More capability name typos.
[moodle.git] / lib / accesslib.php
CommitLineData
bbbf2d40 1<?php
cee0901c 2 /**
3 * Capability session information format
bbbf2d40 4 * 2 x 2 array
5 * [context][capability]
6 * where context is the context id of the table 'context'
7 * and capability is a string defining the capability
8 * e.g.
9 *
10 * [Capabilities] => [26][mod/forum:viewpost] = 1
11 * [26][mod/forum:startdiscussion] = -8990
12 * [26][mod/forum:editallpost] = -1
13 * [273][moodle:blahblah] = 1
14 * [273][moodle:blahblahblah] = 2
15 */
bbbf2d40 16
17// permission definitions
e49e61bf 18define('CAP_INHERIT', 0);
bbbf2d40 19define('CAP_ALLOW', 1);
20define('CAP_PREVENT', -1);
21define('CAP_PROHIBIT', -1000);
22
bbbf2d40 23// context definitions
24define('CONTEXT_SYSTEM', 10);
25define('CONTEXT_PERSONAL', 20);
4b10f08b 26define('CONTEXT_USER', 30);
bbbf2d40 27define('CONTEXT_COURSECAT', 40);
28define('CONTEXT_COURSE', 50);
29define('CONTEXT_GROUP', 60);
30define('CONTEXT_MODULE', 70);
31define('CONTEXT_BLOCK', 80);
32
21b6db6e 33// capability risks - see http://docs.moodle.org/en/Hardening_new_Roles_system
34define('RISK_MANAGETRUST', 0x0001);
a6b02b65 35define('RISK_CONFIG', 0x0002);
21b6db6e 36define('RISK_XSS', 0x0004);
37define('RISK_PERSONAL', 0x0008);
38define('RISK_SPAM', 0x0010);
39
40
340ea4e8 41$context_cache = array(); // Cache of all used context objects for performance (by level and instance)
42$context_cache_id = array(); // Index to above cache by id
bbbf2d40 43
7700027f 44
e7876c1e 45/**
46 * Loads the capabilities for the default guest role to the current user in a specific context
47 * @return object
48 */
49function load_guest_role($context=NULL) {
50 global $USER;
51
52 static $guestrole;
53
54 if (!isloggedin()) {
55 return false;
56 }
57
58 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
59 return false;
60 }
61
62 if (empty($context)) {
63 $context = $sitecontext;
64 }
65
66 if (empty($guestrole)) {
8f8ed475 67 if (!$guestrole = get_guest_role()) {
e7876c1e 68 return false;
69 }
70 }
71
72 if ($capabilities = get_records_select('role_capabilities',
73 "roleid = $guestrole->id AND contextid = $sitecontext->id")) {
74 foreach ($capabilities as $capability) {
75 $USER->capabilities[$context->id][$capability->capability] = $capability->permission;
76 }
77 }
78
79 return true;
80}
81
7700027f 82/**
83 * Load default not logged in role capabilities when user is not logged in
84 * @return bool
85 */
20aeb4b8 86function load_notloggedin_role() {
87 global $CFG, $USER;
88
7700027f 89 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
90 return false;
35a518c5 91 }
92
7700027f 93 if (empty($CFG->notloggedinroleid)) { // Let's set the default to the guest role
8f8ed475 94 if ($role = get_guest_role()) {
7700027f 95 set_config('notloggedinroleid', $role->id);
96 } else {
97 return false;
98 }
99 }
20aeb4b8 100
7700027f 101 if ($capabilities = get_records_select('role_capabilities',
102 "roleid = $CFG->notloggedinroleid AND contextid = $sitecontext->id")) {
103 foreach ($capabilities as $capability) {
104 $USER->capabilities[$sitecontext->id][$capability->capability] = $capability->permission;
105 }
20aeb4b8 106 }
107
108 return true;
109}
cee0901c 110
8f8ed475 111/**
112 * Load default not logged in role capabilities when user is not logged in
113 * @return bool
114 */
115function load_defaultuser_role() {
116 global $CFG, $USER;
117
118 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
119 return false;
120 }
121
122 if (empty($CFG->defaultuserroleid)) { // Let's set the default to the guest role
123 if ($role = get_guest_role()) {
124 set_config('defaultuserroleid', $role->id);
125 } else {
126 return false;
127 }
128 }
129
130 if ($capabilities = get_records_select('role_capabilities',
131 "roleid = $CFG->defaultuserroleid AND contextid = $sitecontext->id")) {
132 foreach ($capabilities as $capability) {
ca23ffdb 133 if (!isset($USER->capabilities[$sitecontext->id][$capability->capability])) { // Don't overwrite
134 $USER->capabilities[$sitecontext->id][$capability->capability] = $capability->permission;
135 }
8f8ed475 136 }
137
138 // SPECIAL EXCEPTION: If the default user role is actually a guest role, then
139 // remove some capabilities so this user doesn't get confused with a REAL guest
2f089dd5 140 if (isset($USER->capabilities[$sitecontext->id]['moodle/legacy:guest']) and $USER->username != 'guest') {
8f8ed475 141 unset($USER->capabilities[$sitecontext->id]['moodle/legacy:guest']);
142 unset($USER->capabilities[$sitecontext->id]['moodle/course:view']); // No access to courses by default
143 }
144 }
145
146 return true;
147}
148
149
150/**
151 * Get the default guest role
152 * @return object role
153 */
154function get_guest_role() {
155 if ($roles = get_roles_with_capability('moodle/legacy:guest', CAP_ALLOW)) {
156 return array_shift($roles); // Pick the first one
157 } else {
158 return false;
159 }
160}
161
162
bbbf2d40 163/**
164 * This functions get all the course categories in proper order
0468976c 165 * @param int $context
bbbf2d40 166 * @param int $type
167 * @return array of contextids
168 */
0468976c 169function get_parent_cats($context, $type) {
98882637 170
171 $parents = array();
98882637 172
c5ddc3fd 173 switch ($type) {
98882637 174
175 case CONTEXT_COURSECAT:
176
c5ddc3fd 177 if (!$cat = get_record('course_categories','id',$context->instanceid)) {
178 break;
179 }
180
181 while (!empty($cat->parent)) {
182 if (!$context = get_context_instance(CONTEXT_COURSECAT, $cat->parent)) {
183 break;
184 }
98882637 185 $parents[] = $context->id;
186 $cat = get_record('course_categories','id',$cat->parent);
187 }
188
189 break;
190
191 case CONTEXT_COURSE:
192
c5ddc3fd 193 if (!$course = get_record('course', 'id', $context->instanceid)) {
194 break;
195 }
196 if (!$catinstance = get_context_instance(CONTEXT_COURSECAT, $course->category)) {
197 break;
198 }
199
98882637 200 $parents[] = $catinstance->id;
c5ddc3fd 201
202 if (!$cat = get_record('course_categories','id',$course->category)) {
203 break;
204 }
205
206 while (!empty($cat->parent)) {
207 if (!$context = get_context_instance(CONTEXT_COURSECAT, $cat->parent)) {
208 break;
209 }
98882637 210 $parents[] = $context->id;
211 $cat = get_record('course_categories','id',$cat->parent);
212 }
213 break;
214
215 default:
216 break;
217
218 }
219
220 return array_reverse($parents);
bbbf2d40 221}
222
223
cee0901c 224
0468976c 225/**
226 * This function checks for a capability assertion being true. If it isn't
227 * then the page is terminated neatly with a standard error message
228 * @param string $capability - name of the capability
229 * @param object $context - a context object (record from context table)
230 * @param integer $userid - a userid number
d74067e8 231 * @param bool $doanything - if false, ignore do anything
0468976c 232 * @param string $errorstring - an errorstring
d74067e8 233 * @param string $stringfile - which stringfile to get it from
0468976c 234 */
d74067e8 235function require_capability($capability, $context=NULL, $userid=NULL, $doanything=true,
236 $errormessage="nopermissions", $stringfile='') {
a9e1c058 237
238 global $USER;
239
240/// If the current user is not logged in, then make sure they are
241
242 if (empty($userid) and empty($USER->id)) {
243 if ($context && ($context->aggregatelevel == CONTEXT_COURSE)) {
244 require_login($context->instanceid);
245 } else {
246 require_login();
247 }
248 }
249
250/// OK, if they still don't have the capability then print a nice error message
251
d74067e8 252 if (!has_capability($capability, $context, $userid, $doanything)) {
0468976c 253 $capabilityname = get_capability_string($capability);
254 print_error($errormessage, $stringfile, '', $capabilityname);
255 }
256}
257
258
bbbf2d40 259/**
260 * This function returns whether the current user has the capability of performing a function
261 * For example, we can do has_capability('mod/forum:replypost',$cm) in forum
262 * only one of the 4 (moduleinstance, courseid, site, userid) would be set at 1 time
263 * This is a recursive funciton.
bbbf2d40 264 * @uses $USER
265 * @param string $capability - name of the capability
0468976c 266 * @param object $context - a context object (record from context table)
267 * @param integer $userid - a userid number
20aeb4b8 268 * @param bool $doanything - if false, ignore do anything
bbbf2d40 269 * @return bool
270 */
d74067e8 271function has_capability($capability, $context=NULL, $userid=NULL, $doanything=true) {
bbbf2d40 272
20aeb4b8 273 global $USER, $CONTEXT, $CFG;
bbbf2d40 274
a8a7300a 275 if (debugging() && !record_exists('capabilities', 'name', $capability)) {
7f7cacdf 276 debugging('Cabability "'.$capability.'" was not found! This should be fixed in code.');
a8a7300a 277 }
278
8f8ed475 279 if (empty($userid) && empty($USER->capabilities)) { // Real user, first time here
280 if (isloggedin()) {
281 load_defaultuser_role(); // All users get this by default
282 } else {
283 load_notloggedin_role(); // others get this by default
284 }
20aeb4b8 285 }
286
287 if ($userid && $userid != $USER->id) {
9425b25f 288 if (empty($USER->id) or ($userid != $USER->id)) {
289 $capabilities = load_user_capability($capability, $context, $userid);
290 } else { //$USER->id == $userid
291 $capabilities = empty($USER->capabilities) ? NULL : $USER->capabilities;
292 }
293 } else { // no userid
294 $capabilities = empty($USER->capabilities) ? NULL : $USER->capabilities;
98882637 295 }
9425b25f 296
0468976c 297 if (empty($context)) { // Use default CONTEXT if none specified
340ea4e8 298 if (empty($CONTEXT)) {
299 return false;
300 } else {
301 $context = $CONTEXT;
302 }
0468976c 303 } else { // A context was given to us
304 if (empty($CONTEXT)) {
305 $CONTEXT = $context; // Store FIRST used context in this global as future default
306 }
340ea4e8 307 }
bbbf2d40 308
20aeb4b8 309 if ($doanything) {
310 // Check site
311 $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
312 if (isset($capabilities[$sitecontext->id]['moodle/site:doanything'])) {
313 return (0 < $capabilities[$sitecontext->id]['moodle/site:doanything']);
314 }
98882637 315
20aeb4b8 316 switch ($context->aggregatelevel) {
bbbf2d40 317
20aeb4b8 318 case CONTEXT_COURSECAT:
319 // Check parent cats.
320 $parentcats = get_parent_cats($context, CONTEXT_COURSECAT);
321 foreach ($parentcats as $parentcat) {
322 if (isset($capabilities[$parentcat]['moodle/site:doanything'])) {
323 return (0 < $capabilities[$parentcat]['moodle/site:doanything']);
324 }
cee0901c 325 }
20aeb4b8 326 break;
bbbf2d40 327
20aeb4b8 328 case CONTEXT_COURSE:
329 // Check parent cat.
330 $parentcats = get_parent_cats($context, CONTEXT_COURSE);
98882637 331
20aeb4b8 332 foreach ($parentcats as $parentcat) {
333 if (isset($capabilities[$parentcat]['do_anything'])) {
334 return (0 < $capabilities[$parentcat]['do_anything']);
335 }
9425b25f 336 }
20aeb4b8 337 break;
bbbf2d40 338
20aeb4b8 339 case CONTEXT_GROUP:
340 // Find course.
341 $group = get_record('groups','id',$context->instanceid);
342 $courseinstance = get_context_instance(CONTEXT_COURSE, $group->courseid);
9425b25f 343
20aeb4b8 344 $parentcats = get_parent_cats($courseinstance, CONTEXT_COURSE);
345 foreach ($parentcats as $parentcat) {
346 if (isset($capabilities[$parentcat->id]['do_anything'])) {
347 return (0 < $capabilities[$parentcat->id]['do_anything']);
348 }
9425b25f 349 }
9425b25f 350
20aeb4b8 351 $coursecontext = '';
352 if (isset($capabilities[$courseinstance->id]['do_anything'])) {
353 return (0 < $capabilities[$courseinstance->id]['do_anything']);
354 }
9425b25f 355
20aeb4b8 356 break;
bbbf2d40 357
20aeb4b8 358 case CONTEXT_MODULE:
359 // Find course.
360 $cm = get_record('course_modules', 'id', $context->instanceid);
361 $courseinstance = get_context_instance(CONTEXT_COURSE, $cm->course);
9425b25f 362
20aeb4b8 363 if ($parentcats = get_parent_cats($courseinstance, CONTEXT_COURSE)) {
364 foreach ($parentcats as $parentcat) {
365 if (isset($capabilities[$parentcat]['do_anything'])) {
366 return (0 < $capabilities[$parentcat]['do_anything']);
367 }
cee0901c 368 }
9425b25f 369 }
98882637 370
20aeb4b8 371 if (isset($capabilities[$courseinstance->id]['do_anything'])) {
372 return (0 < $capabilities[$courseinstance->id]['do_anything']);
373 }
bbbf2d40 374
20aeb4b8 375 break;
bbbf2d40 376
20aeb4b8 377 case CONTEXT_BLOCK:
378 // 1 to 1 to course.
379 // Find course.
380 $block = get_record('block_instance','id',$context->instanceid);
381 $courseinstance = get_context_instance(CONTEXT_COURSE, $block->pageid); // needs check
9425b25f 382
20aeb4b8 383 $parentcats = get_parent_cats($courseinstance, CONTEXT_COURSE);
384 foreach ($parentcats as $parentcat) {
385 if (isset($capabilities[$parentcat]['do_anything'])) {
386 return (0 < $capabilities[$parentcat]['do_anything']);
387 }
cee0901c 388 }
9425b25f 389
20aeb4b8 390 if (isset($capabilities[$courseinstance->id]['do_anything'])) {
391 return (0 < $capabilities[$courseinstance->id]['do_anything']);
392 }
393 break;
bbbf2d40 394
20aeb4b8 395 default:
4b10f08b 396 // CONTEXT_SYSTEM: CONTEXT_PERSONAL: CONTEXT_USER:
20aeb4b8 397 // Do nothing.
398 break;
399 }
bbbf2d40 400
20aeb4b8 401 // Last: check self.
402 if (isset($capabilities[$context->id]['do_anything'])) {
403 return (0 < $capabilities[$context->id]['do_anything']);
404 }
98882637 405 }
98882637 406 // do_anything has not been set, we now look for it the normal way.
9425b25f 407 return (0 < capability_search($capability, $context, $capabilities));
bbbf2d40 408
9425b25f 409}
bbbf2d40 410
411
412/**
413 * In a separate function so that we won't have to deal with do_anything.
414 * again. Used by function has_capability.
415 * @param $capability - capability string
0468976c 416 * @param $context - the context object
bbbf2d40 417 * @param $capabilities - either $USER->capability or loaded array
418 * @return permission (int)
419 */
0468976c 420function capability_search($capability, $context, $capabilities) {
20aeb4b8 421
bbbf2d40 422 global $USER, $CFG;
0468976c 423
0468976c 424 if (isset($capabilities[$context->id][$capability])) {
ea82d6b6 425 debugging("Found $capability in context $context->id at level $context->aggregatelevel: ".$capabilities[$context->id][$capability], E_ALL);
0468976c 426 return ($capabilities[$context->id][$capability]);
bbbf2d40 427 }
9425b25f 428
bbbf2d40 429 /* Then, we check the cache recursively */
9425b25f 430 $permission = 0;
431
d140ad3f 432 switch ($context->aggregatelevel) {
bbbf2d40 433
434 case CONTEXT_SYSTEM: // by now it's a definite an inherit
435 $permission = 0;
436 break;
437
438 case CONTEXT_PERSONAL:
0468976c 439 $parentcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
440 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 441 break;
9425b25f 442
4b10f08b 443 case CONTEXT_USER:
0468976c 444 $parentcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
445 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 446 break;
9425b25f 447
bbbf2d40 448 case CONTEXT_COURSECAT: // Coursecat -> coursecat or site
449 $coursecat = get_record('course_categories','id',$context->instanceid);
0468976c 450 if (!empty($coursecat->parent)) { // return parent value if it exists
451 $parentcontext = get_context_instance(CONTEXT_COURSECAT, $coursecat->parent);
bbbf2d40 452 } else { // else return site value
0468976c 453 $parentcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
bbbf2d40 454 }
0468976c 455 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 456 break;
457
458 case CONTEXT_COURSE: // 1 to 1 to course cat
459 // find the course cat, and return its value
460 $course = get_record('course','id',$context->instanceid);
0468976c 461 $parentcontext = get_context_instance(CONTEXT_COURSECAT, $course->category);
462 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 463 break;
464
465 case CONTEXT_GROUP: // 1 to 1 to course
466 $group = get_record('groups','id',$context->instanceid);
0468976c 467 $parentcontext = get_context_instance(CONTEXT_COURSE, $group->courseid);
468 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 469 break;
470
471 case CONTEXT_MODULE: // 1 to 1 to course
472 $cm = get_record('course_modules','id',$context->instanceid);
0468976c 473 $parentcontext = get_context_instance(CONTEXT_COURSE, $cm->course);
474 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 475 break;
476
477 case CONTEXT_BLOCK: // 1 to 1 to course
478 $block = get_record('block_instance','id',$context->instanceid);
0468976c 479 $parentcontext = get_context_instance(CONTEXT_COURSE, $block->pageid); // needs check
480 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 481 break;
482
483 default:
484 error ('This is an unknown context!');
485 return false;
486 }
ea82d6b6 487 debugging("Found $capability recursively from context $context->id at level $context->aggregatelevel: $permission", E_ALL);
9425b25f 488
98882637 489 return $permission;
bbbf2d40 490}
491
492
493/**
494 * This function should be called immediately after a login, when $USER is set.
495 * It will build an array of all the capabilities at each level
496 * i.e. site/metacourse/course_category/course/moduleinstance
497 * Note we should only load capabilities if they are explicitly assigned already,
498 * we should not load all module's capability!
499 * @param $userid - the id of the user whose capabilities we want to load
500 * @return array
501 * possible just s simple 2D array with [contextid][capabilityname]
502 * [Capabilities] => [26][forum_post] = 1
503 * [26][forum_start] = -8990
504 * [26][forum_edit] = -1
505 * [273][blah blah] = 1
506 * [273][blah blah blah] = 2
507 */
0468976c 508function load_user_capability($capability='', $context ='', $userid='') {
d140ad3f 509
98882637 510 global $USER, $CFG;
bbbf2d40 511
512 if (empty($userid)) {
dc411d1b 513 if (empty($USER->id)) { // We have no user to get capabilities for
64026e8c 514 debugging('User not logged in for load_user_capability!');
dc411d1b 515 return false;
516 }
64026e8c 517 unset($USER->capabilities); // We don't want possible older capabilites hanging around
518
519 check_enrolment_plugins($USER); // Call "enrol" system to ensure that we have the correct picture
8f8ed475 520
bbbf2d40 521 $userid = $USER->id;
dc411d1b 522 $otheruserid = false;
bbbf2d40 523 } else {
64026e8c 524 if (!$user = get_record('user', 'id', $userid)) {
525 debugging('Non-existent userid in load_user_capability!');
526 return false;
527 }
528
529 check_enrolment_plugins($user); // Ensure that we have the correct picture
530
9425b25f 531 $otheruserid = $userid;
bbbf2d40 532 }
9425b25f 533
5f70bcc3 534
535/// First we generate a list of all relevant contexts of the user
536
537 $usercontexts = array();
bbbf2d40 538
0468976c 539 if ($context) { // if context is specified
540 $usercontexts = get_parent_contexts($context);
98882637 541 } else { // else, we load everything
5f70bcc3 542 if ($userroles = get_records('role_assignments','userid',$userid)) {
543 foreach ($userroles as $userrole) {
544 $usercontexts[] = $userrole->contextid;
545 }
98882637 546 }
5f70bcc3 547 }
548
549/// Set up SQL fragments for searching contexts
550
551 if ($usercontexts) {
0468976c 552 $listofcontexts = '('.implode(',', $usercontexts).')';
5f70bcc3 553 $searchcontexts1 = "c1.id IN $listofcontexts AND";
554 $searchcontexts2 = "c2.id IN $listofcontexts AND";
555 } else {
556 $listofcontexts = $searchcontexts1 = $searchcontexts2 = '';
bbbf2d40 557 }
0468976c 558
64026e8c 559 if ($capability) {
560 $capsearch = " AND rc.capability = '$capability' ";
561 } else {
562 $capsearch ="";
563 }
564
5f70bcc3 565/// Then we use 1 giant SQL to bring out all relevant capabilities.
566/// The first part gets the capabilities of orginal role.
567/// The second part gets the capabilities of overriden roles.
bbbf2d40 568
98882637 569 $siteinstance = get_context_instance(CONTEXT_SYSTEM, SITEID);
bbbf2d40 570
75e84883 571 $SQL = " SELECT rc.capability, c1.id, (c1.aggregatelevel * 100) AS aggrlevel,
bbbf2d40 572 SUM(rc.permission) AS sum
573 FROM
42ac3ecf 574 {$CFG->prefix}role_assignments ra,
575 {$CFG->prefix}role_capabilities rc,
576 {$CFG->prefix}context c1
bbbf2d40 577 WHERE
d4649c76 578 ra.contextid=c1.id AND
579 ra.roleid=rc.roleid AND
bbbf2d40 580 ra.userid=$userid AND
5f70bcc3 581 $searchcontexts1
bbbf2d40 582 rc.contextid=$siteinstance->id
98882637 583 $capsearch
bbbf2d40 584 GROUP BY
0be16c1d 585 rc.capability, (c1.aggregatelevel * 100), c1.id
bbbf2d40 586 HAVING
41811960 587 SUM(rc.permission) != 0
bbbf2d40 588 UNION
589
75e84883 590 SELECT rc.capability, c1.id, (c1.aggregatelevel * 100 + c2.aggregatelevel) AS aggrlevel,
bbbf2d40 591 SUM(rc.permission) AS sum
592 FROM
42ac3ecf 593 {$CFG->prefix}role_assignments ra,
594 {$CFG->prefix}role_capabilities rc,
595 {$CFG->prefix}context c1,
596 {$CFG->prefix}context c2
bbbf2d40 597 WHERE
d4649c76 598 ra.contextid=c1.id AND
599 ra.roleid=rc.roleid AND
600 ra.userid=$userid AND
601 rc.contextid=c2.id AND
5f70bcc3 602 $searchcontexts1
603 $searchcontexts2
604 rc.contextid != $siteinstance->id
bbbf2d40 605 $capsearch
606
607 GROUP BY
0be16c1d 608 rc.capability, (c1.aggregatelevel * 100 + c2.aggregatelevel), c1.id
bbbf2d40 609 HAVING
41811960 610 SUM(rc.permission) != 0
bbbf2d40 611 ORDER BY
75e84883 612 aggrlevel ASC
bbbf2d40 613 ";
614
98882637 615 $capabilities = array(); // Reinitialize.
75e84883 616 if (!$rs = get_recordset_sql($SQL)) {
617 error("Query failed in load_user_capability.");
618 }
5cf38a57 619
bbbf2d40 620 if ($rs && $rs->RecordCount() > 0) {
621 while (!$rs->EOF) {
75e84883 622 $array = $rs->fields;
623 $temprecord = new object;
98882637 624
625 foreach ($array as $key=>$val) {
75e84883 626 if ($key == 'aggrlevel') {
627 $temprecord->aggregatelevel = $val;
628 } else {
629 $temprecord->{$key} = $val;
630 }
98882637 631 }
bbbf2d40 632 $capabilities[] = $temprecord;
633 $rs->MoveNext();
634 }
635 }
d140ad3f 636
bbbf2d40 637 /* so up to this point we should have somethign like this
41811960 638 * $capabilities[1] ->aggregatelevel = 1000
bbbf2d40 639 ->module = SITEID
640 ->capability = do_anything
641 ->id = 1 (id is the context id)
642 ->sum = 0
643
41811960 644 * $capabilities[2] ->aggregatelevel = 1000
bbbf2d40 645 ->module = SITEID
646 ->capability = post_messages
647 ->id = 1
648 ->sum = -9000
649
41811960 650 * $capabilittes[3] ->aggregatelevel = 3000
bbbf2d40 651 ->module = course
652 ->capability = view_course_activities
653 ->id = 25
654 ->sum = 1
655
41811960 656 * $capabilittes[4] ->aggregatelevel = 3000
bbbf2d40 657 ->module = course
658 ->capability = view_course_activities
659 ->id = 26
660 ->sum = 0 (this is another course)
661
41811960 662 * $capabilities[5] ->aggregatelevel = 3050
bbbf2d40 663 ->module = course
664 ->capability = view_course_activities
665 ->id = 25 (override in course 25)
666 ->sum = -1
667 * ....
668 * now we proceed to write the session array, going from top to bottom
669 * at anypoint, we need to go up and check parent to look for prohibit
670 */
671 // print_object($capabilities);
672
673 /* This is where we write to the actualy capabilities array
674 * what we need to do from here on is
675 * going down the array from lowest level to highest level
676 * 1) recursively check for prohibit,
677 * if any, we write prohibit
678 * else, we write the value
679 * 2) at an override level, we overwrite current level
680 * if it's not set to prohibit already, and if different
681 * ........ that should be it ........
682 */
98882637 683 $usercap = array(); // for other user's capabilities
bbbf2d40 684 foreach ($capabilities as $capability) {
685
0468976c 686 $context = get_context_instance_by_id($capability->id);
687
41811960 688 if (!empty($otheruserid)) { // we are pulling out other user's capabilities, do not write to session
98882637 689
0468976c 690 if (capability_prohibits($capability->capability, $context, $capability->sum, $usercap)) {
98882637 691 $usercap[$capability->id][$capability->capability] = -9000;
692 continue;
693 }
694
695 $usercap[$capability->id][$capability->capability] = $capability->sum;
696
697 } else {
698
0468976c 699 if (capability_prohibits($capability->capability, $context, $capability->sum)) { // if any parent or parent's parent is set to prohibit
98882637 700 $USER->capabilities[$capability->id][$capability->capability] = -9000;
701 continue;
702 }
703
704 // if no parental prohibit set
705 // just write to session, i am not sure this is correct yet
706 // since 3050 shows up after 3000, and 3070 shows up after 3050,
707 // it should be ok just to overwrite like this, provided that there's no
708 // parental prohibits
709 // no point writing 0, since 0 = inherit
710 // we need to write even if it's 0, because it could be an inherit override
711 $USER->capabilities[$capability->id][$capability->capability] = $capability->sum;
712 }
bbbf2d40 713 }
714
715 // now we don't care about the huge array anymore, we can dispose it.
716 unset($capabilities);
717
dbe7e582 718 if (!empty($otheruserid)) {
98882637 719 return $usercap; // return the array
bbbf2d40 720 }
721 // see array in session to see what it looks like
722
723}
724
64026e8c 725/*
726 * Check all the login enrolment information for the given user object
727 * by querying the enrolment plugins
728 */
729function check_enrolment_plugins(&$user) {
730 global $CFG;
731
732 require_once($CFG->dirroot .'/enrol/enrol.class.php');
733
734 if (!($plugins = explode(',', $CFG->enrol_plugins_enabled))) {
735 $plugins = array($CFG->enrol);
736 }
737
738 foreach ($plugins as $plugin) {
739 $enrol = enrolment_factory::factory($plugin);
740 if (method_exists($enrol, 'setup_enrolments')) { /// Plugin supports Roles (Moodle 1.7 and later)
741 $enrol->setup_enrolments($user);
742 } else { /// Run legacy enrolment methods
743 if (method_exists($enrol, 'get_student_courses')) {
744 $enrol->get_student_courses($user);
745 }
746 if (method_exists($enrol, 'get_teacher_courses')) {
747 $enrol->get_teacher_courses($user);
748 }
749
750 /// deal with $user->students and $user->teachers stuff
751 unset($user->student);
752 unset($user->teacher);
753 }
754 unset($enrol);
755 }
756}
757
bbbf2d40 758
759/**
760 * This is a recursive function that checks whether the capability in this
761 * context, or the parent capabilities are set to prohibit.
762 *
763 * At this point, we can probably just use the values already set in the
764 * session variable, since we are going down the level. Any prohit set in
765 * parents would already reflect in the session.
766 *
767 * @param $capability - capability name
768 * @param $sum - sum of all capabilities values
0468976c 769 * @param $context - the context object
bbbf2d40 770 * @param $array - when loading another user caps, their caps are not stored in session but an array
771 */
0468976c 772function capability_prohibits($capability, $context, $sum='', $array='') {
bbbf2d40 773 global $USER;
0468976c 774
bbbf2d40 775 if ($sum < -8000) {
776 // If this capability is set to prohibit.
777 return true;
778 }
779
780 if (isset($array)) {
0468976c 781 if (isset($array[$context->id][$capability])
782 && $array[$context->id][$capability] < -8000) {
98882637 783 return true;
784 }
bbbf2d40 785 } else {
98882637 786 // Else if set in session.
0468976c 787 if (isset($USER->capabilities[$context->id][$capability])
788 && $USER->capabilities[$context->id][$capability] < -8000) {
98882637 789 return true;
790 }
bbbf2d40 791 }
d140ad3f 792 switch ($context->aggregatelevel) {
bbbf2d40 793
794 case CONTEXT_SYSTEM:
795 // By now it's a definite an inherit.
796 return 0;
797 break;
798
799 case CONTEXT_PERSONAL:
800 $parent = get_context_instance(CONTEXT_SYSTEM, SITEID);
0468976c 801 return capability_prohibits($capability, $parent);
bbbf2d40 802 break;
803
4b10f08b 804 case CONTEXT_USER:
bbbf2d40 805 $parent = get_context_instance(CONTEXT_SYSTEM, SITEID);
0468976c 806 return capability_prohibits($capability, $parent);
bbbf2d40 807 break;
808
809 case CONTEXT_COURSECAT:
810 // Coursecat -> coursecat or site.
811 $coursecat = get_record('course_categories','id',$context->instanceid);
41811960 812 if (!empty($coursecat->parent)) {
bbbf2d40 813 // return parent value if exist.
814 $parent = get_context_instance(CONTEXT_COURSECAT, $coursecat->parent);
815 } else {
816 // Return site value.
817 $parent = get_context_instance(CONTEXT_SYSTEM, SITEID);
818 }
0468976c 819 return capability_prohibits($capability, $parent);
bbbf2d40 820 break;
821
822 case CONTEXT_COURSE:
823 // 1 to 1 to course cat.
824 // Find the course cat, and return its value.
825 $course = get_record('course','id',$context->instanceid);
826 $parent = get_context_instance(CONTEXT_COURSECAT, $course->category);
0468976c 827 return capability_prohibits($capability, $parent);
bbbf2d40 828 break;
829
830 case CONTEXT_GROUP:
831 // 1 to 1 to course.
832 $group = get_record('groups','id',$context->instanceid);
833 $parent = get_context_instance(CONTEXT_COURSE, $group->courseid);
0468976c 834 return capability_prohibits($capability, $parent);
bbbf2d40 835 break;
836
837 case CONTEXT_MODULE:
838 // 1 to 1 to course.
839 $cm = get_record('course_modules','id',$context->instanceid);
840 $parent = get_context_instance(CONTEXT_COURSE, $cm->course);
0468976c 841 return capability_prohibits($capability, $parent);
bbbf2d40 842 break;
843
844 case CONTEXT_BLOCK:
845 // 1 to 1 to course.
846 $block = get_record('block_instance','id',$context->instanceid);
847 $parent = get_context_instance(CONTEXT_COURSE, $block->pageid); // needs check
0468976c 848 return capability_prohibits($capability, $parent);
bbbf2d40 849 break;
850
851 default:
852 error ('This is an unknown context!');
853 return false;
854 }
855}
856
857
858/**
859 * A print form function. This should either grab all the capabilities from
860 * files or a central table for that particular module instance, then present
861 * them in check boxes. Only relevant capabilities should print for known
862 * context.
863 * @param $mod - module id of the mod
864 */
865function print_capabilities($modid=0) {
866 global $CFG;
867
868 $capabilities = array();
869
870 if ($modid) {
871 // We are in a module specific context.
872
873 // Get the mod's name.
874 // Call the function that grabs the file and parse.
875 $cm = get_record('course_modules', 'id', $modid);
876 $module = get_record('modules', 'id', $cm->module);
877
878 } else {
879 // Print all capabilities.
880 foreach ($capabilities as $capability) {
881 // Prints the check box component.
882 }
883 }
884}
885
886
887/**
1afecc03 888 * Installs the roles system.
889 * This function runs on a fresh install as well as on an upgrade from the old
890 * hard-coded student/teacher/admin etc. roles to the new roles system.
bbbf2d40 891 */
1afecc03 892function moodle_install_roles() {
bbbf2d40 893
1afecc03 894 global $CFG, $db;
895
bbbf2d40 896 // Create a system wide context for assignemnt.
897 $systemcontext = $context = get_context_instance(CONTEXT_SYSTEM, SITEID);
898
1afecc03 899
900 // Create default/legacy roles and capabilities.
901 // (1 legacy capability per legacy role at system level).
31f26796 902 $adminrole = create_role(get_string('administrator'), 'admin', get_string('administratordescription'), 'moodle/legacy:admin');
98882637 903 if (!assign_capability('moodle/site:doanything', CAP_ALLOW, $adminrole, $systemcontext->id)) {
bbbf2d40 904 error('Could not assign moodle/site:doanything to the admin role');
905 }
31f26796 906 $coursecreatorrole = create_role(get_string('coursecreators'), 'coursecreator', get_string('coursecreatorsdescription'), 'moodle/legacy:coursecreator');
907 $editteacherrole = create_role(get_string('defaultcourseteacher'), 'editingteacher', get_string('defaultcourseteacherdescription'), 'moodle/legacy:editingteacher');
908 $noneditteacherrole = create_role(get_string('noneditingteacher'), 'teacher', get_string('noneditingteacherdescription'), 'moodle/legacy:teacher');
909 $studentrole = create_role(get_string('defaultcoursestudent'), 'student', get_string('defaultcoursestudentdescription'), 'moodle/legacy:student');
910 $guestrole = create_role(get_string('guest'), 'guest', get_string('guestdescription'), 'moodle/legacy:guest');
1afecc03 911
912
913 // Look inside user_admin, user_creator, user_teachers, user_students and
914 // assign above new roles. If a user has both teacher and student role,
915 // only teacher role is assigned. The assignment should be system level.
916 $dbtables = $db->MetaTables('TABLES');
bbbf2d40 917
1afecc03 918
98882637 919 /**
bbbf2d40 920 * Upgrade the admins.
1afecc03 921 * Sort using id ASC, first one is primary admin.
bbbf2d40 922 */
1afecc03 923 if (in_array($CFG->prefix.'user_admins', $dbtables)) {
924 if ($useradmins = get_records_sql('SELECT * from '.$CFG->prefix.'user_admins ORDER BY ID ASC')) {
925 foreach ($useradmins as $admin) {
926 role_assign($adminrole, $admin->userid, 0, $systemcontext->id);
927 }
928 }
929 } else {
930 // This is a fresh install.
bbbf2d40 931 }
1afecc03 932
933
bbbf2d40 934 /**
935 * Upgrade course creators.
936 */
1afecc03 937 if (in_array($CFG->prefix.'user_coursecreators', $dbtables)) {
938 if ($usercoursecreators = get_records('user_coursecreators')) {
939 foreach ($usercoursecreators as $coursecreator) {
56b4d70d 940 role_assign($coursecreatorrole, $coursecreator->userid, 0, $systemcontext->id);
1afecc03 941 }
942 }
bbbf2d40 943 }
944
1afecc03 945
bbbf2d40 946 /**
947 * Upgrade editting teachers and non-editting teachers.
948 */
1afecc03 949 if (in_array($CFG->prefix.'user_teachers', $dbtables)) {
950 if ($userteachers = get_records('user_teachers')) {
951 foreach ($userteachers as $teacher) {
17d6a25e 952 // populate the user_lastaccess table
953 unset($access);
954 $access->timeaccess = $teacher->timeaccess;
955 $access->userid = $teacher->userid;
956 $access->courseid = $teacher->course;
957 insert_record('user_lastaccess', $access);
958 // assign the default student role
1afecc03 959 $coursecontext = get_context_instance(CONTEXT_COURSE, $teacher->course); // needs cache
960 if ($teacher->editall) { // editting teacher
961 role_assign($editteacherrole, $teacher->userid, 0, $coursecontext->id);
962 } else {
963 role_assign($noneditteacherrole, $teacher->userid, 0, $coursecontext->id);
964 }
965 }
bbbf2d40 966 }
967 }
1afecc03 968
969
bbbf2d40 970 /**
971 * Upgrade students.
972 */
1afecc03 973 if (in_array($CFG->prefix.'user_students', $dbtables)) {
974 if ($userstudents = get_records('user_students')) {
17d6a25e 975 foreach ($userstudents as $student) {
976 // populate the user_lastaccess table
977 unset($access);
978 $access->timeaccess = $student->timeaccess;
979 $access->userid = $student->userid;
980 $access->courseid = $student->course;
981 insert_record('user_lastaccess', $access);
982 // assign the default student role
1afecc03 983 $coursecontext = get_context_instance(CONTEXT_COURSE, $student->course);
984 role_assign($studentrole, $student->userid, 0, $coursecontext->id);
985 }
986 }
bbbf2d40 987 }
1afecc03 988
989
bbbf2d40 990 /**
991 * Upgrade guest (only 1 entry).
992 */
1afecc03 993 if ($guestuser = get_record('user', 'username', 'guest')) {
994 role_assign($guestrole, $guestuser->id, 0, $systemcontext->id);
995 }
996
945f88ca 997 /**
998 * Insert the correct records for legacy roles
999 */
1000 allow_assign($adminrole, $adminrole);
1001 allow_assign($adminrole, $coursecreatorrole);
1002 allow_assign($adminrole, $noneditteacherrole);
1003 allow_assign($adminrole, $editteacherrole);
1004 allow_assign($adminrole, $studentrole);
1005 allow_assign($adminrole, $guestrole);
1006
1007 allow_assign($coursecreatorrole, $noneditteacherrole);
1008 allow_assign($coursecreatorrole, $editteacherrole);
1009 allow_assign($coursecreatorrole, $studentrole);
1010 allow_assign($coursecreatorrole, $guestrole);
1011
1012 allow_assign($editteacherrole, $noneditteacherrole);
1013 allow_assign($editteacherrole, $studentrole);
1014 allow_assign($editteacherrole, $guestrole);
1015
1016 /// overrides
1017 allow_override($adminrole, $adminrole);
1018 allow_override($adminrole, $coursecreatorrole);
1019 allow_override($adminrole, $noneditteacherrole);
1020 allow_override($adminrole, $editteacherrole);
1021 allow_override($adminrole, $studentrole);
5769734f 1022 allow_override($adminrole, $guestrole);
1afecc03 1023
746a04c5 1024
1afecc03 1025 // Should we delete the tables after we are done? Not yet.
bbbf2d40 1026}
1027
bbbf2d40 1028/**
1029 * Assign the defaults found in this capabality definition to roles that have
1030 * the corresponding legacy capabilities assigned to them.
1031 * @param $legacyperms - an array in the format (example):
1032 * 'guest' => CAP_PREVENT,
1033 * 'student' => CAP_ALLOW,
1034 * 'teacher' => CAP_ALLOW,
1035 * 'editingteacher' => CAP_ALLOW,
1036 * 'coursecreator' => CAP_ALLOW,
1037 * 'admin' => CAP_ALLOW
1038 * @return boolean - success or failure.
1039 */
1040function assign_legacy_capabilities($capability, $legacyperms) {
1041
1042 foreach ($legacyperms as $type => $perm) {
1043
1044 $systemcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
1045
1046 // The legacy capabilities are:
1047 // 'moodle/legacy:guest'
1048 // 'moodle/legacy:student'
1049 // 'moodle/legacy:teacher'
1050 // 'moodle/legacy:editingteacher'
1051 // 'moodle/legacy:coursecreator'
1052 // 'moodle/legacy:admin'
1053
2e85fffe 1054 if ($roles = get_roles_with_capability('moodle/legacy:'.$type, CAP_ALLOW)) {
1055 foreach ($roles as $role) {
1056 // Assign a site level capability.
1057 if (!assign_capability($capability, $perm, $role->id, $systemcontext->id)) {
1058 return false;
1059 }
bbbf2d40 1060 }
1061 }
1062 }
1063 return true;
1064}
1065
1066
cee0901c 1067/**
1068 * Checks to see if a capability is a legacy capability.
1069 * @param $capabilityname
1070 * @return boolean
1071 */
bbbf2d40 1072function islegacy($capabilityname) {
98882637 1073 if (strstr($capabilityname, 'legacy') === false) {
1074 return false;
1075 } else {
1076 return true;
1077 }
bbbf2d40 1078}
1079
cee0901c 1080
1081
1082/**********************************
bbbf2d40 1083 * Context Manipulation functions *
1084 **********************************/
1085
bbbf2d40 1086/**
1087 * This should be called prolly everytime a user, group, module, course,
1088 * coursecat or site is set up maybe?
1089 * @param $level
1090 * @param $instanceid
1091 */
d140ad3f 1092function create_context($aggregatelevel, $instanceid) {
1093 if (!get_record('context','aggregatelevel',$aggregatelevel,'instanceid',$instanceid)) {
bbbf2d40 1094 $context = new object;
d140ad3f 1095 $context->aggregatelevel = $aggregatelevel;
bbbf2d40 1096 $context->instanceid = $instanceid;
1097 return insert_record('context',$context);
1098 }
1099}
1100
1101
1102/**
1103 * Get the context instance as an object. This function will create the
1104 * context instance if it does not exist yet.
1105 * @param $level
1106 * @param $instance
1107 */
d140ad3f 1108function get_context_instance($aggregatelevel=NULL, $instance=SITEID) {
e5605780 1109
51195e6f 1110 global $context_cache, $context_cache_id, $CONTEXT;
d9a35e12 1111
340ea4e8 1112/// If no level is supplied then return the current global context if there is one
d140ad3f 1113 if (empty($aggregatelevel)) {
340ea4e8 1114 if (empty($CONTEXT)) {
ea82d6b6 1115 debugging("Error: get_context_instance() called without a context");
340ea4e8 1116 } else {
1117 return $CONTEXT;
1118 }
e5605780 1119 }
1120
340ea4e8 1121/// Check the cache
d140ad3f 1122 if (isset($context_cache[$aggregatelevel][$instance])) { // Already cached
1123 return $context_cache[$aggregatelevel][$instance];
e5605780 1124 }
1125
340ea4e8 1126/// Get it from the database, or create it
d140ad3f 1127 if (!$context = get_record('context', 'aggregatelevel', $aggregatelevel, 'instanceid', $instance)) {
1128 create_context($aggregatelevel, $instance);
1129 $context = get_record('context', 'aggregatelevel', $aggregatelevel, 'instanceid', $instance);
e5605780 1130 }
1131
ccfc5ecc 1132/// Only add to cache if context isn't empty.
1133 if (!empty($context)) {
1134 $context_cache[$aggregatelevel][$instance] = $context; // Cache it for later
1135 $context_cache_id[$context->id] = $context; // Cache it for later
1136 }
0468976c 1137
bbbf2d40 1138 return $context;
1139}
1140
cee0901c 1141
340ea4e8 1142/**
1143 * Get a context instance as an object, from a given id.
1144 * @param $id
1145 */
1146function get_context_instance_by_id($id) {
1147
d9a35e12 1148 global $context_cache, $context_cache_id;
1149
340ea4e8 1150 if (isset($context_cache_id[$id])) { // Already cached
75e84883 1151 return $context_cache_id[$id];
340ea4e8 1152 }
1153
1154 if ($context = get_record('context', 'id', $id)) { // Update the cache and return
d140ad3f 1155 $context_cache[$context->aggregatelevel][$context->instanceid] = $context;
340ea4e8 1156 $context_cache_id[$context->id] = $context;
1157 return $context;
1158 }
1159
1160 return false;
1161}
1162
bbbf2d40 1163
8737be58 1164/**
1165 * Get the local override (if any) for a given capability in a role in a context
1166 * @param $roleid
0468976c 1167 * @param $contextid
1168 * @param $capability
8737be58 1169 */
1170function get_local_override($roleid, $contextid, $capability) {
1171 return get_record('role_capabilities', 'roleid', $roleid, 'capability', $capability, 'contextid', $contextid);
1172}
1173
1174
bbbf2d40 1175
1176/************************************
1177 * DB TABLE RELATED FUNCTIONS *
1178 ************************************/
1179
cee0901c 1180/**
bbbf2d40 1181 * function that creates a role
1182 * @param name - role name
31f26796 1183 * @param shortname - role short name
bbbf2d40 1184 * @param description - role description
1185 * @param legacy - optional legacy capability
1186 * @return id or false
1187 */
31f26796 1188function create_role($name, $shortname, $description, $legacy='') {
98882637 1189
1190 // check for duplicate role name
1191
1192 if ($role = get_record('role','name', $name)) {
98882637 1193 error('there is already a role with this name!');
1194 }
1195
31f26796 1196 if ($role = get_record('role','shortname', $shortname)) {
1197 error('there is already a role with this shortname!');
1198 }
1199
98882637 1200 $role->name = $name;
31f26796 1201 $role->shortname = $shortname;
98882637 1202 $role->description = $description;
ec7a8b79 1203
1204 $context = get_context_instance(CONTEXT_SYSTEM, SITEID);
1205
98882637 1206 if ($id = insert_record('role', $role)) {
ec7a8b79 1207 if ($legacy) {
1afecc03 1208 assign_capability($legacy, CAP_ALLOW, $id, $context->id);
98882637 1209 }
ec7a8b79 1210
1211 /// By default, users with role:manage at site level
1212 /// should be able to assign users to this new role, and override this new role's capabilities
1213
1214 // find all admin roles
e46c0987 1215 if ($adminroles = get_roles_with_capability('moodle/role:manage', CAP_ALLOW, $context)) {
1216 // foreach admin role
1217 foreach ($adminroles as $arole) {
1218 // write allow_assign and allow_overrid
1219 allow_assign($arole->id, $id);
1220 allow_override($arole->id, $id);
1221 }
ec7a8b79 1222 }
1223
98882637 1224 return $id;
1225 } else {
1226 return false;
1227 }
bbbf2d40 1228
1229}
1230
1231/**
1232 * Function to write context specific overrides, or default capabilities.
1233 * @param module - string name
1234 * @param capability - string name
1235 * @param contextid - context id
1236 * @param roleid - role id
1237 * @param permission - int 1,-1 or -1000
1238 */
e7876c1e 1239function assign_capability($capability, $permission, $roleid, $contextid, $overwrite=false) {
98882637 1240
1241 global $USER;
1242
1243 if (empty($permission) || $permission == 0) { // if permission is not set
1244 unassign_capability($capability, $roleid, $contextid);
1245 }
bbbf2d40 1246
2e85fffe 1247 $existing = get_record('role_capabilities', 'contextid', $contextid, 'roleid', $roleid, 'capability', $capability);
e7876c1e 1248
1249 if ($existing and !$overwrite) { // We want to keep whatever is there already
1250 return true;
1251 }
1252
bbbf2d40 1253 $cap = new object;
1254 $cap->contextid = $contextid;
1255 $cap->roleid = $roleid;
1256 $cap->capability = $capability;
1257 $cap->permission = $permission;
1258 $cap->timemodified = time();
9db12da7 1259 $cap->modifierid = empty($USER->id) ? 0 : $USER->id;
e7876c1e 1260
1261 if ($existing) {
1262 $cap->id = $existing->id;
1263 return update_record('role_capabilities', $cap);
1264 } else {
1265 return insert_record('role_capabilities', $cap);
1266 }
bbbf2d40 1267}
1268
1269
1270/**
1271 * Unassign a capability from a role.
1272 * @param $roleid - the role id
1273 * @param $capability - the name of the capability
1274 * @return boolean - success or failure
1275 */
1276function unassign_capability($capability, $roleid, $contextid=NULL) {
98882637 1277
1278 if (isset($contextid)) {
1279 $status = delete_records('role_capabilities', 'capability', $capability,
1280 'roleid', $roleid, 'contextid', $contextid);
1281 } else {
1282 $status = delete_records('role_capabilities', 'capability', $capability,
1283 'roleid', $roleid);
1284 }
1285 return $status;
bbbf2d40 1286}
1287
1288
1289/**
1290 * Get the roles that have a given capability.
1291 * @param $capability - capability name (string)
1292 * @param $permission - optional, the permission defined for this capability
1293 * either CAP_ALLOW, CAP_PREVENT or CAP_PROHIBIT
1294 * @return array or role objects
1295 */
ec7a8b79 1296function get_roles_with_capability($capability, $permission=NULL, $context='') {
1297
bbbf2d40 1298 global $CFG;
1299
ec7a8b79 1300 if ($context) {
1301 if ($contexts = get_parent_contexts($context)) {
1302 $listofcontexts = '('.implode(',', $contexts).')';
1303 } else {
1304 $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
1305 $listofcontexts = '('.$sitecontext->id.')'; // must be site
1306 }
42ac3ecf 1307 $contextstr = "AND (rc.contextid = '$context->id' OR rc.contextid IN $listofcontexts)";
ec7a8b79 1308 } else {
1309 $contextstr = '';
1310 }
1311
bbbf2d40 1312 $selectroles = "SELECT r.*
42ac3ecf 1313 FROM {$CFG->prefix}role r,
1314 {$CFG->prefix}role_capabilities rc
bbbf2d40 1315 WHERE rc.capability = '$capability'
ec7a8b79 1316 AND rc.roleid = r.id $contextstr";
bbbf2d40 1317
1318 if (isset($permission)) {
1319 $selectroles .= " AND rc.permission = '$permission'";
1320 }
1321 return get_records_sql($selectroles);
1322}
1323
1324
1325/**
a9e1c058 1326 * This function makes a role-assignment (a role for a user or group in a particular context)
bbbf2d40 1327 * @param $roleid - the role of the id
1328 * @param $userid - userid
1329 * @param $groupid - group id
1330 * @param $contextid - id of the context
1331 * @param $timestart - time this assignment becomes effective
1332 * @param $timeend - time this assignemnt ceases to be effective
1333 * @uses $USER
1334 * @return id - new id of the assigment
1335 */
f44152f4 1336function role_assign($roleid, $userid, $groupid, $contextid, $timestart=0, $timeend=0, $hidden=0, $enrol='manual') {
aa311411 1337 global $USER, $CFG;
bbbf2d40 1338
ea82d6b6 1339 debugging("Assign roleid $roleid userid $userid contextid $contextid", E_ALL);
bbbf2d40 1340
a9e1c058 1341/// Do some data validation
1342
bbbf2d40 1343 if (empty($roleid)) {
a9e1c058 1344 notify('Role ID not provided');
1345 return false;
bbbf2d40 1346 }
1347
1348 if (empty($userid) && empty($groupid)) {
a9e1c058 1349 notify('Either userid or groupid must be provided');
1350 return false;
bbbf2d40 1351 }
7700027f 1352
1353 if ($userid && !record_exists('user', 'id', $userid)) {
1354 notify('User does not exist!');
1355 return false;
1356 }
bbbf2d40 1357
dc411d1b 1358 if ($groupid && !record_exists('groups', 'id', $groupid)) {
1359 notify('Group does not exist!');
1360 return false;
1361 }
1362
7700027f 1363 if (!$context = get_context_instance_by_id($contextid)) {
a9e1c058 1364 notify('A valid context must be provided');
1365 return false;
bbbf2d40 1366 }
1367
a9e1c058 1368 if (($timestart and $timeend) and ($timestart > $timeend)) {
7700027f 1369 notify('The end time can not be earlier than the start time');
a9e1c058 1370 return false;
1371 }
1372
7700027f 1373
a9e1c058 1374/// Check for existing entry
1375 if ($userid) {
7700027f 1376 $ra = get_record('role_assignments', 'roleid', $roleid, 'contextid', $context->id, 'userid', $userid);
a9e1c058 1377 } else {
7700027f 1378 $ra = get_record('role_assignments', 'roleid', $roleid, 'contextid', $context->id, 'groupid', $groupid);
a9e1c058 1379 }
1380
9ebcb4d2 1381
a9e1c058 1382 $newra = new object;
bbbf2d40 1383
a9e1c058 1384 if (empty($ra)) { // Create a new entry
1385 $newra->roleid = $roleid;
7700027f 1386 $newra->contextid = $context->id;
a9e1c058 1387 $newra->userid = $userid;
1388 $newra->groupid = $groupid;
1389
1390 $newra->hidden = $hidden;
f44152f4 1391 $newra->enrol = $enrol;
a9e1c058 1392 $newra->timestart = $timestart;
1393 $newra->timeend = $timeend;
1394 $newra->timemodified = time();
1395 $newra->modifier = empty($USER->id) ? 0 : $USER->id;
1396
9ebcb4d2 1397 $success = insert_record('role_assignments', $newra);
a9e1c058 1398
1399 } else { // We already have one, just update it
1400
1401 $newra->id = $ra->id;
1402 $newra->hidden = $hidden;
f44152f4 1403 $newra->enrol = $enrol;
a9e1c058 1404 $newra->timestart = $timestart;
1405 $newra->timeend = $timeend;
1406 $newra->timemodified = time();
1407 $newra->modifier = empty($USER->id) ? 0 : $USER->id;
1408
9ebcb4d2 1409 $success = update_record('role_assignments', $newra);
1410 }
1411
7700027f 1412 if ($success) { /// Role was assigned, so do some other things
1413
1414 /// If the user is the current user, then reload the capabilities too.
1415 if (!empty($USER->id) && $USER->id == $userid) {
1416 load_user_capability();
1417 }
1418
0f161e1f 1419 /// Ask all the modules if anything needs to be done for this user
1420 if ($mods = get_list_of_plugins('mod')) {
1421 foreach ($mods as $mod) {
1422 include_once($CFG->dirroot.'/mod/'.$mod.'/lib.php');
1423 $functionname = $mod.'_role_assign';
1424 if (function_exists($functionname)) {
1425 $functionname($userid, $context);
1426 }
1427 }
1428 }
1429
1430 /// Make sure they have an entry in user_lastaccess for courses they can access
1431 // role_add_lastaccess_entries($userid, $context);
a9e1c058 1432 }
4e5f3064 1433
1434 /// now handle metacourse role assignments if in course context
1435 if ($success and $context->aggregatelevel == CONTEXT_COURSE) {
1436 if ($parents = get_records('course_meta', 'child_course', $context->instanceid)) {
1437 foreach ($parents as $parent) {
1aad4310 1438 sync_metacourse($parent->parent_course);
4e5f3064 1439 }
1440 }
1441 }
6eb4f823 1442
1443 return $success;
bbbf2d40 1444}
1445
1446
1447/**
1dc1f037 1448 * Deletes one or more role assignments. You must specify at least one parameter.
bbbf2d40 1449 * @param $roleid
1450 * @param $userid
1451 * @param $groupid
1452 * @param $contextid
1453 * @return boolean - success or failure
1454 */
1dc1f037 1455function role_unassign($roleid=0, $userid=0, $groupid=0, $contextid=0) {
d74067e8 1456
1457 global $USER, $CFG;
4e5f3064 1458
1459 $success = true;
d74067e8 1460
1dc1f037 1461 $args = array('roleid', 'userid', 'groupid', 'contextid');
1462 $select = array();
1463 foreach ($args as $arg) {
1464 if ($$arg) {
1465 $select[] = $arg.' = '.$$arg;
1466 }
1467 }
d74067e8 1468
1dc1f037 1469 if ($select) {
4e5f3064 1470 if ($ras = get_records_select('role_assignments', implode(' AND ', $select))) {
1471 $mods = get_list_of_plugins('mod');
1472 foreach($ras as $ra) {
86e2c51d 1473 /// infinite loop protection when deleting recursively
1474 if (!$ra = get_record('role_assignments', 'id', $ra->id)) {
1475 continue;
1476 }
4e5f3064 1477 $success = delete_records('role_assignments', 'id', $ra->id) and $success;
86e2c51d 1478
4e5f3064 1479 /// If the user is the current user, then reload the capabilities too.
1480 if (!empty($USER->id) && $USER->id == $ra->userid) {
1481 load_user_capability();
1482 }
1483 $context = get_record('context', 'id', $ra->contextid);
0f161e1f 1484
1485 /// Ask all the modules if anything needs to be done for this user
4e5f3064 1486 foreach ($mods as $mod) {
1487 include_once($CFG->dirroot.'/mod/'.$mod.'/lib.php');
1488 $functionname = $mod.'_role_unassign';
1489 if (function_exists($functionname)) {
1490 $functionname($ra->userid, $context); // watch out, $context might be NULL if something goes wrong
1491 }
1492 }
1493
1494 /// now handle metacourse role unassigment and removing from goups if in course context
1495 if (!empty($context) and $context->aggregatelevel == CONTEXT_COURSE) {
1496 //remove from groups when user has no role
1497 $roles = get_user_roles($context, $ra->userid, true);
1498 if (empty($roles)) {
1499 if ($groups = get_groups($context->instanceid, $ra->userid)) {
1500 foreach ($groups as $group) {
1501 delete_records('groups_members', 'groupid', $group->id, 'userid', $ra->userid);
1502 }
1503 }
1504 }
1aad4310 1505 //unassign roles in metacourses if needed
4e5f3064 1506 if ($parents = get_records('course_meta', 'child_course', $context->instanceid)) {
1507 foreach ($parents as $parent) {
1aad4310 1508 sync_metacourse($parent->parent_course);
0f161e1f 1509 }
1510 }
0f161e1f 1511 }
1512 }
d74067e8 1513 }
1dc1f037 1514 }
4e5f3064 1515
1516 return $success;
bbbf2d40 1517}
1518
b963384f 1519/*
1520 * A convenience function to take care of the common case where you
1521 * just want to enrol someone using the default role into a course
1522 *
1523 * @param object $course
1524 * @param object $user
1525 * @param string $enrol - the plugin used to do this enrolment
1526 */
1527function enrol_into_course($course, $user, $enrol) {
1528
1529 if ($course->enrolperiod) {
1530 $timestart = time();
1531 $timeend = time() + $course->enrolperiod;
1532 } else {
1533 $timestart = $timeend = 0;
1534 }
1535
1536 if ($role = get_default_course_role($course)) {
c4381ef5 1537
1538 $context = get_context_instance(CONTEXT_COURSE, $course->id);
1539
b963384f 1540 if (role_assign($role->id, $user->id, 0, $context->id, $timestart, $timeend, 0, $enrol)) {
1541 return false;
1542 }
1543
1544 email_welcome_message_to_user($course, $user);
1545
1546 add_to_log($course->id, 'course', 'enrol', 'view.php?id='.$course->id, $user->id);
1547
1548 return true;
1549 }
1550
1551 return false;
1552}
1553
0f161e1f 1554/**
1555 * Add last access times to user_lastaccess as required
1556 * @param $userid
1557 * @param $context
1558 * @return boolean - success or failure
1559 */
1560function role_add_lastaccess_entries($userid, $context) {
1561
1562 global $USER, $CFG;
1563
1564 if (empty($context->aggregatelevel)) {
1565 return false;
1566 }
1567
1568 $lastaccess = new object; // Reusable object below
1569 $lastaccess->userid = $userid;
1570 $lastaccess->timeaccess = 0;
1571
1572 switch ($context->aggregatelevel) {
1573
1574 case CONTEXT_SYSTEM: // For the whole site
1575 if ($courses = get_record('course')) {
1576 foreach ($courses as $course) {
1577 $lastaccess->courseid = $course->id;
1578 role_set_lastaccess($lastaccess);
1579 }
1580 }
1581 break;
1582
1583 case CONTEXT_CATEGORY: // For a whole category
1584 if ($courses = get_record('course', 'category', $context->instanceid)) {
1585 foreach ($courses as $course) {
1586 $lastaccess->courseid = $course->id;
1587 role_set_lastaccess($lastaccess);
1588 }
1589 }
1590 if ($categories = get_record('course_categories', 'parent', $context->instanceid)) {
1591 foreach ($categories as $category) {
1592 $subcontext = get_context_instance(CONTEXT_CATEGORY, $category->id);
1593 role_add_lastaccess_entries($userid, $subcontext);
1594 }
1595 }
1596 break;
1597
1598
1599 case CONTEXT_COURSE: // For a whole course
1600 if ($course = get_record('course', 'id', $context->instanceid)) {
1601 $lastaccess->courseid = $course->id;
1602 role_set_lastaccess($lastaccess);
1603 }
1604 break;
1605 }
1606}
1607
1608/**
1609 * Delete last access times from user_lastaccess as required
1610 * @param $userid
1611 * @param $context
1612 * @return boolean - success or failure
1613 */
1614function role_remove_lastaccess_entries($userid, $context) {
1615
1616 global $USER, $CFG;
1617
1618}
1619
bbbf2d40 1620
1621/**
1622 * Loads the capability definitions for the component (from file). If no
1623 * capabilities are defined for the component, we simply return an empty array.
1624 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
1625 * @return array of capabilities
1626 */
1627function load_capability_def($component) {
1628 global $CFG;
1629
1630 if ($component == 'moodle') {
1631 $defpath = $CFG->libdir.'/db/access.php';
1632 $varprefix = 'moodle';
1633 } else {
0c4d9f49 1634 $compparts = explode('/', $component);
1635
1636 if ($compparts[0] == 'block') {
1637 // Blocks are an exception. Blocks directory is 'blocks', and not
1638 // 'block'. So we need to jump through hoops.
1639 $defpath = $CFG->dirroot.'/'.$compparts[0].
1640 's/'.$compparts[1].'/db/access.php';
1641 $varprefix = $compparts[0].'_'.$compparts[1];
1642 } else {
1643 $defpath = $CFG->dirroot.'/'.$component.'/db/access.php';
1644 $varprefix = str_replace('/', '_', $component);
1645 }
bbbf2d40 1646 }
1647 $capabilities = array();
1648
1649 if (file_exists($defpath)) {
1650 require_once($defpath);
1651 $capabilities = ${$varprefix.'_capabilities'};
1652 }
1653 return $capabilities;
1654}
1655
1656
1657/**
1658 * Gets the capabilities that have been cached in the database for this
1659 * component.
1660 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
1661 * @return array of capabilities
1662 */
1663function get_cached_capabilities($component='moodle') {
1664 if ($component == 'moodle') {
1665 $storedcaps = get_records_select('capabilities',
1666 "name LIKE 'moodle/%:%'");
1667 } else {
1668 $storedcaps = get_records_select('capabilities',
1669 "name LIKE '$component:%'");
1670 }
1671 return $storedcaps;
1672}
1673
1674
1675/**
1676 * Updates the capabilities table with the component capability definitions.
1677 * If no parameters are given, the function updates the core moodle
1678 * capabilities.
1679 *
1680 * Note that the absence of the db/access.php capabilities definition file
1681 * will cause any stored capabilities for the component to be removed from
1682 * the database.
1683 *
1684 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
1685 * @return boolean
1686 */
1687function update_capabilities($component='moodle') {
1688
1689 $storedcaps = array();
be4486da 1690
1691 $filecaps = load_capability_def($component);
bbbf2d40 1692 $cachedcaps = get_cached_capabilities($component);
1693 if ($cachedcaps) {
1694 foreach ($cachedcaps as $cachedcap) {
1695 array_push($storedcaps, $cachedcap->name);
be4486da 1696 // update risk bitmasks in existing capabilitites if needed
1697 if (array_key_exists($cachedcap->name, $filecaps)) {
1698 if (!array_key_exists('riskbitmask', $filecaps[$cachedcap->name])) {
2b531945 1699 $filecaps[$cachedcap->name]['riskbitmask'] = 0; // no risk if not specified
be4486da 1700 }
1701 if ($cachedcap->riskbitmask != $filecaps[$cachedcap->name]['riskbitmask']) {
1702 $updatecap = new object;
1703 $updatecap->id = $cachedcap->id;
1704 $updatecap->riskbitmask = $filecaps[$cachedcap->name]['riskbitmask'];
1705 if (!update_record('capabilities', $updatecap)) {
1706 return false;
1707 }
1708 }
1709 }
bbbf2d40 1710 }
1711 }
be4486da 1712
bbbf2d40 1713 // Are there new capabilities in the file definition?
1714 $newcaps = array();
1715
1716 foreach ($filecaps as $filecap => $def) {
1717 if (!$storedcaps ||
1718 ($storedcaps && in_array($filecap, $storedcaps) === false)) {
2b531945 1719 if (!array_key_exists('riskbitmask', $def)) {
1720 $def['riskbitmask'] = 0; // no risk if not specified
1721 }
bbbf2d40 1722 $newcaps[$filecap] = $def;
1723 }
1724 }
1725 // Add new capabilities to the stored definition.
1726 foreach ($newcaps as $capname => $capdef) {
1727 $capability = new object;
1728 $capability->name = $capname;
1729 $capability->captype = $capdef['captype'];
1730 $capability->contextlevel = $capdef['contextlevel'];
1731 $capability->component = $component;
be4486da 1732 $capability->riskbitmask = $capdef['riskbitmask'];
bbbf2d40 1733
1734 if (!insert_record('capabilities', $capability, false, 'id')) {
1735 return false;
1736 }
ab5c9044 1737
1738 global $db;
1739 $db->debug= 999;
bbbf2d40 1740 // Do we need to assign the new capabilities to roles that have the
1741 // legacy capabilities moodle/legacy:* as well?
1742 if (isset($capdef['legacy']) && is_array($capdef['legacy']) &&
1743 !assign_legacy_capabilities($capname, $capdef['legacy'])) {
2e85fffe 1744 notify('Could not assign legacy capabilities for '.$capname);
bbbf2d40 1745 }
1746 }
1747 // Are there any capabilities that have been removed from the file
1748 // definition that we need to delete from the stored capabilities and
1749 // role assignments?
1750 capabilities_cleanup($component, $filecaps);
1751
1752 return true;
1753}
1754
1755
1756/**
1757 * Deletes cached capabilities that are no longer needed by the component.
1758 * Also unassigns these capabilities from any roles that have them.
1759 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
1760 * @param $newcapdef - array of the new capability definitions that will be
1761 * compared with the cached capabilities
1762 * @return int - number of deprecated capabilities that have been removed
1763 */
1764function capabilities_cleanup($component, $newcapdef=NULL) {
1765
1766 $removedcount = 0;
1767
1768 if ($cachedcaps = get_cached_capabilities($component)) {
1769 foreach ($cachedcaps as $cachedcap) {
1770 if (empty($newcapdef) ||
1771 array_key_exists($cachedcap->name, $newcapdef) === false) {
1772
1773 // Remove from capabilities cache.
1774 if (!delete_records('capabilities', 'name', $cachedcap->name)) {
1775 error('Could not delete deprecated capability '.$cachedcap->name);
1776 } else {
1777 $removedcount++;
1778 }
1779 // Delete from roles.
1780 if($roles = get_roles_with_capability($cachedcap->name)) {
1781 foreach($roles as $role) {
46943f7b 1782 if (!unassign_capability($cachedcap->name, $role->id)) {
bbbf2d40 1783 error('Could not unassign deprecated capability '.
1784 $cachedcap->name.' from role '.$role->name);
1785 }
1786 }
1787 }
1788 } // End if.
1789 }
1790 }
1791 return $removedcount;
1792}
1793
1794
1795
cee0901c 1796/****************
1797 * UI FUNCTIONS *
1798 ****************/
bbbf2d40 1799
1800
1801/**
1802 * prints human readable context identifier.
1803 */
0468976c 1804function print_context_name($context) {
340ea4e8 1805
ec0810ee 1806 $name = '';
d140ad3f 1807 switch ($context->aggregatelevel) {
ec0810ee 1808
bbbf2d40 1809 case CONTEXT_SYSTEM: // by now it's a definite an inherit
ec0810ee 1810 $name = get_string('site');
340ea4e8 1811 break;
bbbf2d40 1812
1813 case CONTEXT_PERSONAL:
ec0810ee 1814 $name = get_string('personal');
340ea4e8 1815 break;
1816
4b10f08b 1817 case CONTEXT_USER:
ec0810ee 1818 if ($user = get_record('user', 'id', $context->instanceid)) {
1819 $name = get_string('user').': '.fullname($user);
1820 }
340ea4e8 1821 break;
1822
bbbf2d40 1823 case CONTEXT_COURSECAT: // Coursecat -> coursecat or site
ec0810ee 1824 if ($category = get_record('course_categories', 'id', $context->instanceid)) {
1825 $name = get_string('category').': '.$category->name;
1826 }
340ea4e8 1827 break;
bbbf2d40 1828
1829 case CONTEXT_COURSE: // 1 to 1 to course cat
ec0810ee 1830 if ($course = get_record('course', 'id', $context->instanceid)) {
1831 $name = get_string('course').': '.$course->fullname;
1832 }
340ea4e8 1833 break;
bbbf2d40 1834
1835 case CONTEXT_GROUP: // 1 to 1 to course
ec0810ee 1836 if ($group = get_record('groups', 'id', $context->instanceid)) {
1837 $name = get_string('group').': '.$group->name;
1838 }
340ea4e8 1839 break;
bbbf2d40 1840
1841 case CONTEXT_MODULE: // 1 to 1 to course
98882637 1842 if ($cm = get_record('course_modules','id',$context->instanceid)) {
1843 if ($module = get_record('modules','id',$cm->module)) {
1844 if ($mod = get_record($module->name, 'id', $cm->instance)) {
ec0810ee 1845 $name = get_string('activitymodule').': '.$mod->name;
98882637 1846 }
ec0810ee 1847 }
1848 }
340ea4e8 1849 break;
bbbf2d40 1850
1851 case CONTEXT_BLOCK: // 1 to 1 to course
98882637 1852 if ($blockinstance = get_record('block_instance','id',$context->instanceid)) {
1853 if ($block = get_record('block','id',$blockinstance->blockid)) {
91be52d7 1854 global $CFG;
1855 require_once("$CFG->dirroot/blocks/moodleblock.class.php");
1856 require_once("$CFG->dirroot/blocks/$block->name/block_$block->name.php");
1857 $blockname = "block_$block->name";
1858 if ($blockobject = new $blockname()) {
1859 $name = $blockobject->title.' ('.get_string('block').')';
1860 }
ec0810ee 1861 }
1862 }
340ea4e8 1863 break;
bbbf2d40 1864
1865 default:
1866 error ('This is an unknown context!');
340ea4e8 1867 return false;
1868
1869 }
340ea4e8 1870 return $name;
bbbf2d40 1871}
1872
1873
1874/**
1875 * Extracts the relevant capabilities given a contextid.
1876 * All case based, example an instance of forum context.
1877 * Will fetch all forum related capabilities, while course contexts
1878 * Will fetch all capabilities
0468976c 1879 * @param object context
bbbf2d40 1880 * @return array();
1881 *
1882 * capabilities
1883 * `name` varchar(150) NOT NULL,
1884 * `captype` varchar(50) NOT NULL,
1885 * `contextlevel` int(10) NOT NULL,
1886 * `component` varchar(100) NOT NULL,
1887 */
0468976c 1888function fetch_context_capabilities($context) {
98882637 1889
1890 global $CFG;
bbbf2d40 1891
1892 $sort = 'ORDER BY contextlevel,component,id'; // To group them sensibly for display
98882637 1893
d140ad3f 1894 switch ($context->aggregatelevel) {
bbbf2d40 1895
98882637 1896 case CONTEXT_SYSTEM: // all
1897 $SQL = "select * from {$CFG->prefix}capabilities";
bbbf2d40 1898 break;
1899
1900 case CONTEXT_PERSONAL:
0a8a95c9 1901 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_PERSONAL;
bbbf2d40 1902 break;
1903
4b10f08b 1904 case CONTEXT_USER:
1905 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_USER;
bbbf2d40 1906 break;
1907
1908 case CONTEXT_COURSECAT: // all
98882637 1909 $SQL = "select * from {$CFG->prefix}capabilities";
bbbf2d40 1910 break;
1911
1912 case CONTEXT_COURSE: // all
98882637 1913 $SQL = "select * from {$CFG->prefix}capabilities";
bbbf2d40 1914 break;
1915
1916 case CONTEXT_GROUP: // group caps
1917 break;
1918
1919 case CONTEXT_MODULE: // mod caps
98882637 1920 $cm = get_record('course_modules', 'id', $context->instanceid);
1921 $module = get_record('modules', 'id', $cm->module);
bbbf2d40 1922
98882637 1923 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_MODULE."
1924 and component = 'mod/$module->name'";
bbbf2d40 1925 break;
1926
1927 case CONTEXT_BLOCK: // block caps
98882637 1928 $cb = get_record('block_instance', 'id', $context->instanceid);
1929 $block = get_record('block', 'id', $cb->blockid);
bbbf2d40 1930
98882637 1931 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_BLOCK."
1932 and component = 'block/$block->name'";
bbbf2d40 1933 break;
1934
1935 default:
1936 return false;
1937 }
1938
1939 $records = get_records_sql($SQL.' '.$sort);
69eb59f2 1940
1941 // special sorting of core system capabiltites and enrollments
1942 if ($context->aggregatelevel == CONTEXT_SYSTEM) {
1943 $first = array();
1944 foreach ($records as $key=>$record) {
1945 if (preg_match('|^moodle/|', $record->name) and $record->contextlevel == CONTEXT_SYSTEM) {
1946 $first[$key] = $record;
1947 unset($records[$key]);
1948 } else if (count($first)){
1949 break;
1950 }
1951 }
1952 if (count($first)) {
1953 $records = $first + $records; // merge the two arrays keeping the keys
1954 }
1955 }
1956 // end of special sorting
1957
bbbf2d40 1958 return $records;
1959
1960}
1961
1962
1963/**
1964 * This function pulls out all the resolved capabilities (overrides and
1965 * defaults) of a role used in capability overrieds in contexts at a given
1966 * context.
0a8a95c9 1967 * @param obj $context
bbbf2d40 1968 * @param int $roleid
1969 * @return array
1970 */
1648afb2 1971function role_context_capabilities($roleid, $context, $cap='') {
98882637 1972 global $CFG;
1973
8521d83a 1974 $contexts = get_parent_contexts($context);
1975 $contexts[] = $context->id;
98882637 1976 $contexts = '('.implode(',', $contexts).')';
1977
1648afb2 1978 if ($cap) {
e4697bf7 1979 $search = " AND rc.capability = '$cap' ";
1648afb2 1980 } else {
1981 $search = '';
1982 }
1983
98882637 1984 $SQL = "SELECT rc.* FROM {$CFG->prefix}role_capabilities rc, {$CFG->prefix}context c
1985 where rc.contextid in $contexts
1986 and rc.roleid = $roleid
1648afb2 1987 and rc.contextid = c.id $search
d140ad3f 1988 ORDER BY c.aggregatelevel DESC, rc.capability DESC";
1648afb2 1989
98882637 1990 $capabilities = array();
1991
4729012f 1992 if ($records = get_records_sql($SQL)) {
1993 // We are traversing via reverse order.
1994 foreach ($records as $record) {
1995 // If not set yet (i.e. inherit or not set at all), or currently we have a prohibit
1996 if (!isset($capabilities[$record->capability]) || $record->permission<-500) {
1997 $capabilities[$record->capability] = $record->permission;
1998 }
1999 }
98882637 2000 }
2001 return $capabilities;
bbbf2d40 2002}
2003
bbbf2d40 2004/**
0468976c 2005 * Recursive function which, given a context, find all parent context ids,
bbbf2d40 2006 * and return the array in reverse order, i.e. parent first, then grand
2007 * parent, etc.
2008 * @param object $context
2009 * @return array()
2010 */
bbbf2d40 2011function get_parent_contexts($context) {
2012
d140ad3f 2013 switch ($context->aggregatelevel) {
bbbf2d40 2014
2015 case CONTEXT_SYSTEM: // no parent
957861f7 2016 return array();
bbbf2d40 2017 break;
2018
2019 case CONTEXT_PERSONAL:
957861f7 2020 if (!$parent = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
2021 return array();
2022 } else {
2023 return array($parent->id);
2024 }
bbbf2d40 2025 break;
2026
4b10f08b 2027 case CONTEXT_USER:
957861f7 2028 if (!$parent = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
2029 return array();
2030 } else {
2031 return array($parent->id);
2032 }
bbbf2d40 2033 break;
2034
2035 case CONTEXT_COURSECAT: // Coursecat -> coursecat or site
957861f7 2036 if (!$coursecat = get_record('course_categories','id',$context->instanceid)) {
2037 return array();
2038 }
c5ddc3fd 2039 if (!empty($coursecat->parent)) { // return parent value if exist
bbbf2d40 2040 $parent = get_context_instance(CONTEXT_COURSECAT, $coursecat->parent);
2041 return array_merge(array($parent->id), get_parent_contexts($parent));
2042 } else { // else return site value
2043 $parent = get_context_instance(CONTEXT_SYSTEM, SITEID);
2044 return array($parent->id);
2045 }
2046 break;
2047
2048 case CONTEXT_COURSE: // 1 to 1 to course cat
957861f7 2049 if (!$course = get_record('course','id',$context->instanceid)) {
2050 return array();
2051 }
2052 if (!empty($course->category)) {
2053 $parent = get_context_instance(CONTEXT_COURSECAT, $course->category);
2054 return array_merge(array($parent->id), get_parent_contexts($parent));
2055 } else {
2056 return array();
2057 }
bbbf2d40 2058 break;
2059
2060 case CONTEXT_GROUP: // 1 to 1 to course
957861f7 2061 if (!$group = get_record('groups','id',$context->instanceid)) {
2062 return array();
2063 }
2064 if ($parent = get_context_instance(CONTEXT_COURSE, $group->courseid)) {
2065 return array_merge(array($parent->id), get_parent_contexts($parent));
2066 } else {
2067 return array();
2068 }
bbbf2d40 2069 break;
2070
2071 case CONTEXT_MODULE: // 1 to 1 to course
957861f7 2072 if (!$cm = get_record('course_modules','id',$context->instanceid)) {
2073 return array();
2074 }
2075 if ($parent = get_context_instance(CONTEXT_COURSE, $cm->course)) {
2076 return array_merge(array($parent->id), get_parent_contexts($parent));
2077 } else {
2078 return array();
2079 }
bbbf2d40 2080 break;
2081
2082 case CONTEXT_BLOCK: // 1 to 1 to course
957861f7 2083 if (!$block = get_record('block_instance','id',$context->instanceid)) {
2084 return array();
2085 }
2086 if ($parent = get_context_instance(CONTEXT_COURSE, $block->pageid)) {
2087 return array_merge(array($parent->id), get_parent_contexts($parent));
2088 } else {
2089 return array();
2090 }
bbbf2d40 2091 break;
2092
2093 default:
957861f7 2094 error('This is an unknown context!');
bbbf2d40 2095 return false;
2096 }
bbbf2d40 2097}
2098
ea8158c1 2099/** gets a string for sql calls, searching for stuff
2100 * in this context or above
2101 * @param object $context
2102 * @return string
2103 */
2104function get_related_contexts_string($context) {
2105 if ($parents = get_parent_contexts($context)) {
2106 return (' IN ('.$context->id.','.implode(',', $parents).')');
2107 } else {
2108 return (' ='.$context->id);
2109 }
2110}
bbbf2d40 2111/**
2112 * This function gets the capability of a role in a given context.
2113 * It is needed when printing override forms.
2114 * @param int $contextid
bbbf2d40 2115 * @param string $capability
2116 * @param array $capabilities - array loaded using role_context_capabilities
2117 * @return int (allow, prevent, prohibit, inherit)
2118 */
bbbf2d40 2119function get_role_context_capability($contextid, $capability, $capabilities) {
98882637 2120 return $capabilities[$contextid][$capability];
bbbf2d40 2121}
2122
2123
cee0901c 2124/**
2125 * Returns the human-readable, translated version of the capability.
2126 * Basically a big switch statement.
2127 * @param $capabilityname - e.g. mod/choice:readresponses
2128 */
ceb83c70 2129function get_capability_string($capabilityname) {
ae9e4c06 2130
cee0901c 2131 // Typical capabilityname is mod/choice:readresponses
ceb83c70 2132
2133 $names = split('/', $capabilityname);
2134 $stringname = $names[1]; // choice:readresponses
2135 $components = split(':', $stringname);
2136 $componentname = $components[0]; // choice
98882637 2137
2138 switch ($names[0]) {
2139 case 'mod':
ceb83c70 2140 $string = get_string($stringname, $componentname);
98882637 2141 break;
2142
2143 case 'block':
ceb83c70 2144 $string = get_string($stringname, 'block_'.$componentname);
98882637 2145 break;
ceb83c70 2146
98882637 2147 case 'moodle':
ceb83c70 2148 $string = get_string($stringname, 'role');
98882637 2149 break;
2150
2151 case 'enrol':
ceb83c70 2152 $string = get_string($stringname, 'enrol_'.$componentname);
2153 break;
98882637 2154
2155 default:
ceb83c70 2156 $string = get_string($stringname);
98882637 2157 break;
98882637 2158
2159 }
ceb83c70 2160 return $string;
bbbf2d40 2161}
2162
2163
cee0901c 2164/**
2165 * This gets the mod/block/course/core etc strings.
2166 * @param $component
2167 * @param $contextlevel
2168 */
bbbf2d40 2169function get_component_string($component, $contextlevel) {
2170
98882637 2171 switch ($contextlevel) {
bbbf2d40 2172
98882637 2173 case CONTEXT_SYSTEM:
be382aaf 2174 if (preg_match('|^enrol/|', $component)) {
2175 $langname = str_replace('/', '_', $component);
2176 $string = get_string('enrolname', $langname);
69eb59f2 2177 } else {
2178 $string = get_string('coresystem');
2179 }
bbbf2d40 2180 break;
2181
2182 case CONTEXT_PERSONAL:
98882637 2183 $string = get_string('personal');
bbbf2d40 2184 break;
2185
4b10f08b 2186 case CONTEXT_USER:
98882637 2187 $string = get_string('users');
bbbf2d40 2188 break;
2189
2190 case CONTEXT_COURSECAT:
98882637 2191 $string = get_string('categories');
bbbf2d40 2192 break;
2193
2194 case CONTEXT_COURSE:
98882637 2195 $string = get_string('course');
bbbf2d40 2196 break;
2197
2198 case CONTEXT_GROUP:
98882637 2199 $string = get_string('group');
bbbf2d40 2200 break;
2201
2202 case CONTEXT_MODULE:
98882637 2203 $string = get_string('modulename', basename($component));
bbbf2d40 2204 break;
2205
2206 case CONTEXT_BLOCK:
98882637 2207 $string = get_string('blockname', 'block_'.$component.'.php');
bbbf2d40 2208 break;
2209
2210 default:
2211 error ('This is an unknown context!');
2212 return false;
98882637 2213
2214 }
98882637 2215 return $string;
bbbf2d40 2216}
cee0901c 2217
945f88ca 2218/** gets the list of roles assigned to this context
2d9965e1 2219 * and up (parents)
945f88ca 2220 * @param object $context
2221 * @return array
2222 */
e4dd3222 2223function get_roles_used_in_context($context) {
2224
2225 global $CFG;
2d9965e1 2226
2227 $contextlist = get_related_contexts_string($context);
2228 return get_records_sql("SELECT distinct r.id, r.name, r.shortname
2229 FROM {$CFG->prefix}role_assignments ra,
2230 {$CFG->prefix}role r
e4dd3222 2231 WHERE r.id = ra.roleid
2d9965e1 2232 AND ra.contextid $contextlist
2233 ORDER BY r.sortorder ASC");
e4dd3222 2234}
2235
945f88ca 2236/** this function is used to print roles column in user profile page.
2237 * @param int userid
2238 * @param int contextid
2239 * @return string
2240 */
0a8a95c9 2241function get_user_roles_in_context($userid, $contextid){
2242 global $CFG;
2243
2244 $rolestring = '';
2245 $SQL = 'select * from '.$CFG->prefix.'role_assignments ra, '.$CFG->prefix.'role r where ra.userid='.$userid.' and ra.contextid='.$contextid.' and ra.roleid = r.id';
2246 if ($roles = get_records_sql($SQL)) {
2247 foreach ($roles as $userrole) {
2248 $rolestring .= '<a href="'.$CFG->wwwroot.'/user/index.php?contextid='.$userrole->contextid.'&amp;roleid='.$userrole->roleid.'">'.$userrole->name.'</a>, ';
2249 }
2250
2251 }
2252 return rtrim($rolestring, ', ');
2253}
68c52526 2254
2255
945f88ca 2256/**
2257 * Checks if a user can override capabilities of a particular role in this context
2258 * @param object $context
2259 * @param int targetroleid - the id of the role you want to override
2260 * @return boolean
2261 */
68c52526 2262function user_can_override($context, $targetroleid) {
2263 // first check if user has override capability
2264 // if not return false;
2265 if (!has_capability('moodle/role:override', $context)) {
2266 return false;
2267 }
2268 // pull out all active roles of this user from this context(or above)
c0614051 2269 if ($userroles = get_user_roles($context)) {
2270 foreach ($userroles as $userrole) {
2271 // if any in the role_allow_override table, then it's ok
2272 if (get_record('role_allow_override', 'roleid', $userrole->roleid, 'allowoverride', $targetroleid)) {
2273 return true;
2274 }
68c52526 2275 }
2276 }
2277
2278 return false;
2279
2280}
2281
945f88ca 2282/**
2283 * Checks if a user can assign users to a particular role in this context
2284 * @param object $context
2285 * @param int targetroleid - the id of the role you want to assign users to
2286 * @return boolean
2287 */
68c52526 2288function user_can_assign($context, $targetroleid) {
2289
2290 // first check if user has override capability
2291 // if not return false;
2292 if (!has_capability('moodle/role:assign', $context)) {
2293 return false;
2294 }
2295 // pull out all active roles of this user from this context(or above)
c0614051 2296 if ($userroles = get_user_roles($context)) {
2297 foreach ($userroles as $userrole) {
2298 // if any in the role_allow_override table, then it's ok
2299 if (get_record('role_allow_assign', 'roleid', $userrole->roleid, 'allowassign', $targetroleid)) {
2300 return true;
2301 }
68c52526 2302 }
2303 }
2304
2305 return false;
2306}
2307
945f88ca 2308/**
2309 * gets all the user roles assigned in this context, or higher contexts
2310 * this is mainly used when checking if a user can assign a role, or overriding a role
2311 * i.e. we need to know what this user holds, in order to verify against allow_assign and
2312 * allow_override tables
2313 * @param object $context
2314 * @param int $userid
2315 * @return array
2316 */
5b630667 2317function get_user_roles($context, $userid=0, $checkparentcontexts=true) {
68c52526 2318
2319 global $USER, $CFG, $db;
c0614051 2320
2321 if (empty($userid)) {
2322 if (empty($USER->id)) {
2323 return array();
2324 }
2325 $userid = $USER->id;
2326 }
2327
5b630667 2328 if ($checkparentcontexts && ($parents = get_parent_contexts($context))) {
2329 $contexts = ' ra.contextid IN ('.implode(',' , $parents).','.$context->id.')';
c0614051 2330 } else {
5b630667 2331 $contexts = ' ra.contextid = \''.$context->id.'\'';
c0614051 2332 }
2333
31f26796 2334 return get_records_sql('SELECT ra.*, r.name, r.shortname
5b630667 2335 FROM '.$CFG->prefix.'role_assignments ra,
ec6eb110 2336 '.$CFG->prefix.'role r,
2337 '.$CFG->prefix.'context c
c0614051 2338 WHERE ra.userid = '.$userid.
5b630667 2339 ' AND ra.roleid = r.id
ec6eb110 2340 AND ra.contextid = c.id
5b630667 2341 AND '.$contexts.
ec6eb110 2342 ' ORDER BY c.aggregatelevel DESC');
68c52526 2343}
2344
945f88ca 2345/**
2346 * Creates a record in the allow_override table
2347 * @param int sroleid - source roleid
2348 * @param int troleid - target roleid
2349 * @return int - id or false
2350 */
2351function allow_override($sroleid, $troleid) {
2352 $record->roleid = $sroleid;
2353 $record->allowoverride = $troleid;
2354 return insert_record('role_allow_override', $record);
2355}
2356
2357/**
2358 * Creates a record in the allow_assign table
2359 * @param int sroleid - source roleid
2360 * @param int troleid - target roleid
2361 * @return int - id or false
2362 */
2363function allow_assign($sroleid, $troleid) {
ff64aaea 2364 $record = new object;
945f88ca 2365 $record->roleid = $sroleid;
2366 $record->allowassign = $troleid;
2367 return insert_record('role_allow_assign', $record);
2368}
2369
2370/**
ff64aaea 2371 * Gets a list of roles that this user can assign in this context
945f88ca 2372 * @param object $context
2373 * @return array
2374 */
2375function get_assignable_roles ($context) {
2376
945f88ca 2377 $options = array();
ff64aaea 2378
2379 if ($roles = get_records('role')) {
2380 foreach ($roles as $role) {
2381 if (user_can_assign($context, $role->id)) {
2382 $options[$role->id] = $role->name;
2383 }
945f88ca 2384 }
2385 }
2386 return $options;
2387}
2388
2389/**
ff64aaea 2390 * Gets a list of roles that this user can override in this context
945f88ca 2391 * @param object $context
2392 * @return array
2393 */
2394function get_overridable_roles ($context) {
2395
945f88ca 2396 $options = array();
ff64aaea 2397
2398 if ($roles = get_records('role')) {
2399 foreach ($roles as $role) {
2400 if (user_can_override($context, $role->id)) {
2401 $options[$role->id] = $role->name;
2402 }
945f88ca 2403 }
ff64aaea 2404 }
945f88ca 2405
2406 return $options;
945f88ca 2407}
1648afb2 2408
b963384f 2409/*
2410 * Returns a role object that is the default role for new enrolments
2411 * in a given course
2412 *
2413 * @param object $course
2414 * @return object $role
2415 */
2416function get_default_course_role($course) {
2417 global $CFG;
2418
2419/// First let's take the default role the course may have
2420 if (!empty($course->defaultrole)) {
2421 if ($role = get_record('role', 'id', $course->defaultrole)) {
2422 return $role;
2423 }
2424 }
2425
2426/// Otherwise the site setting should tell us
2427 if ($CFG->defaultcourseroleid) {
2428 if ($role = get_record('role', 'id', $CFG->defaultcourseroleid)) {
2429 return $role;
2430 }
2431 }
2432
2433/// It's unlikely we'll get here, but just in case, try and find a student role
2434 if ($studentroles = get_roles_with_capability('moodle/legacy:student', CAP_ALLOW)) {
2435 return array_shift($studentroles); /// Take the first one
2436 }
2437
2438 return NULL;
2439}
2440
1648afb2 2441
2442/**
2443 * who has this capability in this context
2444 * does not handling user level resolving!!!
2445 * i.e 1 person has 2 roles 1 allow, 1 prevent, this will not work properly
2446 * @param $context - object
2447 * @param $capability - string capability
2448 * @param $fields - fields to be pulled
2449 * @param $sort - the sort order
04417640 2450 * @param $limitfrom - number of records to skip (offset)
2451 * @param $limitnum - number of records to fetch
1c45e42e 2452 * @param $groups - single group or array of groups - group(s) user is in
71dea306 2453 * @param $exceptions - list of users to exclude
1648afb2 2454 */
64026e8c 2455function get_users_by_capability($context, $capability, $fields='', $sort='',
2456 $limitfrom='', $limitnum='', $groups='', $exceptions='') {
1648afb2 2457 global $CFG;
2458
64026e8c 2459/// Sorting out groups
1c45e42e 2460 if ($groups) {
71dea306 2461 $groupjoin = 'INNER JOIN '.$CFG->prefix.'groups_members gm ON gm.userid = ra.userid';
1c45e42e 2462
2463 if (is_array($groups)) {
a05708ad 2464 $groupsql = 'AND gm.groupid IN ('.implode(',', $groups).')';
1c45e42e 2465 } else {
a05708ad 2466 $groupsql = 'AND gm.groupid = '.$groups;
1c45e42e 2467 }
2468 } else {
2469 $groupjoin = '';
2470 $groupsql = '';
2471 }
2472
64026e8c 2473/// Sorting out exceptions
5081e786 2474 $exceptionsql = $exceptions ? "AND u.id NOT IN ($exceptions)" : '';
64026e8c 2475
2476/// Set up default fields
2477 if (empty($fields)) {
5b630667 2478 $fields = 'u.*, ul.timeaccess as lastaccess, ra.hidden';
64026e8c 2479 }
2480
2481/// Set up default sort
2482 if (empty($sort)) {
2483 $sort = 'ul.timeaccess';
2484 }
2485
2486 $sortby = $sort ? " ORDER BY $sort " : '';
71dea306 2487
64026e8c 2488/// If context is a course, then construct sql for ul
4e5a0168 2489 if ($context->aggregatelevel == CONTEXT_COURSE) {
71dea306 2490 $courseid = $context->instanceid;
f00b7f8d 2491 $coursesql = "AND (ul.courseid = $courseid OR ul.courseid IS NULL)";
5081e786 2492 } else {
2493 $coursesql = '';
71dea306 2494 }
64026e8c 2495
2496/// Sorting out roles with this capability set
ec7a8b79 2497 $possibleroles = get_roles_with_capability($capability, CAP_ALLOW, $context);
1648afb2 2498 $validroleids = array();
2499 foreach ($possibleroles as $prole) {
2500 $caps = role_context_capabilities($prole->id, $context, $capability); // resolved list
2501 if ($caps[$capability] > 0) { // resolved capability > 0
2502 $validroleids[] = $prole->id;
2503 }
71dea306 2504 }
2505 $roleids = '('.implode(',', $validroleids).')';
64026e8c 2506
2507/// Construct the main SQL
71dea306 2508 $select = " SELECT $fields";
2509 $from = " FROM {$CFG->prefix}user u
2510 INNER JOIN {$CFG->prefix}role_assignments ra ON ra.userid = u.id
2511 LEFT OUTER JOIN {$CFG->prefix}user_lastaccess ul ON ul.userid = u.id
2512 $groupjoin";
2513 $where = " WHERE ra.contextid ".get_related_contexts_string($context)."
64026e8c 2514 AND u.deleted = 0
2515 AND ra.roleid in $roleids
71dea306 2516 $exceptionsql
2517 $coursesql
2518 $groupsql";
2519
2520 return get_records_sql($select.$from.$where.$sortby, $limitfrom, $limitnum);
1648afb2 2521}
7700027f 2522
ab5c9044 2523/**
2524 * gets all the users assigned this role in this context or higher
2525 * @param int roleid
2526 * @param int contextid
2527 * @param bool parent if true, get list of users assigned in higher context too
2528 * @return array()
2529 */
2530function get_role_users($roleid, $context, $parent=false) {
2531 global $CFG;
2532
2533 if ($parent) {
2534 if ($contexts = get_parent_contexts($context)) {
2535 $parentcontexts = 'r.contextid IN ('.implode(',', $contexts).')';
2536 } else {
2537 $parentcontexts = '';
2538 }
2539 } else {
2540 $parentcontexts = '';
2541 }
2542
2543 $SQL = "select u.*
2544 from {$CFG->prefix}role_assignments r,
2545 {$CFG->prefix}user u
2546 where (r.contextid = $context->id $parentcontexts)
2547 and r.roleid = $roleid
2548 and u.id = r.userid"; // join now so that we can just use fullname() later
2549
2550 return get_records_sql($SQL);
2551}
2552
d76a5a7f 2553/**
2554 * This function gets the list of courses that this user has a particular capability in
2555 * This is not the most efficient way of doing this
2556 * @param string capability
2557 * @param int $userid
2558 * @return array
2559 */
2560function get_user_capability_course($capability, $userid='') {
2561
2562 global $USER;
2563 if (!$userid) {
2564 $userid = $USER->id;
2565 }
2566
2567 $usercourses = array();
2568 $courses = get_records_select('course', '', '', 'id, id');
2569
2570 foreach ($courses as $course) {
2571 if (has_capability($capability, get_context_capability(CONTEXT_COURSE, $course->id))) {
2572 $usercourses[] = $course;
2573 }
2574 }
2575 return $usercourses;
2576}
8521d83a 2577?>