fixed add new blog entry and tag edit in blog block; merged from MOODLE_17_STABLE
[moodle.git] / lib / accesslib.php
CommitLineData
bbbf2d40 1<?php
cee0901c 2 /**
3 * Capability session information format
bbbf2d40 4 * 2 x 2 array
5 * [context][capability]
6 * where context is the context id of the table 'context'
7 * and capability is a string defining the capability
8 * e.g.
9 *
10 * [Capabilities] => [26][mod/forum:viewpost] = 1
11 * [26][mod/forum:startdiscussion] = -8990
12 * [26][mod/forum:editallpost] = -1
13 * [273][moodle:blahblah] = 1
14 * [273][moodle:blahblahblah] = 2
15 */
bbbf2d40 16
17// permission definitions
e49e61bf 18define('CAP_INHERIT', 0);
bbbf2d40 19define('CAP_ALLOW', 1);
20define('CAP_PREVENT', -1);
21define('CAP_PROHIBIT', -1000);
22
bbbf2d40 23// context definitions
24define('CONTEXT_SYSTEM', 10);
25define('CONTEXT_PERSONAL', 20);
4b10f08b 26define('CONTEXT_USER', 30);
bbbf2d40 27define('CONTEXT_COURSECAT', 40);
28define('CONTEXT_COURSE', 50);
29define('CONTEXT_GROUP', 60);
30define('CONTEXT_MODULE', 70);
31define('CONTEXT_BLOCK', 80);
32
21b6db6e 33// capability risks - see http://docs.moodle.org/en/Hardening_new_Roles_system
34define('RISK_MANAGETRUST', 0x0001);
a6b02b65 35define('RISK_CONFIG', 0x0002);
21b6db6e 36define('RISK_XSS', 0x0004);
37define('RISK_PERSONAL', 0x0008);
38define('RISK_SPAM', 0x0010);
39
40
340ea4e8 41$context_cache = array(); // Cache of all used context objects for performance (by level and instance)
42$context_cache_id = array(); // Index to above cache by id
bbbf2d40 43
7700027f 44
e7876c1e 45/**
46 * Loads the capabilities for the default guest role to the current user in a specific context
47 * @return object
48 */
49function load_guest_role($context=NULL) {
50 global $USER;
51
52 static $guestrole;
53
54 if (!isloggedin()) {
55 return false;
56 }
57
58 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
59 return false;
60 }
61
62 if (empty($context)) {
63 $context = $sitecontext;
64 }
65
66 if (empty($guestrole)) {
8f8ed475 67 if (!$guestrole = get_guest_role()) {
e7876c1e 68 return false;
69 }
70 }
71
eef868d1 72 if ($capabilities = get_records_select('role_capabilities',
e7876c1e 73 "roleid = $guestrole->id AND contextid = $sitecontext->id")) {
74 foreach ($capabilities as $capability) {
eef868d1 75 $USER->capabilities[$context->id][$capability->capability] = $capability->permission;
e7876c1e 76 }
77 }
78
79 return true;
80}
81
7700027f 82/**
83 * Load default not logged in role capabilities when user is not logged in
eef868d1 84 * @return bool
7700027f 85 */
20aeb4b8 86function load_notloggedin_role() {
87 global $CFG, $USER;
88
7700027f 89 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
90 return false;
35a518c5 91 }
92
7700027f 93 if (empty($CFG->notloggedinroleid)) { // Let's set the default to the guest role
8f8ed475 94 if ($role = get_guest_role()) {
7700027f 95 set_config('notloggedinroleid', $role->id);
96 } else {
97 return false;
98 }
99 }
20aeb4b8 100
eef868d1 101 if ($capabilities = get_records_select('role_capabilities',
7700027f 102 "roleid = $CFG->notloggedinroleid AND contextid = $sitecontext->id")) {
103 foreach ($capabilities as $capability) {
eef868d1 104 $USER->capabilities[$sitecontext->id][$capability->capability] = $capability->permission;
7700027f 105 }
20aeb4b8 106 }
107
108 return true;
109}
cee0901c 110
8f8ed475 111/**
112 * Load default not logged in role capabilities when user is not logged in
eef868d1 113 * @return bool
8f8ed475 114 */
115function load_defaultuser_role() {
116 global $CFG, $USER;
117
118 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
119 return false;
120 }
121
122 if (empty($CFG->defaultuserroleid)) { // Let's set the default to the guest role
123 if ($role = get_guest_role()) {
124 set_config('defaultuserroleid', $role->id);
125 } else {
126 return false;
127 }
128 }
129
eef868d1 130 if ($capabilities = get_records_select('role_capabilities',
8f8ed475 131 "roleid = $CFG->defaultuserroleid AND contextid = $sitecontext->id")) {
132 foreach ($capabilities as $capability) {
ca23ffdb 133 if (!isset($USER->capabilities[$sitecontext->id][$capability->capability])) { // Don't overwrite
eef868d1 134 $USER->capabilities[$sitecontext->id][$capability->capability] = $capability->permission;
ca23ffdb 135 }
8f8ed475 136 }
137
eef868d1 138 // SPECIAL EXCEPTION: If the default user role is actually a guest role, then
8f8ed475 139 // remove some capabilities so this user doesn't get confused with a REAL guest
2f089dd5 140 if (isset($USER->capabilities[$sitecontext->id]['moodle/legacy:guest']) and $USER->username != 'guest') {
eef868d1 141 unset($USER->capabilities[$sitecontext->id]['moodle/legacy:guest']);
8f8ed475 142 unset($USER->capabilities[$sitecontext->id]['moodle/course:view']); // No access to courses by default
143 }
144 }
145
146 return true;
147}
148
149
150/**
151 * Get the default guest role
152 * @return object role
153 */
154function get_guest_role() {
155 if ($roles = get_roles_with_capability('moodle/legacy:guest', CAP_ALLOW)) {
156 return array_shift($roles); // Pick the first one
157 } else {
158 return false;
159 }
160}
161
162
bbbf2d40 163/**
164 * This functions get all the course categories in proper order
0468976c 165 * @param int $context
bbbf2d40 166 * @param int $type
167 * @return array of contextids
168 */
0468976c 169function get_parent_cats($context, $type) {
eef868d1 170
98882637 171 $parents = array();
eef868d1 172
c5ddc3fd 173 switch ($type) {
98882637 174 case CONTEXT_COURSECAT:
c5ddc3fd 175 if (!$cat = get_record('course_categories','id',$context->instanceid)) {
176 break;
177 }
178
179 while (!empty($cat->parent)) {
180 if (!$context = get_context_instance(CONTEXT_COURSECAT, $cat->parent)) {
181 break;
182 }
98882637 183 $parents[] = $context->id;
184 $cat = get_record('course_categories','id',$cat->parent);
185 }
98882637 186 break;
eef868d1 187
98882637 188 case CONTEXT_COURSE:
c5ddc3fd 189 if (!$course = get_record('course', 'id', $context->instanceid)) {
190 break;
191 }
192 if (!$catinstance = get_context_instance(CONTEXT_COURSECAT, $course->category)) {
193 break;
194 }
195
98882637 196 $parents[] = $catinstance->id;
c5ddc3fd 197
198 if (!$cat = get_record('course_categories','id',$course->category)) {
199 break;
200 }
201
202 while (!empty($cat->parent)) {
203 if (!$context = get_context_instance(CONTEXT_COURSECAT, $cat->parent)) {
204 break;
205 }
98882637 206 $parents[] = $context->id;
207 $cat = get_record('course_categories','id',$cat->parent);
208 }
209 break;
eef868d1 210
98882637 211 default:
212 break;
98882637 213 }
98882637 214 return array_reverse($parents);
bbbf2d40 215}
216
217
cee0901c 218
0468976c 219/**
220 * This function checks for a capability assertion being true. If it isn't
221 * then the page is terminated neatly with a standard error message
222 * @param string $capability - name of the capability
223 * @param object $context - a context object (record from context table)
224 * @param integer $userid - a userid number
d74067e8 225 * @param bool $doanything - if false, ignore do anything
0468976c 226 * @param string $errorstring - an errorstring
d74067e8 227 * @param string $stringfile - which stringfile to get it from
0468976c 228 */
eef868d1 229function require_capability($capability, $context=NULL, $userid=NULL, $doanything=true,
d74067e8 230 $errormessage="nopermissions", $stringfile='') {
a9e1c058 231
232 global $USER;
233
234/// If the current user is not logged in, then make sure they are
235
236 if (empty($userid) and empty($USER->id)) {
aad2ba95 237 if ($context && ($context->contextlevel == CONTEXT_COURSE)) {
a9e1c058 238 require_login($context->instanceid);
11ac79ff 239 } else if ($context && ($context->contextlevel == CONTEXT_MODULE)) {
240 if ($cm = get_record('course_modules','id',$context->instanceid)) {
241 require_login($cm->course, true, $cm);
242 } else {
243 require_login();
244 }
a9e1c058 245 } else {
246 require_login();
247 }
248 }
eef868d1 249
a9e1c058 250/// OK, if they still don't have the capability then print a nice error message
251
d74067e8 252 if (!has_capability($capability, $context, $userid, $doanything)) {
0468976c 253 $capabilityname = get_capability_string($capability);
254 print_error($errormessage, $stringfile, '', $capabilityname);
255 }
256}
257
258
bbbf2d40 259/**
260 * This function returns whether the current user has the capability of performing a function
261 * For example, we can do has_capability('mod/forum:replypost',$cm) in forum
262 * only one of the 4 (moduleinstance, courseid, site, userid) would be set at 1 time
263 * This is a recursive funciton.
bbbf2d40 264 * @uses $USER
265 * @param string $capability - name of the capability
0468976c 266 * @param object $context - a context object (record from context table)
267 * @param integer $userid - a userid number
20aeb4b8 268 * @param bool $doanything - if false, ignore do anything
bbbf2d40 269 * @return bool
270 */
d74067e8 271function has_capability($capability, $context=NULL, $userid=NULL, $doanything=true) {
bbbf2d40 272
20aeb4b8 273 global $USER, $CONTEXT, $CFG;
bbbf2d40 274
a8a7300a 275 if (debugging() && !record_exists('capabilities', 'name', $capability)) {
ab61d01b 276 debugging('Capability "'.$capability.'" was not found! This should be fixed in code.');
a8a7300a 277 }
278
8f8ed475 279 if (empty($userid) && empty($USER->capabilities)) { // Real user, first time here
280 if (isloggedin()) {
281 load_defaultuser_role(); // All users get this by default
282 } else {
283 load_notloggedin_role(); // others get this by default
284 }
20aeb4b8 285 }
286
013f2e7c 287 if ($userid && (($USER === NULL) or ($userid != $USER->id))) {
9425b25f 288 if (empty($USER->id) or ($userid != $USER->id)) {
289 $capabilities = load_user_capability($capability, $context, $userid);
290 } else { //$USER->id == $userid
291 $capabilities = empty($USER->capabilities) ? NULL : $USER->capabilities;
292 }
293 } else { // no userid
294 $capabilities = empty($USER->capabilities) ? NULL : $USER->capabilities;
98882637 295 }
9425b25f 296
0468976c 297 if (empty($context)) { // Use default CONTEXT if none specified
340ea4e8 298 if (empty($CONTEXT)) {
299 return false;
300 } else {
301 $context = $CONTEXT;
302 }
0468976c 303 } else { // A context was given to us
304 if (empty($CONTEXT)) {
305 $CONTEXT = $context; // Store FIRST used context in this global as future default
306 }
340ea4e8 307 }
bbbf2d40 308
5fe9a11d 309 if (!is_object($context)) {
310 debugging('Incorrect context parameter "'.$context.'" for has_capability(), object expected! This should be fixed in code.');
311 }
312
20aeb4b8 313 if ($doanything) {
2d07587b 314
f4e2d38a 315 /// First make sure that we aren't in a "switched role"
316
317 $switchroleactive = false; // Assume it isn't active in this context
318
319 if (!empty($USER->switchrole)) { // Switchrole is active somewhere!
320 if (!empty($USER->switchrole[$context->id])) { // Because of current context
321 $switchroleactive = true;
322 } else { // Check parent contexts
323 if ($parentcontextids = get_parent_contexts($context)) {
324 foreach ($parentcontextids as $parentcontextid) {
325 if (!empty($USER->switchrole[$parentcontextid])) { // Yep, switchroles active here
326 $switchroleactive = true;
327 break;
328 }
329 }
330 }
331 }
332 }
333
334 /// Check the site context for doanything (most common) first
335
336 if (empty($switchroleactive)) { // Ignore site setting if switchrole is active
2d07587b 337 $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
338 if (isset($capabilities[$sitecontext->id]['moodle/site:doanything'])) {
339 return (0 < $capabilities[$sitecontext->id]['moodle/site:doanything']);
340 }
20aeb4b8 341 }
eef868d1 342
aad2ba95 343 switch ($context->contextlevel) {
eef868d1 344
20aeb4b8 345 case CONTEXT_COURSECAT:
346 // Check parent cats.
347 $parentcats = get_parent_cats($context, CONTEXT_COURSECAT);
348 foreach ($parentcats as $parentcat) {
349 if (isset($capabilities[$parentcat]['moodle/site:doanything'])) {
350 return (0 < $capabilities[$parentcat]['moodle/site:doanything']);
351 }
cee0901c 352 }
20aeb4b8 353 break;
bbbf2d40 354
20aeb4b8 355 case CONTEXT_COURSE:
356 // Check parent cat.
357 $parentcats = get_parent_cats($context, CONTEXT_COURSE);
98882637 358
20aeb4b8 359 foreach ($parentcats as $parentcat) {
360 if (isset($capabilities[$parentcat]['do_anything'])) {
361 return (0 < $capabilities[$parentcat]['do_anything']);
362 }
9425b25f 363 }
20aeb4b8 364 break;
bbbf2d40 365
20aeb4b8 366 case CONTEXT_GROUP:
367 // Find course.
368 $group = get_record('groups','id',$context->instanceid);
369 $courseinstance = get_context_instance(CONTEXT_COURSE, $group->courseid);
9425b25f 370
20aeb4b8 371 $parentcats = get_parent_cats($courseinstance, CONTEXT_COURSE);
372 foreach ($parentcats as $parentcat) {
373 if (isset($capabilities[$parentcat->id]['do_anything'])) {
374 return (0 < $capabilities[$parentcat->id]['do_anything']);
375 }
9425b25f 376 }
9425b25f 377
20aeb4b8 378 $coursecontext = '';
379 if (isset($capabilities[$courseinstance->id]['do_anything'])) {
380 return (0 < $capabilities[$courseinstance->id]['do_anything']);
381 }
9425b25f 382
20aeb4b8 383 break;
bbbf2d40 384
20aeb4b8 385 case CONTEXT_MODULE:
386 // Find course.
387 $cm = get_record('course_modules', 'id', $context->instanceid);
388 $courseinstance = get_context_instance(CONTEXT_COURSE, $cm->course);
9425b25f 389
20aeb4b8 390 if ($parentcats = get_parent_cats($courseinstance, CONTEXT_COURSE)) {
391 foreach ($parentcats as $parentcat) {
392 if (isset($capabilities[$parentcat]['do_anything'])) {
393 return (0 < $capabilities[$parentcat]['do_anything']);
394 }
cee0901c 395 }
9425b25f 396 }
98882637 397
20aeb4b8 398 if (isset($capabilities[$courseinstance->id]['do_anything'])) {
399 return (0 < $capabilities[$courseinstance->id]['do_anything']);
400 }
bbbf2d40 401
20aeb4b8 402 break;
bbbf2d40 403
20aeb4b8 404 case CONTEXT_BLOCK:
405 // 1 to 1 to course.
406 // Find course.
407 $block = get_record('block_instance','id',$context->instanceid);
408 $courseinstance = get_context_instance(CONTEXT_COURSE, $block->pageid); // needs check
9425b25f 409
20aeb4b8 410 $parentcats = get_parent_cats($courseinstance, CONTEXT_COURSE);
411 foreach ($parentcats as $parentcat) {
412 if (isset($capabilities[$parentcat]['do_anything'])) {
413 return (0 < $capabilities[$parentcat]['do_anything']);
414 }
cee0901c 415 }
9425b25f 416
20aeb4b8 417 if (isset($capabilities[$courseinstance->id]['do_anything'])) {
418 return (0 < $capabilities[$courseinstance->id]['do_anything']);
419 }
420 break;
bbbf2d40 421
20aeb4b8 422 default:
4b10f08b 423 // CONTEXT_SYSTEM: CONTEXT_PERSONAL: CONTEXT_USER:
20aeb4b8 424 // Do nothing.
425 break;
426 }
bbbf2d40 427
20aeb4b8 428 // Last: check self.
429 if (isset($capabilities[$context->id]['do_anything'])) {
430 return (0 < $capabilities[$context->id]['do_anything']);
431 }
98882637 432 }
98882637 433 // do_anything has not been set, we now look for it the normal way.
9425b25f 434 return (0 < capability_search($capability, $context, $capabilities));
bbbf2d40 435
9425b25f 436}
bbbf2d40 437
438
439/**
440 * In a separate function so that we won't have to deal with do_anything.
441 * again. Used by function has_capability.
442 * @param $capability - capability string
0468976c 443 * @param $context - the context object
bbbf2d40 444 * @param $capabilities - either $USER->capability or loaded array
445 * @return permission (int)
446 */
0468976c 447function capability_search($capability, $context, $capabilities) {
759ac72d 448
bbbf2d40 449 global $USER, $CFG;
0468976c 450
11ac79ff 451 if (!isset($context->id)) {
452 return 0;
453 }
454
0468976c 455 if (isset($capabilities[$context->id][$capability])) {
456 return ($capabilities[$context->id][$capability]);
bbbf2d40 457 }
9425b25f 458
bbbf2d40 459 /* Then, we check the cache recursively */
9425b25f 460 $permission = 0;
461
aad2ba95 462 switch ($context->contextlevel) {
bbbf2d40 463
464 case CONTEXT_SYSTEM: // by now it's a definite an inherit
465 $permission = 0;
466 break;
467
468 case CONTEXT_PERSONAL:
0468976c 469 $parentcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
470 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 471 break;
9425b25f 472
4b10f08b 473 case CONTEXT_USER:
0468976c 474 $parentcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
475 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 476 break;
9425b25f 477
bbbf2d40 478 case CONTEXT_COURSECAT: // Coursecat -> coursecat or site
479 $coursecat = get_record('course_categories','id',$context->instanceid);
0468976c 480 if (!empty($coursecat->parent)) { // return parent value if it exists
481 $parentcontext = get_context_instance(CONTEXT_COURSECAT, $coursecat->parent);
bbbf2d40 482 } else { // else return site value
0468976c 483 $parentcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
bbbf2d40 484 }
0468976c 485 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 486 break;
487
488 case CONTEXT_COURSE: // 1 to 1 to course cat
489 // find the course cat, and return its value
490 $course = get_record('course','id',$context->instanceid);
0468976c 491 $parentcontext = get_context_instance(CONTEXT_COURSECAT, $course->category);
492 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 493 break;
494
495 case CONTEXT_GROUP: // 1 to 1 to course
496 $group = get_record('groups','id',$context->instanceid);
0468976c 497 $parentcontext = get_context_instance(CONTEXT_COURSE, $group->courseid);
498 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 499 break;
500
501 case CONTEXT_MODULE: // 1 to 1 to course
502 $cm = get_record('course_modules','id',$context->instanceid);
0468976c 503 $parentcontext = get_context_instance(CONTEXT_COURSE, $cm->course);
504 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 505 break;
506
507 case CONTEXT_BLOCK: // 1 to 1 to course
508 $block = get_record('block_instance','id',$context->instanceid);
0468976c 509 $parentcontext = get_context_instance(CONTEXT_COURSE, $block->pageid); // needs check
510 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 511 break;
512
513 default:
514 error ('This is an unknown context!');
515 return false;
516 }
9425b25f 517
98882637 518 return $permission;
bbbf2d40 519}
520
9fccc080 521// auxillary function for load_user_capabilities()
522// if context c1 is a parent (or itself) of context c2
523// returns true
524function is_parent_context($c1, $c2) {
525 static $parentsarray;
526
527 // context can be itself and this is ok
528 if ($c1 == $c2) {
529 return true;
530 }
531 // hit in cache?
532 if (isset($parentsarray[$c1][$c2])) {
533 return $parentsarray[$c1][$c2];
534 }
535
536 if (!$co2 = get_record('context', 'id', $c2)) {
537 return false;
538 }
539
540 if (!$parents = get_parent_contexts($co2)) {
541 return false;
542 }
543
544 foreach ($parents as $parent) {
545 $parentsarray[$parent][$c2] = true;
546 }
547
548 if (in_array($c1, $parents)) {
549 return true;
550 } else { // else not a parent, set the cache anyway
551 $parentsarray[$c1][$c2] = false;
552 return false;
553 }
554}
555
556
557/*
558 * auxillary function for load_user_capabilities()
559 * handler in usort() to sort contexts according to level
560 */
561function roles_context_cmp($contexta, $contextb) {
562 if ($contexta->contextlevel == $contextb->contextlevel) {
563 return 0;
564 }
565 return ($contexta->contextlevel < $contextb->contextlevel) ? -1 : 1;
566}
567
bbbf2d40 568
569/**
570 * This function should be called immediately after a login, when $USER is set.
571 * It will build an array of all the capabilities at each level
572 * i.e. site/metacourse/course_category/course/moduleinstance
573 * Note we should only load capabilities if they are explicitly assigned already,
574 * we should not load all module's capability!
575 * @param $userid - the id of the user whose capabilities we want to load
576 * @return array
577 * possible just s simple 2D array with [contextid][capabilityname]
578 * [Capabilities] => [26][forum_post] = 1
579 * [26][forum_start] = -8990
580 * [26][forum_edit] = -1
581 * [273][blah blah] = 1
582 * [273][blah blah blah] = 2
583 */
0468976c 584function load_user_capability($capability='', $context ='', $userid='') {
d140ad3f 585
98882637 586 global $USER, $CFG;
bbbf2d40 587
2f1a4248 588 if (empty($CFG->rolesactive)) {
589 return false;
590 }
591
bbbf2d40 592 if (empty($userid)) {
dc411d1b 593 if (empty($USER->id)) { // We have no user to get capabilities for
64026e8c 594 debugging('User not logged in for load_user_capability!');
dc411d1b 595 return false;
596 }
64026e8c 597 unset($USER->capabilities); // We don't want possible older capabilites hanging around
598
599 check_enrolment_plugins($USER); // Call "enrol" system to ensure that we have the correct picture
8f8ed475 600
bbbf2d40 601 $userid = $USER->id;
dc411d1b 602 $otheruserid = false;
bbbf2d40 603 } else {
64026e8c 604 if (!$user = get_record('user', 'id', $userid)) {
605 debugging('Non-existent userid in load_user_capability!');
606 return false;
607 }
608
609 check_enrolment_plugins($user); // Ensure that we have the correct picture
610
9425b25f 611 $otheruserid = $userid;
bbbf2d40 612 }
9425b25f 613
5f70bcc3 614
615/// First we generate a list of all relevant contexts of the user
616
617 $usercontexts = array();
bbbf2d40 618
0468976c 619 if ($context) { // if context is specified
eef868d1 620 $usercontexts = get_parent_contexts($context);
9343a733 621 $usercontexts[] = $context->id; // Add the current context as well
98882637 622 } else { // else, we load everything
5f70bcc3 623 if ($userroles = get_records('role_assignments','userid',$userid)) {
624 foreach ($userroles as $userrole) {
625 $usercontexts[] = $userrole->contextid;
626 }
98882637 627 }
5f70bcc3 628 }
629
630/// Set up SQL fragments for searching contexts
631
632 if ($usercontexts) {
0468976c 633 $listofcontexts = '('.implode(',', $usercontexts).')';
5f70bcc3 634 $searchcontexts1 = "c1.id IN $listofcontexts AND";
5f70bcc3 635 } else {
c76e095f 636 $searchcontexts1 = '';
bbbf2d40 637 }
3ca2dea5 638
64026e8c 639 if ($capability) {
640 $capsearch = " AND rc.capability = '$capability' ";
641 } else {
eef868d1 642 $capsearch ="";
64026e8c 643 }
644
e38f38c3 645/// Set up SQL fragments for timestart, timeend etc
646 $now = time();
85f101fa 647 $timesql = "AND ((ra.timestart = 0 OR ra.timestart < $now) AND (ra.timeend = 0 OR ra.timeend > $now))";
e38f38c3 648
5f70bcc3 649/// Then we use 1 giant SQL to bring out all relevant capabilities.
650/// The first part gets the capabilities of orginal role.
651/// The second part gets the capabilities of overriden roles.
bbbf2d40 652
98882637 653 $siteinstance = get_context_instance(CONTEXT_SYSTEM, SITEID);
9fccc080 654 $capabilities = array(); // Reinitialize.
655
656 // SQL for normal capabilities
657 $SQL1 = "SELECT rc.capability, c1.id as id1, c1.id as id2, (c1.contextlevel * 100) AS aggrlevel,
bbbf2d40 658 SUM(rc.permission) AS sum
659 FROM
eef868d1 660 {$CFG->prefix}role_assignments ra,
42ac3ecf 661 {$CFG->prefix}role_capabilities rc,
662 {$CFG->prefix}context c1
bbbf2d40 663 WHERE
d4649c76 664 ra.contextid=c1.id AND
665 ra.roleid=rc.roleid AND
bbbf2d40 666 ra.userid=$userid AND
5f70bcc3 667 $searchcontexts1
eef868d1 668 rc.contextid=$siteinstance->id
98882637 669 $capsearch
e38f38c3 670 $timesql
bbbf2d40 671 GROUP BY
aad2ba95 672 rc.capability, (c1.contextlevel * 100), c1.id
bbbf2d40 673 HAVING
9fccc080 674 SUM(rc.permission) != 0
675 ORDER BY
676 aggrlevel ASC";
677
678 if (!$rs = get_recordset_sql($SQL1)) {
679 error("Query failed in load_user_capability.");
680 }
bbbf2d40 681
9fccc080 682 if ($rs && $rs->RecordCount() > 0) {
683 while (!$rs->EOF) {
684 $array = $rs->fields;
685 $temprecord = new object;
686
687 foreach ($array as $key=>$val) {
688 if ($key == 'aggrlevel') {
689 $temprecord->contextlevel = $val;
690 } else {
691 $temprecord->{$key} = $val;
692 }
693 }
694
695 $capabilities[] = $temprecord;
696 $rs->MoveNext();
697 }
698 }
699 // SQL for overrides
700 // this is take out because we have no way of making sure c1 is indeed related to c2 (parent)
701 // if we do not group by sum, it is possible to have multiple records of rc.capability, c1.id, c2.id, tuple having
702 // different values, we can maually sum it when we go through the list
703 $SQL2 = "SELECT rc.capability, c1.id as id1, c2.id as id2, (c1.contextlevel * 100 + c2.contextlevel) AS aggrlevel,
704 rc.permission AS sum
bbbf2d40 705 FROM
42ac3ecf 706 {$CFG->prefix}role_assignments ra,
707 {$CFG->prefix}role_capabilities rc,
708 {$CFG->prefix}context c1,
709 {$CFG->prefix}context c2
bbbf2d40 710 WHERE
d4649c76 711 ra.contextid=c1.id AND
eef868d1 712 ra.roleid=rc.roleid AND
713 ra.userid=$userid AND
714 rc.contextid=c2.id AND
5f70bcc3 715 $searchcontexts1
5f70bcc3 716 rc.contextid != $siteinstance->id
bbbf2d40 717 $capsearch
e38f38c3 718 $timesql
eef868d1 719
bbbf2d40 720 GROUP BY
9fccc080 721 rc.capability, (c1.contextlevel * 100 + c2.contextlevel), c1.id, c2.id
bbbf2d40 722 HAVING
9fccc080 723 rc.permission != 0
bbbf2d40 724 ORDER BY
75e84883 725 aggrlevel ASC
bbbf2d40 726 ";
727
9fccc080 728
729 if (!$rs = get_recordset_sql($SQL2)) {
75e84883 730 error("Query failed in load_user_capability.");
731 }
5cf38a57 732
bbbf2d40 733 if ($rs && $rs->RecordCount() > 0) {
734 while (!$rs->EOF) {
75e84883 735 $array = $rs->fields;
736 $temprecord = new object;
eef868d1 737
98882637 738 foreach ($array as $key=>$val) {
75e84883 739 if ($key == 'aggrlevel') {
aad2ba95 740 $temprecord->contextlevel = $val;
75e84883 741 } else {
742 $temprecord->{$key} = $val;
743 }
98882637 744 }
9fccc080 745 // for overrides, we have to make sure that context2 is a child of context1
746 // otherwise the combination makes no sense
747 if (is_parent_context($temprecord->id1, $temprecord->id2)) {
748 $capabilities[] = $temprecord;
749 } // only write if relevant
bbbf2d40 750 $rs->MoveNext();
751 }
752 }
9fccc080 753
754 // this step sorts capabilities according to the contextlevel
755 // it is very important because the order matters when we
756 // go through each capabilities later. (i.e. higher level contextlevel
757 // will override lower contextlevel settings
758 usort($capabilities, 'roles_context_cmp');
eef868d1 759
bbbf2d40 760 /* so up to this point we should have somethign like this
aad2ba95 761 * $capabilities[1] ->contextlevel = 1000
bbbf2d40 762 ->module = SITEID
763 ->capability = do_anything
764 ->id = 1 (id is the context id)
765 ->sum = 0
eef868d1 766
aad2ba95 767 * $capabilities[2] ->contextlevel = 1000
bbbf2d40 768 ->module = SITEID
769 ->capability = post_messages
770 ->id = 1
771 ->sum = -9000
772
aad2ba95 773 * $capabilittes[3] ->contextlevel = 3000
bbbf2d40 774 ->module = course
775 ->capability = view_course_activities
776 ->id = 25
777 ->sum = 1
778
aad2ba95 779 * $capabilittes[4] ->contextlevel = 3000
bbbf2d40 780 ->module = course
781 ->capability = view_course_activities
782 ->id = 26
783 ->sum = 0 (this is another course)
eef868d1 784
aad2ba95 785 * $capabilities[5] ->contextlevel = 3050
bbbf2d40 786 ->module = course
787 ->capability = view_course_activities
788 ->id = 25 (override in course 25)
789 ->sum = -1
790 * ....
791 * now we proceed to write the session array, going from top to bottom
792 * at anypoint, we need to go up and check parent to look for prohibit
793 */
794 // print_object($capabilities);
795
796 /* This is where we write to the actualy capabilities array
797 * what we need to do from here on is
798 * going down the array from lowest level to highest level
799 * 1) recursively check for prohibit,
800 * if any, we write prohibit
801 * else, we write the value
802 * 2) at an override level, we overwrite current level
803 * if it's not set to prohibit already, and if different
804 * ........ that should be it ........
805 */
98882637 806 $usercap = array(); // for other user's capabilities
bbbf2d40 807 foreach ($capabilities as $capability) {
808
9fccc080 809 if (!$context = get_context_instance_by_id($capability->id2)) {
7bfa3101 810 continue; // incorrect stale context
811 }
0468976c 812
41811960 813 if (!empty($otheruserid)) { // we are pulling out other user's capabilities, do not write to session
eef868d1 814
0468976c 815 if (capability_prohibits($capability->capability, $context, $capability->sum, $usercap)) {
9fccc080 816 $usercap[$capability->id2][$capability->capability] = CAP_PROHIBIT;
98882637 817 continue;
818 }
9fccc080 819 if (!empty($usercap[$capability->id2][$capability->capability])) {
820 $usercap[$capability->id2][$capability->capability] += $capability->sum;
821 } else {
822 $usercap[$capability->id2][$capability->capability] = $capability->sum;
823 }
eef868d1 824
98882637 825 } else {
826
0468976c 827 if (capability_prohibits($capability->capability, $context, $capability->sum)) { // if any parent or parent's parent is set to prohibit
9fccc080 828 $USER->capabilities[$capability->id2][$capability->capability] = CAP_PROHIBIT;
98882637 829 continue;
830 }
eef868d1 831
98882637 832 // if no parental prohibit set
833 // just write to session, i am not sure this is correct yet
834 // since 3050 shows up after 3000, and 3070 shows up after 3050,
835 // it should be ok just to overwrite like this, provided that there's no
836 // parental prohibits
837 // no point writing 0, since 0 = inherit
838 // we need to write even if it's 0, because it could be an inherit override
9fccc080 839 if (!empty($USER->capabilities[$capability->id2][$capability->capability])) {
840 $USER->capabilities[$capability->id2][$capability->capability] += $capability->sum;
841 } else {
842 $USER->capabilities[$capability->id2][$capability->capability] = $capability->sum;
843 }
98882637 844 }
bbbf2d40 845 }
eef868d1 846
bbbf2d40 847 // now we don't care about the huge array anymore, we can dispose it.
848 unset($capabilities);
eef868d1 849
dbe7e582 850 if (!empty($otheruserid)) {
eef868d1 851 return $usercap; // return the array
bbbf2d40 852 }
2f1a4248 853}
854
855
856/*
857 * A convenience function to completely load all the capabilities
858 * for the current user. This is what gets called from login, for example.
859 */
860function load_all_capabilities() {
861 global $USER;
862
863 if (empty($USER->username)) {
864 return;
865 }
bbbf2d40 866
2f1a4248 867 load_user_capability(); // Load basic capabilities assigned to this user
868
869 if ($USER->username == 'guest') {
870 load_guest_role(); // All non-guest users get this by default
871 } else {
872 load_defaultuser_role(); // All non-guest users get this by default
873 }
bbbf2d40 874}
875
2f1a4248 876
64026e8c 877/*
878 * Check all the login enrolment information for the given user object
eef868d1 879 * by querying the enrolment plugins
64026e8c 880 */
881function check_enrolment_plugins(&$user) {
882 global $CFG;
883
e4ec4e41 884 static $inprogress; // To prevent this function being called more than once in an invocation
885
218eb651 886 if (!empty($inprogress[$user->id])) {
e4ec4e41 887 return;
888 }
889
218eb651 890 $inprogress[$user->id] = true; // Set the flag
e4ec4e41 891
64026e8c 892 require_once($CFG->dirroot .'/enrol/enrol.class.php');
eef868d1 893
64026e8c 894 if (!($plugins = explode(',', $CFG->enrol_plugins_enabled))) {
895 $plugins = array($CFG->enrol);
896 }
897
898 foreach ($plugins as $plugin) {
899 $enrol = enrolment_factory::factory($plugin);
900 if (method_exists($enrol, 'setup_enrolments')) { /// Plugin supports Roles (Moodle 1.7 and later)
901 $enrol->setup_enrolments($user);
902 } else { /// Run legacy enrolment methods
903 if (method_exists($enrol, 'get_student_courses')) {
904 $enrol->get_student_courses($user);
905 }
906 if (method_exists($enrol, 'get_teacher_courses')) {
907 $enrol->get_teacher_courses($user);
908 }
909
910 /// deal with $user->students and $user->teachers stuff
911 unset($user->student);
912 unset($user->teacher);
913 }
914 unset($enrol);
915 }
e4ec4e41 916
218eb651 917 unset($inprogress[$user->id]); // Unset the flag
64026e8c 918}
919
bbbf2d40 920
921/**
922 * This is a recursive function that checks whether the capability in this
923 * context, or the parent capabilities are set to prohibit.
924 *
925 * At this point, we can probably just use the values already set in the
926 * session variable, since we are going down the level. Any prohit set in
927 * parents would already reflect in the session.
928 *
929 * @param $capability - capability name
930 * @param $sum - sum of all capabilities values
0468976c 931 * @param $context - the context object
bbbf2d40 932 * @param $array - when loading another user caps, their caps are not stored in session but an array
933 */
0468976c 934function capability_prohibits($capability, $context, $sum='', $array='') {
bbbf2d40 935 global $USER;
0468976c 936
2176adf1 937 if (empty($context->id)) {
938 return false;
939 }
940
941 if (empty($capability)) {
942 return false;
943 }
944
819e5a70 945 if ($sum < (CAP_PROHIBIT/2)) {
bbbf2d40 946 // If this capability is set to prohibit.
947 return true;
948 }
eef868d1 949
819e5a70 950 if (!empty($array)) {
eef868d1 951 if (isset($array[$context->id][$capability])
819e5a70 952 && $array[$context->id][$capability] < (CAP_PROHIBIT/2)) {
98882637 953 return true;
eef868d1 954 }
bbbf2d40 955 } else {
98882637 956 // Else if set in session.
eef868d1 957 if (isset($USER->capabilities[$context->id][$capability])
819e5a70 958 && $USER->capabilities[$context->id][$capability] < (CAP_PROHIBIT/2)) {
98882637 959 return true;
960 }
bbbf2d40 961 }
aad2ba95 962 switch ($context->contextlevel) {
eef868d1 963
bbbf2d40 964 case CONTEXT_SYSTEM:
965 // By now it's a definite an inherit.
966 return 0;
967 break;
968
969 case CONTEXT_PERSONAL:
2176adf1 970 $parent = get_context_instance(CONTEXT_SYSTEM);
0468976c 971 return capability_prohibits($capability, $parent);
bbbf2d40 972 break;
973
4b10f08b 974 case CONTEXT_USER:
2176adf1 975 $parent = get_context_instance(CONTEXT_SYSTEM);
0468976c 976 return capability_prohibits($capability, $parent);
bbbf2d40 977 break;
978
979 case CONTEXT_COURSECAT:
980 // Coursecat -> coursecat or site.
2176adf1 981 if (!$coursecat = get_record('course_categories','id',$context->instanceid)) {
982 return false;
983 }
41811960 984 if (!empty($coursecat->parent)) {
bbbf2d40 985 // return parent value if exist.
986 $parent = get_context_instance(CONTEXT_COURSECAT, $coursecat->parent);
987 } else {
988 // Return site value.
2176adf1 989 $parent = get_context_instance(CONTEXT_SYSTEM);
bbbf2d40 990 }
0468976c 991 return capability_prohibits($capability, $parent);
bbbf2d40 992 break;
993
994 case CONTEXT_COURSE:
995 // 1 to 1 to course cat.
996 // Find the course cat, and return its value.
2176adf1 997 if (!$course = get_record('course','id',$context->instanceid)) {
998 return false;
999 }
bbbf2d40 1000 $parent = get_context_instance(CONTEXT_COURSECAT, $course->category);
0468976c 1001 return capability_prohibits($capability, $parent);
bbbf2d40 1002 break;
1003
1004 case CONTEXT_GROUP:
1005 // 1 to 1 to course.
2176adf1 1006 if (!$group = get_record('groups','id',$context->instanceid)) {
1007 return false;
1008 }
bbbf2d40 1009 $parent = get_context_instance(CONTEXT_COURSE, $group->courseid);
0468976c 1010 return capability_prohibits($capability, $parent);
bbbf2d40 1011 break;
1012
1013 case CONTEXT_MODULE:
1014 // 1 to 1 to course.
2176adf1 1015 if (!$cm = get_record('course_modules','id',$context->instanceid)) {
1016 return false;
1017 }
bbbf2d40 1018 $parent = get_context_instance(CONTEXT_COURSE, $cm->course);
0468976c 1019 return capability_prohibits($capability, $parent);
bbbf2d40 1020 break;
1021
1022 case CONTEXT_BLOCK:
1023 // 1 to 1 to course.
2176adf1 1024 if (!$block = get_record('block_instance','id',$context->instanceid)) {
1025 return false;
1026 }
bbbf2d40 1027 $parent = get_context_instance(CONTEXT_COURSE, $block->pageid); // needs check
0468976c 1028 return capability_prohibits($capability, $parent);
bbbf2d40 1029 break;
1030
1031 default:
2176adf1 1032 print_error('unknowncontext');
1033 return false;
bbbf2d40 1034 }
1035}
1036
1037
1038/**
1039 * A print form function. This should either grab all the capabilities from
1040 * files or a central table for that particular module instance, then present
1041 * them in check boxes. Only relevant capabilities should print for known
1042 * context.
1043 * @param $mod - module id of the mod
1044 */
1045function print_capabilities($modid=0) {
1046 global $CFG;
eef868d1 1047
bbbf2d40 1048 $capabilities = array();
1049
1050 if ($modid) {
1051 // We are in a module specific context.
1052
1053 // Get the mod's name.
1054 // Call the function that grabs the file and parse.
1055 $cm = get_record('course_modules', 'id', $modid);
1056 $module = get_record('modules', 'id', $cm->module);
eef868d1 1057
bbbf2d40 1058 } else {
1059 // Print all capabilities.
1060 foreach ($capabilities as $capability) {
1061 // Prints the check box component.
1062 }
1063 }
1064}
1065
1066
1067/**
1afecc03 1068 * Installs the roles system.
1069 * This function runs on a fresh install as well as on an upgrade from the old
1070 * hard-coded student/teacher/admin etc. roles to the new roles system.
bbbf2d40 1071 */
1afecc03 1072function moodle_install_roles() {
bbbf2d40 1073
1afecc03 1074 global $CFG, $db;
eef868d1 1075
459c1ff1 1076/// Create a system wide context for assignemnt.
bbbf2d40 1077 $systemcontext = $context = get_context_instance(CONTEXT_SYSTEM, SITEID);
1078
1afecc03 1079
459c1ff1 1080/// Create default/legacy roles and capabilities.
1081/// (1 legacy capability per legacy role at system level).
1082
ba8d8027 1083 $adminrole = create_role(get_string('administrator'), 'admin',
459c1ff1 1084 get_string('administratordescription'), 'moodle/legacy:admin');
ba8d8027 1085 $coursecreatorrole = create_role(get_string('coursecreators'), 'coursecreator',
459c1ff1 1086 get_string('coursecreatorsdescription'), 'moodle/legacy:coursecreator');
ba8d8027 1087 $editteacherrole = create_role(get_string('defaultcourseteacher'), 'editingteacher',
459c1ff1 1088 get_string('defaultcourseteacherdescription'), 'moodle/legacy:editingteacher');
ba8d8027 1089 $noneditteacherrole = create_role(get_string('noneditingteacher'), 'teacher',
459c1ff1 1090 get_string('noneditingteacherdescription'), 'moodle/legacy:teacher');
ba8d8027 1091 $studentrole = create_role(get_string('defaultcoursestudent'), 'student',
459c1ff1 1092 get_string('defaultcoursestudentdescription'), 'moodle/legacy:student');
ba8d8027 1093 $guestrole = create_role(get_string('guest'), 'guest',
459c1ff1 1094 get_string('guestdescription'), 'moodle/legacy:guest');
2851ba9b 1095
17e5635c 1096/// Now is the correct moment to install capabilities - after creation of legacy roles, but before assigning of roles
459c1ff1 1097
98882637 1098 if (!assign_capability('moodle/site:doanything', CAP_ALLOW, $adminrole, $systemcontext->id)) {
bbbf2d40 1099 error('Could not assign moodle/site:doanything to the admin role');
1100 }
250934b8 1101 if (!update_capabilities()) {
1102 error('Had trouble upgrading the core capabilities for the Roles System');
1103 }
1afecc03 1104
459c1ff1 1105/// Look inside user_admin, user_creator, user_teachers, user_students and
1106/// assign above new roles. If a user has both teacher and student role,
1107/// only teacher role is assigned. The assignment should be system level.
1108
1afecc03 1109 $dbtables = $db->MetaTables('TABLES');
eef868d1 1110
72da5046 1111/// Set up the progress bar
1112
1113 $usertables = array('user_admins', 'user_coursecreators', 'user_teachers', 'user_students');
1114
1115 $totalcount = $progresscount = 0;
1116 foreach ($usertables as $usertable) {
1117 if (in_array($CFG->prefix.$usertable, $dbtables)) {
1118 $totalcount += count_records($usertable);
1119 }
1120 }
1121
aae37b63 1122 print_progress(0, $totalcount, 5, 1, 'Processing role assignments');
1afecc03 1123
459c1ff1 1124/// Upgrade the admins.
1125/// Sort using id ASC, first one is primary admin.
1126
1afecc03 1127 if (in_array($CFG->prefix.'user_admins', $dbtables)) {
f1dcf000 1128 if ($rs = get_recordset_sql('SELECT * from '.$CFG->prefix.'user_admins ORDER BY ID ASC')) {
1129 while (! $rs->EOF) {
1130 $admin = $rs->FetchObj();
1afecc03 1131 role_assign($adminrole, $admin->userid, 0, $systemcontext->id);
72da5046 1132 $progresscount++;
aae37b63 1133 print_progress($progresscount, $totalcount, 5, 1, 'Processing role assignments');
f1dcf000 1134 $rs->MoveNext();
1afecc03 1135 }
1136 }
1137 } else {
1138 // This is a fresh install.
bbbf2d40 1139 }
1afecc03 1140
1141
459c1ff1 1142/// Upgrade course creators.
1afecc03 1143 if (in_array($CFG->prefix.'user_coursecreators', $dbtables)) {
f1dcf000 1144 if ($rs = get_recordset('user_coursecreators')) {
1145 while (! $rs->EOF) {
1146 $coursecreator = $rs->FetchObj();
56b4d70d 1147 role_assign($coursecreatorrole, $coursecreator->userid, 0, $systemcontext->id);
72da5046 1148 $progresscount++;
aae37b63 1149 print_progress($progresscount, $totalcount, 5, 1, 'Processing role assignments');
f1dcf000 1150 $rs->MoveNext();
1afecc03 1151 }
1152 }
bbbf2d40 1153 }
1154
1afecc03 1155
459c1ff1 1156/// Upgrade editting teachers and non-editting teachers.
1afecc03 1157 if (in_array($CFG->prefix.'user_teachers', $dbtables)) {
f1dcf000 1158 if ($rs = get_recordset('user_teachers')) {
1159 while (! $rs->EOF) {
1160 $teacher = $rs->FetchObj();
1161
17d6a25e 1162 // populate the user_lastaccess table
ece4945b 1163 $access = new object();
17d6a25e 1164 $access->timeaccess = $teacher->timeaccess;
1165 $access->userid = $teacher->userid;
1166 $access->courseid = $teacher->course;
1167 insert_record('user_lastaccess', $access);
f1dcf000 1168
17d6a25e 1169 // assign the default student role
1afecc03 1170 $coursecontext = get_context_instance(CONTEXT_COURSE, $teacher->course); // needs cache
1171 if ($teacher->editall) { // editting teacher
1172 role_assign($editteacherrole, $teacher->userid, 0, $coursecontext->id);
1173 } else {
1174 role_assign($noneditteacherrole, $teacher->userid, 0, $coursecontext->id);
1175 }
72da5046 1176 $progresscount++;
aae37b63 1177 print_progress($progresscount, $totalcount, 5, 1, 'Processing role assignments');
f1dcf000 1178
1179 $rs->MoveNext();
1afecc03 1180 }
bbbf2d40 1181 }
1182 }
1afecc03 1183
1184
459c1ff1 1185/// Upgrade students.
1afecc03 1186 if (in_array($CFG->prefix.'user_students', $dbtables)) {
f1dcf000 1187 if ($rs = get_recordset('user_students')) {
1188 while (! $rs->EOF) {
1189 $student = $rs->FetchObj();
1190
17d6a25e 1191 // populate the user_lastaccess table
f1dcf000 1192 $access = new object;
17d6a25e 1193 $access->timeaccess = $student->timeaccess;
1194 $access->userid = $student->userid;
1195 $access->courseid = $student->course;
1196 insert_record('user_lastaccess', $access);
f1dcf000 1197
17d6a25e 1198 // assign the default student role
1afecc03 1199 $coursecontext = get_context_instance(CONTEXT_COURSE, $student->course);
1200 role_assign($studentrole, $student->userid, 0, $coursecontext->id);
72da5046 1201 $progresscount++;
aae37b63 1202 print_progress($progresscount, $totalcount, 5, 1, 'Processing role assignments');
f1dcf000 1203
1204 $rs->MoveNext();
1afecc03 1205 }
1206 }
bbbf2d40 1207 }
1afecc03 1208
1209
459c1ff1 1210/// Upgrade guest (only 1 entry).
1afecc03 1211 if ($guestuser = get_record('user', 'username', 'guest')) {
1212 role_assign($guestrole, $guestuser->id, 0, $systemcontext->id);
1213 }
aae37b63 1214 print_progress($totalcount, $totalcount, 5, 1, 'Processing role assignments');
1afecc03 1215
459c1ff1 1216
1217/// Insert the correct records for legacy roles
945f88ca 1218 allow_assign($adminrole, $adminrole);
1219 allow_assign($adminrole, $coursecreatorrole);
1220 allow_assign($adminrole, $noneditteacherrole);
eef868d1 1221 allow_assign($adminrole, $editteacherrole);
945f88ca 1222 allow_assign($adminrole, $studentrole);
1223 allow_assign($adminrole, $guestrole);
eef868d1 1224
945f88ca 1225 allow_assign($coursecreatorrole, $noneditteacherrole);
1226 allow_assign($coursecreatorrole, $editteacherrole);
eef868d1 1227 allow_assign($coursecreatorrole, $studentrole);
945f88ca 1228 allow_assign($coursecreatorrole, $guestrole);
eef868d1 1229
1230 allow_assign($editteacherrole, $noneditteacherrole);
1231 allow_assign($editteacherrole, $studentrole);
945f88ca 1232 allow_assign($editteacherrole, $guestrole);
eef868d1 1233
459c1ff1 1234/// Set up default permissions for overrides
945f88ca 1235 allow_override($adminrole, $adminrole);
1236 allow_override($adminrole, $coursecreatorrole);
1237 allow_override($adminrole, $noneditteacherrole);
eef868d1 1238 allow_override($adminrole, $editteacherrole);
945f88ca 1239 allow_override($adminrole, $studentrole);
eef868d1 1240 allow_override($adminrole, $guestrole);
1afecc03 1241
746a04c5 1242
459c1ff1 1243/// Delete the old user tables when we are done
1244
83ea392e 1245 drop_table(new XMLDBTable('user_students'));
1246 drop_table(new XMLDBTable('user_teachers'));
1247 drop_table(new XMLDBTable('user_coursecreators'));
1248 drop_table(new XMLDBTable('user_admins'));
459c1ff1 1249
bbbf2d40 1250}
1251
bbbf2d40 1252/**
1253 * Assign the defaults found in this capabality definition to roles that have
1254 * the corresponding legacy capabilities assigned to them.
1255 * @param $legacyperms - an array in the format (example):
1256 * 'guest' => CAP_PREVENT,
1257 * 'student' => CAP_ALLOW,
1258 * 'teacher' => CAP_ALLOW,
1259 * 'editingteacher' => CAP_ALLOW,
1260 * 'coursecreator' => CAP_ALLOW,
1261 * 'admin' => CAP_ALLOW
1262 * @return boolean - success or failure.
1263 */
1264function assign_legacy_capabilities($capability, $legacyperms) {
eef868d1 1265
bbbf2d40 1266 foreach ($legacyperms as $type => $perm) {
eef868d1 1267
bbbf2d40 1268 $systemcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
eef868d1 1269
bbbf2d40 1270 // The legacy capabilities are:
1271 // 'moodle/legacy:guest'
1272 // 'moodle/legacy:student'
1273 // 'moodle/legacy:teacher'
1274 // 'moodle/legacy:editingteacher'
1275 // 'moodle/legacy:coursecreator'
1276 // 'moodle/legacy:admin'
eef868d1 1277
2e85fffe 1278 if ($roles = get_roles_with_capability('moodle/legacy:'.$type, CAP_ALLOW)) {
1279 foreach ($roles as $role) {
1280 // Assign a site level capability.
1281 if (!assign_capability($capability, $perm, $role->id, $systemcontext->id)) {
1282 return false;
1283 }
bbbf2d40 1284 }
1285 }
1286 }
1287 return true;
1288}
1289
1290
cee0901c 1291/**
1292 * Checks to see if a capability is a legacy capability.
1293 * @param $capabilityname
1294 * @return boolean
1295 */
bbbf2d40 1296function islegacy($capabilityname) {
98882637 1297 if (strstr($capabilityname, 'legacy') === false) {
eef868d1 1298 return false;
98882637 1299 } else {
eef868d1 1300 return true;
98882637 1301 }
bbbf2d40 1302}
1303
cee0901c 1304
1305
1306/**********************************
bbbf2d40 1307 * Context Manipulation functions *
1308 **********************************/
1309
bbbf2d40 1310/**
9991d157 1311 * Create a new context record for use by all roles-related stuff
bbbf2d40 1312 * @param $level
1313 * @param $instanceid
3ca2dea5 1314 *
1315 * @return object newly created context (or existing one with a debug warning)
bbbf2d40 1316 */
aad2ba95 1317function create_context($contextlevel, $instanceid) {
3ca2dea5 1318 if (!$context = get_record('context','contextlevel',$contextlevel,'instanceid',$instanceid)) {
1319 if (!validate_context($contextlevel, $instanceid)) {
1320 debugging('Error: Invalid context creation request for level "'.s($contextlevel).'", instance "'.s($instanceid).'".');
1321 return NULL;
1322 }
1323 $context = new object();
aad2ba95 1324 $context->contextlevel = $contextlevel;
bbbf2d40 1325 $context->instanceid = $instanceid;
3ca2dea5 1326 if ($id = insert_record('context',$context)) {
1327 return get_record('context','id',$id);
1328 } else {
1329 debugging('Error: could not insert new context level "'.s($contextlevel).'", instance "'.s($instanceid).'".');
1330 return NULL;
1331 }
1332 } else {
1333 debugging('Warning: Context id "'.s($context->id).'" not created, because it already exists.');
1334 return $context;
bbbf2d40 1335 }
1336}
1337
9991d157 1338/**
1339 * Create a new context record for use by all roles-related stuff
1340 * @param $level
1341 * @param $instanceid
3ca2dea5 1342 *
1343 * @return true if properly deleted
9991d157 1344 */
1345function delete_context($contextlevel, $instanceid) {
1346 if ($context = get_context_instance($contextlevel, $instanceid)) {
1347 return delete_records('context', 'id', $context->id) &&
1348 delete_records('role_assignments', 'contextid', $context->id) &&
9b5d7a46 1349 delete_records('role_capabilities', 'contextid', $context->id);
9991d157 1350 }
1351 return true;
1352}
1353
3ca2dea5 1354/**
1355 * Validate that object with instanceid really exists in given context level.
1356 *
1357 * return if instanceid object exists
1358 */
1359function validate_context($contextlevel, $instanceid) {
1360 switch ($contextlevel) {
1361
1362 case CONTEXT_SYSTEM:
1363 return ($instanceid == SITEID);
1364
1365 case CONTEXT_PERSONAL:
1366 return (boolean)count_records('user', 'id', $instanceid);
1367
1368 case CONTEXT_USER:
1369 return (boolean)count_records('user', 'id', $instanceid);
1370
1371 case CONTEXT_COURSECAT:
1cd3eba9 1372 if ($instanceid == 0) {
1373 return true; // site course category
1374 }
3ca2dea5 1375 return (boolean)count_records('course_categories', 'id', $instanceid);
1376
1377 case CONTEXT_COURSE:
1378 return (boolean)count_records('course', 'id', $instanceid);
1379
1380 case CONTEXT_GROUP:
1381 return (boolean)count_records('groups', 'id', $instanceid);
1382
1383 case CONTEXT_MODULE:
1384 return (boolean)count_records('course_modules', 'id', $instanceid);
1385
1386 case CONTEXT_BLOCK:
1387 return (boolean)count_records('block_instance', 'id', $instanceid);
1388
1389 default:
1390 return false;
1391 }
1392}
bbbf2d40 1393
1394/**
1395 * Get the context instance as an object. This function will create the
1396 * context instance if it does not exist yet.
1397 * @param $level
1398 * @param $instance
1399 */
aad2ba95 1400function get_context_instance($contextlevel=NULL, $instance=SITEID) {
e5605780 1401
51195e6f 1402 global $context_cache, $context_cache_id, $CONTEXT;
a36a3a3f 1403 static $allowed_contexts = array(CONTEXT_SYSTEM, CONTEXT_PERSONAL, CONTEXT_USER, CONTEXT_COURSECAT, CONTEXT_COURSE, CONTEXT_GROUP, CONTEXT_MODULE, CONTEXT_BLOCK);
d9a35e12 1404
b7cec865 1405 // This is really a systen context
1406 if ($contextlevel == CONTEXT_COURSE && $instance == SITEID) {
1407 $contextlevel = CONTEXT_SYSTEM;
1408 }
1409
340ea4e8 1410/// If no level is supplied then return the current global context if there is one
aad2ba95 1411 if (empty($contextlevel)) {
340ea4e8 1412 if (empty($CONTEXT)) {
a36a3a3f 1413 //fatal error, code must be fixed
1414 error("Error: get_context_instance() called without a context");
340ea4e8 1415 } else {
1416 return $CONTEXT;
1417 }
e5605780 1418 }
1419
a36a3a3f 1420/// check allowed context levels
1421 if (!in_array($contextlevel, $allowed_contexts)) {
7bfa3101 1422 // fatal error, code must be fixed - probably typo or switched parameters
a36a3a3f 1423 error('Error: get_context_instance() called with incorrect context level "'.s($contextlevel).'"');
1424 }
1425
340ea4e8 1426/// Check the cache
aad2ba95 1427 if (isset($context_cache[$contextlevel][$instance])) { // Already cached
1428 return $context_cache[$contextlevel][$instance];
e5605780 1429 }
1430
340ea4e8 1431/// Get it from the database, or create it
aad2ba95 1432 if (!$context = get_record('context', 'contextlevel', $contextlevel, 'instanceid', $instance)) {
1433 create_context($contextlevel, $instance);
1434 $context = get_record('context', 'contextlevel', $contextlevel, 'instanceid', $instance);
e5605780 1435 }
1436
ccfc5ecc 1437/// Only add to cache if context isn't empty.
1438 if (!empty($context)) {
aad2ba95 1439 $context_cache[$contextlevel][$instance] = $context; // Cache it for later
ccfc5ecc 1440 $context_cache_id[$context->id] = $context; // Cache it for later
1441 }
0468976c 1442
bbbf2d40 1443 return $context;
1444}
1445
cee0901c 1446
340ea4e8 1447/**
1448 * Get a context instance as an object, from a given id.
1449 * @param $id
1450 */
1451function get_context_instance_by_id($id) {
1452
d9a35e12 1453 global $context_cache, $context_cache_id;
1454
340ea4e8 1455 if (isset($context_cache_id[$id])) { // Already cached
75e84883 1456 return $context_cache_id[$id];
340ea4e8 1457 }
1458
1459 if ($context = get_record('context', 'id', $id)) { // Update the cache and return
aad2ba95 1460 $context_cache[$context->contextlevel][$context->instanceid] = $context;
340ea4e8 1461 $context_cache_id[$context->id] = $context;
1462 return $context;
1463 }
1464
1465 return false;
1466}
1467
bbbf2d40 1468
8737be58 1469/**
1470 * Get the local override (if any) for a given capability in a role in a context
1471 * @param $roleid
0468976c 1472 * @param $contextid
1473 * @param $capability
8737be58 1474 */
1475function get_local_override($roleid, $contextid, $capability) {
1476 return get_record('role_capabilities', 'roleid', $roleid, 'capability', $capability, 'contextid', $contextid);
1477}
1478
1479
bbbf2d40 1480
1481/************************************
1482 * DB TABLE RELATED FUNCTIONS *
1483 ************************************/
1484
cee0901c 1485/**
bbbf2d40 1486 * function that creates a role
1487 * @param name - role name
31f26796 1488 * @param shortname - role short name
bbbf2d40 1489 * @param description - role description
1490 * @param legacy - optional legacy capability
1491 * @return id or false
1492 */
8420bee9 1493function create_role($name, $shortname, $description, $legacy='') {
eef868d1 1494
98882637 1495 // check for duplicate role name
eef868d1 1496
98882637 1497 if ($role = get_record('role','name', $name)) {
eef868d1 1498 error('there is already a role with this name!');
98882637 1499 }
eef868d1 1500
31f26796 1501 if ($role = get_record('role','shortname', $shortname)) {
eef868d1 1502 error('there is already a role with this shortname!');
31f26796 1503 }
1504
b5959f30 1505 $role = new object();
98882637 1506 $role->name = $name;
31f26796 1507 $role->shortname = $shortname;
98882637 1508 $role->description = $description;
eef868d1 1509
8420bee9 1510 //find free sortorder number
1511 $role->sortorder = count_records('role');
1512 while (get_record('role','sortorder', $role->sortorder)) {
1513 $role->sortorder += 1;
b5959f30 1514 }
1515
eef868d1 1516 $context = get_context_instance(CONTEXT_SYSTEM, SITEID);
1517
98882637 1518 if ($id = insert_record('role', $role)) {
eef868d1 1519 if ($legacy) {
1520 assign_capability($legacy, CAP_ALLOW, $id, $context->id);
98882637 1521 }
eef868d1 1522
ec7a8b79 1523 /// By default, users with role:manage at site level
1524 /// should be able to assign users to this new role, and override this new role's capabilities
eef868d1 1525
ec7a8b79 1526 // find all admin roles
e46c0987 1527 if ($adminroles = get_roles_with_capability('moodle/role:manage', CAP_ALLOW, $context)) {
1528 // foreach admin role
1529 foreach ($adminroles as $arole) {
1530 // write allow_assign and allow_overrid
1531 allow_assign($arole->id, $id);
eef868d1 1532 allow_override($arole->id, $id);
e46c0987 1533 }
ec7a8b79 1534 }
eef868d1 1535
98882637 1536 return $id;
1537 } else {
eef868d1 1538 return false;
98882637 1539 }
eef868d1 1540
bbbf2d40 1541}
1542
8420bee9 1543/**
1544 * function that deletes a role and cleanups up after it
1545 * @param roleid - id of role to delete
1546 * @return success
1547 */
1548function delete_role($roleid) {
1549 $success = true;
1550
1551// first unssign all users
1552 if (!role_unassign($roleid)) {
1553 debugging("Error while unassigning all users from role with ID $roleid!");
1554 $success = false;
1555 }
1556
1557// cleanup all references to this role, ignore errors
1558 if ($success) {
1559 delete_records('role_capabilities', 'roleid', $roleid);
1560 delete_records('role_allow_assign', 'roleid', $roleid);
1561 delete_records('role_allow_assign', 'allowassign', $roleid);
1562 delete_records('role_allow_override', 'roleid', $roleid);
1563 delete_records('role_allow_override', 'allowoverride', $roleid);
1564 delete_records('role_names', 'roleid', $roleid);
1565 }
1566
1567// finally delete the role itself
1568 if ($success and !delete_records('role', 'id', $roleid)) {
ece4945b 1569 debugging("Could not delete role record with ID $roleid!");
8420bee9 1570 $success = false;
1571 }
1572
1573 return $success;
1574}
1575
bbbf2d40 1576/**
1577 * Function to write context specific overrides, or default capabilities.
1578 * @param module - string name
1579 * @param capability - string name
1580 * @param contextid - context id
1581 * @param roleid - role id
1582 * @param permission - int 1,-1 or -1000
96986241 1583 * should not be writing if permission is 0
bbbf2d40 1584 */
e7876c1e 1585function assign_capability($capability, $permission, $roleid, $contextid, $overwrite=false) {
eef868d1 1586
98882637 1587 global $USER;
eef868d1 1588
96986241 1589 if (empty($permission) || $permission == CAP_INHERIT) { // if permission is not set
eef868d1 1590 unassign_capability($capability, $roleid, $contextid);
96986241 1591 return true;
98882637 1592 }
eef868d1 1593
2e85fffe 1594 $existing = get_record('role_capabilities', 'contextid', $contextid, 'roleid', $roleid, 'capability', $capability);
e7876c1e 1595
1596 if ($existing and !$overwrite) { // We want to keep whatever is there already
1597 return true;
1598 }
1599
bbbf2d40 1600 $cap = new object;
1601 $cap->contextid = $contextid;
1602 $cap->roleid = $roleid;
1603 $cap->capability = $capability;
1604 $cap->permission = $permission;
1605 $cap->timemodified = time();
9db12da7 1606 $cap->modifierid = empty($USER->id) ? 0 : $USER->id;
e7876c1e 1607
1608 if ($existing) {
1609 $cap->id = $existing->id;
1610 return update_record('role_capabilities', $cap);
1611 } else {
1612 return insert_record('role_capabilities', $cap);
1613 }
bbbf2d40 1614}
1615
1616
1617/**
1618 * Unassign a capability from a role.
1619 * @param $roleid - the role id
1620 * @param $capability - the name of the capability
1621 * @return boolean - success or failure
1622 */
1623function unassign_capability($capability, $roleid, $contextid=NULL) {
eef868d1 1624
98882637 1625 if (isset($contextid)) {
1626 $status = delete_records('role_capabilities', 'capability', $capability,
1627 'roleid', $roleid, 'contextid', $contextid);
1628 } else {
1629 $status = delete_records('role_capabilities', 'capability', $capability,
1630 'roleid', $roleid);
1631 }
1632 return $status;
bbbf2d40 1633}
1634
1635
1636/**
759ac72d 1637 * Get the roles that have a given capability assigned to it. This function
1638 * does not resolve the actual permission of the capability. It just checks
1639 * for assignment only.
bbbf2d40 1640 * @param $capability - capability name (string)
1641 * @param $permission - optional, the permission defined for this capability
1642 * either CAP_ALLOW, CAP_PREVENT or CAP_PROHIBIT
1643 * @return array or role objects
1644 */
ec7a8b79 1645function get_roles_with_capability($capability, $permission=NULL, $context='') {
1646
bbbf2d40 1647 global $CFG;
eef868d1 1648
ec7a8b79 1649 if ($context) {
1650 if ($contexts = get_parent_contexts($context)) {
1651 $listofcontexts = '('.implode(',', $contexts).')';
1652 } else {
1653 $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
eef868d1 1654 $listofcontexts = '('.$sitecontext->id.')'; // must be site
1655 }
42ac3ecf 1656 $contextstr = "AND (rc.contextid = '$context->id' OR rc.contextid IN $listofcontexts)";
ec7a8b79 1657 } else {
1658 $contextstr = '';
1659 }
eef868d1 1660
1661 $selectroles = "SELECT r.*
42ac3ecf 1662 FROM {$CFG->prefix}role r,
1663 {$CFG->prefix}role_capabilities rc
bbbf2d40 1664 WHERE rc.capability = '$capability'
ec7a8b79 1665 AND rc.roleid = r.id $contextstr";
bbbf2d40 1666
1667 if (isset($permission)) {
1668 $selectroles .= " AND rc.permission = '$permission'";
1669 }
1670 return get_records_sql($selectroles);
1671}
1672
1673
1674/**
a9e1c058 1675 * This function makes a role-assignment (a role for a user or group in a particular context)
bbbf2d40 1676 * @param $roleid - the role of the id
1677 * @param $userid - userid
1678 * @param $groupid - group id
1679 * @param $contextid - id of the context
1680 * @param $timestart - time this assignment becomes effective
1681 * @param $timeend - time this assignemnt ceases to be effective
1682 * @uses $USER
1683 * @return id - new id of the assigment
1684 */
f44152f4 1685function role_assign($roleid, $userid, $groupid, $contextid, $timestart=0, $timeend=0, $hidden=0, $enrol='manual') {
aa311411 1686 global $USER, $CFG;
bbbf2d40 1687
7eb0b60a 1688 debugging("Assign roleid $roleid userid $userid contextid $contextid", DEBUG_DEVELOPER);
bbbf2d40 1689
a9e1c058 1690/// Do some data validation
1691
bbbf2d40 1692 if (empty($roleid)) {
9d829c68 1693 debugging('Role ID not provided');
a9e1c058 1694 return false;
bbbf2d40 1695 }
1696
1697 if (empty($userid) && empty($groupid)) {
9d829c68 1698 debugging('Either userid or groupid must be provided');
a9e1c058 1699 return false;
bbbf2d40 1700 }
eef868d1 1701
7700027f 1702 if ($userid && !record_exists('user', 'id', $userid)) {
82396e5b 1703 debugging('User ID '.intval($userid).' does not exist!');
7700027f 1704 return false;
1705 }
bbbf2d40 1706
dc411d1b 1707 if ($groupid && !record_exists('groups', 'id', $groupid)) {
82396e5b 1708 debugging('Group ID '.intval($groupid).' does not exist!');
dc411d1b 1709 return false;
1710 }
1711
7700027f 1712 if (!$context = get_context_instance_by_id($contextid)) {
82396e5b 1713 debugging('Context ID '.intval($contextid).' does not exist!');
a9e1c058 1714 return false;
bbbf2d40 1715 }
1716
a9e1c058 1717 if (($timestart and $timeend) and ($timestart > $timeend)) {
9d829c68 1718 debugging('The end time can not be earlier than the start time');
a9e1c058 1719 return false;
1720 }
1721
7700027f 1722
a9e1c058 1723/// Check for existing entry
1724 if ($userid) {
7700027f 1725 $ra = get_record('role_assignments', 'roleid', $roleid, 'contextid', $context->id, 'userid', $userid);
a9e1c058 1726 } else {
7700027f 1727 $ra = get_record('role_assignments', 'roleid', $roleid, 'contextid', $context->id, 'groupid', $groupid);
a9e1c058 1728 }
1729
9ebcb4d2 1730
a9e1c058 1731 $newra = new object;
bbbf2d40 1732
a9e1c058 1733 if (empty($ra)) { // Create a new entry
1734 $newra->roleid = $roleid;
7700027f 1735 $newra->contextid = $context->id;
a9e1c058 1736 $newra->userid = $userid;
1737 $newra->groupid = $groupid;
1738
1739 $newra->hidden = $hidden;
f44152f4 1740 $newra->enrol = $enrol;
a9e1c058 1741 $newra->timestart = $timestart;
1742 $newra->timeend = $timeend;
1743 $newra->timemodified = time();
1744 $newra->modifier = empty($USER->id) ? 0 : $USER->id;
1745
9ebcb4d2 1746 $success = insert_record('role_assignments', $newra);
a9e1c058 1747
1748 } else { // We already have one, just update it
1749
1750 $newra->id = $ra->id;
1751 $newra->hidden = $hidden;
f44152f4 1752 $newra->enrol = $enrol;
a9e1c058 1753 $newra->timestart = $timestart;
1754 $newra->timeend = $timeend;
1755 $newra->timemodified = time();
1756 $newra->modifier = empty($USER->id) ? 0 : $USER->id;
1757
9ebcb4d2 1758 $success = update_record('role_assignments', $newra);
1759 }
1760
7700027f 1761 if ($success) { /// Role was assigned, so do some other things
1762
1763 /// If the user is the current user, then reload the capabilities too.
1764 if (!empty($USER->id) && $USER->id == $userid) {
2f1a4248 1765 load_all_capabilities();
7700027f 1766 }
9b5d7a46 1767
0f161e1f 1768 /// Ask all the modules if anything needs to be done for this user
1769 if ($mods = get_list_of_plugins('mod')) {
1770 foreach ($mods as $mod) {
1771 include_once($CFG->dirroot.'/mod/'.$mod.'/lib.php');
1772 $functionname = $mod.'_role_assign';
1773 if (function_exists($functionname)) {
1774 $functionname($userid, $context);
1775 }
1776 }
1777 }
1778
1779 /// Make sure they have an entry in user_lastaccess for courses they can access
1780 // role_add_lastaccess_entries($userid, $context);
a9e1c058 1781 }
eef868d1 1782
4e5f3064 1783 /// now handle metacourse role assignments if in course context
aad2ba95 1784 if ($success and $context->contextlevel == CONTEXT_COURSE) {
4e5f3064 1785 if ($parents = get_records('course_meta', 'child_course', $context->instanceid)) {
1786 foreach ($parents as $parent) {
1aad4310 1787 sync_metacourse($parent->parent_course);
4e5f3064 1788 }
1789 }
1790 }
6eb4f823 1791
1792 return $success;
bbbf2d40 1793}
1794
1795
1796/**
1dc1f037 1797 * Deletes one or more role assignments. You must specify at least one parameter.
bbbf2d40 1798 * @param $roleid
1799 * @param $userid
1800 * @param $groupid
1801 * @param $contextid
1802 * @return boolean - success or failure
1803 */
1dc1f037 1804function role_unassign($roleid=0, $userid=0, $groupid=0, $contextid=0) {
d74067e8 1805
1806 global $USER, $CFG;
eef868d1 1807
4e5f3064 1808 $success = true;
d74067e8 1809
1dc1f037 1810 $args = array('roleid', 'userid', 'groupid', 'contextid');
1811 $select = array();
1812 foreach ($args as $arg) {
1813 if ($$arg) {
1814 $select[] = $arg.' = '.$$arg;
1815 }
1816 }
d74067e8 1817
1dc1f037 1818 if ($select) {
4e5f3064 1819 if ($ras = get_records_select('role_assignments', implode(' AND ', $select))) {
1820 $mods = get_list_of_plugins('mod');
1821 foreach($ras as $ra) {
86e2c51d 1822 /// infinite loop protection when deleting recursively
1823 if (!$ra = get_record('role_assignments', 'id', $ra->id)) {
1824 continue;
1825 }
4e5f3064 1826 $success = delete_records('role_assignments', 'id', $ra->id) and $success;
86e2c51d 1827
4e5f3064 1828 /// If the user is the current user, then reload the capabilities too.
1829 if (!empty($USER->id) && $USER->id == $ra->userid) {
2f1a4248 1830 load_all_capabilities();
4e5f3064 1831 }
1832 $context = get_record('context', 'id', $ra->contextid);
0f161e1f 1833
1834 /// Ask all the modules if anything needs to be done for this user
4e5f3064 1835 foreach ($mods as $mod) {
1836 include_once($CFG->dirroot.'/mod/'.$mod.'/lib.php');
1837 $functionname = $mod.'_role_unassign';
1838 if (function_exists($functionname)) {
1839 $functionname($ra->userid, $context); // watch out, $context might be NULL if something goes wrong
1840 }
1841 }
1842
1843 /// now handle metacourse role unassigment and removing from goups if in course context
aad2ba95 1844 if (!empty($context) and $context->contextlevel == CONTEXT_COURSE) {
4e5f3064 1845 //remove from groups when user has no role
1846 $roles = get_user_roles($context, $ra->userid, true);
1847 if (empty($roles)) {
1848 if ($groups = get_groups($context->instanceid, $ra->userid)) {
1849 foreach ($groups as $group) {
1850 delete_records('groups_members', 'groupid', $group->id, 'userid', $ra->userid);
1851 }
1852 }
1853 }
1aad4310 1854 //unassign roles in metacourses if needed
4e5f3064 1855 if ($parents = get_records('course_meta', 'child_course', $context->instanceid)) {
1856 foreach ($parents as $parent) {
1aad4310 1857 sync_metacourse($parent->parent_course);
0f161e1f 1858 }
1859 }
0f161e1f 1860 }
1861 }
d74067e8 1862 }
1dc1f037 1863 }
4e5f3064 1864
1865 return $success;
bbbf2d40 1866}
1867
eef868d1 1868/*
1869 * A convenience function to take care of the common case where you
b963384f 1870 * just want to enrol someone using the default role into a course
1871 *
1872 * @param object $course
1873 * @param object $user
1874 * @param string $enrol - the plugin used to do this enrolment
1875 */
1876function enrol_into_course($course, $user, $enrol) {
1877
1878 if ($course->enrolperiod) {
1879 $timestart = time();
1880 $timeend = time() + $course->enrolperiod;
1881 } else {
1882 $timestart = $timeend = 0;
1883 }
1884
1885 if ($role = get_default_course_role($course)) {
c4381ef5 1886
1887 $context = get_context_instance(CONTEXT_COURSE, $course->id);
1888
e2183037 1889 if (!role_assign($role->id, $user->id, 0, $context->id, $timestart, $timeend, 0, $enrol)) {
b963384f 1890 return false;
1891 }
eef868d1 1892
b963384f 1893 email_welcome_message_to_user($course, $user);
eef868d1 1894
b963384f 1895 add_to_log($course->id, 'course', 'enrol', 'view.php?id='.$course->id, $user->id);
1896
1897 return true;
1898 }
1899
1900 return false;
1901}
1902
0f161e1f 1903/**
1904 * Add last access times to user_lastaccess as required
1905 * @param $userid
1906 * @param $context
1907 * @return boolean - success or failure
1908 */
1909function role_add_lastaccess_entries($userid, $context) {
1910
1911 global $USER, $CFG;
1912
aad2ba95 1913 if (empty($context->contextlevel)) {
0f161e1f 1914 return false;
1915 }
1916
1917 $lastaccess = new object; // Reusable object below
1918 $lastaccess->userid = $userid;
1919 $lastaccess->timeaccess = 0;
1920
aad2ba95 1921 switch ($context->contextlevel) {
0f161e1f 1922
1923 case CONTEXT_SYSTEM: // For the whole site
1924 if ($courses = get_record('course')) {
1925 foreach ($courses as $course) {
1926 $lastaccess->courseid = $course->id;
1927 role_set_lastaccess($lastaccess);
1928 }
1929 }
1930 break;
1931
1932 case CONTEXT_CATEGORY: // For a whole category
1933 if ($courses = get_record('course', 'category', $context->instanceid)) {
1934 foreach ($courses as $course) {
1935 $lastaccess->courseid = $course->id;
1936 role_set_lastaccess($lastaccess);
1937 }
1938 }
1939 if ($categories = get_record('course_categories', 'parent', $context->instanceid)) {
1940 foreach ($categories as $category) {
1941 $subcontext = get_context_instance(CONTEXT_CATEGORY, $category->id);
1942 role_add_lastaccess_entries($userid, $subcontext);
1943 }
1944 }
1945 break;
eef868d1 1946
0f161e1f 1947
1948 case CONTEXT_COURSE: // For a whole course
1949 if ($course = get_record('course', 'id', $context->instanceid)) {
1950 $lastaccess->courseid = $course->id;
1951 role_set_lastaccess($lastaccess);
1952 }
1953 break;
1954 }
1955}
1956
1957/**
1958 * Delete last access times from user_lastaccess as required
1959 * @param $userid
1960 * @param $context
1961 * @return boolean - success or failure
1962 */
1963function role_remove_lastaccess_entries($userid, $context) {
1964
1965 global $USER, $CFG;
1966
1967}
1968
bbbf2d40 1969
1970/**
1971 * Loads the capability definitions for the component (from file). If no
1972 * capabilities are defined for the component, we simply return an empty array.
1973 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
1974 * @return array of capabilities
1975 */
1976function load_capability_def($component) {
1977 global $CFG;
1978
1979 if ($component == 'moodle') {
1980 $defpath = $CFG->libdir.'/db/access.php';
1981 $varprefix = 'moodle';
1982 } else {
0c4d9f49 1983 $compparts = explode('/', $component);
eef868d1 1984
0c4d9f49 1985 if ($compparts[0] == 'block') {
1986 // Blocks are an exception. Blocks directory is 'blocks', and not
1987 // 'block'. So we need to jump through hoops.
1988 $defpath = $CFG->dirroot.'/'.$compparts[0].
1989 's/'.$compparts[1].'/db/access.php';
1990 $varprefix = $compparts[0].'_'.$compparts[1];
1991 } else {
1992 $defpath = $CFG->dirroot.'/'.$component.'/db/access.php';
1993 $varprefix = str_replace('/', '_', $component);
1994 }
bbbf2d40 1995 }
1996 $capabilities = array();
eef868d1 1997
bbbf2d40 1998 if (file_exists($defpath)) {
1999 require_once($defpath);
2000 $capabilities = ${$varprefix.'_capabilities'};
2001 }
2002 return $capabilities;
2003}
2004
2005
2006/**
2007 * Gets the capabilities that have been cached in the database for this
2008 * component.
2009 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
2010 * @return array of capabilities
2011 */
2012function get_cached_capabilities($component='moodle') {
2013 if ($component == 'moodle') {
2014 $storedcaps = get_records_select('capabilities',
2015 "name LIKE 'moodle/%:%'");
2016 } else {
2017 $storedcaps = get_records_select('capabilities',
2018 "name LIKE '$component:%'");
2019 }
2020 return $storedcaps;
2021}
2022
2023
2024/**
2025 * Updates the capabilities table with the component capability definitions.
2026 * If no parameters are given, the function updates the core moodle
2027 * capabilities.
2028 *
2029 * Note that the absence of the db/access.php capabilities definition file
2030 * will cause any stored capabilities for the component to be removed from
eef868d1 2031 * the database.
bbbf2d40 2032 *
2033 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
2034 * @return boolean
2035 */
2036function update_capabilities($component='moodle') {
eef868d1 2037
bbbf2d40 2038 $storedcaps = array();
be4486da 2039
2040 $filecaps = load_capability_def($component);
bbbf2d40 2041 $cachedcaps = get_cached_capabilities($component);
2042 if ($cachedcaps) {
2043 foreach ($cachedcaps as $cachedcap) {
2044 array_push($storedcaps, $cachedcap->name);
17e5635c 2045 // update risk bitmasks in existing capabilities if needed
be4486da 2046 if (array_key_exists($cachedcap->name, $filecaps)) {
2047 if (!array_key_exists('riskbitmask', $filecaps[$cachedcap->name])) {
2b531945 2048 $filecaps[$cachedcap->name]['riskbitmask'] = 0; // no risk if not specified
be4486da 2049 }
2050 if ($cachedcap->riskbitmask != $filecaps[$cachedcap->name]['riskbitmask']) {
2051 $updatecap = new object;
2052 $updatecap->id = $cachedcap->id;
2053 $updatecap->riskbitmask = $filecaps[$cachedcap->name]['riskbitmask'];
2054 if (!update_record('capabilities', $updatecap)) {
2055 return false;
2056 }
2057 }
2058 }
bbbf2d40 2059 }
2060 }
be4486da 2061
bbbf2d40 2062 // Are there new capabilities in the file definition?
2063 $newcaps = array();
eef868d1 2064
bbbf2d40 2065 foreach ($filecaps as $filecap => $def) {
eef868d1 2066 if (!$storedcaps ||
bbbf2d40 2067 ($storedcaps && in_array($filecap, $storedcaps) === false)) {
2b531945 2068 if (!array_key_exists('riskbitmask', $def)) {
2069 $def['riskbitmask'] = 0; // no risk if not specified
2070 }
bbbf2d40 2071 $newcaps[$filecap] = $def;
2072 }
2073 }
2074 // Add new capabilities to the stored definition.
2075 foreach ($newcaps as $capname => $capdef) {
2076 $capability = new object;
2077 $capability->name = $capname;
2078 $capability->captype = $capdef['captype'];
2079 $capability->contextlevel = $capdef['contextlevel'];
2080 $capability->component = $component;
be4486da 2081 $capability->riskbitmask = $capdef['riskbitmask'];
eef868d1 2082
bbbf2d40 2083 if (!insert_record('capabilities', $capability, false, 'id')) {
2084 return false;
2085 }
eef868d1 2086
bbbf2d40 2087 // Do we need to assign the new capabilities to roles that have the
2088 // legacy capabilities moodle/legacy:* as well?
2089 if (isset($capdef['legacy']) && is_array($capdef['legacy']) &&
2090 !assign_legacy_capabilities($capname, $capdef['legacy'])) {
2e85fffe 2091 notify('Could not assign legacy capabilities for '.$capname);
bbbf2d40 2092 }
2093 }
2094 // Are there any capabilities that have been removed from the file
2095 // definition that we need to delete from the stored capabilities and
2096 // role assignments?
2097 capabilities_cleanup($component, $filecaps);
eef868d1 2098
bbbf2d40 2099 return true;
2100}
2101
2102
2103/**
2104 * Deletes cached capabilities that are no longer needed by the component.
2105 * Also unassigns these capabilities from any roles that have them.
2106 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
2107 * @param $newcapdef - array of the new capability definitions that will be
2108 * compared with the cached capabilities
2109 * @return int - number of deprecated capabilities that have been removed
2110 */
2111function capabilities_cleanup($component, $newcapdef=NULL) {
eef868d1 2112
bbbf2d40 2113 $removedcount = 0;
eef868d1 2114
bbbf2d40 2115 if ($cachedcaps = get_cached_capabilities($component)) {
2116 foreach ($cachedcaps as $cachedcap) {
2117 if (empty($newcapdef) ||
2118 array_key_exists($cachedcap->name, $newcapdef) === false) {
eef868d1 2119
bbbf2d40 2120 // Remove from capabilities cache.
2121 if (!delete_records('capabilities', 'name', $cachedcap->name)) {
2122 error('Could not delete deprecated capability '.$cachedcap->name);
2123 } else {
2124 $removedcount++;
2125 }
2126 // Delete from roles.
2127 if($roles = get_roles_with_capability($cachedcap->name)) {
2128 foreach($roles as $role) {
46943f7b 2129 if (!unassign_capability($cachedcap->name, $role->id)) {
bbbf2d40 2130 error('Could not unassign deprecated capability '.
2131 $cachedcap->name.' from role '.$role->name);
2132 }
2133 }
2134 }
2135 } // End if.
2136 }
2137 }
2138 return $removedcount;
2139}
2140
2141
2142
cee0901c 2143/****************
2144 * UI FUNCTIONS *
2145 ****************/
bbbf2d40 2146
2147
2148/**
2149 * prints human readable context identifier.
2150 */
0468976c 2151function print_context_name($context) {
340ea4e8 2152
ec0810ee 2153 $name = '';
aad2ba95 2154 switch ($context->contextlevel) {
ec0810ee 2155
bbbf2d40 2156 case CONTEXT_SYSTEM: // by now it's a definite an inherit
ec0810ee 2157 $name = get_string('site');
340ea4e8 2158 break;
bbbf2d40 2159
2160 case CONTEXT_PERSONAL:
ec0810ee 2161 $name = get_string('personal');
340ea4e8 2162 break;
2163
4b10f08b 2164 case CONTEXT_USER:
ec0810ee 2165 if ($user = get_record('user', 'id', $context->instanceid)) {
2166 $name = get_string('user').': '.fullname($user);
2167 }
340ea4e8 2168 break;
2169
bbbf2d40 2170 case CONTEXT_COURSECAT: // Coursecat -> coursecat or site
ec0810ee 2171 if ($category = get_record('course_categories', 'id', $context->instanceid)) {
2172 $name = get_string('category').': '.$category->name;
2173 }
340ea4e8 2174 break;
bbbf2d40 2175
2176 case CONTEXT_COURSE: // 1 to 1 to course cat
ec0810ee 2177 if ($course = get_record('course', 'id', $context->instanceid)) {
2178 $name = get_string('course').': '.$course->fullname;
2179 }
340ea4e8 2180 break;
bbbf2d40 2181
2182 case CONTEXT_GROUP: // 1 to 1 to course
ec0810ee 2183 if ($group = get_record('groups', 'id', $context->instanceid)) {
2184 $name = get_string('group').': '.$group->name;
2185 }
340ea4e8 2186 break;
bbbf2d40 2187
2188 case CONTEXT_MODULE: // 1 to 1 to course
98882637 2189 if ($cm = get_record('course_modules','id',$context->instanceid)) {
2190 if ($module = get_record('modules','id',$cm->module)) {
2191 if ($mod = get_record($module->name, 'id', $cm->instance)) {
ec0810ee 2192 $name = get_string('activitymodule').': '.$mod->name;
98882637 2193 }
ec0810ee 2194 }
2195 }
340ea4e8 2196 break;
bbbf2d40 2197
2198 case CONTEXT_BLOCK: // 1 to 1 to course
98882637 2199 if ($blockinstance = get_record('block_instance','id',$context->instanceid)) {
2200 if ($block = get_record('block','id',$blockinstance->blockid)) {
91be52d7 2201 global $CFG;
2202 require_once("$CFG->dirroot/blocks/moodleblock.class.php");
2203 require_once("$CFG->dirroot/blocks/$block->name/block_$block->name.php");
2204 $blockname = "block_$block->name";
2205 if ($blockobject = new $blockname()) {
2206 $name = $blockobject->title.' ('.get_string('block').')';
2207 }
ec0810ee 2208 }
2209 }
340ea4e8 2210 break;
bbbf2d40 2211
2212 default:
2213 error ('This is an unknown context!');
340ea4e8 2214 return false;
2215
2216 }
340ea4e8 2217 return $name;
bbbf2d40 2218}
2219
2220
2221/**
eef868d1 2222 * Extracts the relevant capabilities given a contextid.
bbbf2d40 2223 * All case based, example an instance of forum context.
2224 * Will fetch all forum related capabilities, while course contexts
2225 * Will fetch all capabilities
0468976c 2226 * @param object context
bbbf2d40 2227 * @return array();
2228 *
2229 * capabilities
2230 * `name` varchar(150) NOT NULL,
2231 * `captype` varchar(50) NOT NULL,
2232 * `contextlevel` int(10) NOT NULL,
2233 * `component` varchar(100) NOT NULL,
2234 */
0468976c 2235function fetch_context_capabilities($context) {
eef868d1 2236
98882637 2237 global $CFG;
bbbf2d40 2238
2239 $sort = 'ORDER BY contextlevel,component,id'; // To group them sensibly for display
eef868d1 2240
aad2ba95 2241 switch ($context->contextlevel) {
bbbf2d40 2242
98882637 2243 case CONTEXT_SYSTEM: // all
2244 $SQL = "select * from {$CFG->prefix}capabilities";
bbbf2d40 2245 break;
2246
2247 case CONTEXT_PERSONAL:
0a8a95c9 2248 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_PERSONAL;
bbbf2d40 2249 break;
eef868d1 2250
4b10f08b 2251 case CONTEXT_USER:
8020a016 2252 $SQL = "SELECT *
2253 FROM {$CFG->prefix}capabilities
2254 WHERE contextlevel = ".CONTEXT_USER;
bbbf2d40 2255 break;
eef868d1 2256
bbbf2d40 2257 case CONTEXT_COURSECAT: // all
98882637 2258 $SQL = "select * from {$CFG->prefix}capabilities";
bbbf2d40 2259 break;
2260
2261 case CONTEXT_COURSE: // all
98882637 2262 $SQL = "select * from {$CFG->prefix}capabilities";
bbbf2d40 2263 break;
2264
2265 case CONTEXT_GROUP: // group caps
2266 break;
2267
2268 case CONTEXT_MODULE: // mod caps
98882637 2269 $cm = get_record('course_modules', 'id', $context->instanceid);
2270 $module = get_record('modules', 'id', $cm->module);
eef868d1 2271
98882637 2272 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_MODULE."
2273 and component = 'mod/$module->name'";
bbbf2d40 2274 break;
2275
2276 case CONTEXT_BLOCK: // block caps
98882637 2277 $cb = get_record('block_instance', 'id', $context->instanceid);
2278 $block = get_record('block', 'id', $cb->blockid);
eef868d1 2279
98882637 2280 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_BLOCK."
2281 and component = 'block/$block->name'";
bbbf2d40 2282 break;
2283
2284 default:
2285 return false;
2286 }
2287
16e2e2f3 2288 if (!$records = get_records_sql($SQL.' '.$sort)) {
2289 $records = array();
2290 }
ba8d8027 2291
2292/// the rest of code is a bit hacky, think twice before modifying it :-(
69eb59f2 2293
2294 // special sorting of core system capabiltites and enrollments
e9c82dca 2295 if (in_array($context->contextlevel, array(CONTEXT_SYSTEM, CONTEXT_COURSECAT, CONTEXT_COURSE))) {
69eb59f2 2296 $first = array();
2297 foreach ($records as $key=>$record) {
2298 if (preg_match('|^moodle/|', $record->name) and $record->contextlevel == CONTEXT_SYSTEM) {
2299 $first[$key] = $record;
2300 unset($records[$key]);
2301 } else if (count($first)){
2302 break;
2303 }
2304 }
2305 if (count($first)) {
2306 $records = $first + $records; // merge the two arrays keeping the keys
2307 }
ba8d8027 2308 } else {
2309 $contextindependentcaps = fetch_context_independent_capabilities();
2310 $records = array_merge($contextindependentcaps, $records);
69eb59f2 2311 }
ba8d8027 2312
bbbf2d40 2313 return $records;
eef868d1 2314
bbbf2d40 2315}
2316
2317
759ac72d 2318/**
2319 * Gets the context-independent capabilities that should be overrridable in
2320 * any context.
2321 * @return array of capability records from the capabilities table.
2322 */
2323function fetch_context_independent_capabilities() {
eef868d1 2324
17e5635c 2325 //only CONTEXT_SYSTEM capabilities here or it will break the hack in fetch_context_capabilities()
759ac72d 2326 $contextindependentcaps = array(
2327 'moodle/site:accessallgroups'
2328 );
2329
2330 $records = array();
eef868d1 2331
759ac72d 2332 foreach ($contextindependentcaps as $capname) {
2333 $record = get_record('capabilities', 'name', $capname);
2334 array_push($records, $record);
2335 }
2336 return $records;
2337}
2338
2339
bbbf2d40 2340/**
2341 * This function pulls out all the resolved capabilities (overrides and
759ac72d 2342 * defaults) of a role used in capability overrides in contexts at a given
bbbf2d40 2343 * context.
0a8a95c9 2344 * @param obj $context
bbbf2d40 2345 * @param int $roleid
dc558690 2346 * @param bool self - if set to true, resolve till this level, else stop at immediate parent level
bbbf2d40 2347 * @return array
2348 */
1648afb2 2349function role_context_capabilities($roleid, $context, $cap='') {
dc558690 2350 global $CFG;
eef868d1 2351
8521d83a 2352 $contexts = get_parent_contexts($context);
2353 $contexts[] = $context->id;
98882637 2354 $contexts = '('.implode(',', $contexts).')';
eef868d1 2355
1648afb2 2356 if ($cap) {
e4697bf7 2357 $search = " AND rc.capability = '$cap' ";
1648afb2 2358 } else {
eef868d1 2359 $search = '';
1648afb2 2360 }
eef868d1 2361
2362 $SQL = "SELECT rc.*
2363 FROM {$CFG->prefix}role_capabilities rc,
dc558690 2364 {$CFG->prefix}context c
2365 WHERE rc.contextid in $contexts
2366 AND rc.roleid = $roleid
2367 AND rc.contextid = c.id $search
aad2ba95 2368 ORDER BY c.contextlevel DESC,
eef868d1 2369 rc.capability DESC";
759ac72d 2370
98882637 2371 $capabilities = array();
eef868d1 2372
4729012f 2373 if ($records = get_records_sql($SQL)) {
2374 // We are traversing via reverse order.
2375 foreach ($records as $record) {
2376 // If not set yet (i.e. inherit or not set at all), or currently we have a prohibit
2377 if (!isset($capabilities[$record->capability]) || $record->permission<-500) {
2378 $capabilities[$record->capability] = $record->permission;
eef868d1 2379 }
4729012f 2380 }
98882637 2381 }
2382 return $capabilities;
bbbf2d40 2383}
2384
bbbf2d40 2385/**
eef868d1 2386 * Recursive function which, given a context, find all parent context ids,
bbbf2d40 2387 * and return the array in reverse order, i.e. parent first, then grand
2388 * parent, etc.
2389 * @param object $context
2390 * @return array()
2391 */
bbbf2d40 2392function get_parent_contexts($context) {
759ac72d 2393
aad2ba95 2394 switch ($context->contextlevel) {
bbbf2d40 2395
2396 case CONTEXT_SYSTEM: // no parent
957861f7 2397 return array();
bbbf2d40 2398 break;
2399
2400 case CONTEXT_PERSONAL:
957861f7 2401 if (!$parent = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
2402 return array();
2403 } else {
2404 return array($parent->id);
2405 }
bbbf2d40 2406 break;
eef868d1 2407
4b10f08b 2408 case CONTEXT_USER:
957861f7 2409 if (!$parent = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
2410 return array();
2411 } else {
2412 return array($parent->id);
2413 }
bbbf2d40 2414 break;
eef868d1 2415
bbbf2d40 2416 case CONTEXT_COURSECAT: // Coursecat -> coursecat or site
957861f7 2417 if (!$coursecat = get_record('course_categories','id',$context->instanceid)) {
2418 return array();
2419 }
c5ddc3fd 2420 if (!empty($coursecat->parent)) { // return parent value if exist
bbbf2d40 2421 $parent = get_context_instance(CONTEXT_COURSECAT, $coursecat->parent);
2422 return array_merge(array($parent->id), get_parent_contexts($parent));
2423 } else { // else return site value
2424 $parent = get_context_instance(CONTEXT_SYSTEM, SITEID);
2425 return array($parent->id);
2426 }
2427 break;
2428
2429 case CONTEXT_COURSE: // 1 to 1 to course cat
957861f7 2430 if (!$course = get_record('course','id',$context->instanceid)) {
2431 return array();
2432 }
2433 if (!empty($course->category)) {
2434 $parent = get_context_instance(CONTEXT_COURSECAT, $course->category);
2435 return array_merge(array($parent->id), get_parent_contexts($parent));
2436 } else {
2437 return array();
2438 }
bbbf2d40 2439 break;
2440
2441 case CONTEXT_GROUP: // 1 to 1 to course
957861f7 2442 if (!$group = get_record('groups','id',$context->instanceid)) {
2443 return array();
2444 }
2445 if ($parent = get_context_instance(CONTEXT_COURSE, $group->courseid)) {
2446 return array_merge(array($parent->id), get_parent_contexts($parent));
2447 } else {
2448 return array();
2449 }
bbbf2d40 2450 break;
2451
2452 case CONTEXT_MODULE: // 1 to 1 to course
957861f7 2453 if (!$cm = get_record('course_modules','id',$context->instanceid)) {
2454 return array();
2455 }
2456 if ($parent = get_context_instance(CONTEXT_COURSE, $cm->course)) {
2457 return array_merge(array($parent->id), get_parent_contexts($parent));
2458 } else {
2459 return array();
2460 }
bbbf2d40 2461 break;
2462
2463 case CONTEXT_BLOCK: // 1 to 1 to course
957861f7 2464 if (!$block = get_record('block_instance','id',$context->instanceid)) {
2465 return array();
2466 }
2467 if ($parent = get_context_instance(CONTEXT_COURSE, $block->pageid)) {
2468 return array_merge(array($parent->id), get_parent_contexts($parent));
2469 } else {
2470 return array();
2471 }
bbbf2d40 2472 break;
2473
2474 default:
957861f7 2475 error('This is an unknown context!');
bbbf2d40 2476 return false;
2477 }
bbbf2d40 2478}
2479
759ac72d 2480
2481/**
2482 * Gets a string for sql calls, searching for stuff in this context or above
ea8158c1 2483 * @param object $context
2484 * @return string
2485 */
2486function get_related_contexts_string($context) {
2487 if ($parents = get_parent_contexts($context)) {
eef868d1 2488 return (' IN ('.$context->id.','.implode(',', $parents).')');
ea8158c1 2489 } else {
2490 return (' ='.$context->id);
2491 }
2492}
759ac72d 2493
2494
bbbf2d40 2495/**
2496 * This function gets the capability of a role in a given context.
2497 * It is needed when printing override forms.
2498 * @param int $contextid
bbbf2d40 2499 * @param string $capability
2500 * @param array $capabilities - array loaded using role_context_capabilities
2501 * @return int (allow, prevent, prohibit, inherit)
2502 */
bbbf2d40 2503function get_role_context_capability($contextid, $capability, $capabilities) {
759ac72d 2504 if (isset($capabilities[$contextid][$capability])) {
2505 return $capabilities[$contextid][$capability];
2506 }
2507 else {
2508 return false;
2509 }
bbbf2d40 2510}
2511
2512
cee0901c 2513/**
2514 * Returns the human-readable, translated version of the capability.
2515 * Basically a big switch statement.
2516 * @param $capabilityname - e.g. mod/choice:readresponses
2517 */
ceb83c70 2518function get_capability_string($capabilityname) {
eef868d1 2519
cee0901c 2520 // Typical capabilityname is mod/choice:readresponses
ceb83c70 2521
2522 $names = split('/', $capabilityname);
2523 $stringname = $names[1]; // choice:readresponses
eef868d1 2524 $components = split(':', $stringname);
ceb83c70 2525 $componentname = $components[0]; // choice
98882637 2526
2527 switch ($names[0]) {
2528 case 'mod':
ceb83c70 2529 $string = get_string($stringname, $componentname);
98882637 2530 break;
eef868d1 2531
98882637 2532 case 'block':
ceb83c70 2533 $string = get_string($stringname, 'block_'.$componentname);
98882637 2534 break;
ceb83c70 2535
98882637 2536 case 'moodle':
ceb83c70 2537 $string = get_string($stringname, 'role');
98882637 2538 break;
eef868d1 2539
98882637 2540 case 'enrol':
ceb83c70 2541 $string = get_string($stringname, 'enrol_'.$componentname);
eef868d1 2542 break;
2543
98882637 2544 default:
ceb83c70 2545 $string = get_string($stringname);
eef868d1 2546 break;
2547
98882637 2548 }
ceb83c70 2549 return $string;
bbbf2d40 2550}
2551
2552
cee0901c 2553/**
2554 * This gets the mod/block/course/core etc strings.
2555 * @param $component
2556 * @param $contextlevel
2557 */
bbbf2d40 2558function get_component_string($component, $contextlevel) {
2559
98882637 2560 switch ($contextlevel) {
bbbf2d40 2561
98882637 2562 case CONTEXT_SYSTEM:
be382aaf 2563 if (preg_match('|^enrol/|', $component)) {
2564 $langname = str_replace('/', '_', $component);
2565 $string = get_string('enrolname', $langname);
f3652521 2566 } else if (preg_match('|^block/|', $component)) {
2567 $langname = str_replace('/', '_', $component);
2568 $string = get_string('blockname', $langname);
69eb59f2 2569 } else {
2570 $string = get_string('coresystem');
2571 }
bbbf2d40 2572 break;
2573
2574 case CONTEXT_PERSONAL:
98882637 2575 $string = get_string('personal');
bbbf2d40 2576 break;
2577
4b10f08b 2578 case CONTEXT_USER:
98882637 2579 $string = get_string('users');
bbbf2d40 2580 break;
2581
2582 case CONTEXT_COURSECAT:
98882637 2583 $string = get_string('categories');
bbbf2d40 2584 break;
2585
2586 case CONTEXT_COURSE:
98882637 2587 $string = get_string('course');
bbbf2d40 2588 break;
2589
2590 case CONTEXT_GROUP:
98882637 2591 $string = get_string('group');
bbbf2d40 2592 break;
2593
2594 case CONTEXT_MODULE:
98882637 2595 $string = get_string('modulename', basename($component));
bbbf2d40 2596 break;
2597
2598 case CONTEXT_BLOCK:
98882637 2599 $string = get_string('blockname', 'block_'.$component.'.php');
bbbf2d40 2600 break;
2601
2602 default:
2603 error ('This is an unknown context!');
2604 return false;
eef868d1 2605
98882637 2606 }
98882637 2607 return $string;
bbbf2d40 2608}
cee0901c 2609
759ac72d 2610/**
2611 * Gets the list of roles assigned to this context and up (parents)
945f88ca 2612 * @param object $context
2613 * @return array
2614 */
e4dd3222 2615function get_roles_used_in_context($context) {
2616
2617 global $CFG;
2d9965e1 2618 $contextlist = get_related_contexts_string($context);
eef868d1 2619
759ac72d 2620 $sql = "SELECT DISTINCT r.id,
2621 r.name,
2622 r.shortname,
2623 r.sortorder
2624 FROM {$CFG->prefix}role_assignments ra,
eef868d1 2625 {$CFG->prefix}role r
2626 WHERE r.id = ra.roleid
759ac72d 2627 AND ra.contextid $contextlist
2628 ORDER BY r.sortorder ASC";
eef868d1 2629
759ac72d 2630 return get_records_sql($sql);
e4dd3222 2631}
2632
eef868d1 2633/** this function is used to print roles column in user profile page.
945f88ca 2634 * @param int userid
2635 * @param int contextid
2636 * @return string
2637 */
0a8a95c9 2638function get_user_roles_in_context($userid, $contextid){
2639 global $CFG;
eef868d1 2640
0a8a95c9 2641 $rolestring = '';
2642 $SQL = 'select * from '.$CFG->prefix.'role_assignments ra, '.$CFG->prefix.'role r where ra.userid='.$userid.' and ra.contextid='.$contextid.' and ra.roleid = r.id';
2643 if ($roles = get_records_sql($SQL)) {
2644 foreach ($roles as $userrole) {
2645 $rolestring .= '<a href="'.$CFG->wwwroot.'/user/index.php?contextid='.$userrole->contextid.'&amp;roleid='.$userrole->roleid.'">'.$userrole->name.'</a>, ';
eef868d1 2646 }
2647
0a8a95c9 2648 }
2649 return rtrim($rolestring, ', ');
2650}
68c52526 2651
2652
945f88ca 2653/**
2654 * Checks if a user can override capabilities of a particular role in this context
2655 * @param object $context
2656 * @param int targetroleid - the id of the role you want to override
2657 * @return boolean
2658 */
68c52526 2659function user_can_override($context, $targetroleid) {
2660 // first check if user has override capability
2661 // if not return false;
2662 if (!has_capability('moodle/role:override', $context)) {
eef868d1 2663 return false;
68c52526 2664 }
2665 // pull out all active roles of this user from this context(or above)
c0614051 2666 if ($userroles = get_user_roles($context)) {
2667 foreach ($userroles as $userrole) {
2668 // if any in the role_allow_override table, then it's ok
2669 if (get_record('role_allow_override', 'roleid', $userrole->roleid, 'allowoverride', $targetroleid)) {
2670 return true;
2671 }
68c52526 2672 }
2673 }
eef868d1 2674
68c52526 2675 return false;
eef868d1 2676
68c52526 2677}
2678
945f88ca 2679/**
2680 * Checks if a user can assign users to a particular role in this context
2681 * @param object $context
2682 * @param int targetroleid - the id of the role you want to assign users to
2683 * @return boolean
2684 */
68c52526 2685function user_can_assign($context, $targetroleid) {
eef868d1 2686
68c52526 2687 // first check if user has override capability
2688 // if not return false;
2689 if (!has_capability('moodle/role:assign', $context)) {
eef868d1 2690 return false;
68c52526 2691 }
2692 // pull out all active roles of this user from this context(or above)
c0614051 2693 if ($userroles = get_user_roles($context)) {
2694 foreach ($userroles as $userrole) {
2695 // if any in the role_allow_override table, then it's ok
2696 if (get_record('role_allow_assign', 'roleid', $userrole->roleid, 'allowassign', $targetroleid)) {
2697 return true;
2698 }
68c52526 2699 }
2700 }
eef868d1 2701
2702 return false;
68c52526 2703}
2704
ece4945b 2705/** Returns all site roles in correct sort order.
2706 *
2707 */
2708function get_all_roles() {
2709 return get_records('role', '', '', 'sortorder ASC');
2710}
2711
945f88ca 2712/**
2713 * gets all the user roles assigned in this context, or higher contexts
2714 * this is mainly used when checking if a user can assign a role, or overriding a role
2715 * i.e. we need to know what this user holds, in order to verify against allow_assign and
2716 * allow_override tables
2717 * @param object $context
2718 * @param int $userid
2719 * @return array
2720 */
5b630667 2721function get_user_roles($context, $userid=0, $checkparentcontexts=true) {
68c52526 2722
2723 global $USER, $CFG, $db;
c0614051 2724
2725 if (empty($userid)) {
2726 if (empty($USER->id)) {
2727 return array();
2728 }
2729 $userid = $USER->id;
2730 }
2731
5b630667 2732 if ($checkparentcontexts && ($parents = get_parent_contexts($context))) {
2733 $contexts = ' ra.contextid IN ('.implode(',' , $parents).','.$context->id.')';
c0614051 2734 } else {
5b630667 2735 $contexts = ' ra.contextid = \''.$context->id.'\'';
c0614051 2736 }
2737
31f26796 2738 return get_records_sql('SELECT ra.*, r.name, r.shortname
5b630667 2739 FROM '.$CFG->prefix.'role_assignments ra,
ec6eb110 2740 '.$CFG->prefix.'role r,
2741 '.$CFG->prefix.'context c
c0614051 2742 WHERE ra.userid = '.$userid.
5b630667 2743 ' AND ra.roleid = r.id
ec6eb110 2744 AND ra.contextid = c.id
eef868d1 2745 AND '.$contexts.
ece4945b 2746 ' ORDER BY c.contextlevel DESC, r.sortorder ASC');
68c52526 2747}
2748
945f88ca 2749/**
eef868d1 2750 * Creates a record in the allow_override table
945f88ca 2751 * @param int sroleid - source roleid
2752 * @param int troleid - target roleid
2753 * @return int - id or false
2754 */
2755function allow_override($sroleid, $troleid) {
ece4945b 2756 $record = new object();
945f88ca 2757 $record->roleid = $sroleid;
2758 $record->allowoverride = $troleid;
2759 return insert_record('role_allow_override', $record);
2760}
2761
2762/**
eef868d1 2763 * Creates a record in the allow_assign table
945f88ca 2764 * @param int sroleid - source roleid
2765 * @param int troleid - target roleid
2766 * @return int - id or false
2767 */
2768function allow_assign($sroleid, $troleid) {
ff64aaea 2769 $record = new object;
945f88ca 2770 $record->roleid = $sroleid;
2771 $record->allowassign = $troleid;
2772 return insert_record('role_allow_assign', $record);
2773}
2774
2775/**
ff64aaea 2776 * Gets a list of roles that this user can assign in this context
945f88ca 2777 * @param object $context
2778 * @return array
2779 */
5e67946d 2780function get_assignable_roles ($context, $field="name") {
945f88ca 2781
945f88ca 2782 $options = array();
ff64aaea 2783
ece4945b 2784 if ($roles = get_all_roles()) {
ff64aaea 2785 foreach ($roles as $role) {
2786 if (user_can_assign($context, $role->id)) {
5e67946d 2787 $options[$role->id] = strip_tags(format_string($role->{$field}, true));
ff64aaea 2788 }
945f88ca 2789 }
2790 }
2791 return $options;
2792}
2793
2794/**
ff64aaea 2795 * Gets a list of roles that this user can override in this context
945f88ca 2796 * @param object $context
2797 * @return array
2798 */
2799function get_overridable_roles ($context) {
2800
945f88ca 2801 $options = array();
ff64aaea 2802
ece4945b 2803 if ($roles = get_all_roles()) {
ff64aaea 2804 foreach ($roles as $role) {
2805 if (user_can_override($context, $role->id)) {
65b0c132 2806 $options[$role->id] = strip_tags(format_string($role->name, true));
ff64aaea 2807 }
945f88ca 2808 }
ff64aaea 2809 }
eef868d1 2810
2811 return $options;
945f88ca 2812}
1648afb2 2813
b963384f 2814/*
2815 * Returns a role object that is the default role for new enrolments
2816 * in a given course
2817 *
eef868d1 2818 * @param object $course
b963384f 2819 * @return object $role
2820 */
2821function get_default_course_role($course) {
2822 global $CFG;
2823
2824/// First let's take the default role the course may have
2825 if (!empty($course->defaultrole)) {
2826 if ($role = get_record('role', 'id', $course->defaultrole)) {
2827 return $role;
2828 }
2829 }
2830
2831/// Otherwise the site setting should tell us
2832 if ($CFG->defaultcourseroleid) {
2833 if ($role = get_record('role', 'id', $CFG->defaultcourseroleid)) {
2834 return $role;
2835 }
2836 }
2837
2838/// It's unlikely we'll get here, but just in case, try and find a student role
2839 if ($studentroles = get_roles_with_capability('moodle/legacy:student', CAP_ALLOW)) {
2840 return array_shift($studentroles); /// Take the first one
2841 }
2842
2843 return NULL;
2844}
2845
1648afb2 2846
2847/**
2848 * who has this capability in this context
2849 * does not handling user level resolving!!!
2850 * i.e 1 person has 2 roles 1 allow, 1 prevent, this will not work properly
2851 * @param $context - object
2852 * @param $capability - string capability
2853 * @param $fields - fields to be pulled
2854 * @param $sort - the sort order
04417640 2855 * @param $limitfrom - number of records to skip (offset)
eef868d1 2856 * @param $limitnum - number of records to fetch
1c45e42e 2857 * @param $groups - single group or array of groups - group(s) user is in
71dea306 2858 * @param $exceptions - list of users to exclude
1648afb2 2859 */
eef868d1 2860function get_users_by_capability($context, $capability, $fields='', $sort='',
1d546bb1 2861 $limitfrom='', $limitnum='', $groups='', $exceptions='', $doanything=true) {
1648afb2 2862 global $CFG;
eef868d1 2863
64026e8c 2864/// Sorting out groups
1c45e42e 2865 if ($groups) {
71dea306 2866 $groupjoin = 'INNER JOIN '.$CFG->prefix.'groups_members gm ON gm.userid = ra.userid';
eef868d1 2867
1c45e42e 2868 if (is_array($groups)) {
a05708ad 2869 $groupsql = 'AND gm.groupid IN ('.implode(',', $groups).')';
1c45e42e 2870 } else {
eef868d1 2871 $groupsql = 'AND gm.groupid = '.$groups;
1c45e42e 2872 }
2873 } else {
2874 $groupjoin = '';
eef868d1 2875 $groupsql = '';
1c45e42e 2876 }
eef868d1 2877
64026e8c 2878/// Sorting out exceptions
5081e786 2879 $exceptionsql = $exceptions ? "AND u.id NOT IN ($exceptions)" : '';
64026e8c 2880
2881/// Set up default fields
2882 if (empty($fields)) {
5b630667 2883 $fields = 'u.*, ul.timeaccess as lastaccess, ra.hidden';
64026e8c 2884 }
2885
2886/// Set up default sort
2887 if (empty($sort)) {
2888 $sort = 'ul.timeaccess';
2889 }
2890
eef868d1 2891 $sortby = $sort ? " ORDER BY $sort " : '';
2892
64026e8c 2893/// If context is a course, then construct sql for ul
aad2ba95 2894 if ($context->contextlevel == CONTEXT_COURSE) {
71dea306 2895 $courseid = $context->instanceid;
f00b7f8d 2896 $coursesql = "AND (ul.courseid = $courseid OR ul.courseid IS NULL)";
5081e786 2897 } else {
2898 $coursesql = '';
71dea306 2899 }
64026e8c 2900
2901/// Sorting out roles with this capability set
9d829c68 2902 if ($possibleroles = get_roles_with_capability($capability, CAP_ALLOW, $context)) {
1d546bb1 2903 if (!$doanything) {
3ca2dea5 2904 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
1d546bb1 2905 return false; // Something is seriously wrong
2906 }
2907 $doanythingroles = get_roles_with_capability('moodle/site:doanything', CAP_ALLOW, $sitecontext);
e836a7dd 2908 }
e836a7dd 2909
9d829c68 2910 $validroleids = array();
e836a7dd 2911 foreach ($possibleroles as $possiblerole) {
1d546bb1 2912 if (!$doanything) {
2913 if (isset($doanythingroles[$possiblerole->id])) { // We don't want these included
2914 continue;
2915 }
e836a7dd 2916 }
bccdf227 2917 if ($caps = role_context_capabilities($possiblerole->id, $context, $capability)) { // resolved list
2918 if (isset($caps[$capability]) && $caps[$capability] > 0) { // resolved capability > 0
2919 $validroleids[] = $possiblerole->id;
2920 }
9d829c68 2921 }
1648afb2 2922 }
1d546bb1 2923 if (empty($validroleids)) {
2924 return false;
2925 }
9d829c68 2926 $roleids = '('.implode(',', $validroleids).')';
2927 } else {
2928 return false; // No need to continue, since no roles have this capability set
eef868d1 2929 }
64026e8c 2930
2931/// Construct the main SQL
71dea306 2932 $select = " SELECT $fields";
eef868d1 2933 $from = " FROM {$CFG->prefix}user u
2934 INNER JOIN {$CFG->prefix}role_assignments ra ON ra.userid = u.id
0a3e9703 2935 INNER JOIN {$CFG->prefix}role r ON r.id = ra.roleid
71dea306 2936 LEFT OUTER JOIN {$CFG->prefix}user_lastaccess ul ON ul.userid = u.id
2937 $groupjoin";
eef868d1 2938 $where = " WHERE ra.contextid ".get_related_contexts_string($context)."
2939 AND u.deleted = 0
2940 AND ra.roleid in $roleids
71dea306 2941 $exceptionsql
2942 $coursesql
2943 $groupsql";
2944
eef868d1 2945 return get_records_sql($select.$from.$where.$sortby, $limitfrom, $limitnum);
1648afb2 2946}
7700027f 2947
ab5c9044 2948/**
2949 * gets all the users assigned this role in this context or higher
2950 * @param int roleid
2951 * @param int contextid
2952 * @param bool parent if true, get list of users assigned in higher context too
2953 * @return array()
2954 */
2851ba9b 2955function get_role_users($roleid, $context, $parent=false, $fields='', $sort='u.lastname ASC') {
ab5c9044 2956 global $CFG;
eef868d1 2957
2851ba9b 2958 if (empty($fields)) {
2959 $fields = 'u.id, u.confirmed, u.username, u.firstname, u.lastname, '.
2960 'u.maildisplay, u.mailformat, u.maildigest, u.email, u.city, '.
2961 'u.country, u.picture, u.idnumber, u.department, u.institution, '.
2962 'u.emailstop, u.lang, u.timezone';
2963 }
2964
ab5c9044 2965 if ($parent) {
2966 if ($contexts = get_parent_contexts($context)) {
7ea02fe9 2967 $parentcontexts = ' OR r.contextid IN ('.implode(',', $contexts).')';
ab5c9044 2968 } else {
eef868d1 2969 $parentcontexts = '';
ab5c9044 2970 }
2971 } else {
eef868d1 2972 $parentcontexts = '';
2973 }
2974
b16de849 2975 if ($roleid) {
2976 $roleselect = "AND r.roleid = $roleid";
2977 } else {
2978 $roleselect = '';
2979 }
2980
7ea02fe9 2981 $SQL = "SELECT $fields
2982 FROM {$CFG->prefix}role_assignments r,
eef868d1 2983 {$CFG->prefix}user u
7ea02fe9 2984 WHERE (r.contextid = $context->id $parentcontexts)
b16de849 2985 AND u.id = r.userid $roleselect
7ea02fe9 2986 ORDER BY $sort
2987 "; // join now so that we can just use fullname() later
eef868d1 2988
ab5c9044 2989 return get_records_sql($SQL);
2990}
2991
bac2f88a 2992/**
2993 * Counts all the users assigned this role in this context or higher
2994 * @param int roleid
2995 * @param int contextid
2996 * @param bool parent if true, get list of users assigned in higher context too
2997 * @return array()
2998 */
2999function count_role_users($roleid, $context, $parent=false) {
3000 global $CFG;
3001
3002 if ($parent) {
3003 if ($contexts = get_parent_contexts($context)) {
7ea02fe9 3004 $parentcontexts = ' OR r.contextid IN ('.implode(',', $contexts).')';
bac2f88a 3005 } else {
3006 $parentcontexts = '';
3007 }
3008 } else {
3009 $parentcontexts = '';
3010 }
3011
3012 $SQL = "SELECT count(*)
3013 FROM {$CFG->prefix}role_assignments r
3014 WHERE (r.contextid = $context->id $parentcontexts)
3015 AND r.roleid = $roleid";
3016
3017 return count_records_sql($SQL);
3018}
3019
eef868d1 3020/**
d76a5a7f 3021 * This function gets the list of courses that this user has a particular capability in
3022 * This is not the most efficient way of doing this
3023 * @param string capability
3024 * @param int $userid
3025 * @return array
3026 */
3027function get_user_capability_course($capability, $userid='') {
eef868d1 3028
d76a5a7f 3029 global $USER;
3030 if (!$userid) {
eef868d1 3031 $userid = $USER->id;
d76a5a7f 3032 }
eef868d1 3033
d76a5a7f 3034 $usercourses = array();
3035 $courses = get_records_select('course', '', '', 'id, id');
eef868d1 3036
d76a5a7f 3037 foreach ($courses as $course) {
4dd5d751 3038 if (has_capability($capability, get_context_instance(CONTEXT_COURSE, $course->id))) {
d76a5a7f 3039 $usercourses[] = $course;
3040 }
3041 }
eef868d1 3042 return $usercourses;
e38f38c3 3043}
3044
3045
3046/** This function finds the roles assigned directly to this context only
3047 * i.e. no parents role
3048 * @param object $context
3049 * @return array
3050 */
3051function get_roles_on_exact_context($context) {
b5959f30 3052
e38f38c3 3053 global $CFG;
49293027 3054
ac57f761 3055 return get_records_sql("SELECT r.*
e38f38c3 3056 FROM {$CFG->prefix}role_assignments ra,
3057 {$CFG->prefix}role r
3058 WHERE ra.roleid = r.id
3059 AND ra.contextid = $context->id");
b5959f30 3060
49293027 3061}
3062
b5959f30 3063/*
3a52e764 3064 * Switches the current user to another role for the current session and only
b5959f30 3065 * in the given context. If roleid is not valid (eg 0) or the current user
3066 * doesn't have permissions to be switching roles then the user's session
3a52e764 3067 * is compltely reset to have their normal roles.
3068 * @param integer $roleid
3069 * @param object $context
3070 * @return bool
3071 */
3072function role_switch($roleid, $context) {
3073 global $USER;
3074
3075 global $db;
3076
3077/// If we can't use this or are already using it or no role was specified then bail completely and reset
b5959f30 3078 if (empty($roleid) || !has_capability('moodle/role:switchroles', $context)
2d07587b 3079 || !empty($USER->switchrole[$context->id]) || !confirm_sesskey()) {
3080 load_user_capability('', $context); // Reset all permissions for this context to normal
3081 unset($USER->switchrole[$context->id]); // Delete old capabilities
3a52e764 3082 return true;
3083 }
3084
3085/// We're allowed to switch but can we switch to the specified role? Use assignable roles to check.
3086 if (!$roles = get_assignable_roles($context)) {
3087 return false;
3088 }
3089
3090 if (empty($roles[$roleid])) { /// We can't switch to this particular role
3091 return false;
3092 }
3093
3094 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
3095 return false;
3096 }
3097
3098/// We have a valid roleid that this user can switch to, so let's set up the session
3099
2d07587b 3100 $USER->switchrole[$context->id] = $roleid; // So we know later what state we are in
3a52e764 3101
3102 unset($USER->capabilities[$context->id]); // Delete old capabilities
3103
3104 if ($capabilities = get_records_select('role_capabilities', "roleid = $roleid AND contextid = $sitecontext->id")) {
3105 foreach ($capabilities as $capability) {
3106 $USER->capabilities[$context->id][$capability->capability] = $capability->permission;
3107 }
3108 }
3109
2d07587b 3110/// Add some permissions we are really going to always need, even if the role doesn't have them!
3a52e764 3111
3112 $USER->capabilities[$context->id]['moodle/course:view'] = CAP_ALLOW;
3113
3114 return true;
3115
3116}
3117
3118
49293027 3119// get any role that has an override on exact context
3120function get_roles_with_override_on_context($context) {
b5959f30 3121
49293027 3122 global $CFG;
b5959f30 3123
ac57f761 3124 return get_records_sql("SELECT r.*
49293027 3125 FROM {$CFG->prefix}role_capabilities rc,
3126 {$CFG->prefix}role r
3127 WHERE rc.roleid = r.id
3128 AND rc.contextid = $context->id");
3129}
3130
3131// get all capabilities for this role on this context (overrids)
3132function get_capabilities_from_role_on_context($role, $context) {
b5959f30 3133
49293027 3134 global $CFG;
b5959f30 3135
3136 return get_records_sql("SELECT *
49293027 3137 FROM {$CFG->prefix}role_capabilities
3138 WHERE contextid = $context->id
3139 AND roleid = $role->id");
01e52ac7 3140}
3141
5b5781f4 3142// find out which roles has assignment on this context
3143function get_roles_with_assignment_on_context($context) {
ece4945b 3144
5b5781f4 3145 global $CFG;
ece4945b 3146
ac57f761 3147 return get_records_sql("SELECT r.*
5b5781f4 3148 FROM {$CFG->prefix}role_assignments ra,
3149 {$CFG->prefix}role r
3150 WHERE ra.roleid = r.id
3151 AND ra.contextid = $context->id");
3152}
3153
3154
3155
01e52ac7 3156/* find all user assignemnt of users for this role, on this context
3157 */
3158function get_users_from_role_on_context($role, $context) {
b5959f30 3159
01e52ac7 3160 global $CFG;
b5959f30 3161
01e52ac7 3162 return get_records_sql("SELECT *
3163 FROM {$CFG->prefix}role_assignments
3164 WHERE contextid = $context->id
b5959f30 3165 AND roleid = $role->id");
01e52ac7 3166}
3a52e764 3167
7b37cb9a 3168/*
3169 * Simple function returning a boolean true if roles exist, otherwise false
3170 */
3171function user_has_role_assignment($userid, $roleid, $contextid=0) {
3172
3173 if ($contextid) {
3174 return record_exists('role_assignments', 'userid', $userid, 'roleid', $roleid, 'contextid', $contextid);
3175 } else {
3176 return record_exists('role_assignments', 'userid', $userid, 'roleid', $roleid);
3177 }
3178}
3179
f3652521 3180?>