DOn't terminate upgrade if stats didn't work
[moodle.git] / lib / accesslib.php
CommitLineData
bbbf2d40 1<?php
cee0901c 2 /**
3 * Capability session information format
bbbf2d40 4 * 2 x 2 array
5 * [context][capability]
6 * where context is the context id of the table 'context'
7 * and capability is a string defining the capability
8 * e.g.
9 *
10 * [Capabilities] => [26][mod/forum:viewpost] = 1
11 * [26][mod/forum:startdiscussion] = -8990
12 * [26][mod/forum:editallpost] = -1
13 * [273][moodle:blahblah] = 1
14 * [273][moodle:blahblahblah] = 2
15 */
bbbf2d40 16
17// permission definitions
e49e61bf 18define('CAP_INHERIT', 0);
bbbf2d40 19define('CAP_ALLOW', 1);
20define('CAP_PREVENT', -1);
21define('CAP_PROHIBIT', -1000);
22
bbbf2d40 23// context definitions
24define('CONTEXT_SYSTEM', 10);
25define('CONTEXT_PERSONAL', 20);
4b10f08b 26define('CONTEXT_USER', 30);
bbbf2d40 27define('CONTEXT_COURSECAT', 40);
28define('CONTEXT_COURSE', 50);
29define('CONTEXT_GROUP', 60);
30define('CONTEXT_MODULE', 70);
31define('CONTEXT_BLOCK', 80);
32
21b6db6e 33// capability risks - see http://docs.moodle.org/en/Hardening_new_Roles_system
34define('RISK_MANAGETRUST', 0x0001);
a6b02b65 35define('RISK_CONFIG', 0x0002);
21b6db6e 36define('RISK_XSS', 0x0004);
37define('RISK_PERSONAL', 0x0008);
38define('RISK_SPAM', 0x0010);
39
40
340ea4e8 41$context_cache = array(); // Cache of all used context objects for performance (by level and instance)
42$context_cache_id = array(); // Index to above cache by id
bbbf2d40 43
7700027f 44
e7876c1e 45/**
46 * Loads the capabilities for the default guest role to the current user in a specific context
47 * @return object
48 */
49function load_guest_role($context=NULL) {
50 global $USER;
51
52 static $guestrole;
53
54 if (!isloggedin()) {
55 return false;
56 }
57
58 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
59 return false;
60 }
61
62 if (empty($context)) {
63 $context = $sitecontext;
64 }
65
66 if (empty($guestrole)) {
8f8ed475 67 if (!$guestrole = get_guest_role()) {
e7876c1e 68 return false;
69 }
70 }
71
eef868d1 72 if ($capabilities = get_records_select('role_capabilities',
e7876c1e 73 "roleid = $guestrole->id AND contextid = $sitecontext->id")) {
74 foreach ($capabilities as $capability) {
eef868d1 75 $USER->capabilities[$context->id][$capability->capability] = $capability->permission;
e7876c1e 76 }
77 }
78
79 return true;
80}
81
7700027f 82/**
83 * Load default not logged in role capabilities when user is not logged in
eef868d1 84 * @return bool
7700027f 85 */
20aeb4b8 86function load_notloggedin_role() {
87 global $CFG, $USER;
88
7700027f 89 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
90 return false;
35a518c5 91 }
92
7700027f 93 if (empty($CFG->notloggedinroleid)) { // Let's set the default to the guest role
8f8ed475 94 if ($role = get_guest_role()) {
7700027f 95 set_config('notloggedinroleid', $role->id);
96 } else {
97 return false;
98 }
99 }
20aeb4b8 100
eef868d1 101 if ($capabilities = get_records_select('role_capabilities',
7700027f 102 "roleid = $CFG->notloggedinroleid AND contextid = $sitecontext->id")) {
103 foreach ($capabilities as $capability) {
eef868d1 104 $USER->capabilities[$sitecontext->id][$capability->capability] = $capability->permission;
7700027f 105 }
20aeb4b8 106 }
107
108 return true;
109}
cee0901c 110
8f8ed475 111/**
112 * Load default not logged in role capabilities when user is not logged in
eef868d1 113 * @return bool
8f8ed475 114 */
115function load_defaultuser_role() {
116 global $CFG, $USER;
117
118 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
119 return false;
120 }
121
122 if (empty($CFG->defaultuserroleid)) { // Let's set the default to the guest role
123 if ($role = get_guest_role()) {
124 set_config('defaultuserroleid', $role->id);
125 } else {
126 return false;
127 }
128 }
129
eef868d1 130 if ($capabilities = get_records_select('role_capabilities',
8f8ed475 131 "roleid = $CFG->defaultuserroleid AND contextid = $sitecontext->id")) {
132 foreach ($capabilities as $capability) {
ca23ffdb 133 if (!isset($USER->capabilities[$sitecontext->id][$capability->capability])) { // Don't overwrite
eef868d1 134 $USER->capabilities[$sitecontext->id][$capability->capability] = $capability->permission;
ca23ffdb 135 }
8f8ed475 136 }
137
eef868d1 138 // SPECIAL EXCEPTION: If the default user role is actually a guest role, then
8f8ed475 139 // remove some capabilities so this user doesn't get confused with a REAL guest
2f089dd5 140 if (isset($USER->capabilities[$sitecontext->id]['moodle/legacy:guest']) and $USER->username != 'guest') {
eef868d1 141 unset($USER->capabilities[$sitecontext->id]['moodle/legacy:guest']);
8f8ed475 142 unset($USER->capabilities[$sitecontext->id]['moodle/course:view']); // No access to courses by default
143 }
144 }
145
146 return true;
147}
148
149
150/**
151 * Get the default guest role
152 * @return object role
153 */
154function get_guest_role() {
155 if ($roles = get_roles_with_capability('moodle/legacy:guest', CAP_ALLOW)) {
156 return array_shift($roles); // Pick the first one
157 } else {
158 return false;
159 }
160}
161
162
bbbf2d40 163/**
164 * This functions get all the course categories in proper order
0468976c 165 * @param int $context
bbbf2d40 166 * @param int $type
167 * @return array of contextids
168 */
0468976c 169function get_parent_cats($context, $type) {
eef868d1 170
98882637 171 $parents = array();
eef868d1 172
c5ddc3fd 173 switch ($type) {
98882637 174 case CONTEXT_COURSECAT:
c5ddc3fd 175 if (!$cat = get_record('course_categories','id',$context->instanceid)) {
176 break;
177 }
178
179 while (!empty($cat->parent)) {
180 if (!$context = get_context_instance(CONTEXT_COURSECAT, $cat->parent)) {
181 break;
182 }
98882637 183 $parents[] = $context->id;
184 $cat = get_record('course_categories','id',$cat->parent);
185 }
98882637 186 break;
eef868d1 187
98882637 188 case CONTEXT_COURSE:
c5ddc3fd 189 if (!$course = get_record('course', 'id', $context->instanceid)) {
190 break;
191 }
192 if (!$catinstance = get_context_instance(CONTEXT_COURSECAT, $course->category)) {
193 break;
194 }
195
98882637 196 $parents[] = $catinstance->id;
c5ddc3fd 197
198 if (!$cat = get_record('course_categories','id',$course->category)) {
199 break;
200 }
201
202 while (!empty($cat->parent)) {
203 if (!$context = get_context_instance(CONTEXT_COURSECAT, $cat->parent)) {
204 break;
205 }
98882637 206 $parents[] = $context->id;
207 $cat = get_record('course_categories','id',$cat->parent);
208 }
209 break;
eef868d1 210
98882637 211 default:
212 break;
98882637 213 }
98882637 214 return array_reverse($parents);
bbbf2d40 215}
216
217
cee0901c 218
0468976c 219/**
220 * This function checks for a capability assertion being true. If it isn't
221 * then the page is terminated neatly with a standard error message
222 * @param string $capability - name of the capability
223 * @param object $context - a context object (record from context table)
224 * @param integer $userid - a userid number
d74067e8 225 * @param bool $doanything - if false, ignore do anything
0468976c 226 * @param string $errorstring - an errorstring
d74067e8 227 * @param string $stringfile - which stringfile to get it from
0468976c 228 */
eef868d1 229function require_capability($capability, $context=NULL, $userid=NULL, $doanything=true,
d74067e8 230 $errormessage="nopermissions", $stringfile='') {
a9e1c058 231
232 global $USER;
233
234/// If the current user is not logged in, then make sure they are
235
236 if (empty($userid) and empty($USER->id)) {
237 if ($context && ($context->aggregatelevel == CONTEXT_COURSE)) {
238 require_login($context->instanceid);
239 } else {
240 require_login();
241 }
242 }
eef868d1 243
a9e1c058 244/// OK, if they still don't have the capability then print a nice error message
245
d74067e8 246 if (!has_capability($capability, $context, $userid, $doanything)) {
0468976c 247 $capabilityname = get_capability_string($capability);
248 print_error($errormessage, $stringfile, '', $capabilityname);
249 }
250}
251
252
bbbf2d40 253/**
254 * This function returns whether the current user has the capability of performing a function
255 * For example, we can do has_capability('mod/forum:replypost',$cm) in forum
256 * only one of the 4 (moduleinstance, courseid, site, userid) would be set at 1 time
257 * This is a recursive funciton.
bbbf2d40 258 * @uses $USER
259 * @param string $capability - name of the capability
0468976c 260 * @param object $context - a context object (record from context table)
261 * @param integer $userid - a userid number
20aeb4b8 262 * @param bool $doanything - if false, ignore do anything
bbbf2d40 263 * @return bool
264 */
d74067e8 265function has_capability($capability, $context=NULL, $userid=NULL, $doanything=true) {
bbbf2d40 266
20aeb4b8 267 global $USER, $CONTEXT, $CFG;
bbbf2d40 268
a8a7300a 269 if (debugging() && !record_exists('capabilities', 'name', $capability)) {
7f7cacdf 270 debugging('Cabability "'.$capability.'" was not found! This should be fixed in code.');
a8a7300a 271 }
272
8f8ed475 273 if (empty($userid) && empty($USER->capabilities)) { // Real user, first time here
274 if (isloggedin()) {
275 load_defaultuser_role(); // All users get this by default
276 } else {
277 load_notloggedin_role(); // others get this by default
278 }
20aeb4b8 279 }
280
281 if ($userid && $userid != $USER->id) {
9425b25f 282 if (empty($USER->id) or ($userid != $USER->id)) {
283 $capabilities = load_user_capability($capability, $context, $userid);
284 } else { //$USER->id == $userid
285 $capabilities = empty($USER->capabilities) ? NULL : $USER->capabilities;
286 }
287 } else { // no userid
288 $capabilities = empty($USER->capabilities) ? NULL : $USER->capabilities;
98882637 289 }
9425b25f 290
0468976c 291 if (empty($context)) { // Use default CONTEXT if none specified
340ea4e8 292 if (empty($CONTEXT)) {
293 return false;
294 } else {
295 $context = $CONTEXT;
296 }
0468976c 297 } else { // A context was given to us
298 if (empty($CONTEXT)) {
299 $CONTEXT = $context; // Store FIRST used context in this global as future default
300 }
340ea4e8 301 }
bbbf2d40 302
20aeb4b8 303 if ($doanything) {
2d07587b 304
20aeb4b8 305 // Check site
2d07587b 306 if (empty($USER->switchrole[$context->id])) { // Ignore site setting if switchrole is active
307 $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
308 if (isset($capabilities[$sitecontext->id]['moodle/site:doanything'])) {
309 return (0 < $capabilities[$sitecontext->id]['moodle/site:doanything']);
310 }
20aeb4b8 311 }
eef868d1 312
20aeb4b8 313 switch ($context->aggregatelevel) {
eef868d1 314
20aeb4b8 315 case CONTEXT_COURSECAT:
316 // Check parent cats.
317 $parentcats = get_parent_cats($context, CONTEXT_COURSECAT);
318 foreach ($parentcats as $parentcat) {
319 if (isset($capabilities[$parentcat]['moodle/site:doanything'])) {
320 return (0 < $capabilities[$parentcat]['moodle/site:doanything']);
321 }
cee0901c 322 }
20aeb4b8 323 break;
bbbf2d40 324
20aeb4b8 325 case CONTEXT_COURSE:
326 // Check parent cat.
327 $parentcats = get_parent_cats($context, CONTEXT_COURSE);
98882637 328
20aeb4b8 329 foreach ($parentcats as $parentcat) {
330 if (isset($capabilities[$parentcat]['do_anything'])) {
331 return (0 < $capabilities[$parentcat]['do_anything']);
332 }
9425b25f 333 }
20aeb4b8 334 break;
bbbf2d40 335
20aeb4b8 336 case CONTEXT_GROUP:
337 // Find course.
338 $group = get_record('groups','id',$context->instanceid);
339 $courseinstance = get_context_instance(CONTEXT_COURSE, $group->courseid);
9425b25f 340
20aeb4b8 341 $parentcats = get_parent_cats($courseinstance, CONTEXT_COURSE);
342 foreach ($parentcats as $parentcat) {
343 if (isset($capabilities[$parentcat->id]['do_anything'])) {
344 return (0 < $capabilities[$parentcat->id]['do_anything']);
345 }
9425b25f 346 }
9425b25f 347
20aeb4b8 348 $coursecontext = '';
349 if (isset($capabilities[$courseinstance->id]['do_anything'])) {
350 return (0 < $capabilities[$courseinstance->id]['do_anything']);
351 }
9425b25f 352
20aeb4b8 353 break;
bbbf2d40 354
20aeb4b8 355 case CONTEXT_MODULE:
356 // Find course.
357 $cm = get_record('course_modules', 'id', $context->instanceid);
358 $courseinstance = get_context_instance(CONTEXT_COURSE, $cm->course);
9425b25f 359
20aeb4b8 360 if ($parentcats = get_parent_cats($courseinstance, CONTEXT_COURSE)) {
361 foreach ($parentcats as $parentcat) {
362 if (isset($capabilities[$parentcat]['do_anything'])) {
363 return (0 < $capabilities[$parentcat]['do_anything']);
364 }
cee0901c 365 }
9425b25f 366 }
98882637 367
20aeb4b8 368 if (isset($capabilities[$courseinstance->id]['do_anything'])) {
369 return (0 < $capabilities[$courseinstance->id]['do_anything']);
370 }
bbbf2d40 371
20aeb4b8 372 break;
bbbf2d40 373
20aeb4b8 374 case CONTEXT_BLOCK:
375 // 1 to 1 to course.
376 // Find course.
377 $block = get_record('block_instance','id',$context->instanceid);
378 $courseinstance = get_context_instance(CONTEXT_COURSE, $block->pageid); // needs check
9425b25f 379
20aeb4b8 380 $parentcats = get_parent_cats($courseinstance, CONTEXT_COURSE);
381 foreach ($parentcats as $parentcat) {
382 if (isset($capabilities[$parentcat]['do_anything'])) {
383 return (0 < $capabilities[$parentcat]['do_anything']);
384 }
cee0901c 385 }
9425b25f 386
20aeb4b8 387 if (isset($capabilities[$courseinstance->id]['do_anything'])) {
388 return (0 < $capabilities[$courseinstance->id]['do_anything']);
389 }
390 break;
bbbf2d40 391
20aeb4b8 392 default:
4b10f08b 393 // CONTEXT_SYSTEM: CONTEXT_PERSONAL: CONTEXT_USER:
20aeb4b8 394 // Do nothing.
395 break;
396 }
bbbf2d40 397
20aeb4b8 398 // Last: check self.
399 if (isset($capabilities[$context->id]['do_anything'])) {
400 return (0 < $capabilities[$context->id]['do_anything']);
401 }
98882637 402 }
98882637 403 // do_anything has not been set, we now look for it the normal way.
9425b25f 404 return (0 < capability_search($capability, $context, $capabilities));
bbbf2d40 405
9425b25f 406}
bbbf2d40 407
408
409/**
410 * In a separate function so that we won't have to deal with do_anything.
411 * again. Used by function has_capability.
412 * @param $capability - capability string
0468976c 413 * @param $context - the context object
bbbf2d40 414 * @param $capabilities - either $USER->capability or loaded array
415 * @return permission (int)
416 */
0468976c 417function capability_search($capability, $context, $capabilities) {
759ac72d 418
bbbf2d40 419 global $USER, $CFG;
0468976c 420
0468976c 421 if (isset($capabilities[$context->id][$capability])) {
ea82d6b6 422 debugging("Found $capability in context $context->id at level $context->aggregatelevel: ".$capabilities[$context->id][$capability], E_ALL);
0468976c 423 return ($capabilities[$context->id][$capability]);
bbbf2d40 424 }
9425b25f 425
bbbf2d40 426 /* Then, we check the cache recursively */
9425b25f 427 $permission = 0;
428
d140ad3f 429 switch ($context->aggregatelevel) {
bbbf2d40 430
431 case CONTEXT_SYSTEM: // by now it's a definite an inherit
432 $permission = 0;
433 break;
434
435 case CONTEXT_PERSONAL:
0468976c 436 $parentcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
437 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 438 break;
9425b25f 439
4b10f08b 440 case CONTEXT_USER:
0468976c 441 $parentcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
442 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 443 break;
9425b25f 444
bbbf2d40 445 case CONTEXT_COURSECAT: // Coursecat -> coursecat or site
446 $coursecat = get_record('course_categories','id',$context->instanceid);
0468976c 447 if (!empty($coursecat->parent)) { // return parent value if it exists
448 $parentcontext = get_context_instance(CONTEXT_COURSECAT, $coursecat->parent);
bbbf2d40 449 } else { // else return site value
0468976c 450 $parentcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
bbbf2d40 451 }
0468976c 452 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 453 break;
454
455 case CONTEXT_COURSE: // 1 to 1 to course cat
456 // find the course cat, and return its value
457 $course = get_record('course','id',$context->instanceid);
0468976c 458 $parentcontext = get_context_instance(CONTEXT_COURSECAT, $course->category);
459 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 460 break;
461
462 case CONTEXT_GROUP: // 1 to 1 to course
463 $group = get_record('groups','id',$context->instanceid);
0468976c 464 $parentcontext = get_context_instance(CONTEXT_COURSE, $group->courseid);
465 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 466 break;
467
468 case CONTEXT_MODULE: // 1 to 1 to course
469 $cm = get_record('course_modules','id',$context->instanceid);
0468976c 470 $parentcontext = get_context_instance(CONTEXT_COURSE, $cm->course);
471 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 472 break;
473
474 case CONTEXT_BLOCK: // 1 to 1 to course
475 $block = get_record('block_instance','id',$context->instanceid);
0468976c 476 $parentcontext = get_context_instance(CONTEXT_COURSE, $block->pageid); // needs check
477 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 478 break;
479
480 default:
481 error ('This is an unknown context!');
482 return false;
483 }
ea82d6b6 484 debugging("Found $capability recursively from context $context->id at level $context->aggregatelevel: $permission", E_ALL);
9425b25f 485
98882637 486 return $permission;
bbbf2d40 487}
488
489
490/**
491 * This function should be called immediately after a login, when $USER is set.
492 * It will build an array of all the capabilities at each level
493 * i.e. site/metacourse/course_category/course/moduleinstance
494 * Note we should only load capabilities if they are explicitly assigned already,
495 * we should not load all module's capability!
496 * @param $userid - the id of the user whose capabilities we want to load
497 * @return array
498 * possible just s simple 2D array with [contextid][capabilityname]
499 * [Capabilities] => [26][forum_post] = 1
500 * [26][forum_start] = -8990
501 * [26][forum_edit] = -1
502 * [273][blah blah] = 1
503 * [273][blah blah blah] = 2
504 */
0468976c 505function load_user_capability($capability='', $context ='', $userid='') {
d140ad3f 506
98882637 507 global $USER, $CFG;
bbbf2d40 508
509 if (empty($userid)) {
dc411d1b 510 if (empty($USER->id)) { // We have no user to get capabilities for
64026e8c 511 debugging('User not logged in for load_user_capability!');
dc411d1b 512 return false;
513 }
64026e8c 514 unset($USER->capabilities); // We don't want possible older capabilites hanging around
515
516 check_enrolment_plugins($USER); // Call "enrol" system to ensure that we have the correct picture
8f8ed475 517
bbbf2d40 518 $userid = $USER->id;
dc411d1b 519 $otheruserid = false;
bbbf2d40 520 } else {
64026e8c 521 if (!$user = get_record('user', 'id', $userid)) {
522 debugging('Non-existent userid in load_user_capability!');
523 return false;
524 }
525
526 check_enrolment_plugins($user); // Ensure that we have the correct picture
527
9425b25f 528 $otheruserid = $userid;
bbbf2d40 529 }
9425b25f 530
5f70bcc3 531
532/// First we generate a list of all relevant contexts of the user
533
534 $usercontexts = array();
bbbf2d40 535
0468976c 536 if ($context) { // if context is specified
eef868d1 537 $usercontexts = get_parent_contexts($context);
98882637 538 } else { // else, we load everything
5f70bcc3 539 if ($userroles = get_records('role_assignments','userid',$userid)) {
540 foreach ($userroles as $userrole) {
541 $usercontexts[] = $userrole->contextid;
542 }
98882637 543 }
5f70bcc3 544 }
545
546/// Set up SQL fragments for searching contexts
547
548 if ($usercontexts) {
0468976c 549 $listofcontexts = '('.implode(',', $usercontexts).')';
5f70bcc3 550 $searchcontexts1 = "c1.id IN $listofcontexts AND";
551 $searchcontexts2 = "c2.id IN $listofcontexts AND";
552 } else {
553 $listofcontexts = $searchcontexts1 = $searchcontexts2 = '';
bbbf2d40 554 }
0468976c 555
64026e8c 556 if ($capability) {
557 $capsearch = " AND rc.capability = '$capability' ";
558 } else {
eef868d1 559 $capsearch ="";
64026e8c 560 }
561
e38f38c3 562/// Set up SQL fragments for timestart, timeend etc
563 $now = time();
85f101fa 564 $timesql = "AND ((ra.timestart = 0 OR ra.timestart < $now) AND (ra.timeend = 0 OR ra.timeend > $now))";
e38f38c3 565
5f70bcc3 566/// Then we use 1 giant SQL to bring out all relevant capabilities.
567/// The first part gets the capabilities of orginal role.
568/// The second part gets the capabilities of overriden roles.
bbbf2d40 569
98882637 570 $siteinstance = get_context_instance(CONTEXT_SYSTEM, SITEID);
bbbf2d40 571
75e84883 572 $SQL = " SELECT rc.capability, c1.id, (c1.aggregatelevel * 100) AS aggrlevel,
bbbf2d40 573 SUM(rc.permission) AS sum
574 FROM
eef868d1 575 {$CFG->prefix}role_assignments ra,
42ac3ecf 576 {$CFG->prefix}role_capabilities rc,
577 {$CFG->prefix}context c1
bbbf2d40 578 WHERE
d4649c76 579 ra.contextid=c1.id AND
580 ra.roleid=rc.roleid AND
bbbf2d40 581 ra.userid=$userid AND
5f70bcc3 582 $searchcontexts1
eef868d1 583 rc.contextid=$siteinstance->id
98882637 584 $capsearch
e38f38c3 585 $timesql
bbbf2d40 586 GROUP BY
0be16c1d 587 rc.capability, (c1.aggregatelevel * 100), c1.id
bbbf2d40 588 HAVING
41811960 589 SUM(rc.permission) != 0
bbbf2d40 590 UNION
591
75e84883 592 SELECT rc.capability, c1.id, (c1.aggregatelevel * 100 + c2.aggregatelevel) AS aggrlevel,
bbbf2d40 593 SUM(rc.permission) AS sum
594 FROM
42ac3ecf 595 {$CFG->prefix}role_assignments ra,
596 {$CFG->prefix}role_capabilities rc,
597 {$CFG->prefix}context c1,
598 {$CFG->prefix}context c2
bbbf2d40 599 WHERE
d4649c76 600 ra.contextid=c1.id AND
eef868d1 601 ra.roleid=rc.roleid AND
602 ra.userid=$userid AND
603 rc.contextid=c2.id AND
5f70bcc3 604 $searchcontexts1
605 $searchcontexts2
606 rc.contextid != $siteinstance->id
bbbf2d40 607 $capsearch
e38f38c3 608 $timesql
eef868d1 609
bbbf2d40 610 GROUP BY
0be16c1d 611 rc.capability, (c1.aggregatelevel * 100 + c2.aggregatelevel), c1.id
bbbf2d40 612 HAVING
41811960 613 SUM(rc.permission) != 0
bbbf2d40 614 ORDER BY
75e84883 615 aggrlevel ASC
bbbf2d40 616 ";
617
98882637 618 $capabilities = array(); // Reinitialize.
75e84883 619 if (!$rs = get_recordset_sql($SQL)) {
620 error("Query failed in load_user_capability.");
621 }
5cf38a57 622
bbbf2d40 623 if ($rs && $rs->RecordCount() > 0) {
624 while (!$rs->EOF) {
75e84883 625 $array = $rs->fields;
626 $temprecord = new object;
eef868d1 627
98882637 628 foreach ($array as $key=>$val) {
75e84883 629 if ($key == 'aggrlevel') {
630 $temprecord->aggregatelevel = $val;
631 } else {
632 $temprecord->{$key} = $val;
633 }
98882637 634 }
bbbf2d40 635 $capabilities[] = $temprecord;
636 $rs->MoveNext();
637 }
638 }
eef868d1 639
bbbf2d40 640 /* so up to this point we should have somethign like this
41811960 641 * $capabilities[1] ->aggregatelevel = 1000
bbbf2d40 642 ->module = SITEID
643 ->capability = do_anything
644 ->id = 1 (id is the context id)
645 ->sum = 0
eef868d1 646
41811960 647 * $capabilities[2] ->aggregatelevel = 1000
bbbf2d40 648 ->module = SITEID
649 ->capability = post_messages
650 ->id = 1
651 ->sum = -9000
652
41811960 653 * $capabilittes[3] ->aggregatelevel = 3000
bbbf2d40 654 ->module = course
655 ->capability = view_course_activities
656 ->id = 25
657 ->sum = 1
658
41811960 659 * $capabilittes[4] ->aggregatelevel = 3000
bbbf2d40 660 ->module = course
661 ->capability = view_course_activities
662 ->id = 26
663 ->sum = 0 (this is another course)
eef868d1 664
41811960 665 * $capabilities[5] ->aggregatelevel = 3050
bbbf2d40 666 ->module = course
667 ->capability = view_course_activities
668 ->id = 25 (override in course 25)
669 ->sum = -1
670 * ....
671 * now we proceed to write the session array, going from top to bottom
672 * at anypoint, we need to go up and check parent to look for prohibit
673 */
674 // print_object($capabilities);
675
676 /* This is where we write to the actualy capabilities array
677 * what we need to do from here on is
678 * going down the array from lowest level to highest level
679 * 1) recursively check for prohibit,
680 * if any, we write prohibit
681 * else, we write the value
682 * 2) at an override level, we overwrite current level
683 * if it's not set to prohibit already, and if different
684 * ........ that should be it ........
685 */
98882637 686 $usercap = array(); // for other user's capabilities
bbbf2d40 687 foreach ($capabilities as $capability) {
688
0468976c 689 $context = get_context_instance_by_id($capability->id);
690
41811960 691 if (!empty($otheruserid)) { // we are pulling out other user's capabilities, do not write to session
eef868d1 692
0468976c 693 if (capability_prohibits($capability->capability, $context, $capability->sum, $usercap)) {
98882637 694 $usercap[$capability->id][$capability->capability] = -9000;
695 continue;
696 }
697
eef868d1 698 $usercap[$capability->id][$capability->capability] = $capability->sum;
699
98882637 700 } else {
701
0468976c 702 if (capability_prohibits($capability->capability, $context, $capability->sum)) { // if any parent or parent's parent is set to prohibit
98882637 703 $USER->capabilities[$capability->id][$capability->capability] = -9000;
704 continue;
705 }
eef868d1 706
98882637 707 // if no parental prohibit set
708 // just write to session, i am not sure this is correct yet
709 // since 3050 shows up after 3000, and 3070 shows up after 3050,
710 // it should be ok just to overwrite like this, provided that there's no
711 // parental prohibits
712 // no point writing 0, since 0 = inherit
713 // we need to write even if it's 0, because it could be an inherit override
714 $USER->capabilities[$capability->id][$capability->capability] = $capability->sum;
715 }
bbbf2d40 716 }
eef868d1 717
bbbf2d40 718 // now we don't care about the huge array anymore, we can dispose it.
719 unset($capabilities);
eef868d1 720
dbe7e582 721 if (!empty($otheruserid)) {
eef868d1 722 return $usercap; // return the array
bbbf2d40 723 }
724 // see array in session to see what it looks like
725
726}
727
64026e8c 728/*
729 * Check all the login enrolment information for the given user object
eef868d1 730 * by querying the enrolment plugins
64026e8c 731 */
732function check_enrolment_plugins(&$user) {
733 global $CFG;
734
735 require_once($CFG->dirroot .'/enrol/enrol.class.php');
eef868d1 736
64026e8c 737 if (!($plugins = explode(',', $CFG->enrol_plugins_enabled))) {
738 $plugins = array($CFG->enrol);
739 }
740
741 foreach ($plugins as $plugin) {
742 $enrol = enrolment_factory::factory($plugin);
743 if (method_exists($enrol, 'setup_enrolments')) { /// Plugin supports Roles (Moodle 1.7 and later)
744 $enrol->setup_enrolments($user);
745 } else { /// Run legacy enrolment methods
746 if (method_exists($enrol, 'get_student_courses')) {
747 $enrol->get_student_courses($user);
748 }
749 if (method_exists($enrol, 'get_teacher_courses')) {
750 $enrol->get_teacher_courses($user);
751 }
752
753 /// deal with $user->students and $user->teachers stuff
754 unset($user->student);
755 unset($user->teacher);
756 }
757 unset($enrol);
758 }
759}
760
bbbf2d40 761
762/**
763 * This is a recursive function that checks whether the capability in this
764 * context, or the parent capabilities are set to prohibit.
765 *
766 * At this point, we can probably just use the values already set in the
767 * session variable, since we are going down the level. Any prohit set in
768 * parents would already reflect in the session.
769 *
770 * @param $capability - capability name
771 * @param $sum - sum of all capabilities values
0468976c 772 * @param $context - the context object
bbbf2d40 773 * @param $array - when loading another user caps, their caps are not stored in session but an array
774 */
0468976c 775function capability_prohibits($capability, $context, $sum='', $array='') {
bbbf2d40 776 global $USER;
0468976c 777
bbbf2d40 778 if ($sum < -8000) {
779 // If this capability is set to prohibit.
780 return true;
781 }
eef868d1 782
bbbf2d40 783 if (isset($array)) {
eef868d1 784 if (isset($array[$context->id][$capability])
0468976c 785 && $array[$context->id][$capability] < -8000) {
98882637 786 return true;
eef868d1 787 }
bbbf2d40 788 } else {
98882637 789 // Else if set in session.
eef868d1 790 if (isset($USER->capabilities[$context->id][$capability])
0468976c 791 && $USER->capabilities[$context->id][$capability] < -8000) {
98882637 792 return true;
793 }
bbbf2d40 794 }
d140ad3f 795 switch ($context->aggregatelevel) {
eef868d1 796
bbbf2d40 797 case CONTEXT_SYSTEM:
798 // By now it's a definite an inherit.
799 return 0;
800 break;
801
802 case CONTEXT_PERSONAL:
803 $parent = get_context_instance(CONTEXT_SYSTEM, SITEID);
0468976c 804 return capability_prohibits($capability, $parent);
bbbf2d40 805 break;
806
4b10f08b 807 case CONTEXT_USER:
bbbf2d40 808 $parent = get_context_instance(CONTEXT_SYSTEM, SITEID);
0468976c 809 return capability_prohibits($capability, $parent);
bbbf2d40 810 break;
811
812 case CONTEXT_COURSECAT:
813 // Coursecat -> coursecat or site.
814 $coursecat = get_record('course_categories','id',$context->instanceid);
41811960 815 if (!empty($coursecat->parent)) {
bbbf2d40 816 // return parent value if exist.
817 $parent = get_context_instance(CONTEXT_COURSECAT, $coursecat->parent);
818 } else {
819 // Return site value.
820 $parent = get_context_instance(CONTEXT_SYSTEM, SITEID);
821 }
0468976c 822 return capability_prohibits($capability, $parent);
bbbf2d40 823 break;
824
825 case CONTEXT_COURSE:
826 // 1 to 1 to course cat.
827 // Find the course cat, and return its value.
828 $course = get_record('course','id',$context->instanceid);
829 $parent = get_context_instance(CONTEXT_COURSECAT, $course->category);
0468976c 830 return capability_prohibits($capability, $parent);
bbbf2d40 831 break;
832
833 case CONTEXT_GROUP:
834 // 1 to 1 to course.
835 $group = get_record('groups','id',$context->instanceid);
836 $parent = get_context_instance(CONTEXT_COURSE, $group->courseid);
0468976c 837 return capability_prohibits($capability, $parent);
bbbf2d40 838 break;
839
840 case CONTEXT_MODULE:
841 // 1 to 1 to course.
842 $cm = get_record('course_modules','id',$context->instanceid);
843 $parent = get_context_instance(CONTEXT_COURSE, $cm->course);
0468976c 844 return capability_prohibits($capability, $parent);
bbbf2d40 845 break;
846
847 case CONTEXT_BLOCK:
848 // 1 to 1 to course.
849 $block = get_record('block_instance','id',$context->instanceid);
850 $parent = get_context_instance(CONTEXT_COURSE, $block->pageid); // needs check
0468976c 851 return capability_prohibits($capability, $parent);
bbbf2d40 852 break;
853
854 default:
855 error ('This is an unknown context!');
856 return false;
857 }
858}
859
860
861/**
862 * A print form function. This should either grab all the capabilities from
863 * files or a central table for that particular module instance, then present
864 * them in check boxes. Only relevant capabilities should print for known
865 * context.
866 * @param $mod - module id of the mod
867 */
868function print_capabilities($modid=0) {
869 global $CFG;
eef868d1 870
bbbf2d40 871 $capabilities = array();
872
873 if ($modid) {
874 // We are in a module specific context.
875
876 // Get the mod's name.
877 // Call the function that grabs the file and parse.
878 $cm = get_record('course_modules', 'id', $modid);
879 $module = get_record('modules', 'id', $cm->module);
eef868d1 880
bbbf2d40 881 } else {
882 // Print all capabilities.
883 foreach ($capabilities as $capability) {
884 // Prints the check box component.
885 }
886 }
887}
888
889
890/**
1afecc03 891 * Installs the roles system.
892 * This function runs on a fresh install as well as on an upgrade from the old
893 * hard-coded student/teacher/admin etc. roles to the new roles system.
bbbf2d40 894 */
1afecc03 895function moodle_install_roles() {
bbbf2d40 896
1afecc03 897 global $CFG, $db;
eef868d1 898
bbbf2d40 899 // Create a system wide context for assignemnt.
900 $systemcontext = $context = get_context_instance(CONTEXT_SYSTEM, SITEID);
901
1afecc03 902
903 // Create default/legacy roles and capabilities.
904 // (1 legacy capability per legacy role at system level).
eef868d1 905 $adminrole = create_role(get_string('administrator'), 'admin', get_string('administratordescription'), 'moodle/legacy:admin');
98882637 906 if (!assign_capability('moodle/site:doanything', CAP_ALLOW, $adminrole, $systemcontext->id)) {
bbbf2d40 907 error('Could not assign moodle/site:doanything to the admin role');
908 }
eef868d1 909 $coursecreatorrole = create_role(get_string('coursecreators'), 'coursecreator', get_string('coursecreatorsdescription'), 'moodle/legacy:coursecreator');
910 $editteacherrole = create_role(get_string('defaultcourseteacher'), 'editingteacher', get_string('defaultcourseteacherdescription'), 'moodle/legacy:editingteacher');
911 $noneditteacherrole = create_role(get_string('noneditingteacher'), 'teacher', get_string('noneditingteacherdescription'), 'moodle/legacy:teacher');
31f26796 912 $studentrole = create_role(get_string('defaultcoursestudent'), 'student', get_string('defaultcoursestudentdescription'), 'moodle/legacy:student');
913 $guestrole = create_role(get_string('guest'), 'guest', get_string('guestdescription'), 'moodle/legacy:guest');
1afecc03 914
915
916 // Look inside user_admin, user_creator, user_teachers, user_students and
917 // assign above new roles. If a user has both teacher and student role,
918 // only teacher role is assigned. The assignment should be system level.
919 $dbtables = $db->MetaTables('TABLES');
eef868d1 920
1afecc03 921
98882637 922 /**
bbbf2d40 923 * Upgrade the admins.
1afecc03 924 * Sort using id ASC, first one is primary admin.
bbbf2d40 925 */
1afecc03 926 if (in_array($CFG->prefix.'user_admins', $dbtables)) {
eef868d1 927 if ($useradmins = get_records_sql('SELECT * from '.$CFG->prefix.'user_admins ORDER BY ID ASC')) {
1afecc03 928 foreach ($useradmins as $admin) {
929 role_assign($adminrole, $admin->userid, 0, $systemcontext->id);
930 }
931 }
932 } else {
933 // This is a fresh install.
bbbf2d40 934 }
1afecc03 935
936
bbbf2d40 937 /**
938 * Upgrade course creators.
939 */
1afecc03 940 if (in_array($CFG->prefix.'user_coursecreators', $dbtables)) {
941 if ($usercoursecreators = get_records('user_coursecreators')) {
942 foreach ($usercoursecreators as $coursecreator) {
56b4d70d 943 role_assign($coursecreatorrole, $coursecreator->userid, 0, $systemcontext->id);
1afecc03 944 }
945 }
bbbf2d40 946 }
947
1afecc03 948
bbbf2d40 949 /**
950 * Upgrade editting teachers and non-editting teachers.
951 */
1afecc03 952 if (in_array($CFG->prefix.'user_teachers', $dbtables)) {
953 if ($userteachers = get_records('user_teachers')) {
954 foreach ($userteachers as $teacher) {
17d6a25e 955 // populate the user_lastaccess table
956 unset($access);
957 $access->timeaccess = $teacher->timeaccess;
958 $access->userid = $teacher->userid;
959 $access->courseid = $teacher->course;
960 insert_record('user_lastaccess', $access);
961 // assign the default student role
1afecc03 962 $coursecontext = get_context_instance(CONTEXT_COURSE, $teacher->course); // needs cache
963 if ($teacher->editall) { // editting teacher
964 role_assign($editteacherrole, $teacher->userid, 0, $coursecontext->id);
965 } else {
966 role_assign($noneditteacherrole, $teacher->userid, 0, $coursecontext->id);
967 }
968 }
bbbf2d40 969 }
970 }
1afecc03 971
972
bbbf2d40 973 /**
974 * Upgrade students.
975 */
1afecc03 976 if (in_array($CFG->prefix.'user_students', $dbtables)) {
977 if ($userstudents = get_records('user_students')) {
eef868d1 978 foreach ($userstudents as $student) {
17d6a25e 979 // populate the user_lastaccess table
980 unset($access);
981 $access->timeaccess = $student->timeaccess;
982 $access->userid = $student->userid;
983 $access->courseid = $student->course;
984 insert_record('user_lastaccess', $access);
985 // assign the default student role
1afecc03 986 $coursecontext = get_context_instance(CONTEXT_COURSE, $student->course);
987 role_assign($studentrole, $student->userid, 0, $coursecontext->id);
988 }
989 }
bbbf2d40 990 }
1afecc03 991
992
bbbf2d40 993 /**
994 * Upgrade guest (only 1 entry).
995 */
1afecc03 996 if ($guestuser = get_record('user', 'username', 'guest')) {
997 role_assign($guestrole, $guestuser->id, 0, $systemcontext->id);
998 }
999
945f88ca 1000 /**
eef868d1 1001 * Insert the correct records for legacy roles
945f88ca 1002 */
1003 allow_assign($adminrole, $adminrole);
1004 allow_assign($adminrole, $coursecreatorrole);
1005 allow_assign($adminrole, $noneditteacherrole);
eef868d1 1006 allow_assign($adminrole, $editteacherrole);
945f88ca 1007 allow_assign($adminrole, $studentrole);
1008 allow_assign($adminrole, $guestrole);
eef868d1 1009
945f88ca 1010 allow_assign($coursecreatorrole, $noneditteacherrole);
1011 allow_assign($coursecreatorrole, $editteacherrole);
eef868d1 1012 allow_assign($coursecreatorrole, $studentrole);
945f88ca 1013 allow_assign($coursecreatorrole, $guestrole);
eef868d1 1014
1015 allow_assign($editteacherrole, $noneditteacherrole);
1016 allow_assign($editteacherrole, $studentrole);
945f88ca 1017 allow_assign($editteacherrole, $guestrole);
eef868d1 1018
945f88ca 1019 /// overrides
1020 allow_override($adminrole, $adminrole);
1021 allow_override($adminrole, $coursecreatorrole);
1022 allow_override($adminrole, $noneditteacherrole);
eef868d1 1023 allow_override($adminrole, $editteacherrole);
945f88ca 1024 allow_override($adminrole, $studentrole);
eef868d1 1025 allow_override($adminrole, $guestrole);
1afecc03 1026
746a04c5 1027
1afecc03 1028 // Should we delete the tables after we are done? Not yet.
bbbf2d40 1029}
1030
bbbf2d40 1031/**
1032 * Assign the defaults found in this capabality definition to roles that have
1033 * the corresponding legacy capabilities assigned to them.
1034 * @param $legacyperms - an array in the format (example):
1035 * 'guest' => CAP_PREVENT,
1036 * 'student' => CAP_ALLOW,
1037 * 'teacher' => CAP_ALLOW,
1038 * 'editingteacher' => CAP_ALLOW,
1039 * 'coursecreator' => CAP_ALLOW,
1040 * 'admin' => CAP_ALLOW
1041 * @return boolean - success or failure.
1042 */
1043function assign_legacy_capabilities($capability, $legacyperms) {
eef868d1 1044
bbbf2d40 1045 foreach ($legacyperms as $type => $perm) {
eef868d1 1046
bbbf2d40 1047 $systemcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
eef868d1 1048
bbbf2d40 1049 // The legacy capabilities are:
1050 // 'moodle/legacy:guest'
1051 // 'moodle/legacy:student'
1052 // 'moodle/legacy:teacher'
1053 // 'moodle/legacy:editingteacher'
1054 // 'moodle/legacy:coursecreator'
1055 // 'moodle/legacy:admin'
eef868d1 1056
2e85fffe 1057 if ($roles = get_roles_with_capability('moodle/legacy:'.$type, CAP_ALLOW)) {
1058 foreach ($roles as $role) {
1059 // Assign a site level capability.
1060 if (!assign_capability($capability, $perm, $role->id, $systemcontext->id)) {
1061 return false;
1062 }
bbbf2d40 1063 }
1064 }
1065 }
1066 return true;
1067}
1068
1069
cee0901c 1070/**
1071 * Checks to see if a capability is a legacy capability.
1072 * @param $capabilityname
1073 * @return boolean
1074 */
bbbf2d40 1075function islegacy($capabilityname) {
98882637 1076 if (strstr($capabilityname, 'legacy') === false) {
eef868d1 1077 return false;
98882637 1078 } else {
eef868d1 1079 return true;
98882637 1080 }
bbbf2d40 1081}
1082
cee0901c 1083
1084
1085/**********************************
bbbf2d40 1086 * Context Manipulation functions *
1087 **********************************/
1088
bbbf2d40 1089/**
1090 * This should be called prolly everytime a user, group, module, course,
1091 * coursecat or site is set up maybe?
1092 * @param $level
1093 * @param $instanceid
1094 */
d140ad3f 1095function create_context($aggregatelevel, $instanceid) {
1096 if (!get_record('context','aggregatelevel',$aggregatelevel,'instanceid',$instanceid)) {
bbbf2d40 1097 $context = new object;
d140ad3f 1098 $context->aggregatelevel = $aggregatelevel;
bbbf2d40 1099 $context->instanceid = $instanceid;
1100 return insert_record('context',$context);
1101 }
1102}
1103
1104
1105/**
1106 * Get the context instance as an object. This function will create the
1107 * context instance if it does not exist yet.
1108 * @param $level
1109 * @param $instance
1110 */
d140ad3f 1111function get_context_instance($aggregatelevel=NULL, $instance=SITEID) {
e5605780 1112
51195e6f 1113 global $context_cache, $context_cache_id, $CONTEXT;
d9a35e12 1114
340ea4e8 1115/// If no level is supplied then return the current global context if there is one
d140ad3f 1116 if (empty($aggregatelevel)) {
340ea4e8 1117 if (empty($CONTEXT)) {
ea82d6b6 1118 debugging("Error: get_context_instance() called without a context");
340ea4e8 1119 } else {
1120 return $CONTEXT;
1121 }
e5605780 1122 }
1123
340ea4e8 1124/// Check the cache
d140ad3f 1125 if (isset($context_cache[$aggregatelevel][$instance])) { // Already cached
1126 return $context_cache[$aggregatelevel][$instance];
e5605780 1127 }
1128
340ea4e8 1129/// Get it from the database, or create it
d140ad3f 1130 if (!$context = get_record('context', 'aggregatelevel', $aggregatelevel, 'instanceid', $instance)) {
1131 create_context($aggregatelevel, $instance);
1132 $context = get_record('context', 'aggregatelevel', $aggregatelevel, 'instanceid', $instance);
e5605780 1133 }
1134
ccfc5ecc 1135/// Only add to cache if context isn't empty.
1136 if (!empty($context)) {
1137 $context_cache[$aggregatelevel][$instance] = $context; // Cache it for later
1138 $context_cache_id[$context->id] = $context; // Cache it for later
1139 }
0468976c 1140
bbbf2d40 1141 return $context;
1142}
1143
cee0901c 1144
340ea4e8 1145/**
1146 * Get a context instance as an object, from a given id.
1147 * @param $id
1148 */
1149function get_context_instance_by_id($id) {
1150
d9a35e12 1151 global $context_cache, $context_cache_id;
1152
340ea4e8 1153 if (isset($context_cache_id[$id])) { // Already cached
75e84883 1154 return $context_cache_id[$id];
340ea4e8 1155 }
1156
1157 if ($context = get_record('context', 'id', $id)) { // Update the cache and return
d140ad3f 1158 $context_cache[$context->aggregatelevel][$context->instanceid] = $context;
340ea4e8 1159 $context_cache_id[$context->id] = $context;
1160 return $context;
1161 }
1162
1163 return false;
1164}
1165
bbbf2d40 1166
8737be58 1167/**
1168 * Get the local override (if any) for a given capability in a role in a context
1169 * @param $roleid
0468976c 1170 * @param $contextid
1171 * @param $capability
8737be58 1172 */
1173function get_local_override($roleid, $contextid, $capability) {
1174 return get_record('role_capabilities', 'roleid', $roleid, 'capability', $capability, 'contextid', $contextid);
1175}
1176
1177
bbbf2d40 1178
1179/************************************
1180 * DB TABLE RELATED FUNCTIONS *
1181 ************************************/
1182
cee0901c 1183/**
bbbf2d40 1184 * function that creates a role
1185 * @param name - role name
31f26796 1186 * @param shortname - role short name
bbbf2d40 1187 * @param description - role description
1188 * @param legacy - optional legacy capability
1189 * @return id or false
1190 */
b5959f30 1191function create_role($name, $shortname, $description, $legacy='', $sortorder = -1) {
eef868d1 1192
98882637 1193 // check for duplicate role name
eef868d1 1194
98882637 1195 if ($role = get_record('role','name', $name)) {
eef868d1 1196 error('there is already a role with this name!');
98882637 1197 }
eef868d1 1198
31f26796 1199 if ($role = get_record('role','shortname', $shortname)) {
eef868d1 1200 error('there is already a role with this shortname!');
31f26796 1201 }
1202
b5959f30 1203 $role = new object();
98882637 1204 $role->name = $name;
31f26796 1205 $role->shortname = $shortname;
98882637 1206 $role->description = $description;
eef868d1 1207
b5959f30 1208 if ($sortorder = -1) {
1209 $role->sortorder = count_records('role');
1210 } else {
1211 $role->sortorder = $sortorder;
1212 }
1213
eef868d1 1214 $context = get_context_instance(CONTEXT_SYSTEM, SITEID);
1215
98882637 1216 if ($id = insert_record('role', $role)) {
eef868d1 1217 if ($legacy) {
1218 assign_capability($legacy, CAP_ALLOW, $id, $context->id);
98882637 1219 }
eef868d1 1220
ec7a8b79 1221 /// By default, users with role:manage at site level
1222 /// should be able to assign users to this new role, and override this new role's capabilities
eef868d1 1223
ec7a8b79 1224 // find all admin roles
e46c0987 1225 if ($adminroles = get_roles_with_capability('moodle/role:manage', CAP_ALLOW, $context)) {
1226 // foreach admin role
1227 foreach ($adminroles as $arole) {
1228 // write allow_assign and allow_overrid
1229 allow_assign($arole->id, $id);
eef868d1 1230 allow_override($arole->id, $id);
e46c0987 1231 }
ec7a8b79 1232 }
eef868d1 1233
98882637 1234 return $id;
1235 } else {
eef868d1 1236 return false;
98882637 1237 }
eef868d1 1238
bbbf2d40 1239}
1240
1241/**
1242 * Function to write context specific overrides, or default capabilities.
1243 * @param module - string name
1244 * @param capability - string name
1245 * @param contextid - context id
1246 * @param roleid - role id
1247 * @param permission - int 1,-1 or -1000
1248 */
e7876c1e 1249function assign_capability($capability, $permission, $roleid, $contextid, $overwrite=false) {
eef868d1 1250
98882637 1251 global $USER;
eef868d1 1252
98882637 1253 if (empty($permission) || $permission == 0) { // if permission is not set
eef868d1 1254 unassign_capability($capability, $roleid, $contextid);
98882637 1255 }
eef868d1 1256
2e85fffe 1257 $existing = get_record('role_capabilities', 'contextid', $contextid, 'roleid', $roleid, 'capability', $capability);
e7876c1e 1258
1259 if ($existing and !$overwrite) { // We want to keep whatever is there already
1260 return true;
1261 }
1262
bbbf2d40 1263 $cap = new object;
1264 $cap->contextid = $contextid;
1265 $cap->roleid = $roleid;
1266 $cap->capability = $capability;
1267 $cap->permission = $permission;
1268 $cap->timemodified = time();
9db12da7 1269 $cap->modifierid = empty($USER->id) ? 0 : $USER->id;
e7876c1e 1270
1271 if ($existing) {
1272 $cap->id = $existing->id;
1273 return update_record('role_capabilities', $cap);
1274 } else {
1275 return insert_record('role_capabilities', $cap);
1276 }
bbbf2d40 1277}
1278
1279
1280/**
1281 * Unassign a capability from a role.
1282 * @param $roleid - the role id
1283 * @param $capability - the name of the capability
1284 * @return boolean - success or failure
1285 */
1286function unassign_capability($capability, $roleid, $contextid=NULL) {
eef868d1 1287
98882637 1288 if (isset($contextid)) {
1289 $status = delete_records('role_capabilities', 'capability', $capability,
1290 'roleid', $roleid, 'contextid', $contextid);
1291 } else {
1292 $status = delete_records('role_capabilities', 'capability', $capability,
1293 'roleid', $roleid);
1294 }
1295 return $status;
bbbf2d40 1296}
1297
1298
1299/**
759ac72d 1300 * Get the roles that have a given capability assigned to it. This function
1301 * does not resolve the actual permission of the capability. It just checks
1302 * for assignment only.
bbbf2d40 1303 * @param $capability - capability name (string)
1304 * @param $permission - optional, the permission defined for this capability
1305 * either CAP_ALLOW, CAP_PREVENT or CAP_PROHIBIT
1306 * @return array or role objects
1307 */
ec7a8b79 1308function get_roles_with_capability($capability, $permission=NULL, $context='') {
1309
bbbf2d40 1310 global $CFG;
eef868d1 1311
ec7a8b79 1312 if ($context) {
1313 if ($contexts = get_parent_contexts($context)) {
1314 $listofcontexts = '('.implode(',', $contexts).')';
1315 } else {
1316 $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
eef868d1 1317 $listofcontexts = '('.$sitecontext->id.')'; // must be site
1318 }
42ac3ecf 1319 $contextstr = "AND (rc.contextid = '$context->id' OR rc.contextid IN $listofcontexts)";
ec7a8b79 1320 } else {
1321 $contextstr = '';
1322 }
eef868d1 1323
1324 $selectroles = "SELECT r.*
42ac3ecf 1325 FROM {$CFG->prefix}role r,
1326 {$CFG->prefix}role_capabilities rc
bbbf2d40 1327 WHERE rc.capability = '$capability'
ec7a8b79 1328 AND rc.roleid = r.id $contextstr";
bbbf2d40 1329
1330 if (isset($permission)) {
1331 $selectroles .= " AND rc.permission = '$permission'";
1332 }
1333 return get_records_sql($selectroles);
1334}
1335
1336
1337/**
a9e1c058 1338 * This function makes a role-assignment (a role for a user or group in a particular context)
bbbf2d40 1339 * @param $roleid - the role of the id
1340 * @param $userid - userid
1341 * @param $groupid - group id
1342 * @param $contextid - id of the context
1343 * @param $timestart - time this assignment becomes effective
1344 * @param $timeend - time this assignemnt ceases to be effective
1345 * @uses $USER
1346 * @return id - new id of the assigment
1347 */
f44152f4 1348function role_assign($roleid, $userid, $groupid, $contextid, $timestart=0, $timeend=0, $hidden=0, $enrol='manual') {
aa311411 1349 global $USER, $CFG;
bbbf2d40 1350
ea82d6b6 1351 debugging("Assign roleid $roleid userid $userid contextid $contextid", E_ALL);
bbbf2d40 1352
a9e1c058 1353/// Do some data validation
1354
bbbf2d40 1355 if (empty($roleid)) {
9d829c68 1356 debugging('Role ID not provided');
a9e1c058 1357 return false;
bbbf2d40 1358 }
1359
1360 if (empty($userid) && empty($groupid)) {
9d829c68 1361 debugging('Either userid or groupid must be provided');
a9e1c058 1362 return false;
bbbf2d40 1363 }
eef868d1 1364
7700027f 1365 if ($userid && !record_exists('user', 'id', $userid)) {
82396e5b 1366 debugging('User ID '.intval($userid).' does not exist!');
7700027f 1367 return false;
1368 }
bbbf2d40 1369
dc411d1b 1370 if ($groupid && !record_exists('groups', 'id', $groupid)) {
82396e5b 1371 debugging('Group ID '.intval($groupid).' does not exist!');
dc411d1b 1372 return false;
1373 }
1374
7700027f 1375 if (!$context = get_context_instance_by_id($contextid)) {
82396e5b 1376 debugging('Context ID '.intval($contextid).' does not exist!');
a9e1c058 1377 return false;
bbbf2d40 1378 }
1379
a9e1c058 1380 if (($timestart and $timeend) and ($timestart > $timeend)) {
9d829c68 1381 debugging('The end time can not be earlier than the start time');
a9e1c058 1382 return false;
1383 }
1384
7700027f 1385
a9e1c058 1386/// Check for existing entry
1387 if ($userid) {
7700027f 1388 $ra = get_record('role_assignments', 'roleid', $roleid, 'contextid', $context->id, 'userid', $userid);
a9e1c058 1389 } else {
7700027f 1390 $ra = get_record('role_assignments', 'roleid', $roleid, 'contextid', $context->id, 'groupid', $groupid);
a9e1c058 1391 }
1392
9ebcb4d2 1393
a9e1c058 1394 $newra = new object;
bbbf2d40 1395
a9e1c058 1396 if (empty($ra)) { // Create a new entry
1397 $newra->roleid = $roleid;
7700027f 1398 $newra->contextid = $context->id;
a9e1c058 1399 $newra->userid = $userid;
1400 $newra->groupid = $groupid;
1401
1402 $newra->hidden = $hidden;
f44152f4 1403 $newra->enrol = $enrol;
a9e1c058 1404 $newra->timestart = $timestart;
1405 $newra->timeend = $timeend;
1406 $newra->timemodified = time();
1407 $newra->modifier = empty($USER->id) ? 0 : $USER->id;
1408
9ebcb4d2 1409 $success = insert_record('role_assignments', $newra);
a9e1c058 1410
1411 } else { // We already have one, just update it
1412
1413 $newra->id = $ra->id;
1414 $newra->hidden = $hidden;
f44152f4 1415 $newra->enrol = $enrol;
a9e1c058 1416 $newra->timestart = $timestart;
1417 $newra->timeend = $timeend;
1418 $newra->timemodified = time();
1419 $newra->modifier = empty($USER->id) ? 0 : $USER->id;
1420
9ebcb4d2 1421 $success = update_record('role_assignments', $newra);
1422 }
1423
7700027f 1424 if ($success) { /// Role was assigned, so do some other things
1425
1426 /// If the user is the current user, then reload the capabilities too.
1427 if (!empty($USER->id) && $USER->id == $userid) {
1428 load_user_capability();
1429 }
1430
0f161e1f 1431 /// Ask all the modules if anything needs to be done for this user
1432 if ($mods = get_list_of_plugins('mod')) {
1433 foreach ($mods as $mod) {
1434 include_once($CFG->dirroot.'/mod/'.$mod.'/lib.php');
1435 $functionname = $mod.'_role_assign';
1436 if (function_exists($functionname)) {
1437 $functionname($userid, $context);
1438 }
1439 }
1440 }
1441
1442 /// Make sure they have an entry in user_lastaccess for courses they can access
1443 // role_add_lastaccess_entries($userid, $context);
a9e1c058 1444 }
eef868d1 1445
4e5f3064 1446 /// now handle metacourse role assignments if in course context
1447 if ($success and $context->aggregatelevel == CONTEXT_COURSE) {
1448 if ($parents = get_records('course_meta', 'child_course', $context->instanceid)) {
1449 foreach ($parents as $parent) {
1aad4310 1450 sync_metacourse($parent->parent_course);
4e5f3064 1451 }
1452 }
1453 }
6eb4f823 1454
1455 return $success;
bbbf2d40 1456}
1457
1458
1459/**
1dc1f037 1460 * Deletes one or more role assignments. You must specify at least one parameter.
bbbf2d40 1461 * @param $roleid
1462 * @param $userid
1463 * @param $groupid
1464 * @param $contextid
1465 * @return boolean - success or failure
1466 */
1dc1f037 1467function role_unassign($roleid=0, $userid=0, $groupid=0, $contextid=0) {
d74067e8 1468
1469 global $USER, $CFG;
eef868d1 1470
4e5f3064 1471 $success = true;
d74067e8 1472
1dc1f037 1473 $args = array('roleid', 'userid', 'groupid', 'contextid');
1474 $select = array();
1475 foreach ($args as $arg) {
1476 if ($$arg) {
1477 $select[] = $arg.' = '.$$arg;
1478 }
1479 }
d74067e8 1480
1dc1f037 1481 if ($select) {
4e5f3064 1482 if ($ras = get_records_select('role_assignments', implode(' AND ', $select))) {
1483 $mods = get_list_of_plugins('mod');
1484 foreach($ras as $ra) {
86e2c51d 1485 /// infinite loop protection when deleting recursively
1486 if (!$ra = get_record('role_assignments', 'id', $ra->id)) {
1487 continue;
1488 }
4e5f3064 1489 $success = delete_records('role_assignments', 'id', $ra->id) and $success;
86e2c51d 1490
4e5f3064 1491 /// If the user is the current user, then reload the capabilities too.
1492 if (!empty($USER->id) && $USER->id == $ra->userid) {
1493 load_user_capability();
1494 }
1495 $context = get_record('context', 'id', $ra->contextid);
0f161e1f 1496
1497 /// Ask all the modules if anything needs to be done for this user
4e5f3064 1498 foreach ($mods as $mod) {
1499 include_once($CFG->dirroot.'/mod/'.$mod.'/lib.php');
1500 $functionname = $mod.'_role_unassign';
1501 if (function_exists($functionname)) {
1502 $functionname($ra->userid, $context); // watch out, $context might be NULL if something goes wrong
1503 }
1504 }
1505
1506 /// now handle metacourse role unassigment and removing from goups if in course context
1507 if (!empty($context) and $context->aggregatelevel == CONTEXT_COURSE) {
1508 //remove from groups when user has no role
1509 $roles = get_user_roles($context, $ra->userid, true);
1510 if (empty($roles)) {
1511 if ($groups = get_groups($context->instanceid, $ra->userid)) {
1512 foreach ($groups as $group) {
1513 delete_records('groups_members', 'groupid', $group->id, 'userid', $ra->userid);
1514 }
1515 }
1516 }
1aad4310 1517 //unassign roles in metacourses if needed
4e5f3064 1518 if ($parents = get_records('course_meta', 'child_course', $context->instanceid)) {
1519 foreach ($parents as $parent) {
1aad4310 1520 sync_metacourse($parent->parent_course);
0f161e1f 1521 }
1522 }
0f161e1f 1523 }
1524 }
d74067e8 1525 }
1dc1f037 1526 }
4e5f3064 1527
1528 return $success;
bbbf2d40 1529}
1530
eef868d1 1531/*
1532 * A convenience function to take care of the common case where you
b963384f 1533 * just want to enrol someone using the default role into a course
1534 *
1535 * @param object $course
1536 * @param object $user
1537 * @param string $enrol - the plugin used to do this enrolment
1538 */
1539function enrol_into_course($course, $user, $enrol) {
1540
1541 if ($course->enrolperiod) {
1542 $timestart = time();
1543 $timeend = time() + $course->enrolperiod;
1544 } else {
1545 $timestart = $timeend = 0;
1546 }
1547
1548 if ($role = get_default_course_role($course)) {
c4381ef5 1549
1550 $context = get_context_instance(CONTEXT_COURSE, $course->id);
1551
b963384f 1552 if (role_assign($role->id, $user->id, 0, $context->id, $timestart, $timeend, 0, $enrol)) {
1553 return false;
1554 }
eef868d1 1555
b963384f 1556 email_welcome_message_to_user($course, $user);
eef868d1 1557
b963384f 1558 add_to_log($course->id, 'course', 'enrol', 'view.php?id='.$course->id, $user->id);
1559
1560 return true;
1561 }
1562
1563 return false;
1564}
1565
0f161e1f 1566/**
1567 * Add last access times to user_lastaccess as required
1568 * @param $userid
1569 * @param $context
1570 * @return boolean - success or failure
1571 */
1572function role_add_lastaccess_entries($userid, $context) {
1573
1574 global $USER, $CFG;
1575
1576 if (empty($context->aggregatelevel)) {
1577 return false;
1578 }
1579
1580 $lastaccess = new object; // Reusable object below
1581 $lastaccess->userid = $userid;
1582 $lastaccess->timeaccess = 0;
1583
1584 switch ($context->aggregatelevel) {
1585
1586 case CONTEXT_SYSTEM: // For the whole site
1587 if ($courses = get_record('course')) {
1588 foreach ($courses as $course) {
1589 $lastaccess->courseid = $course->id;
1590 role_set_lastaccess($lastaccess);
1591 }
1592 }
1593 break;
1594
1595 case CONTEXT_CATEGORY: // For a whole category
1596 if ($courses = get_record('course', 'category', $context->instanceid)) {
1597 foreach ($courses as $course) {
1598 $lastaccess->courseid = $course->id;
1599 role_set_lastaccess($lastaccess);
1600 }
1601 }
1602 if ($categories = get_record('course_categories', 'parent', $context->instanceid)) {
1603 foreach ($categories as $category) {
1604 $subcontext = get_context_instance(CONTEXT_CATEGORY, $category->id);
1605 role_add_lastaccess_entries($userid, $subcontext);
1606 }
1607 }
1608 break;
eef868d1 1609
0f161e1f 1610
1611 case CONTEXT_COURSE: // For a whole course
1612 if ($course = get_record('course', 'id', $context->instanceid)) {
1613 $lastaccess->courseid = $course->id;
1614 role_set_lastaccess($lastaccess);
1615 }
1616 break;
1617 }
1618}
1619
1620/**
1621 * Delete last access times from user_lastaccess as required
1622 * @param $userid
1623 * @param $context
1624 * @return boolean - success or failure
1625 */
1626function role_remove_lastaccess_entries($userid, $context) {
1627
1628 global $USER, $CFG;
1629
1630}
1631
bbbf2d40 1632
1633/**
1634 * Loads the capability definitions for the component (from file). If no
1635 * capabilities are defined for the component, we simply return an empty array.
1636 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
1637 * @return array of capabilities
1638 */
1639function load_capability_def($component) {
1640 global $CFG;
1641
1642 if ($component == 'moodle') {
1643 $defpath = $CFG->libdir.'/db/access.php';
1644 $varprefix = 'moodle';
1645 } else {
0c4d9f49 1646 $compparts = explode('/', $component);
eef868d1 1647
0c4d9f49 1648 if ($compparts[0] == 'block') {
1649 // Blocks are an exception. Blocks directory is 'blocks', and not
1650 // 'block'. So we need to jump through hoops.
1651 $defpath = $CFG->dirroot.'/'.$compparts[0].
1652 's/'.$compparts[1].'/db/access.php';
1653 $varprefix = $compparts[0].'_'.$compparts[1];
1654 } else {
1655 $defpath = $CFG->dirroot.'/'.$component.'/db/access.php';
1656 $varprefix = str_replace('/', '_', $component);
1657 }
bbbf2d40 1658 }
1659 $capabilities = array();
eef868d1 1660
bbbf2d40 1661 if (file_exists($defpath)) {
1662 require_once($defpath);
1663 $capabilities = ${$varprefix.'_capabilities'};
1664 }
1665 return $capabilities;
1666}
1667
1668
1669/**
1670 * Gets the capabilities that have been cached in the database for this
1671 * component.
1672 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
1673 * @return array of capabilities
1674 */
1675function get_cached_capabilities($component='moodle') {
1676 if ($component == 'moodle') {
1677 $storedcaps = get_records_select('capabilities',
1678 "name LIKE 'moodle/%:%'");
1679 } else {
1680 $storedcaps = get_records_select('capabilities',
1681 "name LIKE '$component:%'");
1682 }
1683 return $storedcaps;
1684}
1685
1686
1687/**
1688 * Updates the capabilities table with the component capability definitions.
1689 * If no parameters are given, the function updates the core moodle
1690 * capabilities.
1691 *
1692 * Note that the absence of the db/access.php capabilities definition file
1693 * will cause any stored capabilities for the component to be removed from
eef868d1 1694 * the database.
bbbf2d40 1695 *
1696 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
1697 * @return boolean
1698 */
1699function update_capabilities($component='moodle') {
eef868d1 1700
bbbf2d40 1701 $storedcaps = array();
be4486da 1702
1703 $filecaps = load_capability_def($component);
bbbf2d40 1704 $cachedcaps = get_cached_capabilities($component);
1705 if ($cachedcaps) {
1706 foreach ($cachedcaps as $cachedcap) {
1707 array_push($storedcaps, $cachedcap->name);
be4486da 1708 // update risk bitmasks in existing capabilitites if needed
1709 if (array_key_exists($cachedcap->name, $filecaps)) {
1710 if (!array_key_exists('riskbitmask', $filecaps[$cachedcap->name])) {
2b531945 1711 $filecaps[$cachedcap->name]['riskbitmask'] = 0; // no risk if not specified
be4486da 1712 }
1713 if ($cachedcap->riskbitmask != $filecaps[$cachedcap->name]['riskbitmask']) {
1714 $updatecap = new object;
1715 $updatecap->id = $cachedcap->id;
1716 $updatecap->riskbitmask = $filecaps[$cachedcap->name]['riskbitmask'];
1717 if (!update_record('capabilities', $updatecap)) {
1718 return false;
1719 }
1720 }
1721 }
bbbf2d40 1722 }
1723 }
be4486da 1724
bbbf2d40 1725 // Are there new capabilities in the file definition?
1726 $newcaps = array();
eef868d1 1727
bbbf2d40 1728 foreach ($filecaps as $filecap => $def) {
eef868d1 1729 if (!$storedcaps ||
bbbf2d40 1730 ($storedcaps && in_array($filecap, $storedcaps) === false)) {
2b531945 1731 if (!array_key_exists('riskbitmask', $def)) {
1732 $def['riskbitmask'] = 0; // no risk if not specified
1733 }
bbbf2d40 1734 $newcaps[$filecap] = $def;
1735 }
1736 }
1737 // Add new capabilities to the stored definition.
1738 foreach ($newcaps as $capname => $capdef) {
1739 $capability = new object;
1740 $capability->name = $capname;
1741 $capability->captype = $capdef['captype'];
1742 $capability->contextlevel = $capdef['contextlevel'];
1743 $capability->component = $component;
be4486da 1744 $capability->riskbitmask = $capdef['riskbitmask'];
eef868d1 1745
bbbf2d40 1746 if (!insert_record('capabilities', $capability, false, 'id')) {
1747 return false;
1748 }
eef868d1 1749
ab5c9044 1750 global $db;
1751 $db->debug= 999;
bbbf2d40 1752 // Do we need to assign the new capabilities to roles that have the
1753 // legacy capabilities moodle/legacy:* as well?
1754 if (isset($capdef['legacy']) && is_array($capdef['legacy']) &&
1755 !assign_legacy_capabilities($capname, $capdef['legacy'])) {
2e85fffe 1756 notify('Could not assign legacy capabilities for '.$capname);
bbbf2d40 1757 }
1758 }
1759 // Are there any capabilities that have been removed from the file
1760 // definition that we need to delete from the stored capabilities and
1761 // role assignments?
1762 capabilities_cleanup($component, $filecaps);
eef868d1 1763
bbbf2d40 1764 return true;
1765}
1766
1767
1768/**
1769 * Deletes cached capabilities that are no longer needed by the component.
1770 * Also unassigns these capabilities from any roles that have them.
1771 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
1772 * @param $newcapdef - array of the new capability definitions that will be
1773 * compared with the cached capabilities
1774 * @return int - number of deprecated capabilities that have been removed
1775 */
1776function capabilities_cleanup($component, $newcapdef=NULL) {
eef868d1 1777
bbbf2d40 1778 $removedcount = 0;
eef868d1 1779
bbbf2d40 1780 if ($cachedcaps = get_cached_capabilities($component)) {
1781 foreach ($cachedcaps as $cachedcap) {
1782 if (empty($newcapdef) ||
1783 array_key_exists($cachedcap->name, $newcapdef) === false) {
eef868d1 1784
bbbf2d40 1785 // Remove from capabilities cache.
1786 if (!delete_records('capabilities', 'name', $cachedcap->name)) {
1787 error('Could not delete deprecated capability '.$cachedcap->name);
1788 } else {
1789 $removedcount++;
1790 }
1791 // Delete from roles.
1792 if($roles = get_roles_with_capability($cachedcap->name)) {
1793 foreach($roles as $role) {
46943f7b 1794 if (!unassign_capability($cachedcap->name, $role->id)) {
bbbf2d40 1795 error('Could not unassign deprecated capability '.
1796 $cachedcap->name.' from role '.$role->name);
1797 }
1798 }
1799 }
1800 } // End if.
1801 }
1802 }
1803 return $removedcount;
1804}
1805
1806
1807
cee0901c 1808/****************
1809 * UI FUNCTIONS *
1810 ****************/
bbbf2d40 1811
1812
1813/**
1814 * prints human readable context identifier.
1815 */
0468976c 1816function print_context_name($context) {
340ea4e8 1817
ec0810ee 1818 $name = '';
d140ad3f 1819 switch ($context->aggregatelevel) {
ec0810ee 1820
bbbf2d40 1821 case CONTEXT_SYSTEM: // by now it's a definite an inherit
ec0810ee 1822 $name = get_string('site');
340ea4e8 1823 break;
bbbf2d40 1824
1825 case CONTEXT_PERSONAL:
ec0810ee 1826 $name = get_string('personal');
340ea4e8 1827 break;
1828
4b10f08b 1829 case CONTEXT_USER:
ec0810ee 1830 if ($user = get_record('user', 'id', $context->instanceid)) {
1831 $name = get_string('user').': '.fullname($user);
1832 }
340ea4e8 1833 break;
1834
bbbf2d40 1835 case CONTEXT_COURSECAT: // Coursecat -> coursecat or site
ec0810ee 1836 if ($category = get_record('course_categories', 'id', $context->instanceid)) {
1837 $name = get_string('category').': '.$category->name;
1838 }
340ea4e8 1839 break;
bbbf2d40 1840
1841 case CONTEXT_COURSE: // 1 to 1 to course cat
ec0810ee 1842 if ($course = get_record('course', 'id', $context->instanceid)) {
1843 $name = get_string('course').': '.$course->fullname;
1844 }
340ea4e8 1845 break;
bbbf2d40 1846
1847 case CONTEXT_GROUP: // 1 to 1 to course
ec0810ee 1848 if ($group = get_record('groups', 'id', $context->instanceid)) {
1849 $name = get_string('group').': '.$group->name;
1850 }
340ea4e8 1851 break;
bbbf2d40 1852
1853 case CONTEXT_MODULE: // 1 to 1 to course
98882637 1854 if ($cm = get_record('course_modules','id',$context->instanceid)) {
1855 if ($module = get_record('modules','id',$cm->module)) {
1856 if ($mod = get_record($module->name, 'id', $cm->instance)) {
ec0810ee 1857 $name = get_string('activitymodule').': '.$mod->name;
98882637 1858 }
ec0810ee 1859 }
1860 }
340ea4e8 1861 break;
bbbf2d40 1862
1863 case CONTEXT_BLOCK: // 1 to 1 to course
98882637 1864 if ($blockinstance = get_record('block_instance','id',$context->instanceid)) {
1865 if ($block = get_record('block','id',$blockinstance->blockid)) {
91be52d7 1866 global $CFG;
1867 require_once("$CFG->dirroot/blocks/moodleblock.class.php");
1868 require_once("$CFG->dirroot/blocks/$block->name/block_$block->name.php");
1869 $blockname = "block_$block->name";
1870 if ($blockobject = new $blockname()) {
1871 $name = $blockobject->title.' ('.get_string('block').')';
1872 }
ec0810ee 1873 }
1874 }
340ea4e8 1875 break;
bbbf2d40 1876
1877 default:
1878 error ('This is an unknown context!');
340ea4e8 1879 return false;
1880
1881 }
340ea4e8 1882 return $name;
bbbf2d40 1883}
1884
1885
1886/**
eef868d1 1887 * Extracts the relevant capabilities given a contextid.
bbbf2d40 1888 * All case based, example an instance of forum context.
1889 * Will fetch all forum related capabilities, while course contexts
1890 * Will fetch all capabilities
0468976c 1891 * @param object context
bbbf2d40 1892 * @return array();
1893 *
1894 * capabilities
1895 * `name` varchar(150) NOT NULL,
1896 * `captype` varchar(50) NOT NULL,
1897 * `contextlevel` int(10) NOT NULL,
1898 * `component` varchar(100) NOT NULL,
1899 */
0468976c 1900function fetch_context_capabilities($context) {
eef868d1 1901
98882637 1902 global $CFG;
bbbf2d40 1903
1904 $sort = 'ORDER BY contextlevel,component,id'; // To group them sensibly for display
eef868d1 1905
d140ad3f 1906 switch ($context->aggregatelevel) {
bbbf2d40 1907
98882637 1908 case CONTEXT_SYSTEM: // all
1909 $SQL = "select * from {$CFG->prefix}capabilities";
bbbf2d40 1910 break;
1911
1912 case CONTEXT_PERSONAL:
0a8a95c9 1913 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_PERSONAL;
bbbf2d40 1914 break;
eef868d1 1915
4b10f08b 1916 case CONTEXT_USER:
1917 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_USER;
bbbf2d40 1918 break;
eef868d1 1919
bbbf2d40 1920 case CONTEXT_COURSECAT: // all
98882637 1921 $SQL = "select * from {$CFG->prefix}capabilities";
bbbf2d40 1922 break;
1923
1924 case CONTEXT_COURSE: // all
98882637 1925 $SQL = "select * from {$CFG->prefix}capabilities";
bbbf2d40 1926 break;
1927
1928 case CONTEXT_GROUP: // group caps
1929 break;
1930
1931 case CONTEXT_MODULE: // mod caps
98882637 1932 $cm = get_record('course_modules', 'id', $context->instanceid);
1933 $module = get_record('modules', 'id', $cm->module);
eef868d1 1934
98882637 1935 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_MODULE."
1936 and component = 'mod/$module->name'";
bbbf2d40 1937 break;
1938
1939 case CONTEXT_BLOCK: // block caps
98882637 1940 $cb = get_record('block_instance', 'id', $context->instanceid);
1941 $block = get_record('block', 'id', $cb->blockid);
eef868d1 1942
98882637 1943 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_BLOCK."
1944 and component = 'block/$block->name'";
bbbf2d40 1945 break;
1946
1947 default:
1948 return false;
1949 }
1950
1951 $records = get_records_sql($SQL.' '.$sort);
759ac72d 1952 $contextindependentcaps = fetch_context_independent_capabilities();
1953 $records = array_merge($records, $contextindependentcaps);
69eb59f2 1954
1955 // special sorting of core system capabiltites and enrollments
1956 if ($context->aggregatelevel == CONTEXT_SYSTEM) {
1957 $first = array();
1958 foreach ($records as $key=>$record) {
1959 if (preg_match('|^moodle/|', $record->name) and $record->contextlevel == CONTEXT_SYSTEM) {
1960 $first[$key] = $record;
1961 unset($records[$key]);
1962 } else if (count($first)){
1963 break;
1964 }
1965 }
1966 if (count($first)) {
1967 $records = $first + $records; // merge the two arrays keeping the keys
1968 }
1969 }
1970 // end of special sorting
bbbf2d40 1971 return $records;
eef868d1 1972
bbbf2d40 1973}
1974
1975
759ac72d 1976/**
1977 * Gets the context-independent capabilities that should be overrridable in
1978 * any context.
1979 * @return array of capability records from the capabilities table.
1980 */
1981function fetch_context_independent_capabilities() {
eef868d1 1982
759ac72d 1983 $contextindependentcaps = array(
1984 'moodle/site:accessallgroups'
1985 );
1986
1987 $records = array();
eef868d1 1988
759ac72d 1989 foreach ($contextindependentcaps as $capname) {
1990 $record = get_record('capabilities', 'name', $capname);
1991 array_push($records, $record);
1992 }
1993 return $records;
1994}
1995
1996
bbbf2d40 1997/**
1998 * This function pulls out all the resolved capabilities (overrides and
759ac72d 1999 * defaults) of a role used in capability overrides in contexts at a given
bbbf2d40 2000 * context.
0a8a95c9 2001 * @param obj $context
bbbf2d40 2002 * @param int $roleid
dc558690 2003 * @param bool self - if set to true, resolve till this level, else stop at immediate parent level
bbbf2d40 2004 * @return array
2005 */
1648afb2 2006function role_context_capabilities($roleid, $context, $cap='') {
dc558690 2007 global $CFG;
eef868d1 2008
8521d83a 2009 $contexts = get_parent_contexts($context);
2010 $contexts[] = $context->id;
98882637 2011 $contexts = '('.implode(',', $contexts).')';
eef868d1 2012
1648afb2 2013 if ($cap) {
e4697bf7 2014 $search = " AND rc.capability = '$cap' ";
1648afb2 2015 } else {
eef868d1 2016 $search = '';
1648afb2 2017 }
eef868d1 2018
2019 $SQL = "SELECT rc.*
2020 FROM {$CFG->prefix}role_capabilities rc,
dc558690 2021 {$CFG->prefix}context c
2022 WHERE rc.contextid in $contexts
2023 AND rc.roleid = $roleid
2024 AND rc.contextid = c.id $search
eef868d1 2025 ORDER BY c.aggregatelevel DESC,
2026 rc.capability DESC";
759ac72d 2027
98882637 2028 $capabilities = array();
eef868d1 2029
4729012f 2030 if ($records = get_records_sql($SQL)) {
2031 // We are traversing via reverse order.
2032 foreach ($records as $record) {
2033 // If not set yet (i.e. inherit or not set at all), or currently we have a prohibit
2034 if (!isset($capabilities[$record->capability]) || $record->permission<-500) {
2035 $capabilities[$record->capability] = $record->permission;
eef868d1 2036 }
4729012f 2037 }
98882637 2038 }
2039 return $capabilities;
bbbf2d40 2040}
2041
bbbf2d40 2042/**
eef868d1 2043 * Recursive function which, given a context, find all parent context ids,
bbbf2d40 2044 * and return the array in reverse order, i.e. parent first, then grand
2045 * parent, etc.
2046 * @param object $context
2047 * @return array()
2048 */
bbbf2d40 2049function get_parent_contexts($context) {
759ac72d 2050
d140ad3f 2051 switch ($context->aggregatelevel) {
bbbf2d40 2052
2053 case CONTEXT_SYSTEM: // no parent
957861f7 2054 return array();
bbbf2d40 2055 break;
2056
2057 case CONTEXT_PERSONAL:
957861f7 2058 if (!$parent = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
2059 return array();
2060 } else {
2061 return array($parent->id);
2062 }
bbbf2d40 2063 break;
eef868d1 2064
4b10f08b 2065 case CONTEXT_USER:
957861f7 2066 if (!$parent = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
2067 return array();
2068 } else {
2069 return array($parent->id);
2070 }
bbbf2d40 2071 break;
eef868d1 2072
bbbf2d40 2073 case CONTEXT_COURSECAT: // Coursecat -> coursecat or site
957861f7 2074 if (!$coursecat = get_record('course_categories','id',$context->instanceid)) {
2075 return array();
2076 }
c5ddc3fd 2077 if (!empty($coursecat->parent)) { // return parent value if exist
bbbf2d40 2078 $parent = get_context_instance(CONTEXT_COURSECAT, $coursecat->parent);
2079 return array_merge(array($parent->id), get_parent_contexts($parent));
2080 } else { // else return site value
2081 $parent = get_context_instance(CONTEXT_SYSTEM, SITEID);
2082 return array($parent->id);
2083 }
2084 break;
2085
2086 case CONTEXT_COURSE: // 1 to 1 to course cat
957861f7 2087 if (!$course = get_record('course','id',$context->instanceid)) {
2088 return array();
2089 }
2090 if (!empty($course->category)) {
2091 $parent = get_context_instance(CONTEXT_COURSECAT, $course->category);
2092 return array_merge(array($parent->id), get_parent_contexts($parent));
2093 } else {
2094 return array();
2095 }
bbbf2d40 2096 break;
2097
2098 case CONTEXT_GROUP: // 1 to 1 to course
957861f7 2099 if (!$group = get_record('groups','id',$context->instanceid)) {
2100 return array();
2101 }
2102 if ($parent = get_context_instance(CONTEXT_COURSE, $group->courseid)) {
2103 return array_merge(array($parent->id), get_parent_contexts($parent));
2104 } else {
2105 return array();
2106 }
bbbf2d40 2107 break;
2108
2109 case CONTEXT_MODULE: // 1 to 1 to course
957861f7 2110 if (!$cm = get_record('course_modules','id',$context->instanceid)) {
2111 return array();
2112 }
2113 if ($parent = get_context_instance(CONTEXT_COURSE, $cm->course)) {
2114 return array_merge(array($parent->id), get_parent_contexts($parent));
2115 } else {
2116 return array();
2117 }
bbbf2d40 2118 break;
2119
2120 case CONTEXT_BLOCK: // 1 to 1 to course
957861f7 2121 if (!$block = get_record('block_instance','id',$context->instanceid)) {
2122 return array();
2123 }
2124 if ($parent = get_context_instance(CONTEXT_COURSE, $block->pageid)) {
2125 return array_merge(array($parent->id), get_parent_contexts($parent));
2126 } else {
2127 return array();
2128 }
bbbf2d40 2129 break;
2130
2131 default:
957861f7 2132 error('This is an unknown context!');
bbbf2d40 2133 return false;
2134 }
bbbf2d40 2135}
2136
759ac72d 2137
2138/**
2139 * Gets a string for sql calls, searching for stuff in this context or above
ea8158c1 2140 * @param object $context
2141 * @return string
2142 */
2143function get_related_contexts_string($context) {
2144 if ($parents = get_parent_contexts($context)) {
eef868d1 2145 return (' IN ('.$context->id.','.implode(',', $parents).')');
ea8158c1 2146 } else {
2147 return (' ='.$context->id);
2148 }
2149}
759ac72d 2150
2151
bbbf2d40 2152/**
2153 * This function gets the capability of a role in a given context.
2154 * It is needed when printing override forms.
2155 * @param int $contextid
bbbf2d40 2156 * @param string $capability
2157 * @param array $capabilities - array loaded using role_context_capabilities
2158 * @return int (allow, prevent, prohibit, inherit)
2159 */
bbbf2d40 2160function get_role_context_capability($contextid, $capability, $capabilities) {
759ac72d 2161 if (isset($capabilities[$contextid][$capability])) {
2162 return $capabilities[$contextid][$capability];
2163 }
2164 else {
2165 return false;
2166 }
bbbf2d40 2167}
2168
2169
cee0901c 2170/**
2171 * Returns the human-readable, translated version of the capability.
2172 * Basically a big switch statement.
2173 * @param $capabilityname - e.g. mod/choice:readresponses
2174 */
ceb83c70 2175function get_capability_string($capabilityname) {
eef868d1 2176
cee0901c 2177 // Typical capabilityname is mod/choice:readresponses
ceb83c70 2178
2179 $names = split('/', $capabilityname);
2180 $stringname = $names[1]; // choice:readresponses
eef868d1 2181 $components = split(':', $stringname);
ceb83c70 2182 $componentname = $components[0]; // choice
98882637 2183
2184 switch ($names[0]) {
2185 case 'mod':
ceb83c70 2186 $string = get_string($stringname, $componentname);
98882637 2187 break;
eef868d1 2188
98882637 2189 case 'block':
ceb83c70 2190 $string = get_string($stringname, 'block_'.$componentname);
98882637 2191 break;
ceb83c70 2192
98882637 2193 case 'moodle':
ceb83c70 2194 $string = get_string($stringname, 'role');
98882637 2195 break;
eef868d1 2196
98882637 2197 case 'enrol':
ceb83c70 2198 $string = get_string($stringname, 'enrol_'.$componentname);
eef868d1 2199 break;
2200
98882637 2201 default:
ceb83c70 2202 $string = get_string($stringname);
eef868d1 2203 break;
2204
98882637 2205 }
ceb83c70 2206 return $string;
bbbf2d40 2207}
2208
2209
cee0901c 2210/**
2211 * This gets the mod/block/course/core etc strings.
2212 * @param $component
2213 * @param $contextlevel
2214 */
bbbf2d40 2215function get_component_string($component, $contextlevel) {
2216
98882637 2217 switch ($contextlevel) {
bbbf2d40 2218
98882637 2219 case CONTEXT_SYSTEM:
be382aaf 2220 if (preg_match('|^enrol/|', $component)) {
2221 $langname = str_replace('/', '_', $component);
2222 $string = get_string('enrolname', $langname);
69eb59f2 2223 } else {
2224 $string = get_string('coresystem');
2225 }
bbbf2d40 2226 break;
2227
2228 case CONTEXT_PERSONAL:
98882637 2229 $string = get_string('personal');
bbbf2d40 2230 break;
2231
4b10f08b 2232 case CONTEXT_USER:
98882637 2233 $string = get_string('users');
bbbf2d40 2234 break;
2235
2236 case CONTEXT_COURSECAT:
98882637 2237 $string = get_string('categories');
bbbf2d40 2238 break;
2239
2240 case CONTEXT_COURSE:
98882637 2241 $string = get_string('course');
bbbf2d40 2242 break;
2243
2244 case CONTEXT_GROUP:
98882637 2245 $string = get_string('group');
bbbf2d40 2246 break;
2247
2248 case CONTEXT_MODULE:
98882637 2249 $string = get_string('modulename', basename($component));
bbbf2d40 2250 break;
2251
2252 case CONTEXT_BLOCK:
98882637 2253 $string = get_string('blockname', 'block_'.$component.'.php');
bbbf2d40 2254 break;
2255
2256 default:
2257 error ('This is an unknown context!');
2258 return false;
eef868d1 2259
98882637 2260 }
98882637 2261 return $string;
bbbf2d40 2262}
cee0901c 2263
759ac72d 2264/**
2265 * Gets the list of roles assigned to this context and up (parents)
945f88ca 2266 * @param object $context
2267 * @return array
2268 */
e4dd3222 2269function get_roles_used_in_context($context) {
2270
2271 global $CFG;
2d9965e1 2272 $contextlist = get_related_contexts_string($context);
eef868d1 2273
759ac72d 2274 $sql = "SELECT DISTINCT r.id,
2275 r.name,
2276 r.shortname,
2277 r.sortorder
2278 FROM {$CFG->prefix}role_assignments ra,
eef868d1 2279 {$CFG->prefix}role r
2280 WHERE r.id = ra.roleid
759ac72d 2281 AND ra.contextid $contextlist
2282 ORDER BY r.sortorder ASC";
eef868d1 2283
759ac72d 2284 return get_records_sql($sql);
e4dd3222 2285}
2286
eef868d1 2287/** this function is used to print roles column in user profile page.
945f88ca 2288 * @param int userid
2289 * @param int contextid
2290 * @return string
2291 */
0a8a95c9 2292function get_user_roles_in_context($userid, $contextid){
2293 global $CFG;
eef868d1 2294
0a8a95c9 2295 $rolestring = '';
2296 $SQL = 'select * from '.$CFG->prefix.'role_assignments ra, '.$CFG->prefix.'role r where ra.userid='.$userid.' and ra.contextid='.$contextid.' and ra.roleid = r.id';
2297 if ($roles = get_records_sql($SQL)) {
2298 foreach ($roles as $userrole) {
2299 $rolestring .= '<a href="'.$CFG->wwwroot.'/user/index.php?contextid='.$userrole->contextid.'&amp;roleid='.$userrole->roleid.'">'.$userrole->name.'</a>, ';
eef868d1 2300 }
2301
0a8a95c9 2302 }
2303 return rtrim($rolestring, ', ');
2304}
68c52526 2305
2306
945f88ca 2307/**
2308 * Checks if a user can override capabilities of a particular role in this context
2309 * @param object $context
2310 * @param int targetroleid - the id of the role you want to override
2311 * @return boolean
2312 */
68c52526 2313function user_can_override($context, $targetroleid) {
2314 // first check if user has override capability
2315 // if not return false;
2316 if (!has_capability('moodle/role:override', $context)) {
eef868d1 2317 return false;
68c52526 2318 }
2319 // pull out all active roles of this user from this context(or above)
c0614051 2320 if ($userroles = get_user_roles($context)) {
2321 foreach ($userroles as $userrole) {
2322 // if any in the role_allow_override table, then it's ok
2323 if (get_record('role_allow_override', 'roleid', $userrole->roleid, 'allowoverride', $targetroleid)) {
2324 return true;
2325 }
68c52526 2326 }
2327 }
eef868d1 2328
68c52526 2329 return false;
eef868d1 2330
68c52526 2331}
2332
945f88ca 2333/**
2334 * Checks if a user can assign users to a particular role in this context
2335 * @param object $context
2336 * @param int targetroleid - the id of the role you want to assign users to
2337 * @return boolean
2338 */
68c52526 2339function user_can_assign($context, $targetroleid) {
eef868d1 2340
68c52526 2341 // first check if user has override capability
2342 // if not return false;
2343 if (!has_capability('moodle/role:assign', $context)) {
eef868d1 2344 return false;
68c52526 2345 }
2346 // pull out all active roles of this user from this context(or above)
c0614051 2347 if ($userroles = get_user_roles($context)) {
2348 foreach ($userroles as $userrole) {
2349 // if any in the role_allow_override table, then it's ok
2350 if (get_record('role_allow_assign', 'roleid', $userrole->roleid, 'allowassign', $targetroleid)) {
2351 return true;
2352 }
68c52526 2353 }
2354 }
eef868d1 2355
2356 return false;
68c52526 2357}
2358
945f88ca 2359/**
2360 * gets all the user roles assigned in this context, or higher contexts
2361 * this is mainly used when checking if a user can assign a role, or overriding a role
2362 * i.e. we need to know what this user holds, in order to verify against allow_assign and
2363 * allow_override tables
2364 * @param object $context
2365 * @param int $userid
2366 * @return array
2367 */
5b630667 2368function get_user_roles($context, $userid=0, $checkparentcontexts=true) {
68c52526 2369
2370 global $USER, $CFG, $db;
c0614051 2371
2372 if (empty($userid)) {
2373 if (empty($USER->id)) {
2374 return array();
2375 }
2376 $userid = $USER->id;
2377 }
2378
5b630667 2379 if ($checkparentcontexts && ($parents = get_parent_contexts($context))) {
2380 $contexts = ' ra.contextid IN ('.implode(',' , $parents).','.$context->id.')';
c0614051 2381 } else {
5b630667 2382 $contexts = ' ra.contextid = \''.$context->id.'\'';
c0614051 2383 }
2384
31f26796 2385 return get_records_sql('SELECT ra.*, r.name, r.shortname
5b630667 2386 FROM '.$CFG->prefix.'role_assignments ra,
ec6eb110 2387 '.$CFG->prefix.'role r,
2388 '.$CFG->prefix.'context c
c0614051 2389 WHERE ra.userid = '.$userid.
5b630667 2390 ' AND ra.roleid = r.id
ec6eb110 2391 AND ra.contextid = c.id
eef868d1 2392 AND '.$contexts.
ec6eb110 2393 ' ORDER BY c.aggregatelevel DESC');
68c52526 2394}
2395
945f88ca 2396/**
eef868d1 2397 * Creates a record in the allow_override table
945f88ca 2398 * @param int sroleid - source roleid
2399 * @param int troleid - target roleid
2400 * @return int - id or false
2401 */
2402function allow_override($sroleid, $troleid) {
2403 $record->roleid = $sroleid;
2404 $record->allowoverride = $troleid;
2405 return insert_record('role_allow_override', $record);
2406}
2407
2408/**
eef868d1 2409 * Creates a record in the allow_assign table
945f88ca 2410 * @param int sroleid - source roleid
2411 * @param int troleid - target roleid
2412 * @return int - id or false
2413 */
2414function allow_assign($sroleid, $troleid) {
ff64aaea 2415 $record = new object;
945f88ca 2416 $record->roleid = $sroleid;
2417 $record->allowassign = $troleid;
2418 return insert_record('role_allow_assign', $record);
2419}
2420
2421/**
ff64aaea 2422 * Gets a list of roles that this user can assign in this context
945f88ca 2423 * @param object $context
2424 * @return array
2425 */
2426function get_assignable_roles ($context) {
2427
945f88ca 2428 $options = array();
ff64aaea 2429
988ad084 2430 if ($roles = get_records('role', '', '', 'sortorder ASC')) {
ff64aaea 2431 foreach ($roles as $role) {
2432 if (user_can_assign($context, $role->id)) {
2433 $options[$role->id] = $role->name;
2434 }
945f88ca 2435 }
2436 }
2437 return $options;
2438}
2439
2440/**
ff64aaea 2441 * Gets a list of roles that this user can override in this context
945f88ca 2442 * @param object $context
2443 * @return array
2444 */
2445function get_overridable_roles ($context) {
2446
945f88ca 2447 $options = array();
ff64aaea 2448
988ad084 2449 if ($roles = get_records('role', '', '', 'sortorder ASC')) {
ff64aaea 2450 foreach ($roles as $role) {
2451 if (user_can_override($context, $role->id)) {
2452 $options[$role->id] = $role->name;
2453 }
945f88ca 2454 }
ff64aaea 2455 }
eef868d1 2456
2457 return $options;
945f88ca 2458}
1648afb2 2459
b963384f 2460/*
2461 * Returns a role object that is the default role for new enrolments
2462 * in a given course
2463 *
eef868d1 2464 * @param object $course
b963384f 2465 * @return object $role
2466 */
2467function get_default_course_role($course) {
2468 global $CFG;
2469
2470/// First let's take the default role the course may have
2471 if (!empty($course->defaultrole)) {
2472 if ($role = get_record('role', 'id', $course->defaultrole)) {
2473 return $role;
2474 }
2475 }
2476
2477/// Otherwise the site setting should tell us
2478 if ($CFG->defaultcourseroleid) {
2479 if ($role = get_record('role', 'id', $CFG->defaultcourseroleid)) {
2480 return $role;
2481 }
2482 }
2483
2484/// It's unlikely we'll get here, but just in case, try and find a student role
2485 if ($studentroles = get_roles_with_capability('moodle/legacy:student', CAP_ALLOW)) {
2486 return array_shift($studentroles); /// Take the first one
2487 }
2488
2489 return NULL;
2490}
2491
1648afb2 2492
2493/**
2494 * who has this capability in this context
2495 * does not handling user level resolving!!!
2496 * i.e 1 person has 2 roles 1 allow, 1 prevent, this will not work properly
2497 * @param $context - object
2498 * @param $capability - string capability
2499 * @param $fields - fields to be pulled
2500 * @param $sort - the sort order
04417640 2501 * @param $limitfrom - number of records to skip (offset)
eef868d1 2502 * @param $limitnum - number of records to fetch
1c45e42e 2503 * @param $groups - single group or array of groups - group(s) user is in
71dea306 2504 * @param $exceptions - list of users to exclude
1648afb2 2505 */
eef868d1 2506function get_users_by_capability($context, $capability, $fields='', $sort='',
64026e8c 2507 $limitfrom='', $limitnum='', $groups='', $exceptions='') {
1648afb2 2508 global $CFG;
eef868d1 2509
64026e8c 2510/// Sorting out groups
1c45e42e 2511 if ($groups) {
71dea306 2512 $groupjoin = 'INNER JOIN '.$CFG->prefix.'groups_members gm ON gm.userid = ra.userid';
eef868d1 2513
1c45e42e 2514 if (is_array($groups)) {
a05708ad 2515 $groupsql = 'AND gm.groupid IN ('.implode(',', $groups).')';
1c45e42e 2516 } else {
eef868d1 2517 $groupsql = 'AND gm.groupid = '.$groups;
1c45e42e 2518 }
2519 } else {
2520 $groupjoin = '';
eef868d1 2521 $groupsql = '';
1c45e42e 2522 }
eef868d1 2523
64026e8c 2524/// Sorting out exceptions
5081e786 2525 $exceptionsql = $exceptions ? "AND u.id NOT IN ($exceptions)" : '';
64026e8c 2526
2527/// Set up default fields
2528 if (empty($fields)) {
5b630667 2529 $fields = 'u.*, ul.timeaccess as lastaccess, ra.hidden';
64026e8c 2530 }
2531
2532/// Set up default sort
2533 if (empty($sort)) {
2534 $sort = 'ul.timeaccess';
2535 }
2536
eef868d1 2537 $sortby = $sort ? " ORDER BY $sort " : '';
2538
64026e8c 2539/// If context is a course, then construct sql for ul
4e5a0168 2540 if ($context->aggregatelevel == CONTEXT_COURSE) {
71dea306 2541 $courseid = $context->instanceid;
f00b7f8d 2542 $coursesql = "AND (ul.courseid = $courseid OR ul.courseid IS NULL)";
5081e786 2543 } else {
2544 $coursesql = '';
71dea306 2545 }
64026e8c 2546
2547/// Sorting out roles with this capability set
9d829c68 2548 if ($possibleroles = get_roles_with_capability($capability, CAP_ALLOW, $context)) {
2549 $validroleids = array();
2550 foreach ($possibleroles as $prole) {
2551 $caps = role_context_capabilities($prole->id, $context, $capability); // resolved list
2552 if ($caps[$capability] > 0) { // resolved capability > 0
2553 $validroleids[] = $prole->id;
2554 }
1648afb2 2555 }
9d829c68 2556 $roleids = '('.implode(',', $validroleids).')';
2557 } else {
2558 return false; // No need to continue, since no roles have this capability set
eef868d1 2559 }
64026e8c 2560
2561/// Construct the main SQL
71dea306 2562 $select = " SELECT $fields";
eef868d1 2563 $from = " FROM {$CFG->prefix}user u
2564 INNER JOIN {$CFG->prefix}role_assignments ra ON ra.userid = u.id
71dea306 2565 LEFT OUTER JOIN {$CFG->prefix}user_lastaccess ul ON ul.userid = u.id
2566 $groupjoin";
eef868d1 2567 $where = " WHERE ra.contextid ".get_related_contexts_string($context)."
2568 AND u.deleted = 0
2569 AND ra.roleid in $roleids
71dea306 2570 $exceptionsql
2571 $coursesql
2572 $groupsql";
2573
eef868d1 2574 return get_records_sql($select.$from.$where.$sortby, $limitfrom, $limitnum);
1648afb2 2575}
7700027f 2576
ab5c9044 2577/**
2578 * gets all the users assigned this role in this context or higher
2579 * @param int roleid
2580 * @param int contextid
2581 * @param bool parent if true, get list of users assigned in higher context too
2582 * @return array()
2583 */
2584function get_role_users($roleid, $context, $parent=false) {
2585 global $CFG;
eef868d1 2586
ab5c9044 2587 if ($parent) {
2588 if ($contexts = get_parent_contexts($context)) {
2589 $parentcontexts = 'r.contextid IN ('.implode(',', $contexts).')';
2590 } else {
eef868d1 2591 $parentcontexts = '';
ab5c9044 2592 }
2593 } else {
eef868d1 2594 $parentcontexts = '';
2595 }
2596
2597 $SQL = "select u.*
2598 from {$CFG->prefix}role_assignments r,
2599 {$CFG->prefix}user u
2600 where (r.contextid = $context->id $parentcontexts)
2601 and r.roleid = $roleid
ab5c9044 2602 and u.id = r.userid"; // join now so that we can just use fullname() later
eef868d1 2603
ab5c9044 2604 return get_records_sql($SQL);
2605}
2606
eef868d1 2607/**
d76a5a7f 2608 * This function gets the list of courses that this user has a particular capability in
2609 * This is not the most efficient way of doing this
2610 * @param string capability
2611 * @param int $userid
2612 * @return array
2613 */
2614function get_user_capability_course($capability, $userid='') {
eef868d1 2615
d76a5a7f 2616 global $USER;
2617 if (!$userid) {
eef868d1 2618 $userid = $USER->id;
d76a5a7f 2619 }
eef868d1 2620
d76a5a7f 2621 $usercourses = array();
2622 $courses = get_records_select('course', '', '', 'id, id');
eef868d1 2623
d76a5a7f 2624 foreach ($courses as $course) {
2625 if (has_capability($capability, get_context_capability(CONTEXT_COURSE, $course->id))) {
2626 $usercourses[] = $course;
2627 }
2628 }
eef868d1 2629 return $usercourses;
e38f38c3 2630}
2631
2632
2633/** This function finds the roles assigned directly to this context only
2634 * i.e. no parents role
2635 * @param object $context
2636 * @return array
2637 */
2638function get_roles_on_exact_context($context) {
b5959f30 2639
e38f38c3 2640 global $CFG;
49293027 2641
b5959f30 2642 return get_records_sql("SELECT DISTINCT r.*
e38f38c3 2643 FROM {$CFG->prefix}role_assignments ra,
2644 {$CFG->prefix}role r
2645 WHERE ra.roleid = r.id
2646 AND ra.contextid = $context->id");
b5959f30 2647
49293027 2648}
2649
b5959f30 2650/*
3a52e764 2651 * Switches the current user to another role for the current session and only
b5959f30 2652 * in the given context. If roleid is not valid (eg 0) or the current user
2653 * doesn't have permissions to be switching roles then the user's session
3a52e764 2654 * is compltely reset to have their normal roles.
2655 * @param integer $roleid
2656 * @param object $context
2657 * @return bool
2658 */
2659function role_switch($roleid, $context) {
2660 global $USER;
2661
2662 global $db;
2663
2664/// If we can't use this or are already using it or no role was specified then bail completely and reset
b5959f30 2665 if (empty($roleid) || !has_capability('moodle/role:switchroles', $context)
2d07587b 2666 || !empty($USER->switchrole[$context->id]) || !confirm_sesskey()) {
2667 load_user_capability('', $context); // Reset all permissions for this context to normal
2668 unset($USER->switchrole[$context->id]); // Delete old capabilities
3a52e764 2669 return true;
2670 }
2671
2672/// We're allowed to switch but can we switch to the specified role? Use assignable roles to check.
2673 if (!$roles = get_assignable_roles($context)) {
2674 return false;
2675 }
2676
2677 if (empty($roles[$roleid])) { /// We can't switch to this particular role
2678 return false;
2679 }
2680
2681 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
2682 return false;
2683 }
2684
2685/// We have a valid roleid that this user can switch to, so let's set up the session
2686
2d07587b 2687 $USER->switchrole[$context->id] = $roleid; // So we know later what state we are in
3a52e764 2688
2689 unset($USER->capabilities[$context->id]); // Delete old capabilities
2690
2691 if ($capabilities = get_records_select('role_capabilities', "roleid = $roleid AND contextid = $sitecontext->id")) {
2692 foreach ($capabilities as $capability) {
2693 $USER->capabilities[$context->id][$capability->capability] = $capability->permission;
2694 }
2695 }
2696
2d07587b 2697/// Add some permissions we are really going to always need, even if the role doesn't have them!
3a52e764 2698
2699 $USER->capabilities[$context->id]['moodle/course:view'] = CAP_ALLOW;
2700
2701 return true;
2702
2703}
2704
2705
49293027 2706// get any role that has an override on exact context
2707function get_roles_with_override_on_context($context) {
b5959f30 2708
49293027 2709 global $CFG;
b5959f30 2710
49293027 2711 return get_records_sql("SELECT DISTINCT r.*
2712 FROM {$CFG->prefix}role_capabilities rc,
2713 {$CFG->prefix}role r
2714 WHERE rc.roleid = r.id
2715 AND rc.contextid = $context->id");
2716}
2717
2718// get all capabilities for this role on this context (overrids)
2719function get_capabilities_from_role_on_context($role, $context) {
b5959f30 2720
49293027 2721 global $CFG;
b5959f30 2722
2723 return get_records_sql("SELECT *
49293027 2724 FROM {$CFG->prefix}role_capabilities
2725 WHERE contextid = $context->id
2726 AND roleid = $role->id");
01e52ac7 2727}
2728
5b5781f4 2729// find out which roles has assignment on this context
2730function get_roles_with_assignment_on_context($context) {
2731
2732 global $CFG;
2733
2734 return get_records_sql("SELECT DISTINCT r.*
2735 FROM {$CFG->prefix}role_assignments ra,
2736 {$CFG->prefix}role r
2737 WHERE ra.roleid = r.id
2738 AND ra.contextid = $context->id");
2739}
2740
2741
2742
01e52ac7 2743/* find all user assignemnt of users for this role, on this context
2744 */
2745function get_users_from_role_on_context($role, $context) {
b5959f30 2746
01e52ac7 2747 global $CFG;
b5959f30 2748
01e52ac7 2749 return get_records_sql("SELECT *
2750 FROM {$CFG->prefix}role_assignments
2751 WHERE contextid = $context->id
b5959f30 2752 AND roleid = $role->id");
01e52ac7 2753}
3a52e764 2754
2755?>