverse order, i.e. parent first, then grand
3552 * parent, etc.
3553 *
3554 * @param object $context
3555 * @return array()
3556 */
3561 }
3568 }
3570 /**
3571 * Return the id of the parent of this context, or false if there is no parent (only happens if this
3572 * is the site context.)
3573 *
3574 * @param object $context
3575 * @return integer the id of the parent context.
3576 */
3581 }
3583 }
3585 /**
3586 * Recursive function which, given a context, find all its children context ids.
3587 *
3588 * When called for a course context, it will return the modules and blocks
3589 * displayed in the course page.
3590 *
3591 * For course category contexts it will return categories and courses. It will
3592 * NOT recurse into courses - if you want to do that, call it on the returned
3593 * courses.
3594 *
3595 * If called on a course context it _will_ populate the cache with the appropriate
3596 * contexts ;-)
3597 *
3598 * @param object $context.
3599 * @return array of child records
3600 */
3605 // We *MUST* populate the context_cache as the callers
3606 // will probably ask for the full record anyway soon after
3607 // soon after calling us ;-)
3612 // No children.
3617 // No children.
3622 // No children.
3627 // Find
3628 // - module instances - easy
3629 // - groups
3630 // - blocks assigned to the course-view page explicitly - easy
3631 // - blocks pinned (note! we get all of them here, regardless of vis)
3636 UNION
3637 SELECT ctx.*
3642 UNION
3643 SELECT ctx.*
3647 WHERE b.pagetype='course-view'
3654 }
3660 // Find
3661 // - categories
3662 // - courses
3673 }
3679 // No children.
3684 // Just get all the contexts except for CONTEXT_SYSTEM level
3685 // and hope we don't OOM in the process - don't cache
3696 }
3697 }
3700 /**
3701 * Gets a string for sql calls, searching for stuff in this context or above
3702 * @param object $context
3703 * @return string
3704 */
3710 }
3711 }
3713 /**
3714 * Returns the human-readable, translated version of the capability.
3715 * Basically a big switch statement.
3716 * @param $capabilityname - e.g. mod/choice:readresponses
3717 */
3720 // Typical capabilityname is mod/choice:readresponses
3741 }
3768 }
3770 }
3773 /**
3774 * This gets the mod/block/course/core etc strings.
3775 * @param $component
3776 * @param $contextlevel
3777 */
3794 }
3812 }
3828 }
3832 error ('This is an unknown context $contextlevel (' . $contextlevel . ') in get_component_string!');
3835 }
3837 }
3839 /**
3840 * Gets the list of roles assigned to this context and up (parents)
3841 * @param object $context
3842 * @param view - set to true when roles are pulled for display only
3843 * this is so that we can filter roles with no visible
3844 * assignment, for example, you might want to "hide" all
3845 * course creators when browsing the course participants
3846 * list.
3847 * @return array
3848 */
3853 // filter for roles with all hidden assignments
3854 // no need to return when only pulling roles for reviewing
3855 // e.g. participants page.
3856 $hiddensql = ($view && !has_capability('moodle/role:viewhiddenassigns', $context))? ' AND ra.hidden = 0 ':'';
3860 r.name,
3861 r.shortname,
3862 r.sortorder
3865 WHERE r.id = ra.roleid
3867 $hiddensql
3871 }
3873 /**
3874 * This function is used to print roles column in user profile page.
3875 * @param int userid
3876 * @param object context
3877 * @return string
3878 */
3883 $SQL = 'select * from '.$CFG->prefix.'role_assignments ra, '.$CFG->prefix.'role r where ra.userid='.$userid.' and ra.contextid='.$context->id.' and ra.roleid = r.id';
3887 // MDL-12544, if we are in view mode and current user has no capability to view hidden assignment, skip it
3888 if ($userrole->hidden && $view && !has_capability('moodle/role:viewhiddenassigns', $context)) {
3890 }
3892 }
3897 $rolenames[$roleid] = '<a href="'.$CFG->wwwroot.'/user/index.php?contextid='.$context->id.'&roleid='.$roleid.'">'.$rolename.'</a>';
3898 }
3900 }
3902 }
3905 /**
3906 * Checks if a user can override capabilities of a particular role in this context
3907 * @param object $context
3908 * @param int targetroleid - the id of the role you want to override
3909 * @return boolean
3910 */
3913 // TODO: not needed anymore, remove in 2.0
3915 // first check if user has override capability
3916 // if not return false;
3919 }
3920 // pull out all active roles of this user from this context(or above)
3923 // if any in the role_allow_override table, then it's ok
3924 if (get_record('role_allow_override', 'roleid', $userrole->roleid, 'allowoverride', $targetroleid)) {
3926 }
3927 }
3928 }
3932 }
3934 /**
3935 * Checks if a user can assign users to a particular role in this context
3936 * @param object $context
3937 * @param int targetroleid - the id of the role you want to assign users to
3938 * @return boolean
3939 */
3942 // first check if user has override capability
3943 // if not return false;
3946 }
3947 // pull out all active roles of this user from this context(or above)
3950 // if any in the role_allow_override table, then it's ok
3951 if (get_record('role_allow_assign', 'roleid', $userrole->roleid, 'allowassign', $targetroleid)) {
3953 }
3954 }
3955 }
3958 }
3960 /** Returns all site roles in correct sort order.
3961 *
3962 */
3965 }
3967 /**
3968 * gets all the user roles assigned in this context, or higher contexts
3969 * this is mainly used when checking if a user can assign a role, or overriding a role
3970 * i.e. we need to know what this user holds, in order to verify against allow_assign and
3971 * allow_override tables
3972 * @param object $context
3973 * @param int $userid
3974 * @param view - set to true when roles are pulled for display only
3975 * this is so that we can filter roles with no visible
3976 * assignment, for example, you might want to "hide" all
3977 * course creators when browsing the course participants
3978 * list.
3979 * @return array
3980 */
3981 function get_user_roles($context, $userid=0, $checkparentcontexts=true, $order='c.contextlevel DESC, r.sortorder ASC', $view=false) {
3988 }
3990 }
3991 // set up hidden sql
3992 $hiddensql = ($view && !has_capability('moodle/role:viewhiddenassigns', $context))? ' AND ra.hidden = 0 ':'';
3998 }
4005 AND ra.roleid = r.id
4006 AND ra.contextid = c.id
4010 }
4013 }
4015 /**
4016 * Creates a record in the allow_override table
4017 * @param int sroleid - source roleid
4018 * @param int troleid - target roleid
4019 * @return int - id or false
4020 */
4026 }
4028 /**
4029 * Creates a record in the allow_assign table
4030 * @param int sroleid - source roleid
4031 * @param int troleid - target roleid
4032 * @return int - id or false
4033 */
4039 }
4041 /**
4042 * Gets a list of roles that this user can assign in this context
4043 * @param object $context
4044 * @param string $field
4045 * @param int $rolenamedisplay
4046 * @return array
4047 */
4053 }
4061 (
4062 SELECT DISTINCT r.id
4067 AND raa.roleid = ra.roleid AND r.id = raa.allowassign
4068 ) inline_view
4069 WHERE ro.id = inline_view.id
4072 }
4076 }
4079 }
4081 /**
4082 * Gets a list of roles that this user can assign in this context, for the switchrole menu
4083 *
4084 * @param object $context
4085 * @param string $field
4086 * @param int $rolenamedisplay
4087 * @return array
4088 */
4089 function get_assignable_roles_for_switchrole($context, $field='name', $rolenamedisplay=ROLENAME_ALIAS) {
4094 }
4102 (
4103 SELECT DISTINCT r.id
4109 AND raa.roleid = ra.roleid AND r.id = raa.allowassign
4110 AND r.id = rc.roleid AND rc.capability = 'moodle/course:view' AND rc.capability != 'moodle/site:doanything'
4111 ) inline_view
4112 WHERE ro.id = inline_view.id
4115 }
4119 }
4122 }
4124 /**
4125 * Gets a list of roles that this user can override or safeoverride in this context
4126 * @param object $context
4127 * @param string $field
4128 * @param int $rolenamedisplay
4129 * @return array
4130 */
4134 if (!has_capability('moodle/role:override', $context) and !has_capability('moodle/role:safeoverride', $context)) {
4136 }
4144 (
4145 SELECT DISTINCT r.id
4150 AND rao.roleid = ra.roleid AND r.id = rao.allowoverride
4151 ) inline_view
4152 WHERE ro.id = inline_view.id
4155 }
4159 }
4162 }
4164 /**
4165 * Returns a role object that is the default role for new enrolments
4166 * in a given course
4167 *
4168 * @param object $course
4169 * @return object $role
4170 */
4174 /// First let's take the default role the course may have
4178 }
4179 }
4181 /// Otherwise the site setting should tell us
4185 }
4186 }
4188 /// It's unlikely we'll get here, but just in case, try and find a student role
4191 }
4194 }
4197 /**
4198 * Who has this capability in this context?
4199 *
4200 * This can be a very expensive call - use sparingly and keep
4201 * the results if you are going to need them again soon.
4202 *
4203 * Note if $fields is empty this function attempts to get u.*
4204 * which can get rather large - and has a serious perf impact
4205 * on some DBs.
4206 *
4207 * @param $context - object
4208 * @param $capability - string capability
4209 * @param $fields - fields to be pulled
4210 * @param $sort - the sort order
4211 * @param $limitfrom - number of records to skip (offset)
4212 * @param $limitnum - number of records to fetch
4213 * @param $groups - single group or array of groups - only return
4214 * users who are in one of these group(s).
4215 * @param $exceptions - list of users to exclude
4216 * @param view - set to true when roles are pulled for display only
4217 * this is so that we can filter roles with no visible
4218 * assignment, for example, you might want to "hide" all
4219 * course creators when browsing the course participants
4220 * list.
4221 * @param boolean $useviewallgroups if $groups is set the return users who
4222 * have capability both $capability and moodle/site:accessallgroups
4223 * in this context, as well as users who have $capability and who are
4224 * in $groups.
4225 */
4234 // Context is the frontpage
4242 }
4243 }
4245 // What roles/rolecaps are interesting?
4252 // This is an outer join against
4253 // admin-ish roleids. Any row that succeeds
4254 // in JOINing here ends up removed from
4255 // the resultset. This means we remove
4256 // rolecaps from roles that also have
4257 // 'doanything' capabilities.
4259 SELECT DISTINCT rc.roleid
4261 WHERE rc.capability='moodle/site:doanything'
4264 ) dar
4267 }
4269 // fetch all capability records - we'll walk several
4270 // times over them, and should be a small set
4276 ctx.depth AS ctxdepth, ctx.contextlevel AS ctxlevel
4279 $doanything_join
4281 $doanything_cond
4288 }
4289 }
4290 }
4296 }
4298 // is the default role interesting? does it have
4299 // a relevant rolecap? (we use this a lot later)
4304 }
4306 //
4307 // Prepare query clauses
4308 //
4310 /// Groups
4316 }
4327 }
4328 }
4330 /// User exceptions
4333 }
4335 /// Set up hidden role-assignments sql
4342 }
4344 // Collect WHERE conditions
4348 }
4350 /// Set up default fields
4356 }
4357 }
4359 /// Set up default sort
4365 }
4366 }
4369 // User lastaccess JOIN
4370 if ((strpos($sort, 'ul.timeaccess') === FALSE) and (strpos($fields, 'ul.timeaccess') === FALSE)) { // user_lastaccess is not required MDL-13810
4375 }
4377 //
4378 // Simple cases - No negative permissions means we can take shortcuts
4379 //
4382 // at the frontpage, and all site users have it - easy!
4390 }
4392 // all site users have it, anyway
4393 // TODO: NOT ALWAYS! Check this case because this gets run for cases like this:
4394 // 1) Default role has the permission for a module thing like mod/choice:choose
4395 // 2) We are checking for an activity module context in a course
4396 // 3) Thus all users are returned even though course:view is also required
4400 $uljoin
4401 $where
4404 }
4406 /// Simple SQL assuming no negative rolecaps.
4407 /// We use a subselect to grab the role assignments
4408 /// ensuring only one row per user -- even if they
4409 /// have many "relevant" role assignments.
4412 JOIN (SELECT DISTINCT ssra.userid
4416 $sscondhiddenra
4417 ) ra ON ra.userid = u.id
4422 }
4424 }
4426 //
4427 // If there are any negative rolecaps, we need to
4428 // work through a subselect that will bring several rows
4429 // per user (one per RA).
4430 // Since we cannot do the job in pure SQL (not without SQL stored
4431 // procedures anyway), we end up tied to processing the data in PHP
4432 // all the way down to pagination.
4433 //
4434 // In some cases, this will mean bringing across a ton of data --
4435 // when paginating, we have to walk the permisisons of all the rows
4436 // in the _previous_ pages to get the pagination correct in the case
4437 // of users that end up not having the permission - this removed.
4438 //
4440 // Prepare the role permissions datastructure for fast lookups
4453 }
4454 // override - as we are going
4455 // from general to local perms
4456 // (as per the ORDER BY...depth ASC above)
4457 // and local perms win...
4460 }
4462 }
4465 || $isfrontpage
4468 // Handle system / sitecourse / defaultrole-with-perhaps-neg-overrides
4469 // with a SELECT FROM user LEFT OUTER JOIN against ra -
4470 // This is expensive on the SQL and PHP sides -
4471 // moves a ton of data across the wire.
4473 ctx.depth
4476 ON (ra.userid = u.id
4481 ON ra.contextid=ctx.id
4484 // "Normal complex case" - the rolecaps we are after will
4485 // be defined in a role assignment somewhere.
4487 ctx.depth
4490 ON ra.contextid=ctx.id
4492 $condhiddenra
4494 }
4499 ON ra.userid=u.id
4504 }
4506 // Each user's entries MUST come clustered together
4507 // and RAs ordered in depth DESC - the role/cap resolution
4508 // code depends on this.
4514 //
4515 // Process the user accounts+RAs, folding repeats together...
4516 //
4517 // The processing for this recordset is tricky - to fold
4518 // the role/perms of users with multiple role-assignments
4519 // correctly while still processing one-row-at-a-time
4520 // we need to add a few additional 'private' fields to
4521 // the results array - so we can treat the rows as a
4522 // state machine to track the cap/perms and at what RA-depth
4523 // and RC-depth they were defined.
4524 //
4525 // So what we do here is:
4526 // - loop over rows, checking pagination limits
4527 // - when we find a new user, if we are in the page add it to the
4528 // $results, and start building $ras array with its role-assignments
4529 // - when we are dealing with the next user, or are at the end of the userlist
4530 // (last rec or last in page), trigger the check-permission idiom
4531 // - the check permission idiom will
4532 // - add the default enrolment if needed
4533 // - call has_capability_from_rarc(), which based on RAs and RCs will return a bool
4534 // (should be fairly tight code ;-) )
4535 // - if the user has permission, all is good, just $c++ (counter)
4536 // - ...else, decrease the counter - so pagination is kept straight,
4537 // and (if we are in the page) remove from the results
4538 //
4541 // pagination controls
4546 //
4547 // Track our last user id so we know when we are dealing
4548 // with a new user...
4549 //
4551 //
4552 // In this loop, we
4553 // $ras: role assignments, multidimensional array
4554 // treat as a stack - going from local to general
4555 // $ras = (( roleid=> x, $depth=>y) , ( roleid=> x, $depth=>y))
4556 //
4559 //error_log(" Record: " . print_r($user,1));
4561 //
4562 // Pagination controls
4563 // Note that we might end up removing a user
4564 // that ends up _not_ having the rights,
4565 // therefore rolling back $c
4566 //
4569 // Did the last user end up with a positive permission?
4572 // add the role at the end of $ras
4575 }
4579 // remove the user from the result set,
4580 // only if we are 'in the page'
4583 }
4584 }
4585 }
4587 // Did we hit pagination limit?
4590 }
4592 // New user setup, and $ras reset
4598 }
4600 // if we are 'in the page', also add the rec
4601 // to the results...
4604 }
4606 // Additional RA for $lastuserid
4609 }
4613 // Prune last entry if necessary
4616 // add the role at the end of $ras
4619 }
4621 // remove the user from the result set,
4622 // only if we are 'in the page'
4626 }
4627 }
4628 }
4629 }
4632 }
4634 /*
4635 * Fast (fast!) utility function to resolve if a capability is granted,
4636 * based on Role Assignments and Role Capabilities.
4637 *
4638 * Used (at least) by get_users_by_capability().
4639 *
4640 * If PHP had fast built-in memoize functions, we could
4641 * add a $contextid parameter and memoize the return values.
4642 *
4643 * @param array $ras - role assignments
4644 * @param array $roleperms - role permissions
4645 * @param string $capability - name of the capability
4646 * @param bool $doanything
4647 * @return boolean
4648 *
4649 */
4651 // Mini-state machine, using $hascap
4652 // $hascap[ 'moodle/foo:bar' ]->perm = CAP_SOMETHING (numeric constant)
4653 // $hascap[ 'moodle/foo:bar' ]->radepth = depth of the role assignment that set it
4654 // $hascap[ 'moodle/foo:bar' ]->rcdepth = depth of the rolecap that set it
4655 // -- when resolving conflicts, we need to look into radepth first, if unresolved
4660 }
4664 //
4665 // Compute which permission/roleassignment/rolecap
4666 // wins for each capability we are walking
4667 //
4671 // nothing set for this cap - skip
4673 }
4674 // We explicitly clone here as we
4675 // add more properties to it
4676 // that must stay separate from the
4677 // original roleperm data structure
4681 // Trivial case, we are the first to set
4684 }
4686 //
4687 // Resolve who prevails, in order of precendence
4688 // - Prohibits always wins
4689 // - Locality of RA
4690 // - Locality of RC
4691 //
4692 //// Prohibits...
4696 }
4699 }
4701 // Locality of RA - the look is ordered by depth DESC
4702 // so from local to general -
4703 // Higher RA loses to local RA... unless perm===0
4704 /// Thanks to the order of the records, $rp->radepth <= $hascap[$cap]->radepth
4707 }
4710 // Wider RA loses to local RAs...
4713 // "Higher RA resolves conflict" case,
4714 // local RAs had cancelled eachother
4717 }
4718 }
4719 // Same ralevel - locality of RC wins
4723 }
4726 }
4727 // We match depth - add them
4729 }
4730 }
4735 }
4737 }
4739 /**
4740 * Will re-sort a $users results array (from get_users_by_capability(), usually)
4741 * based on a sorting policy. This is to support the odd practice of
4742 * sorting teachers by 'authority', where authority was "lowest id of the role
4743 * assignment".
4744 *
4745 * Will execute 1 database query. Only suitable for small numbers of users, as it
4746 * uses an u.id IN() clause.
4747 *
4748 * Notes about the sorting criteria.
4749 *
4750 * As a default, we cannot rely on role.sortorder because then
4751 * admins/coursecreators will always win. That is why the sane
4752 * rule "is locality matters most", with sortorder as 2nd
4753 * consideration.
4754 *
4755 * If you want role.sortorder, use the 'sortorder' policy, and
4756 * name explicitly what roles you want to cover. It's probably
4757 * a good idea to see what roles have the capabilities you want
4758 * (array_diff() them against roiles that have 'can-do-anything'
4759 * to weed out admin-ish roles. Or fetch a list of roles from
4760 * variables like $CFG->coursemanagers .
4761 *
4762 * @param array users Users' array, keyed on userid
4763 * @param object context
4764 * @param array roles - ids of the roles to include, optional
4765 * @param string policy - defaults to locality, more about
4766 * @return array - sorted copy of the array
4767 */
4768 function sort_by_roleassignment_authority($users, $context, $roles=array(), $sortpolicy='locality') {
4777 }
4782 ON ra.roleid=r.id
4784 ON ra.contextid=ctx.id
4785 WHERE
4786 $userswhere
4788 $roleswhere
4791 // Default 'locality' policy -- read PHPDoc notes
4792 // about sort policies...
4794 ctx.depth DESC, /* locality wins */
4795 r.sortorder ASC, /* rolesorting 2nd criteria */
4799 r.sortorder ASC, /* rolesorting 2nd criteria */
4801 }
4808 // Avoid duplicates
4811 }
4814 // assign
4816 }
4818 }
4820 /**
4821 * gets all the users assigned this role in this context or higher
4822 * @param int roleid (can also be an array of ints!)
4823 * @param int contextid
4824 * @param bool parent if true, get list of users assigned in higher context too
4825 * @param string fields - fields from user (u.) , role assignment (ra) or role (r.)
4826 * @param string sort - sort from user (u.) , role assignment (ra) or role (r.)
4827 * @param bool gethidden - whether to fetch hidden enrolments too
4828 * @return array()
4829 */
4830 function get_role_users($roleid, $context, $parent=false, $fields='', $sort='u.lastname ASC', $gethidden=true, $group='', $limitfrom='', $limitnum='') {
4838 }
4840 // whether this assignment is hidden
4849 }
4850 }
4858 }
4867 }
4872 ON u.id = ra.userid
4874 ON ra.roleid = r.id
4875 $groupjoin
4877 $roleselect
4878 $groupselect
4879 $hiddensql
4884 }
4886 /**
4887 * Counts all the users assigned this role in this context or higher
4888 * @param int roleid
4889 * @param int contextid
4890 * @param bool parent if true, get list of users assigned in higher context too
4891 * @return array()
4892 */
4901 }
4904 }
4909 ON u.id = r.userid
4915 }
4917 /**
4918 * This function gets the list of courses that this user has a particular capability in.
4919 * It is still not very efficient.
4920 * @param string $capability Capability in question
4921 * @param int $userid User ID or null for current user
4922 * @param bool $doanything True if 'doanything' is permitted (default)
4923 * @param string $fieldsexceptid Leave blank if you only need 'id' in the course records;
4924 * otherwise use a comma-separated list of the fields you require, not including id
4925 * @param string $orderby If set, use a comma-separated list of fields from course
4926 * table with sql modifiers (DESC) if needed
4927 * @return array Array of courses, may have zero entries. Or false if query failed.
4928 */
4929 function get_user_capability_course($capability, $userid=NULL,$doanything=true,$fieldsexceptid='',$orderby='') {
4930 // Convert fields list and ordering
4936 }
4937 }
4944 }
4946 }
4948 }
4950 // Obtain a list of everything relevant about all courses including context.
4951 // Note the result can be used directly as a context (we are going to), the course
4952 // fields are just appended.
4955 SELECT
4957 FROM
4960 $orderby
4964 }
4966 // Check capability for each course in turn
4970 // We've got the capability. Make the record look like a course record
4971 // and store it
4977 }
4978 }
4980 }
4982 /** This function finds the roles assigned directly to this context only
4983 * i.e. no parents role
4984 * @param object $context
4985 * @return array
4986 */
4994 WHERE ra.roleid = r.id
4997 }
4999 /**
5000 * Switches the current user to another role for the current session and only
5001 * in the given context.
5002 *
5003 * The caller *must* check
5004 * - that this op is allowed
5005 * - that the requested role can be assigned in this ctx
5006 * (hint, use get_assignable_roles_for_switchrole())
5007 * - that the requested role is NOT $CFG->defaultuserroleid
5008 *
5009 * To "unswitch" pass 0 as the roleid.
5010 *
5011 * This function *will* modify $USER->access - beware
5012 *
5013 * @param integer $roleid
5014 * @param object $context
5015 * @return bool
5016 */
5020 //
5021 // Plan of action
5022 //
5023 // - Add the ghost RA to $USER->access
5024 // as $USER->access['rsw'][$path] = $roleid
5025 //
5026 // - Make sure $USER->access['rdef'] has the roledefs
5027 // it needs to honour the switcheroo
5028 //
5029 // Roledefs will get loaded "deep" here - down to the last child
5030 // context. Note that
5031 //
5032 // - When visiting subcontexts, our selective accessdata loading
5033 // will still work fine - though those ra/rdefs will be ignored
5034 // appropriately while the switch is in place
5035 //
5036 // - If a switcheroo happens at a category with tons of courses
5037 // (that have many overrides for switched-to role), the session
5038 // will get... quite large. Sometimes you just can't win.
5039 //
5040 // To un-switch just unset($USER->access['rsw'][$path])
5041 //
5043 // Add the switch RA
5046 }
5052 }
5054 }
5058 // Load roledefs
5062 /* DO WE NEED THIS AT ALL???
5063 // Add some permissions we are really going
5064 // to always need, even if the role doesn't have them!
5066 $USER->capabilities[$context->id]['moodle/course:view'] = CAP_ALLOW;
5067 */
5070 }
5073 // get any role that has an override on exact context
5081 WHERE rc.roleid = r.id
5083 }
5085 // get all capabilities for this role on this context (overrids)
5094 }
5096 // find out which roles has assignment on this context
5104 WHERE ra.roleid = r.id
5106 }
5110 /**
5111 * Find all user assignemnt of users for this role, on this context
5112 */
5121 }
5123 /**
5124 * Simple function returning a boolean true if roles exist, otherwise false
5125 */
5129 return record_exists('role_assignments', 'userid', $userid, 'roleid', $roleid, 'contextid', $contextid);
5132 }
5133 }
5135 /**
5136 * Get role name or alias if exists and format the text.
5137 * @param object $role role object
5138 * @param object $coursecontext
5139 * @return $string name of role in course context
5140 */
5146 }
5147 }
5149 /**
5150 * Prepare list of roles for display, apply aliases and format text
5151 * @param array $roleoptions array roleid=>rolename
5152 * @param object $context
5153 * @return array of role names
5154 */
5157 if ($context->contextlevel == CONTEXT_MODULE || $context->contextlevel == CONTEXT_BLOCK) { // find the parent course context
5160 }
5161 }
5167 }
5168 }
5172 $roleoptions[$alias->roleid] = format_string($alias->name).' ('.format_string($roleoptions[$alias->roleid]).')';
5173 }
5174 }
5175 }
5176 }
5177 }
5180 }
5182 }
5184 /**
5185 * This function helps admin/roles/manage.php etc to detect if a new line should be printed
5186 * when we read in a new capability
5187 * most of the time, if the 2 components are different we should print a new line, (e.g. course system->rss client)
5188 * but when we are in grade, all reports/import/export capabilites should be together
5189 * @param string a - component string a
5190 * @param string b - component string b
5191 * @return bool - whether 2 component are in different "sections"
5192 */
5197 }
5205 // we are in gradebook, still
5206 if (($compsa[0] == 'gradeexport' || $compsa[0] == 'gradeimport' || $compsa[0] == 'gradereport') &&
5209 }
5210 }
5213 }
5215 /**
5216 * Populate context.path and context.depth where missing.
5217 * @param bool $force force a complete rebuild of the path and depth fields.
5218 * @param bool $feedback display feedback (during upgrade usually)
5219 * @return void
5220 */
5225 // System context
5229 // Sitecourse
5241 }
5249 }
5251 /* MDL-11347:
5252 * - mysql does not allow to use FROM in UPDATE statements
5253 * - using two tables after UPDATE works in mysql, but might give unexpected
5254 * results in pg 8 (depends on configuration)
5255 * - using table alias in UPDATE does not work in pg < 8.2
5256 */
5259 SET ct.path = temp.path,
5260 ct.depth = temp.depth
5264 SET (ct.path, ct.depth) =
5265 (SELECT temp.path, temp.depth
5267 WHERE temp.id=ct.id)
5268 WHERE EXISTS (SELECT 'x'
5273 SET path = temp.path,
5274 depth = temp.depth
5277 }
5281 // Top level categories
5285 AND EXISTS (SELECT 'x'
5288 AND cc.depth=1)
5295 // Deeper categories - one query per depthlevel
5307 AND NOT EXISTS (SELECT 'x'
5309 WHERE temp.id = ctx.id)
5313 // this is needed after every loop
5314 // MDL-11532
5317 }
5319 // Courses -- except sitecourse
5328 AND NOT EXISTS (SELECT 'x'
5330 WHERE temp.id = ctx.id)
5337 // Module instances
5345 AND NOT EXISTS (SELECT 'x'
5347 WHERE temp.id = ctx.id)
5354 // Blocks - non-pinned course-view only
5362 AND bi.pagetype='course-view'
5363 AND NOT EXISTS (SELECT 'x'
5365 WHERE temp.id = ctx.id)
5372 // Blocks - others
5376 AND EXISTS (SELECT 'x'
5379 AND bi.pagetype!='course-view')
5383 // User
5387 AND EXISTS (SELECT 'x'
5393 // Personal TODO
5395 //TODO: fix group contexts
5397 // reset static course cache - it might have incorrect cached data
5402 }
5404 /**
5405 * Update the path field of the context and
5406 * all the dependent subcontexts that follow
5407 * the move.
5408 *
5409 * The most important thing here is to be as
5410 * DB efficient as possible. This op can have a
5411 * massive impact in the DB.
5412 *
5413 * @param obj current context obj
5414 * @param obj newparent new parent obj
5415 *
5416 */
5426 }
5429 $setdepth
5436 $setdepth
5442 }
5445 /**
5446 * Turn the ctx* fields in an objectlike record
5447 * into a context subobject. This allows
5448 * us to SELECT from major tables JOINing with
5449 * context at no cost, saving a ton of context
5450 * lookups...
5451 */
5462 }
5464 /**
5465 * Fetch recent dirty contexts to know cheaply whether our $USER->access
5466 * is stale and needs to be reloaded.
5467 *
5468 * Uses cache_flags
5469 * @param int $time
5470 * @return array of dirty contexts
5471 */
5474 }
5476 /**
5477 * Mark a context as dirty (with timestamp)
5478 * so as to force reloading of the context.
5479 * @param string $path context path
5480 */
5483 // only if it is a non-empty string
5488 }
5489 }
5490 }
5492 /**
5493 * Will walk the contextpath to answer whether
5494 * the contextpath is dirty
5495 *
5496 * @param array $contexts array of strings
5497 * @param obj/array dirty contexts from get_dirty_contexts()
5498 * @return bool
5499 */
5506 }
5507 }
5509 }
5511 /**
5512 *
5513 * switch role order (used in admin/roles/manage.php)
5514 *
5515 * @param int $first id of role to move down
5516 * @param int $second id of role to move up
5517 *
5518 * @return bool success or failure
5519 */
5522 //first find temorary sortorder number
5526 }
5538 }
5543 }
5549 }
5552 }
5554 /**
5555 * duplicates all the base definitions of a role
5556 *
5557 * @param object $sourcerole role to copy from
5558 * @param int $targetrole id of role to copy to
5559 *
5560 * @return void
5561 */
5568 // adding capabilities
5573 }