| blob | a091f0889d20be424da70269daa56eceab47d06e |
1 <?php
2 /**
3 * Capability session information format
4 * 2 x 2 array
5 * [context][capability]
6 * where context is the context id of the table 'context'
7 * and capability is a string defining the capability
8 * e.g.
9 *
10 * [Capabilities] => [26][mod/forum:viewpost] = 1
11 * [26][mod/forum:startdiscussion] = -8990
12 * [26][mod/forum:editallpost] = -1
13 * [273][moodle:blahblah] = 1
14 * [273][moodle:blahblahblah] = 2
15 */
19 // permission definitions
25 // context definitions
35 // capability risks - see http://docs.moodle.org/en/Hardening_new_Roles_system
44 $context_cache = array(); // Cache of all used context objects for performance (by level and instance)
49 //this is really slow!!!! - do not use above course context level!
53 // first emulate the parent context capabilities merging into context
57 if ($capabilities = get_records_select('role_capabilities', "roleid = $roleid AND contextid = $cid")) {
61 }
63 }
64 }
65 }
67 // now go through the contexts bellow given context
70 if ($capabilities = get_records_select('role_capabilities', "roleid = $roleid AND contextid = $cid")) {
74 }
76 }
77 }
78 }
81 }
89 }
91 }
92 }
94 }
99 }
103 }
108 }
112 }
114 }
115 }
117 }
119 /**
120 * Loads the capabilities for the default guest role to the current user in a
121 * specific context.
122 * @return object
123 */
132 }
133 }
141 }
142 }
144 /**
145 * Load default not logged in role capabilities when user is not logged in
146 * @return bool
147 */
153 }
160 }
161 }
169 }
170 }
172 /**
173 * Load default logged in role capabilities for all logged in users
174 * @return bool
175 */
181 }
188 }
189 }
193 // fix the guest user heritage:
194 // If the default role is a guest role, then don't copy legacy:guest,
195 // otherwise this user could get confused with a REAL guest. Also don't copy
196 // course:view, which is a hack that's necessary because guest roles are
197 // not really handled properly (see MDL-7513)
201 }
209 }
210 }
213 /**
214 * Get the default guest role
215 * @return object role
216 */
228 }
233 //somebody is messing with guest roles, remove incorrect setting and try to find a new one
236 }
237 }
238 }
241 /**
242 * This functions get all the course categories in proper order
243 * (!)note this only gets course category contexts, and not the site
244 * context
245 * @param object $context
246 * @param int $type
247 * @return array of contextids
248 */
254 // a category can be the parent of another category
255 // there is no limit of depth in this case
259 }
264 }
267 }
270 // a course always fall into a category, unless it's a site course
271 // this happens when SITEID == $course->id
272 // in this case the parent of the course is site context
276 }
279 }
285 }
286 // Yu: Separating site and site course context
289 }
294 }
297 }
302 }
304 }
308 /**
309 * This function checks for a capability assertion being true. If it isn't
310 * then the page is terminated neatly with a standard error message
311 * @param string $capability - name of the capability
312 * @param object $context - a context object (record from context table)
313 * @param integer $userid - a userid number
314 * @param bool $doanything - if false, ignore do anything
315 * @param string $errorstring - an errorstring
316 * @param string $stringfile - which stringfile to get it from
317 */
323 /// If the current user is not logged in, then make sure they are (if needed)
332 }
337 }
341 }
345 }
346 }
348 /// OK, if they still don't have the capability then print a nice error message
353 }
354 }
357 /**
358 * This function returns whether the current user has the capability of performing a function
359 * For example, we can do has_capability('mod/forum:replypost',$cm) in forum
360 * only one of the 4 (moduleinstance, courseid, site, userid) would be set at 1 time
361 * This is a recursive funciton.
362 * @uses $USER
363 * @param string $capability - name of the capability (or debugcache or clearcache)
364 * @param object $context - a context object (record from context table)
365 * @param integer $userid - a userid number
366 * @param bool $doanything - if false, ignore do anything
367 * @return bool
368 */
376 /// Cache management
381 }
383 /// Some sanity checks
388 }
391 }
393 debugging('Capability parameter "doanything" is wierd ("'.$doanything.'"). This should be fixed in code.');
394 }
396 debugging('Incorrect context parameter "'.$context.'" for has_capability(), object expected! This should be fixed in code.');
397 }
398 }
400 /// Make sure we know the current context
406 }
410 }
411 }
413 /// Check and return cache in case we've processed this one before.
414 $requsteduser = empty($userid) ? $USER->id : $userid; // find out the requested user id, $USER->id might have been changed
419 }
422 /// Load up the capabilities list or item as necessary
426 //caching - helps user switching in cron
433 }
438 }
442 // this is expensive!
446 }
448 }
452 }
457 }
460 }
462 /// We act a little differently when switchroles is active
467 /// First deal with the "doanything" capability
471 /// First make sure that we aren't in a "switched role"
482 }
483 }
484 }
485 }
486 }
488 /// Check the site context for doanything (most common) first
496 }
497 }
498 /// If it's not set at site level, it is possible to be set on other levels
499 /// Though this usage is not common and can cause risks
503 // Check parent cats.
510 }
511 }
515 // Check parent cat.
523 }
524 }
528 // Find course.
538 }
539 }
546 }
551 // Find course.
561 }
562 }
563 }
569 }
574 // not necessarily 1 to 1 to course.
585 }
586 }
592 }
598 }
599 }
603 // CONTEXT_SYSTEM: CONTEXT_PERSONAL: CONTEXT_USER:
604 // Do nothing, because the parents are site context
605 // which has been checked already
607 }
609 // Last: check self.
614 }
615 }
616 // do_anything has not been set, we now look for it the normal way.
621 }
624 /**
625 * In a separate function so that we won't have to deal with do_anything.
626 * again. Used by function has_capability().
627 * @param $capability - capability string
628 * @param $context - the context object
629 * @param $capabilities - either $USER->capability or loaded array (for other users)
630 * @return permission (int)
631 */
638 }
639 // if already set in the array explicitly, no need to look for it in parent
640 // context any longer
643 }
645 /* Then, we check the cache recursively */
670 }
676 // find the course cat, and return its value
682 }
684 }
705 }
712 }
715 }
717 /**
718 * auxillary function for load_user_capabilities()
719 * checks if context c1 is a parent (or itself) of context c2
720 * @param int $c1 - context id of context 1
721 * @param int $c2 - context id of context 2
722 * @return bool
723 */
727 // context can be itself and this is ok
730 }
731 // hit in cache?
734 }
738 }
742 }
746 }
753 }
754 }
757 /**
758 * auxillary function for load_user_capabilities()
759 * handler in usort() to sort contexts according to level
760 * @param object contexta
761 * @param object contextb
762 * @return int
763 */
767 }
769 }
771 /**
772 * It will build an array of all the capabilities at each level
773 * i.e. site/metacourse/course_category/course/moduleinstance
774 * Note we should only load capabilities if they are explicitly assigned already,
775 * we should not load all module's capability!
776 *
777 * [Capabilities] => [26][forum_post] = 1
778 * [26][forum_start] = -8990
779 * [26][forum_edit] = -1
780 * [273][blah blah] = 1
781 * [273][blah blah blah] = 2
782 *
783 * @param $capability string - Only get a specific capability (string)
784 * @param $context object - Only get capabilities for a specific context object
785 * @param $userid integer - the id of the user whose capabilities we want to load
786 * @return array of permissions (or nothing if they get assigned to $USER)
787 */
792 // this flag has not been set!
793 // (not clean install, or upgraded successfully to 1.7 and up)
796 }
802 }
805 check_enrolment_plugins($USER); // Call "enrol" system to ensure that we have the correct picture
813 }
818 }
821 /// First we generate a list of all relevant contexts of the user
833 }
834 }
835 }
836 }
838 /// Set up SQL fragments for searching contexts
845 }
851 }
853 /// Then we use 1 giant SQL to bring out all relevant capabilities.
854 /// The first part gets the capabilities of orginal role.
855 /// The second part gets the capabilities of overriden roles.
860 // SQL for normal capabilities
861 $SQL1 = "SELECT rc.capability, c1.id as id1, c1.id as id2, (c1.contextlevel * 100) AS aggrlevel,
862 SUM(rc.permission) AS sum
863 FROM
867 WHERE
868 ra.contextid=c1.id AND
869 ra.roleid=rc.roleid AND
871 $searchcontexts1
873 $capsearch
874 GROUP BY
875 rc.capability, c1.id, c1.contextlevel * 100
876 HAVING
877 SUM(rc.permission) != 0
879 UNION ALL
881 SELECT rc.capability, c1.id as id1, c2.id as id2, (c1.contextlevel * 100 + c2.contextlevel) AS aggrlevel,
882 SUM(rc.permission) AS sum
883 FROM
889 WHERE
891 $searchcontexts1
893 $capsearch
894 AND cr.c2 = c1.id
895 GROUP BY
896 rc.capability, c1.id, c2.id, c1.contextlevel * 100 + c2.contextlevel
897 HAVING
898 SUM(rc.permission) != 0
899 ORDER BY
904 }
916 }
917 }
919 }
921 }
923 // SQL for overrides
924 // this is take out because we have no way of making sure c1 is indeed related to c2 (parent)
925 // if we do not group by sum, it is possible to have multiple records of rc.capability, c1.id, c2.id, tuple having
926 // different values, we can maually sum it when we go through the list
928 /*
930 $SQL2 = "SELECT rc.capability, c1.id as id1, c2.id as id2, (c1.contextlevel * 100 + c2.contextlevel) AS aggrlevel,
931 rc.permission AS sum
932 FROM
933 {$CFG->prefix}role_assignments ra,
934 {$CFG->prefix}role_capabilities rc,
935 {$CFG->prefix}context c1,
936 {$CFG->prefix}context c2
937 WHERE
938 ra.contextid=c1.id AND
939 ra.roleid=rc.roleid AND
940 ra.userid=$userid AND
941 rc.contextid=c2.id AND
942 $searchcontexts1
943 rc.contextid != $siteinstance->id
944 $capsearch
946 GROUP BY
947 rc.capability, (c1.contextlevel * 100 + c2.contextlevel), c1.id, c2.id, rc.permission
948 ORDER BY
949 aggrlevel ASC
950 ";*/
952 /*
953 if (!$rs = get_recordset_sql($SQL2)) {
954 error("Query failed in load_user_capability.");
955 }
957 if ($rs && $rs->RecordCount() > 0) {
958 while ($caprec = rs_fetch_next_record($rs)) {
959 $array = (array)$caprec;
960 $temprecord = new object;
962 foreach ($array as $key=>$val) {
963 if ($key == 'aggrlevel') {
964 $temprecord->contextlevel = $val;
965 } else {
966 $temprecord->{$key} = $val;
967 }
968 }
969 // for overrides, we have to make sure that context2 is a child of context1
970 // otherwise the combination makes no sense
971 //if (is_parent_context($temprecord->id1, $temprecord->id2)) {
972 $capabilities[] = $temprecord;
973 //} // only write if relevant
974 }
975 rs_close($rs);
976 }
978 // this step sorts capabilities according to the contextlevel
979 // it is very important because the order matters when we
980 // go through each capabilities later. (i.e. higher level contextlevel
981 // will override lower contextlevel settings
982 usort($capabilities, 'roles_context_cmp');
983 */
984 /* so up to this point we should have somethign like this
985 * $capabilities[1] ->contextlevel = 1000
986 ->module = 0 // changed from SITEID in 1.8 (??)
987 ->capability = do_anything
988 ->id = 1 (id is the context id)
989 ->sum = 0
991 * $capabilities[2] ->contextlevel = 1000
992 ->module = 0 // changed from SITEID in 1.8 (??)
993 ->capability = post_messages
994 ->id = 1
995 ->sum = -9000
997 * $capabilittes[3] ->contextlevel = 3000
998 ->module = course
999 ->capability = view_course_activities
1000 ->id = 25
1001 ->sum = 1
1003 * $capabilittes[4] ->contextlevel = 3000
1004 ->module = course
1005 ->capability = view_course_activities
1006 ->id = 26
1007 ->sum = 0 (this is another course)
1009 * $capabilities[5] ->contextlevel = 3050
1010 ->module = course
1011 ->capability = view_course_activities
1012 ->id = 25 (override in course 25)
1013 ->sum = -1
1014 * ....
1015 * now we proceed to write the session array, going from top to bottom
1016 * at anypoint, we need to go up and check parent to look for prohibit
1017 */
1018 // print_object($capabilities);
1020 /* This is where we write to the actualy capabilities array
1021 * what we need to do from here on is
1022 * going down the array from lowest level to highest level
1023 * 1) recursively check for prohibit,
1024 * if any, we write prohibit
1025 * else, we write the value
1026 * 2) at an override level, we overwrite current level
1027 * if it's not set to prohibit already, and if different
1028 * ........ that should be it ........
1029 */
1031 // This is the flag used for detecting the current context level. Since we are going through
1032 // the array in ascending order of context level. For normal capabilities, there should only
1033 // be 1 value per (capability, contextlevel, context), because they are already summed. But,
1034 // for overrides, since we are processing them separate, we need to sum the relevcant entries.
1035 // We set this flag when we hit a new level.
1036 // If the flag is already set, we keep adding (summing), otherwise, we just override previous
1037 // settings (from lower level contexts)
1044 }
1046 if (!empty($otheruserid)) { // we are pulling out other user's capabilities, do not write to session
1051 }
1052 if (isset($usercap[$capability->id2][$capability->capability])) { // use isset because it can be sum 0
1058 }
1062 }
1066 if (capability_prohibits($capability->capability, $context, $capability->sum)) { // if any parent or parent's parent is set to prohibit
1069 }
1071 // if no parental prohibit set
1072 // just write to session, i am not sure this is correct yet
1073 // since 3050 shows up after 3000, and 3070 shows up after 3050,
1074 // it should be ok just to overwrite like this, provided that there's no
1075 // parental prohibits
1076 // we need to write even if it's 0, because it could be an inherit override
1083 }
1087 }
1088 }
1089 }
1091 // now we don't care about the huge array anymore, we can dispose it.
1097 }
1098 }
1101 /**
1102 * A convenience function to completely load all the capabilities
1103 * for the current user. This is what gets called from login, for example.
1104 */
1108 //caching - helps user switching in cron
1119 }
1125 // load only course caqpabilitites - it may not always work as expected
1127 // find all child contexts and unset the rest
1133 }
1134 }
1137 }
1138 }
1145 // first prune context and any child contexts
1149 }
1152 // now merge all switched role caps in context and bellow
1155 }
1156 }
1162 }
1163 }
1166 /**
1167 * Check all the login enrolment information for the given user object
1168 * by querying the enrolment plugins
1169 */
1177 }
1185 }
1189 if (method_exists($enrol, 'setup_enrolments')) { /// Plugin supports Roles (Moodle 1.7 and later)
1194 }
1197 }
1199 /// deal with $user->students and $user->teachers stuff
1202 }
1204 }
1207 }
1210 /**
1211 * This is a recursive function that checks whether the capability in this
1212 * context, or the parent capabilities are set to prohibit.
1213 *
1214 * At this point, we can probably just use the values already set in the
1215 * session variable, since we are going down the level. Any prohit set in
1216 * parents would already reflect in the session.
1217 *
1218 * @param $capability - capability name
1219 * @param $sum - sum of all capabilities values
1220 * @param $context - the context object
1221 * @param $array - when loading another user caps, their caps are not stored in session but an array
1222 */
1226 // caching, mainly to save unnecessary sqls
1230 }
1235 }
1240 }
1243 // If this capability is set to prohibit.
1246 }
1253 }
1255 // Else if set in session.
1260 }
1261 }
1265 // By now it's a definite an inherit.
1282 // Coursecat -> coursecat or site.
1286 }
1288 // return parent value if exist.
1291 // Return site value.
1293 }
1299 // 1 to 1 to course cat.
1300 // Find the course cat, and return its value.
1304 }
1305 // Yu: Separating site and site course context
1310 }
1316 // 1 to 1 to course.
1320 }
1327 // 1 to 1 to course.
1331 }
1338 // 1 to 1 to course.
1342 }
1351 }
1352 }
1355 /**
1356 * A print form function. This should either grab all the capabilities from
1357 * files or a central table for that particular module instance, then present
1358 * them in check boxes. Only relevant capabilities should print for known
1359 * context.
1360 * @param $mod - module id of the mod
1361 */
1368 // We are in a module specific context.
1370 // Get the mod's name.
1371 // Call the function that grabs the file and parse.
1376 // Print all capabilities.
1378 // Prints the check box component.
1379 }
1380 }
1381 }
1384 /**
1385 * Installs the roles system.
1386 * This function runs on a fresh install as well as on an upgrade from the old
1387 * hard-coded student/teacher/admin etc. roles to the new roles system.
1388 */
1393 /// Create a system wide context for assignemnt.
1397 /// Create default/legacy roles and capabilities.
1398 /// (1 legacy capability per legacy role at system level).
1404 $editteacherrole = create_role(addslashes(get_string('defaultcourseteacher')), 'editingteacher',
1415 /// Now is the correct moment to install capabilities - after creation of legacy roles, but before assigning of roles
1419 }
1422 }
1424 /// Look inside user_admin, user_creator, user_teachers, user_students and
1425 /// assign above new roles. If a user has both teacher and student role,
1426 /// only teacher role is assigned. The assignment should be system level.
1430 /// Set up the progress bar
1438 }
1439 }
1443 /// Upgrade the admins.
1444 /// Sort using id ASC, first one is primary admin.
1452 }
1454 }
1456 // This is a fresh install.
1457 }
1460 /// Upgrade course creators.
1467 }
1469 }
1470 }
1473 /// Upgrade editting teachers and non-editting teachers.
1478 // removed code here to ignore site level assignments
1479 // since the contexts are separated now
1481 // populate the user_lastaccess table
1488 // assign the default student role
1490 // hidden teacher
1495 }
1500 role_assign($noneditteacherrole, $teacher->userid, 0, $coursecontext->id, 0, 0, $hiddenteacher);
1501 }
1504 }
1506 }
1507 }
1510 /// Upgrade students.
1515 // populate the user_lastaccess table
1522 // assign the default student role
1527 }
1529 }
1530 }
1533 /// Upgrade guest (only 1 entry).
1536 }
1540 /// Insert the correct records for legacy roles
1557 /// Set up default permissions for overrides
1567 /// Delete the old user tables when we are done
1574 }
1576 /**
1577 * Returns array of all legacy roles.
1578 */
1588 );
1589 }
1599 //choose first selected legacy capability - reset the rest
1604 }
1605 }
1606 }
1609 }
1611 /**
1612 * Assign the defaults found in this capabality definition to roles that have
1613 * the corresponding legacy capabilities assigned to them.
1614 * @param $legacyperms - an array in the format (example):
1615 * 'guest' => CAP_PREVENT,
1616 * 'student' => CAP_ALLOW,
1617 * 'teacher' => CAP_ALLOW,
1618 * 'editingteacher' => CAP_ALLOW,
1619 * 'coursecreator' => CAP_ALLOW,
1620 * 'admin' => CAP_ALLOW
1621 * @return boolean - success or failure.
1622 */
1633 }
1637 // Assign a site level capability.
1640 }
1641 }
1642 }
1643 }
1645 }
1648 /**
1649 * Checks to see if a capability is a legacy capability.
1650 * @param $capabilityname
1651 * @return boolean
1652 */
1658 }
1659 }
1663 /**********************************
1664 * Context Manipulation functions *
1665 **********************************/
1667 /**
1668 * Create a new context record for use by all roles-related stuff
1669 * @param $level
1670 * @param $instanceid
1671 *
1672 * @return object newly created context (or existing one with a debug warning)
1673 */
1677 debugging('Error: Invalid context creation request for level "'.s($contextlevel).'", instance "'.s($instanceid).'".');
1679 }
1683 }
1688 // we need to populate context_rel for every new context inserted
1693 debugging('Error: could not insert new context level "'.s($contextlevel).'", instance "'.s($instanceid).'".');
1695 }
1697 debugging('Warning: Context id "'.s($context->id).'" not created, because it already exists.');
1699 }
1700 }
1702 /**
1703 * This hacky function is needed because we can not change system context instanceid using normal upgrade routine.
1704 */
1707 // we are going to change instanceid of system context to 0 now
1710 //context rel not affected
1718 // we need not to populate context_rel for system context
1723 }
1724 }
1725 }
1726 /**
1727 * Create a new context record for use by all roles-related stuff
1728 * @param $level
1729 * @param $instanceid
1730 *
1731 * @return true if properly deleted
1732 */
1740 }
1742 }
1744 /**
1745 * Validate that object with instanceid really exists in given context level.
1746 *
1747 * return if instanceid object exists
1748 */
1764 }
1771 //return (boolean)count_records('groups_groups', 'id', $instanceid); //TODO:DONOTCOMMIT:
1782 }
1783 }
1785 /**
1786 * Get the context instance as an object. This function will create the
1787 * context instance if it does not exist yet.
1788 * @param $level
1789 * @param $instance
1790 */
1794 static $allowed_contexts = array(CONTEXT_SYSTEM, CONTEXT_PERSONAL, CONTEXT_USER, CONTEXT_COURSECAT, CONTEXT_COURSE, CONTEXT_GROUP, CONTEXT_MODULE, CONTEXT_BLOCK);
1796 // Yu: Separating site and site course context - removed CONTEXT_COURSE override when SITEID
1798 /// If no level is supplied then return the current global context if there is one
1801 //fatal error, code must be fixed
1805 }
1806 }
1808 /// Backwards compatibility with obsoleted (CONTEXT_SYSTEM, SITEID)
1811 }
1813 /// check allowed context levels
1815 // fatal error, code must be fixed - probably typo or switched parameters
1816 error('Error: get_context_instance() called with incorrect context level "'.s($contextlevel).'"');
1817 }
1819 /// Check the cache
1822 }
1824 /// Get it from the database, or create it
1825 if (!$context = get_record('context', 'contextlevel', $contextlevel, 'instanceid', $instance)) {
1828 }
1830 /// Only add to cache if context isn't empty.
1834 }
1837 }
1840 /**
1841 * Get a context instance as an object, from a given id.
1842 * @param $id
1843 */
1850 }
1856 }
1859 }
1862 /**
1863 * Get the local override (if any) for a given capability in a role in a context
1864 * @param $roleid
1865 * @param $contextid
1866 * @param $capability
1867 */
1869 return get_record('role_capabilities', 'roleid', $roleid, 'capability', $capability, 'contextid', $contextid);
1870 }
1874 /************************************
1875 * DB TABLE RELATED FUNCTIONS *
1876 ************************************/
1878 /**
1879 * function that creates a role
1880 * @param name - role name
1881 * @param shortname - role short name
1882 * @param description - role description
1883 * @param legacy - optional legacy capability
1884 * @return id or false
1885 */
1888 // check for duplicate role name
1892 }
1896 }
1903 //find free sortorder number
1907 }
1911 }
1916 }
1918 /// By default, users with role:manage at site level
1919 /// should be able to assign users to this new role, and override this new role's capabilities
1921 // find all admin roles
1923 // foreach admin role
1925 // write allow_assign and allow_overrid
1928 }
1929 }
1934 }
1936 }
1938 /**
1939 * function that deletes a role and cleanups up after it
1940 * @param roleid - id of role to delete
1941 * @return success
1942 */
1946 // first unssign all users
1950 }
1952 // cleanup all references to this role, ignore errors
1960 }
1962 // finally delete the role itself
1966 }
1969 }
1971 /**
1972 * Function to write context specific overrides, or default capabilities.
1973 * @param module - string name
1974 * @param capability - string name
1975 * @param contextid - context id
1976 * @param roleid - role id
1977 * @param permission - int 1,-1 or -1000
1978 * should not be writing if permission is 0
1979 */
1987 }
1989 $existing = get_record('role_capabilities', 'contextid', $contextid, 'roleid', $roleid, 'capability', $capability);
1993 }
2008 }
2009 }
2012 /**
2013 * Unassign a capability from a role.
2014 * @param $roleid - the role id
2015 * @param $capability - the name of the capability
2016 * @return boolean - success or failure
2017 */
2026 }
2028 }
2031 /**
2032 * Get the roles that have a given capability assigned to it. This function
2033 * does not resolve the actual permission of the capability. It just checks
2034 * for assignment only.
2035 * @param $capability - capability name (string)
2036 * @param $permission - optional, the permission defined for this capability
2037 * either CAP_ALLOW, CAP_PREVENT or CAP_PROHIBIT
2038 * @return array or role objects
2039 */
2050 }
2054 }
2064 }
2066 }
2069 /**
2070 * This function makes a role-assignment (a role for a user or group in a particular context)
2071 * @param $roleid - the role of the id
2072 * @param $userid - userid
2073 * @param $groupid - group id
2074 * @param $contextid - id of the context
2075 * @param $timestart - time this assignment becomes effective
2076 * @param $timeend - time this assignemnt ceases to be effective
2077 * @uses $USER
2078 * @return id - new id of the assigment
2079 */
2080 function role_assign($roleid, $userid, $groupid, $contextid, $timestart=0, $timeend=0, $hidden=0, $enrol='manual') {
2085 /// Do some data validation
2090 }
2095 }
2100 }
2105 }
2110 }
2115 }
2118 /// Check for existing entry
2120 $ra = get_record('role_assignments', 'roleid', $roleid, 'contextid', $context->id, 'userid', $userid);
2122 $ra = get_record('role_assignments', 'roleid', $roleid, 'contextid', $context->id, 'groupid', $groupid);
2123 }
2134 /// Always round timestart downto 100 secs to help DBs to use their own caching algorithms
2135 /// by repeating queries with the same exact parameters in a 100 secs time window
2148 /// Always round timestart downto 100 secs to help DBs to use their own caching algorithms
2149 /// by repeating queries with the same exact parameters in a 100 secs time window
2156 }
2160 /// If the user is the current user, then reload the capabilities too.
2163 }
2165 /// Ask all the modules if anything needs to be done for this user
2172 }
2173 }
2174 }
2176 /// Make sure they have an entry in user_lastaccess for courses they can access
2177 // role_add_lastaccess_entries($userid, $context);
2178 }
2180 /// now handle metacourse role assignments if in course context
2185 }
2186 }
2187 }
2190 }
2193 /**
2194 * Deletes one or more role assignments. You must specify at least one parameter.
2195 * @param $roleid
2196 * @param $userid
2197 * @param $groupid
2198 * @param $contextid
2199 * @return boolean - success or failure
2200 */
2212 }
2213 }
2219 /// infinite loop protection when deleting recursively
2222 }
2225 /// If the user is the current user, then reload the capabilities too.
2228 }
2231 /// Ask all the modules if anything needs to be done for this user
2236 $functionname($ra->userid, $context); // watch out, $context might be NULL if something goes wrong
2237 }
2238 }
2240 /// now handle metacourse role unassigment and removing from goups if in course context
2242 //remove from groups when user has no role
2248 }
2249 }
2250 }
2251 //unassign roles in metacourses if needed
2255 }
2256 }
2257 }
2258 }
2259 }
2260 }
2263 }
2265 /**
2266 * A convenience function to take care of the common case where you
2267 * just want to enrol someone using the default role into a course
2268 *
2269 * @param object $course
2270 * @param object $user
2271 * @param string $enrol - the plugin used to do this enrolment
2272 */
2280 }
2288 }
2295 }
2298 }
2300 /**
2301 * Add last access times to user_lastaccess as required
2302 * @param $userid
2303 * @param $context
2304 * @return boolean - success or failure
2305 */
2312 }
2325 }
2326 }
2334 }
2335 }
2340 }
2341 }
2349 }
2351 }
2352 }
2354 /**
2355 * Delete last access times from user_lastaccess as required
2356 * @param $userid
2357 * @param $context
2358 * @return boolean - success or failure
2359 */
2364 }
2367 /**
2368 * Loads the capability definitions for the component (from file). If no
2369 * capabilities are defined for the component, we simply return an empty array.
2370 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
2371 * @return array of capabilities
2372 */
2383 // Blocks are an exception. Blocks directory is 'blocks', and not
2384 // 'block'. So we need to jump through hoops.
2389 // Similar to the above, course formats are 'format' while they
2390 // are stored in 'course/format'.
2396 }
2397 }
2403 }
2405 }
2408 /**
2409 * Gets the capabilities that have been cached in the database for this
2410 * component.
2411 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
2412 * @return array of capabilities
2413 */
2421 }
2423 }
2425 /**
2426 * Returns default capabilities for given legacy role type.
2427 *
2428 * @param string legacy role name
2429 * @return array
2430 */
2434 }
2442 }
2443 }
2447 }
2448 }
2450 //some exceptions
2454 }
2456 }
2458 /**
2459 * Reset role capabilitites to default according to selected legacy capability.
2460 * If several legacy caps selected, use the first from get_default_capabilities.
2461 * If no legacy selected, removes all capabilities.
2462 *
2463 * @param int @roleid
2464 */
2473 //choose first selected legacy capability
2476 }
2477 }
2483 }
2484 }
2485 }
2487 /**
2488 * Updates the capabilities table with the component capability definitions.
2489 * If no parameters are given, the function updates the core moodle
2490 * capabilities.
2491 *
2492 * Note that the absence of the db/access.php capabilities definition file
2493 * will cause any stored capabilities for the component to be removed from
2494 * the database.
2495 *
2496 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
2497 * @return boolean
2498 */
2508 // update risk bitmasks and context levels in existing capabilities if needed
2512 }
2519 }
2520 }
2524 }
2531 }
2532 }
2533 }
2534 }
2535 }
2537 // Are there new capabilities in the file definition?
2545 }
2547 }
2548 }
2549 // Add new capabilities to the stored definition.
2560 }
2562 // Do we need to assign the new capabilities to roles that have the
2563 // legacy capabilities moodle/legacy:* as well?
2567 }
2568 }
2569 // Are there any capabilities that have been removed from the file
2570 // definition that we need to delete from the stored capabilities and
2571 // role assignments?
2575 }
2578 /**
2579 * Deletes cached capabilities that are no longer needed by the component.
2580 * Also unassigns these capabilities from any roles that have them.
2581 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
2582 * @param $newcapdef - array of the new capability definitions that will be
2583 * compared with the cached capabilities
2584 * @return int - number of deprecated capabilities that have been removed
2585 */
2595 // Remove from capabilities cache.
2600 }
2601 // Delete from roles.
2607 }
2608 }
2609 }
2611 }
2612 }
2614 }
2618 /****************
2619 * UI FUNCTIONS *
2620 ****************/
2623 /**
2624 * prints human readable context identifier.
2625 */
2642 }
2648 }
2658 }
2659 }
2665 }
2673 }
2674 }
2675 }
2687 }
2688 }
2689 }
2696 }
2698 }
2701 /**
2702 * Extracts the relevant capabilities given a contextid.
2703 * All case based, example an instance of forum context.
2704 * Will fetch all forum related capabilities, while course contexts
2705 * Will fetch all capabilities
2706 * @param object context
2707 * @return array();
2708 *
2709 * capabilities
2710 * `name` varchar(150) NOT NULL,
2711 * `captype` varchar(50) NOT NULL,
2712 * `contextlevel` int(10) NOT NULL,
2713 * `component` varchar(100) NOT NULL,
2714 */
2766 }
2770 }
2772 /// the rest of code is a bit hacky, think twice before modifying it :-(
2774 // special sorting of core system capabiltites and enrollments
2775 if (in_array($context->contextlevel, array(CONTEXT_SYSTEM, CONTEXT_COURSECAT, CONTEXT_COURSE))) {
2783 }
2784 }
2787 }
2791 }
2795 }
2798 /**
2799 * Gets the context-independent capabilities that should be overrridable in
2800 * any context.
2801 * @return array of capability records from the capabilities table.
2802 */
2805 //only CONTEXT_SYSTEM capabilities here or it will break the hack in fetch_context_capabilities()
2807 'moodle/site:accessallgroups'
2808 );
2815 }
2817 }
2820 /**
2821 * This function pulls out all the resolved capabilities (overrides and
2822 * defaults) of a role used in capability overrides in contexts at a given
2823 * context.
2824 * @param obj $context
2825 * @param int $roleid
2826 * @param bool self - if set to true, resolve till this level, else stop at immediate parent level
2827 * @return array
2828 */
2840 }
2848 ORDER BY c.contextlevel DESC,
2854 // We are traversing via reverse order.
2856 // If not set yet (i.e. inherit or not set at all), or currently we have a prohibit
2859 }
2860 }
2861 }
2863 }
2865 /**
2866 * Recursive function which, given a context, find all parent context ids,
2867 * and return the array in reverse order, i.e. parent first, then grand
2868 * parent, etc.
2869 * @param object $context
2870 * @return array()
2871 */
2877 }
2892 }
2902 }
2908 }
2919 }
2925 }
2931 // Yu: Separating site and site course context
2936 }
2942 }
2949 }
2955 }
2962 }
2968 }
2975 }
2981 }
2982 }
2985 /**
2986 * Recursive function which, given a context, find all its children context ids.
2987 * @param object $context.
2988 * @return array of children context ids.
2989 */
2998 // No children.
3003 // No children.
3008 // No children.
3013 // Find all block instances for the course.
3021 }
3022 }
3026 }
3027 }
3028 }
3029 // Find all module instances for the course.
3034 }
3035 }
3036 }
3037 // Find all group instances for the course.
3042 }
3043 }
3044 }
3049 // We need to get the contexts for:
3050 // 1) The subcategories of the given category
3051 // 2) The courses in the given category and all its subcategories
3052 // 3) All the child contexts for these courses
3056 // Add the contexts for all the subcategories.
3060 }
3061 }
3063 // Add the parent category as well so we can find the contexts
3064 // for its courses.
3068 // Find all courses for the category.
3074 }
3075 }
3076 }
3077 }
3082 // No children.
3087 // No children.
3092 // Just get all the contexts except for CONTEXT_SYSTEM level.
3100 }
3107 }
3108 }
3111 /**
3112 * Gets a string for sql calls, searching for stuff in this context or above
3113 * @param object $context
3114 * @return string
3115 */
3121 }
3122 }
3125 /**
3126 * This function gets the capability of a role in a given context.
3127 * It is needed when printing override forms.
3128 * @param int $contextid
3129 * @param string $capability
3130 * @param array $capabilities - array loaded using role_context_capabilities
3131 * @return int (allow, prevent, prohibit, inherit)
3132 */
3136 }
3139 }
3140 }
3143 /**
3144 * Returns the human-readable, translated version of the capability.
3145 * Basically a big switch statement.
3146 * @param $capabilityname - e.g. mod/choice:readresponses
3147 */
3150 // Typical capabilityname is mod/choice:readresponses
3182 }
3184 }
3187 /**
3188 * This gets the mod/block/course/core etc strings.
3189 * @param $component
3190 * @param $contextlevel
3191 */
3205 }
3237 error ('This is an unknown context $contextlevel (' . $contextlevel . ') in get_component_string!');
3240 }
3242 }
3244 /**
3245 * Gets the list of roles assigned to this context and up (parents)
3246 * @param object $context
3247 * @param view - set to true when roles are pulled for display only
3248 * this is so that we can filter roles with no visible
3249 * assignment, for example, you might want to "hide" all
3250 * course creators when browsing the course participants
3251 * list.
3252 * @return array
3253 */
3258 // filter for roles with all hidden assignments
3259 // no need to return when only pulling roles for reviewing
3260 // e.g. participants page.
3261 $hiddensql = ($view && !has_capability('moodle/role:viewhiddenassigns', $context))? ' AND ra.hidden = 0 ':'';
3265 r.name,
3266 r.shortname,
3267 r.sortorder
3270 WHERE r.id = ra.roleid
3272 $hiddensql
3276 }
3278 /** this function is used to print roles column in user profile page.
3279 * @param int userid
3280 * @param int contextid
3281 * @return string
3282 */
3287 $SQL = 'select * from '.$CFG->prefix.'role_assignments ra, '.$CFG->prefix.'role r where ra.userid='.$userid.' and ra.contextid='.$contextid.' and ra.roleid = r.id';
3290 $rolestring .= '<a href="'.$CFG->wwwroot.'/user/index.php?contextid='.$userrole->contextid.'&roleid='.$userrole->roleid.'">'.$userrole->name.'</a>, ';
3291 }
3293 }
3295 }
3298 /**
3299 * Checks if a user can override capabilities of a particular role in this context
3300 * @param object $context
3301 * @param int targetroleid - the id of the role you want to override
3302 * @return boolean
3303 */
3305 // first check if user has override capability
3306 // if not return false;
3309 }
3310 // pull out all active roles of this user from this context(or above)
3313 // if any in the role_allow_override table, then it's ok
3314 if (get_record('role_allow_override', 'roleid', $userrole->roleid, 'allowoverride', $targetroleid)) {
3316 }
3317 }
3318 }
3322 }
3324 /**
3325 * Checks if a user can assign users to a particular role in this context
3326 * @param object $context
3327 * @param int targetroleid - the id of the role you want to assign users to
3328 * @return boolean
3329 */
3332 // first check if user has override capability
3333 // if not return false;
3336 }
3337 // pull out all active roles of this user from this context(or above)
3340 // if any in the role_allow_override table, then it's ok
3341 if (get_record('role_allow_assign', 'roleid', $userrole->roleid, 'allowassign', $targetroleid)) {
3343 }
3344 }
3345 }
3348 }
3350 /** Returns all site roles in correct sort order.
3351 *
3352 */
3355 }
3357 /**
3358 * gets all the user roles assigned in this context, or higher contexts
3359 * this is mainly used when checking if a user can assign a role, or overriding a role
3360 * i.e. we need to know what this user holds, in order to verify against allow_assign and
3361 * allow_override tables
3362 * @param object $context
3363 * @param int $userid
3364 * @param view - set to true when roles are pulled for display only
3365 * this is so that we can filter roles with no visible
3366 * assignment, for example, you might want to "hide" all
3367 * course creators when browsing the course participants
3368 * list.
3369 * @return array
3370 */
3371 function get_user_roles($context, $userid=0, $checkparentcontexts=true, $order='c.contextlevel DESC, r.sortorder ASC', $view=false) {
3378 }
3380 }
3381 // set up hidden sql
3382 $hiddensql = ($view && !has_capability('moodle/role:viewhiddenassigns', $context))? ' AND ra.hidden = 0 ':'';
3388 }
3395 ' AND ra.roleid = r.id
3396 AND ra.contextid = c.id
3399 }
3401 /**
3402 * Creates a record in the allow_override table
3403 * @param int sroleid - source roleid
3404 * @param int troleid - target roleid
3405 * @return int - id or false
3406 */
3412 }
3414 /**
3415 * Creates a record in the allow_assign table
3416 * @param int sroleid - source roleid
3417 * @param int troleid - target roleid
3418 * @return int - id or false
3419 */
3425 }
3427 /**
3428 * Gets a list of roles that this user can assign in this context
3429 * @param object $context
3430 * @return array
3431 */
3440 }
3441 }
3442 }
3444 }
3446 /**
3447 * Gets a list of roles that this user can override in this context
3448 * @param object $context
3449 * @return array
3450 */
3459 }
3460 }
3461 }
3464 }
3466 /**
3467 * Returns a role object that is the default role for new enrolments
3468 * in a given course
3469 *
3470 * @param object $course
3471 * @return object $role
3472 */
3476 /// First let's take the default role the course may have
3480 }
3481 }
3483 /// Otherwise the site setting should tell us
3487 }
3488 }
3490 /// It's unlikely we'll get here, but just in case, try and find a student role
3493 }
3496 }
3499 /**
3500 * who has this capability in this context
3501 * does not handling user level resolving!!!
3502 * (!)pleaes note if $fields is empty this function attempts to get u.*
3503 * which can get rather large.
3504 * i.e 1 person has 2 roles 1 allow, 1 prevent, this will not work properly
3505 * @param $context - object
3506 * @param $capability - string capability
3507 * @param $fields - fields to be pulled
3508 * @param $sort - the sort order
3509 * @param $limitfrom - number of records to skip (offset)
3510 * @param $limitnum - number of records to fetch
3511 * @param $groups - single group or array of groups - group(s) user is in
3512 * @param $exceptions - list of users to exclude
3513 * @param view - set to true when roles are pulled for display only
3514 * this is so that we can filter roles with no visible
3515 * assignment, for example, you might want to "hide" all
3516 * course creators when browsing the course participants
3517 * list.
3518 */
3523 /// Sorting out groups
3531 }
3535 }
3537 /// Sorting out exceptions
3540 /// Set up default fields
3543 }
3545 /// Set up default sort
3548 }
3551 /// Set up hidden sql
3552 $hiddensql = ($view && !has_capability('moodle/role:viewhiddenassigns', $context))? ' AND ra.hidden = 0 ':'';
3554 /// If context is a course, then construct sql for ul
3560 }
3562 /// Sorting out roles with this capability set
3567 }
3568 $doanythingroles = get_roles_with_capability('moodle/site:doanything', CAP_ALLOW, $sitecontext);
3569 }
3576 }
3577 }
3578 if ($caps = role_context_capabilities($possiblerole->id, $context, $capability)) { // resolved list
3581 }
3582 }
3583 }
3586 }
3590 }
3592 /// Construct the main SQL
3600 AND u.deleted = 0
3602 $exceptionsql
3603 $groupsql
3607 }
3609 /**
3610 * gets all the users assigned this role in this context or higher
3611 * @param int roleid
3612 * @param int contextid
3613 * @param bool parent if true, get list of users assigned in higher context too
3614 * @return array()
3615 */
3616 function get_role_users($roleid, $context, $parent=false, $fields='', $sort='u.lastname ASC', $view=false) {
3624 }
3626 // whether this assignment is hidden
3627 $hiddensql = ($view && !has_capability('moodle/role:viewhiddenassigns', $context))? ' AND r.hidden = 0 ':'';
3633 }
3636 }
3642 }
3649 $hiddensql
3654 }
3656 /**
3657 * Counts all the users assigned this role in this context or higher
3658 * @param int roleid
3659 * @param int contextid
3660 * @param bool parent if true, get list of users assigned in higher context too
3661 * @return array()
3662 */
3671 }
3674 }
3682 }
3684 /**
3685 * This function gets the list of courses that this user has a particular capability in
3686 * This is not the most efficient way of doing this
3687 * @param string capability
3688 * @param int $userid
3689 * @return array
3690 */
3699 }
3700 }
3702 }
3705 /** This function finds the roles assigned directly to this context only
3706 * i.e. no parents role
3707 * @param object $context
3708 * @return array
3709 */
3717 WHERE ra.roleid = r.id
3720 }
3722 /**
3723 * Switches the current user to another role for the current session and only
3724 * in the given context. If roleid is not valid (eg 0) or the current user
3725 * doesn't have permissions to be switching roles then the user's session
3726 * is compltely reset to have their normal roles.
3727 * @param integer $roleid
3728 * @param object $context
3729 * @return bool
3730 */
3734 /// If we can't use this or are already using it or no role was specified then bail completely and reset
3741 }
3743 /// We're allowed to switch but can we switch to the specified role? Use assignable roles to check.
3746 }
3748 /// unset default user role - it would not work anyway
3753 }
3755 /// We have a valid roleid that this user can switch to, so let's set up the session
3761 /// Add some permissions we are really going to always need, even if the role doesn't have them!
3767 }
3770 // get any role that has an override on exact context
3778 WHERE rc.roleid = r.id
3780 }
3782 // get all capabilities for this role on this context (overrids)
3791 }
3793 // find out which roles has assignment on this context
3801 WHERE ra.roleid = r.id
3803 }
3807 /**
3808 * Find all user assignemnt of users for this role, on this context
3809 */
3818 }
3820 /**
3821 * Simple function returning a boolean true if roles exist, otherwise false
3822 */
3826 return record_exists('role_assignments', 'userid', $userid, 'roleid', $roleid, 'contextid', $contextid);
3829 }
3830 }
3832 /**
3833 * Inserts all parental context and self into context_rel table
3834 *
3835 * @param object $context-context to be deleted
3836 * @param bool deletechild - deltes child contexts dependencies
3837 */
3839 // removes all parents
3842 }
3846 }
3847 // insert all parents
3855 }
3856 }
3857 }
3860 /**
3861 * rebuild context_rel table without deleting
3862 */
3868 // total number of records
3870 // processed records
3876 // no need to delete because it's all empty
3881 }
3882 }
3885 }
3886 ?>