projects / moodle.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Changes no datadir error message from bad manifest to bad package
[moodle.git] / lib / accesslib.php
CommitLineData
bbbf2d40 1<?php
cee0901c 2 /**
3 * Capability session information format
bbbf2d40 4 * 2 x 2 array
5 * [context][capability]
6 * where context is the context id of the table 'context'
7 * and capability is a string defining the capability
8 * e.g.
9 *
10 * [Capabilities] => [26][mod/forum:viewpost] = 1
11 * [26][mod/forum:startdiscussion] = -8990
12 * [26][mod/forum:editallpost] = -1
13 * [273][moodle:blahblah] = 1
14 * [273][moodle:blahblahblah] = 2
15 */
bbbf2d40 16
17// permission definitions
e49e61bf 18define('CAP_INHERIT', 0);
bbbf2d40 19define('CAP_ALLOW', 1);
20define('CAP_PREVENT', -1);
21define('CAP_PROHIBIT', -1000);
22
bbbf2d40 23// context definitions
24define('CONTEXT_SYSTEM', 10);
25define('CONTEXT_PERSONAL', 20);
4b10f08b 26define('CONTEXT_USER', 30);
bbbf2d40 27define('CONTEXT_COURSECAT', 40);
28define('CONTEXT_COURSE', 50);
29define('CONTEXT_GROUP', 60);
30define('CONTEXT_MODULE', 70);
31define('CONTEXT_BLOCK', 80);
32
21b6db6e 33// capability risks - see http://docs.moodle.org/en/Hardening_new_Roles_system
34define('RISK_MANAGETRUST', 0x0001);
a6b02b65 35define('RISK_CONFIG', 0x0002);
21b6db6e 36define('RISK_XSS', 0x0004);
37define('RISK_PERSONAL', 0x0008);
38define('RISK_SPAM', 0x0010);
39
40
340ea4e8 41$context_cache = array(); // Cache of all used context objects for performance (by level and instance)
42$context_cache_id = array(); // Index to above cache by id
bbbf2d40 43
7700027f 44
e7876c1e 45/**
46 * Loads the capabilities for the default guest role to the current user in a specific context
47 * @return object
48 */
49function load_guest_role($context=NULL) {
50 global $USER;
51
52 static $guestrole;
53
54 if (!isloggedin()) {
55 return false;
56 }
57
58 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
59 return false;
60 }
61
62 if (empty($context)) {
63 $context = $sitecontext;
64 }
65
66 if (empty($guestrole)) {
8f8ed475 67 if (!$guestrole = get_guest_role()) {
e7876c1e 68 return false;
69 }
70 }
71
eef868d1 72 if ($capabilities = get_records_select('role_capabilities',
e7876c1e 73 "roleid = $guestrole->id AND contextid = $sitecontext->id")) {
74 foreach ($capabilities as $capability) {
eef868d1 75 $USER->capabilities[$context->id][$capability->capability] = $capability->permission;
e7876c1e 76 }
77 }
78
79 return true;
80}
81
7700027f 82/**
83 * Load default not logged in role capabilities when user is not logged in
eef868d1 84 * @return bool
7700027f 85 */
20aeb4b8 86function load_notloggedin_role() {
87 global $CFG, $USER;
88
7700027f 89 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
90 return false;
35a518c5 91 }
92
7700027f 93 if (empty($CFG->notloggedinroleid)) { // Let's set the default to the guest role
8f8ed475 94 if ($role = get_guest_role()) {
7700027f 95 set_config('notloggedinroleid', $role->id);
96 } else {
97 return false;
98 }
99 }
20aeb4b8 100
eef868d1 101 if ($capabilities = get_records_select('role_capabilities',
7700027f 102 "roleid = $CFG->notloggedinroleid AND contextid = $sitecontext->id")) {
103 foreach ($capabilities as $capability) {
eef868d1 104 $USER->capabilities[$sitecontext->id][$capability->capability] = $capability->permission;
7700027f 105 }
20aeb4b8 106 }
107
108 return true;
109}
cee0901c 110
8f8ed475 111/**
112 * Load default not logged in role capabilities when user is not logged in
eef868d1 113 * @return bool
8f8ed475 114 */
115function load_defaultuser_role() {
116 global $CFG, $USER;
117
118 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
119 return false;
120 }
121
122 if (empty($CFG->defaultuserroleid)) { // Let's set the default to the guest role
123 if ($role = get_guest_role()) {
124 set_config('defaultuserroleid', $role->id);
125 } else {
126 return false;
127 }
128 }
129
eef868d1 130 if ($capabilities = get_records_select('role_capabilities',
8f8ed475 131 "roleid = $CFG->defaultuserroleid AND contextid = $sitecontext->id")) {
132 foreach ($capabilities as $capability) {
ca23ffdb 133 if (!isset($USER->capabilities[$sitecontext->id][$capability->capability])) { // Don't overwrite
eef868d1 134 $USER->capabilities[$sitecontext->id][$capability->capability] = $capability->permission;
ca23ffdb 135 }
8f8ed475 136 }
137
eef868d1 138 // SPECIAL EXCEPTION: If the default user role is actually a guest role, then
8f8ed475 139 // remove some capabilities so this user doesn't get confused with a REAL guest
2f089dd5 140 if (isset($USER->capabilities[$sitecontext->id]['moodle/legacy:guest']) and $USER->username != 'guest') {
eef868d1 141 unset($USER->capabilities[$sitecontext->id]['moodle/legacy:guest']);
8f8ed475 142 unset($USER->capabilities[$sitecontext->id]['moodle/course:view']); // No access to courses by default
143 }
144 }
145
146 return true;
147}
148
149
150/**
151 * Get the default guest role
152 * @return object role
153 */
154function get_guest_role() {
155 if ($roles = get_roles_with_capability('moodle/legacy:guest', CAP_ALLOW)) {
156 return array_shift($roles); // Pick the first one
157 } else {
158 return false;
159 }
160}
161
162
bbbf2d40 163/**
164 * This functions get all the course categories in proper order
0468976c 165 * @param int $context
bbbf2d40 166 * @param int $type
167 * @return array of contextids
168 */
0468976c 169function get_parent_cats($context, $type) {
eef868d1 170
98882637 171 $parents = array();
eef868d1 172
c5ddc3fd 173 switch ($type) {
98882637 174 case CONTEXT_COURSECAT:
c5ddc3fd 175 if (!$cat = get_record('course_categories','id',$context->instanceid)) {
176 break;
177 }
178
179 while (!empty($cat->parent)) {
180 if (!$context = get_context_instance(CONTEXT_COURSECAT, $cat->parent)) {
181 break;
182 }
98882637 183 $parents[] = $context->id;
184 $cat = get_record('course_categories','id',$cat->parent);
185 }
98882637 186 break;
eef868d1 187
98882637 188 case CONTEXT_COURSE:
c5ddc3fd 189 if (!$course = get_record('course', 'id', $context->instanceid)) {
190 break;
191 }
192 if (!$catinstance = get_context_instance(CONTEXT_COURSECAT, $course->category)) {
193 break;
194 }
195
98882637 196 $parents[] = $catinstance->id;
c5ddc3fd 197
198 if (!$cat = get_record('course_categories','id',$course->category)) {
199 break;
200 }
201
202 while (!empty($cat->parent)) {
203 if (!$context = get_context_instance(CONTEXT_COURSECAT, $cat->parent)) {
204 break;
205 }
98882637 206 $parents[] = $context->id;
207 $cat = get_record('course_categories','id',$cat->parent);
208 }
209 break;
eef868d1 210
98882637 211 default:
212 break;
98882637 213 }
98882637 214 return array_reverse($parents);
bbbf2d40 215}
216
217
cee0901c 218
0468976c 219/**
220 * This function checks for a capability assertion being true. If it isn't
221 * then the page is terminated neatly with a standard error message
222 * @param string $capability - name of the capability
223 * @param object $context - a context object (record from context table)
224 * @param integer $userid - a userid number
d74067e8 225 * @param bool $doanything - if false, ignore do anything
0468976c 226 * @param string $errorstring - an errorstring
d74067e8 227 * @param string $stringfile - which stringfile to get it from
0468976c 228 */
eef868d1 229function require_capability($capability, $context=NULL, $userid=NULL, $doanything=true,
d74067e8 230 $errormessage="nopermissions", $stringfile='') {
a9e1c058 231
232 global $USER;
233
234/// If the current user is not logged in, then make sure they are
235
236 if (empty($userid) and empty($USER->id)) {
aad2ba95 237 if ($context && ($context->contextlevel == CONTEXT_COURSE)) {
a9e1c058 238 require_login($context->instanceid);
11ac79ff 239 } else if ($context && ($context->contextlevel == CONTEXT_MODULE)) {
240 if ($cm = get_record('course_modules','id',$context->instanceid)) {
241 require_login($cm->course, true, $cm);
242 } else {
243 require_login();
244 }
a9e1c058 245 } else {
246 require_login();
247 }
248 }
eef868d1 249
a9e1c058 250/// OK, if they still don't have the capability then print a nice error message
251
d74067e8 252 if (!has_capability($capability, $context, $userid, $doanything)) {
0468976c 253 $capabilityname = get_capability_string($capability);
254 print_error($errormessage, $stringfile, '', $capabilityname);
255 }
256}
257
258
bbbf2d40 259/**
260 * This function returns whether the current user has the capability of performing a function
261 * For example, we can do has_capability('mod/forum:replypost',$cm) in forum
262 * only one of the 4 (moduleinstance, courseid, site, userid) would be set at 1 time
263 * This is a recursive funciton.
bbbf2d40 264 * @uses $USER
265 * @param string $capability - name of the capability
0468976c 266 * @param object $context - a context object (record from context table)
267 * @param integer $userid - a userid number
20aeb4b8 268 * @param bool $doanything - if false, ignore do anything
bbbf2d40 269 * @return bool
270 */
d74067e8 271function has_capability($capability, $context=NULL, $userid=NULL, $doanything=true) {
bbbf2d40 272
20aeb4b8 273 global $USER, $CONTEXT, $CFG;
bbbf2d40 274
a8a7300a 275 if (debugging() && !record_exists('capabilities', 'name', $capability)) {
7f7cacdf 276 debugging('Cabability "'.$capability.'" was not found! This should be fixed in code.');
a8a7300a 277 }
278
8f8ed475 279 if (empty($userid) && empty($USER->capabilities)) { // Real user, first time here
280 if (isloggedin()) {
281 load_defaultuser_role(); // All users get this by default
282 } else {
283 load_notloggedin_role(); // others get this by default
284 }
20aeb4b8 285 }
286
287 if ($userid && $userid != $USER->id) {
9425b25f 288 if (empty($USER->id) or ($userid != $USER->id)) {
289 $capabilities = load_user_capability($capability, $context, $userid);
290 } else { //$USER->id == $userid
291 $capabilities = empty($USER->capabilities) ? NULL : $USER->capabilities;
292 }
293 } else { // no userid
294 $capabilities = empty($USER->capabilities) ? NULL : $USER->capabilities;
98882637 295 }
9425b25f 296
0468976c 297 if (empty($context)) { // Use default CONTEXT if none specified
340ea4e8 298 if (empty($CONTEXT)) {
299 return false;
300 } else {
301 $context = $CONTEXT;
302 }
0468976c 303 } else { // A context was given to us
304 if (empty($CONTEXT)) {
305 $CONTEXT = $context; // Store FIRST used context in this global as future default
306 }
340ea4e8 307 }
bbbf2d40 308
20aeb4b8 309 if ($doanything) {
2d07587b 310
20aeb4b8 311 // Check site
2d07587b 312 if (empty($USER->switchrole[$context->id])) { // Ignore site setting if switchrole is active
313 $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
314 if (isset($capabilities[$sitecontext->id]['moodle/site:doanything'])) {
315 return (0 < $capabilities[$sitecontext->id]['moodle/site:doanything']);
316 }
20aeb4b8 317 }
eef868d1 318
aad2ba95 319 switch ($context->contextlevel) {
eef868d1 320
20aeb4b8 321 case CONTEXT_COURSECAT:
322 // Check parent cats.
323 $parentcats = get_parent_cats($context, CONTEXT_COURSECAT);
324 foreach ($parentcats as $parentcat) {
325 if (isset($capabilities[$parentcat]['moodle/site:doanything'])) {
326 return (0 < $capabilities[$parentcat]['moodle/site:doanything']);
327 }
cee0901c 328 }
20aeb4b8 329 break;
bbbf2d40 330
20aeb4b8 331 case CONTEXT_COURSE:
332 // Check parent cat.
333 $parentcats = get_parent_cats($context, CONTEXT_COURSE);
98882637 334
20aeb4b8 335 foreach ($parentcats as $parentcat) {
336 if (isset($capabilities[$parentcat]['do_anything'])) {
337 return (0 < $capabilities[$parentcat]['do_anything']);
338 }
9425b25f 339 }
20aeb4b8 340 break;
bbbf2d40 341
20aeb4b8 342 case CONTEXT_GROUP:
343 // Find course.
344 $group = get_record('groups','id',$context->instanceid);
345 $courseinstance = get_context_instance(CONTEXT_COURSE, $group->courseid);
9425b25f 346
20aeb4b8 347 $parentcats = get_parent_cats($courseinstance, CONTEXT_COURSE);
348 foreach ($parentcats as $parentcat) {
349 if (isset($capabilities[$parentcat->id]['do_anything'])) {
350 return (0 < $capabilities[$parentcat->id]['do_anything']);
351 }
9425b25f 352 }
9425b25f 353
20aeb4b8 354 $coursecontext = '';
355 if (isset($capabilities[$courseinstance->id]['do_anything'])) {
356 return (0 < $capabilities[$courseinstance->id]['do_anything']);
357 }
9425b25f 358
20aeb4b8 359 break;
bbbf2d40 360
20aeb4b8 361 case CONTEXT_MODULE:
362 // Find course.
363 $cm = get_record('course_modules', 'id', $context->instanceid);
364 $courseinstance = get_context_instance(CONTEXT_COURSE, $cm->course);
9425b25f 365
20aeb4b8 366 if ($parentcats = get_parent_cats($courseinstance, CONTEXT_COURSE)) {
367 foreach ($parentcats as $parentcat) {
368 if (isset($capabilities[$parentcat]['do_anything'])) {
369 return (0 < $capabilities[$parentcat]['do_anything']);
370 }
cee0901c 371 }
9425b25f 372 }
98882637 373
20aeb4b8 374 if (isset($capabilities[$courseinstance->id]['do_anything'])) {
375 return (0 < $capabilities[$courseinstance->id]['do_anything']);
376 }
bbbf2d40 377
20aeb4b8 378 break;
bbbf2d40 379
20aeb4b8 380 case CONTEXT_BLOCK:
381 // 1 to 1 to course.
382 // Find course.
383 $block = get_record('block_instance','id',$context->instanceid);
384 $courseinstance = get_context_instance(CONTEXT_COURSE, $block->pageid); // needs check
9425b25f 385
20aeb4b8 386 $parentcats = get_parent_cats($courseinstance, CONTEXT_COURSE);
387 foreach ($parentcats as $parentcat) {
388 if (isset($capabilities[$parentcat]['do_anything'])) {
389 return (0 < $capabilities[$parentcat]['do_anything']);
390 }
cee0901c 391 }
9425b25f 392
20aeb4b8 393 if (isset($capabilities[$courseinstance->id]['do_anything'])) {
394 return (0 < $capabilities[$courseinstance->id]['do_anything']);
395 }
396 break;
bbbf2d40 397
20aeb4b8 398 default:
4b10f08b 399 // CONTEXT_SYSTEM: CONTEXT_PERSONAL: CONTEXT_USER:
20aeb4b8 400 // Do nothing.
401 break;
402 }
bbbf2d40 403
20aeb4b8 404 // Last: check self.
405 if (isset($capabilities[$context->id]['do_anything'])) {
406 return (0 < $capabilities[$context->id]['do_anything']);
407 }
98882637 408 }
98882637 409 // do_anything has not been set, we now look for it the normal way.
9425b25f 410 return (0 < capability_search($capability, $context, $capabilities));
bbbf2d40 411
9425b25f 412}
bbbf2d40 413
414
415/**
416 * In a separate function so that we won't have to deal with do_anything.
417 * again. Used by function has_capability.
418 * @param $capability - capability string
0468976c 419 * @param $context - the context object
bbbf2d40 420 * @param $capabilities - either $USER->capability or loaded array
421 * @return permission (int)
422 */
0468976c 423function capability_search($capability, $context, $capabilities) {
759ac72d 424
bbbf2d40 425 global $USER, $CFG;
0468976c 426
11ac79ff 427 if (!isset($context->id)) {
428 return 0;
429 }
430
0468976c 431 if (isset($capabilities[$context->id][$capability])) {
432 return ($capabilities[$context->id][$capability]);
bbbf2d40 433 }
9425b25f 434
bbbf2d40 435 /* Then, we check the cache recursively */
9425b25f 436 $permission = 0;
437
aad2ba95 438 switch ($context->contextlevel) {
bbbf2d40 439
440 case CONTEXT_SYSTEM: // by now it's a definite an inherit
441 $permission = 0;
442 break;
443
444 case CONTEXT_PERSONAL:
0468976c 445 $parentcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
446 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 447 break;
9425b25f 448
4b10f08b 449 case CONTEXT_USER:
0468976c 450 $parentcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
451 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 452 break;
9425b25f 453
bbbf2d40 454 case CONTEXT_COURSECAT: // Coursecat -> coursecat or site
455 $coursecat = get_record('course_categories','id',$context->instanceid);
0468976c 456 if (!empty($coursecat->parent)) { // return parent value if it exists
457 $parentcontext = get_context_instance(CONTEXT_COURSECAT, $coursecat->parent);
bbbf2d40 458 } else { // else return site value
0468976c 459 $parentcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
bbbf2d40 460 }
0468976c 461 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 462 break;
463
464 case CONTEXT_COURSE: // 1 to 1 to course cat
465 // find the course cat, and return its value
466 $course = get_record('course','id',$context->instanceid);
0468976c 467 $parentcontext = get_context_instance(CONTEXT_COURSECAT, $course->category);
468 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 469 break;
470
471 case CONTEXT_GROUP: // 1 to 1 to course
472 $group = get_record('groups','id',$context->instanceid);
0468976c 473 $parentcontext = get_context_instance(CONTEXT_COURSE, $group->courseid);
474 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 475 break;
476
477 case CONTEXT_MODULE: // 1 to 1 to course
478 $cm = get_record('course_modules','id',$context->instanceid);
0468976c 479 $parentcontext = get_context_instance(CONTEXT_COURSE, $cm->course);
480 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 481 break;
482
483 case CONTEXT_BLOCK: // 1 to 1 to course
484 $block = get_record('block_instance','id',$context->instanceid);
0468976c 485 $parentcontext = get_context_instance(CONTEXT_COURSE, $block->pageid); // needs check
486 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 487 break;
488
489 default:
490 error ('This is an unknown context!');
491 return false;
492 }
9425b25f 493
98882637 494 return $permission;
bbbf2d40 495}
496
497
498/**
499 * This function should be called immediately after a login, when $USER is set.
500 * It will build an array of all the capabilities at each level
501 * i.e. site/metacourse/course_category/course/moduleinstance
502 * Note we should only load capabilities if they are explicitly assigned already,
503 * we should not load all module's capability!
504 * @param $userid - the id of the user whose capabilities we want to load
505 * @return array
506 * possible just s simple 2D array with [contextid][capabilityname]
507 * [Capabilities] => [26][forum_post] = 1
508 * [26][forum_start] = -8990
509 * [26][forum_edit] = -1
510 * [273][blah blah] = 1
511 * [273][blah blah blah] = 2
512 */
0468976c 513function load_user_capability($capability='', $context ='', $userid='') {
d140ad3f 514
98882637 515 global $USER, $CFG;
bbbf2d40 516
517 if (empty($userid)) {
dc411d1b 518 if (empty($USER->id)) { // We have no user to get capabilities for
64026e8c 519 debugging('User not logged in for load_user_capability!');
dc411d1b 520 return false;
521 }
64026e8c 522 unset($USER->capabilities); // We don't want possible older capabilites hanging around
523
524 check_enrolment_plugins($USER); // Call "enrol" system to ensure that we have the correct picture
8f8ed475 525
bbbf2d40 526 $userid = $USER->id;
dc411d1b 527 $otheruserid = false;
bbbf2d40 528 } else {
64026e8c 529 if (!$user = get_record('user', 'id', $userid)) {
530 debugging('Non-existent userid in load_user_capability!');
531 return false;
532 }
533
534 check_enrolment_plugins($user); // Ensure that we have the correct picture
535
9425b25f 536 $otheruserid = $userid;
bbbf2d40 537 }
9425b25f 538
5f70bcc3 539
540/// First we generate a list of all relevant contexts of the user
541
542 $usercontexts = array();
bbbf2d40 543
0468976c 544 if ($context) { // if context is specified
eef868d1 545 $usercontexts = get_parent_contexts($context);
98882637 546 } else { // else, we load everything
5f70bcc3 547 if ($userroles = get_records('role_assignments','userid',$userid)) {
548 foreach ($userroles as $userrole) {
549 $usercontexts[] = $userrole->contextid;
550 }
98882637 551 }
5f70bcc3 552 }
553
554/// Set up SQL fragments for searching contexts
555
556 if ($usercontexts) {
0468976c 557 $listofcontexts = '('.implode(',', $usercontexts).')';
5f70bcc3 558 $searchcontexts1 = "c1.id IN $listofcontexts AND";
5f70bcc3 559 } else {
c76e095f 560 $searchcontexts1 = '';
bbbf2d40 561 }
3ca2dea5 562
64026e8c 563 if ($capability) {
564 $capsearch = " AND rc.capability = '$capability' ";
565 } else {
eef868d1 566 $capsearch ="";
64026e8c 567 }
568
e38f38c3 569/// Set up SQL fragments for timestart, timeend etc
570 $now = time();
85f101fa 571 $timesql = "AND ((ra.timestart = 0 OR ra.timestart < $now) AND (ra.timeend = 0 OR ra.timeend > $now))";
e38f38c3 572
5f70bcc3 573/// Then we use 1 giant SQL to bring out all relevant capabilities.
574/// The first part gets the capabilities of orginal role.
575/// The second part gets the capabilities of overriden roles.
bbbf2d40 576
98882637 577 $siteinstance = get_context_instance(CONTEXT_SYSTEM, SITEID);
bbbf2d40 578
c76e095f 579 $SQL = " SELECT rc.capability, c1.id, (c1.contextlevel * 100) AS aggrlevel,
bbbf2d40 580 SUM(rc.permission) AS sum
581 FROM
eef868d1 582 {$CFG->prefix}role_assignments ra,
42ac3ecf 583 {$CFG->prefix}role_capabilities rc,
584 {$CFG->prefix}context c1
bbbf2d40 585 WHERE
d4649c76 586 ra.contextid=c1.id AND
587 ra.roleid=rc.roleid AND
bbbf2d40 588 ra.userid=$userid AND
5f70bcc3 589 $searchcontexts1
eef868d1 590 rc.contextid=$siteinstance->id
98882637 591 $capsearch
e38f38c3 592 $timesql
bbbf2d40 593 GROUP BY
aad2ba95 594 rc.capability, (c1.contextlevel * 100), c1.id
bbbf2d40 595 HAVING
41811960 596 SUM(rc.permission) != 0
bbbf2d40 597 UNION
598
c76e095f 599 SELECT rc.capability, c2.id, (c1.contextlevel * 100 + c2.contextlevel) AS aggrlevel,
bbbf2d40 600 SUM(rc.permission) AS sum
601 FROM
42ac3ecf 602 {$CFG->prefix}role_assignments ra,
603 {$CFG->prefix}role_capabilities rc,
604 {$CFG->prefix}context c1,
605 {$CFG->prefix}context c2
bbbf2d40 606 WHERE
d4649c76 607 ra.contextid=c1.id AND
eef868d1 608 ra.roleid=rc.roleid AND
609 ra.userid=$userid AND
610 rc.contextid=c2.id AND
5f70bcc3 611 $searchcontexts1
5f70bcc3 612 rc.contextid != $siteinstance->id
bbbf2d40 613 $capsearch
e38f38c3 614 $timesql
eef868d1 615
bbbf2d40 616 GROUP BY
c76e095f 617 rc.capability, (c1.contextlevel * 100 + c2.contextlevel), c2.id, c1.id
bbbf2d40 618 HAVING
41811960 619 SUM(rc.permission) != 0
bbbf2d40 620 ORDER BY
75e84883 621 aggrlevel ASC
bbbf2d40 622 ";
623
98882637 624 $capabilities = array(); // Reinitialize.
75e84883 625 if (!$rs = get_recordset_sql($SQL)) {
626 error("Query failed in load_user_capability.");
627 }
5cf38a57 628
bbbf2d40 629 if ($rs && $rs->RecordCount() > 0) {
630 while (!$rs->EOF) {
75e84883 631 $array = $rs->fields;
632 $temprecord = new object;
eef868d1 633
98882637 634 foreach ($array as $key=>$val) {
75e84883 635 if ($key == 'aggrlevel') {
aad2ba95 636 $temprecord->contextlevel = $val;
75e84883 637 } else {
638 $temprecord->{$key} = $val;
639 }
98882637 640 }
bbbf2d40 641 $capabilities[] = $temprecord;
642 $rs->MoveNext();
643 }
644 }
eef868d1 645
bbbf2d40 646 /* so up to this point we should have somethign like this
aad2ba95 647 * $capabilities[1] ->contextlevel = 1000
bbbf2d40 648 ->module = SITEID
649 ->capability = do_anything
650 ->id = 1 (id is the context id)
651 ->sum = 0
eef868d1 652
aad2ba95 653 * $capabilities[2] ->contextlevel = 1000
bbbf2d40 654 ->module = SITEID
655 ->capability = post_messages
656 ->id = 1
657 ->sum = -9000
658
aad2ba95 659 * $capabilittes[3] ->contextlevel = 3000
bbbf2d40 660 ->module = course
661 ->capability = view_course_activities
662 ->id = 25
663 ->sum = 1
664
aad2ba95 665 * $capabilittes[4] ->contextlevel = 3000
bbbf2d40 666 ->module = course
667 ->capability = view_course_activities
668 ->id = 26
669 ->sum = 0 (this is another course)
eef868d1 670
aad2ba95 671 * $capabilities[5] ->contextlevel = 3050
bbbf2d40 672 ->module = course
673 ->capability = view_course_activities
674 ->id = 25 (override in course 25)
675 ->sum = -1
676 * ....
677 * now we proceed to write the session array, going from top to bottom
678 * at anypoint, we need to go up and check parent to look for prohibit
679 */
680 // print_object($capabilities);
681
682 /* This is where we write to the actualy capabilities array
683 * what we need to do from here on is
684 * going down the array from lowest level to highest level
685 * 1) recursively check for prohibit,
686 * if any, we write prohibit
687 * else, we write the value
688 * 2) at an override level, we overwrite current level
689 * if it's not set to prohibit already, and if different
690 * ........ that should be it ........
691 */
98882637 692 $usercap = array(); // for other user's capabilities
bbbf2d40 693 foreach ($capabilities as $capability) {
694
7bfa3101 695 if (!$context = get_context_instance_by_id($capability->id)) {
696 continue; // incorrect stale context
697 }
0468976c 698
41811960 699 if (!empty($otheruserid)) { // we are pulling out other user's capabilities, do not write to session
eef868d1 700
0468976c 701 if (capability_prohibits($capability->capability, $context, $capability->sum, $usercap)) {
98882637 702 $usercap[$capability->id][$capability->capability] = -9000;
703 continue;
704 }
705
eef868d1 706 $usercap[$capability->id][$capability->capability] = $capability->sum;
707
98882637 708 } else {
709
0468976c 710 if (capability_prohibits($capability->capability, $context, $capability->sum)) { // if any parent or parent's parent is set to prohibit
98882637 711 $USER->capabilities[$capability->id][$capability->capability] = -9000;
712 continue;
713 }
eef868d1 714
98882637 715 // if no parental prohibit set
716 // just write to session, i am not sure this is correct yet
717 // since 3050 shows up after 3000, and 3070 shows up after 3050,
718 // it should be ok just to overwrite like this, provided that there's no
719 // parental prohibits
720 // no point writing 0, since 0 = inherit
721 // we need to write even if it's 0, because it could be an inherit override
722 $USER->capabilities[$capability->id][$capability->capability] = $capability->sum;
723 }
bbbf2d40 724 }
eef868d1 725
bbbf2d40 726 // now we don't care about the huge array anymore, we can dispose it.
727 unset($capabilities);
eef868d1 728
dbe7e582 729 if (!empty($otheruserid)) {
eef868d1 730 return $usercap; // return the array
bbbf2d40 731 }
732 // see array in session to see what it looks like
733
734}
735
64026e8c 736/*
737 * Check all the login enrolment information for the given user object
eef868d1 738 * by querying the enrolment plugins
64026e8c 739 */
740function check_enrolment_plugins(&$user) {
741 global $CFG;
742
e4ec4e41 743 static $inprogress; // To prevent this function being called more than once in an invocation
744
218eb651 745 if (!empty($inprogress[$user->id])) {
e4ec4e41 746 return;
747 }
748
218eb651 749 $inprogress[$user->id] = true; // Set the flag
e4ec4e41 750
64026e8c 751 require_once($CFG->dirroot .'/enrol/enrol.class.php');
eef868d1 752
64026e8c 753 if (!($plugins = explode(',', $CFG->enrol_plugins_enabled))) {
754 $plugins = array($CFG->enrol);
755 }
756
757 foreach ($plugins as $plugin) {
758 $enrol = enrolment_factory::factory($plugin);
759 if (method_exists($enrol, 'setup_enrolments')) { /// Plugin supports Roles (Moodle 1.7 and later)
760 $enrol->setup_enrolments($user);
761 } else { /// Run legacy enrolment methods
762 if (method_exists($enrol, 'get_student_courses')) {
763 $enrol->get_student_courses($user);
764 }
765 if (method_exists($enrol, 'get_teacher_courses')) {
766 $enrol->get_teacher_courses($user);
767 }
768
769 /// deal with $user->students and $user->teachers stuff
770 unset($user->student);
771 unset($user->teacher);
772 }
773 unset($enrol);
774 }
e4ec4e41 775
218eb651 776 unset($inprogress[$user->id]); // Unset the flag
64026e8c 777}
778
bbbf2d40 779
780/**
781 * This is a recursive function that checks whether the capability in this
782 * context, or the parent capabilities are set to prohibit.
783 *
784 * At this point, we can probably just use the values already set in the
785 * session variable, since we are going down the level. Any prohit set in
786 * parents would already reflect in the session.
787 *
788 * @param $capability - capability name
789 * @param $sum - sum of all capabilities values
0468976c 790 * @param $context - the context object
bbbf2d40 791 * @param $array - when loading another user caps, their caps are not stored in session but an array
792 */
0468976c 793function capability_prohibits($capability, $context, $sum='', $array='') {
bbbf2d40 794 global $USER;
0468976c 795
bbbf2d40 796 if ($sum < -8000) {
797 // If this capability is set to prohibit.
798 return true;
799 }
eef868d1 800
bbbf2d40 801 if (isset($array)) {
eef868d1 802 if (isset($array[$context->id][$capability])
0468976c 803 && $array[$context->id][$capability] < -8000) {
98882637 804 return true;
eef868d1 805 }
bbbf2d40 806 } else {
98882637 807 // Else if set in session.
eef868d1 808 if (isset($USER->capabilities[$context->id][$capability])
0468976c 809 && $USER->capabilities[$context->id][$capability] < -8000) {
98882637 810 return true;
811 }
bbbf2d40 812 }
aad2ba95 813 switch ($context->contextlevel) {
eef868d1 814
bbbf2d40 815 case CONTEXT_SYSTEM:
816 // By now it's a definite an inherit.
817 return 0;
818 break;
819
820 case CONTEXT_PERSONAL:
821 $parent = get_context_instance(CONTEXT_SYSTEM, SITEID);
0468976c 822 return capability_prohibits($capability, $parent);
bbbf2d40 823 break;
824
4b10f08b 825 case CONTEXT_USER:
bbbf2d40 826 $parent = get_context_instance(CONTEXT_SYSTEM, SITEID);
0468976c 827 return capability_prohibits($capability, $parent);
bbbf2d40 828 break;
829
830 case CONTEXT_COURSECAT:
831 // Coursecat -> coursecat or site.
832 $coursecat = get_record('course_categories','id',$context->instanceid);
41811960 833 if (!empty($coursecat->parent)) {
bbbf2d40 834 // return parent value if exist.
835 $parent = get_context_instance(CONTEXT_COURSECAT, $coursecat->parent);
836 } else {
837 // Return site value.
838 $parent = get_context_instance(CONTEXT_SYSTEM, SITEID);
839 }
0468976c 840 return capability_prohibits($capability, $parent);
bbbf2d40 841 break;
842
843 case CONTEXT_COURSE:
844 // 1 to 1 to course cat.
845 // Find the course cat, and return its value.
846 $course = get_record('course','id',$context->instanceid);
847 $parent = get_context_instance(CONTEXT_COURSECAT, $course->category);
0468976c 848 return capability_prohibits($capability, $parent);
bbbf2d40 849 break;
850
851 case CONTEXT_GROUP:
852 // 1 to 1 to course.
853 $group = get_record('groups','id',$context->instanceid);
854 $parent = get_context_instance(CONTEXT_COURSE, $group->courseid);
0468976c 855 return capability_prohibits($capability, $parent);
bbbf2d40 856 break;
857
858 case CONTEXT_MODULE:
859 // 1 to 1 to course.
860 $cm = get_record('course_modules','id',$context->instanceid);
861 $parent = get_context_instance(CONTEXT_COURSE, $cm->course);
0468976c 862 return capability_prohibits($capability, $parent);
bbbf2d40 863 break;
864
865 case CONTEXT_BLOCK:
866 // 1 to 1 to course.
867 $block = get_record('block_instance','id',$context->instanceid);
868 $parent = get_context_instance(CONTEXT_COURSE, $block->pageid); // needs check
0468976c 869 return capability_prohibits($capability, $parent);
bbbf2d40 870 break;
871
872 default:
873 error ('This is an unknown context!');
874 return false;
875 }
876}
877
878
879/**
880 * A print form function. This should either grab all the capabilities from
881 * files or a central table for that particular module instance, then present
882 * them in check boxes. Only relevant capabilities should print for known
883 * context.
884 * @param $mod - module id of the mod
885 */
886function print_capabilities($modid=0) {
887 global $CFG;
eef868d1 888
bbbf2d40 889 $capabilities = array();
890
891 if ($modid) {
892 // We are in a module specific context.
893
894 // Get the mod's name.
895 // Call the function that grabs the file and parse.
896 $cm = get_record('course_modules', 'id', $modid);
897 $module = get_record('modules', 'id', $cm->module);
eef868d1 898
bbbf2d40 899 } else {
900 // Print all capabilities.
901 foreach ($capabilities as $capability) {
902 // Prints the check box component.
903 }
904 }
905}
906
907
908/**
1afecc03 909 * Installs the roles system.
910 * This function runs on a fresh install as well as on an upgrade from the old
911 * hard-coded student/teacher/admin etc. roles to the new roles system.
bbbf2d40 912 */
1afecc03 913function moodle_install_roles() {
bbbf2d40 914
1afecc03 915 global $CFG, $db;
eef868d1 916
459c1ff1 917/// Create a system wide context for assignemnt.
bbbf2d40 918 $systemcontext = $context = get_context_instance(CONTEXT_SYSTEM, SITEID);
919
1afecc03 920
459c1ff1 921/// Create default/legacy roles and capabilities.
922/// (1 legacy capability per legacy role at system level).
923
924 $adminrole = create_role(get_string('administrator'), 'admin',
925 get_string('administratordescription'), 'moodle/legacy:admin');
926 $coursecreatorrole = create_role(get_string('coursecreators'), 'coursecreator',
927 get_string('coursecreatorsdescription'), 'moodle/legacy:coursecreator');
928 $editteacherrole = create_role(get_string('defaultcourseteacher'), 'editingteacher',
929 get_string('defaultcourseteacherdescription'), 'moodle/legacy:editingteacher');
930 $noneditteacherrole = create_role(get_string('noneditingteacher'), 'teacher',
931 get_string('noneditingteacherdescription'), 'moodle/legacy:teacher');
932 $studentrole = create_role(get_string('defaultcoursestudent'), 'student',
933 get_string('defaultcoursestudentdescription'), 'moodle/legacy:student');
934 $guestrole = create_role(get_string('guest'), 'guest',
935 get_string('guestdescription'), 'moodle/legacy:guest');
936
937/// Now is the correct moment to install capabilitites - after creation of legacy roles, but before assigning of roles
938
98882637 939 if (!assign_capability('moodle/site:doanything', CAP_ALLOW, $adminrole, $systemcontext->id)) {
bbbf2d40 940 error('Could not assign moodle/site:doanything to the admin role');
941 }
250934b8 942 if (!update_capabilities()) {
943 error('Had trouble upgrading the core capabilities for the Roles System');
944 }
1afecc03 945
459c1ff1 946/// Look inside user_admin, user_creator, user_teachers, user_students and
947/// assign above new roles. If a user has both teacher and student role,
948/// only teacher role is assigned. The assignment should be system level.
949
1afecc03 950 $dbtables = $db->MetaTables('TABLES');
eef868d1 951
72da5046 952/// Set up the progress bar
953
954 $usertables = array('user_admins', 'user_coursecreators', 'user_teachers', 'user_students');
955
956 $totalcount = $progresscount = 0;
957 foreach ($usertables as $usertable) {
958 if (in_array($CFG->prefix.$usertable, $dbtables)) {
959 $totalcount += count_records($usertable);
960 }
961 }
962
963 print_progress(0, $totalcount, 5, 1, 'Processing '.$totalcount.'role assignments');
1afecc03 964
459c1ff1 965/// Upgrade the admins.
966/// Sort using id ASC, first one is primary admin.
967
1afecc03 968 if (in_array($CFG->prefix.'user_admins', $dbtables)) {
f1dcf000 969 if ($rs = get_recordset_sql('SELECT * from '.$CFG->prefix.'user_admins ORDER BY ID ASC')) {
970 while (! $rs->EOF) {
971 $admin = $rs->FetchObj();
1afecc03 972 role_assign($adminrole, $admin->userid, 0, $systemcontext->id);
72da5046 973 $progresscount++;
974 print_progress($progresscount, $totalcount, 5, 1, 'Processing '.$totalcount.'role assignments');
f1dcf000 975 $rs->MoveNext();
1afecc03 976 }
977 }
978 } else {
979 // This is a fresh install.
bbbf2d40 980 }
1afecc03 981
982
459c1ff1 983/// Upgrade course creators.
1afecc03 984 if (in_array($CFG->prefix.'user_coursecreators', $dbtables)) {
f1dcf000 985 if ($rs = get_recordset('user_coursecreators')) {
986 while (! $rs->EOF) {
987 $coursecreator = $rs->FetchObj();
56b4d70d 988 role_assign($coursecreatorrole, $coursecreator->userid, 0, $systemcontext->id);
72da5046 989 $progresscount++;
990 print_progress($progresscount, $totalcount, 5, 1, 'Processing '.$totalcount.'role assignments');
f1dcf000 991 $rs->MoveNext();
1afecc03 992 }
993 }
bbbf2d40 994 }
995
1afecc03 996
459c1ff1 997/// Upgrade editting teachers and non-editting teachers.
1afecc03 998 if (in_array($CFG->prefix.'user_teachers', $dbtables)) {
f1dcf000 999 if ($rs = get_recordset('user_teachers')) {
1000 while (! $rs->EOF) {
1001 $teacher = $rs->FetchObj();
1002
17d6a25e 1003 // populate the user_lastaccess table
ece4945b 1004 $access = new object();
17d6a25e 1005 $access->timeaccess = $teacher->timeaccess;
1006 $access->userid = $teacher->userid;
1007 $access->courseid = $teacher->course;
1008 insert_record('user_lastaccess', $access);
f1dcf000 1009
17d6a25e 1010 // assign the default student role
1afecc03 1011 $coursecontext = get_context_instance(CONTEXT_COURSE, $teacher->course); // needs cache
1012 if ($teacher->editall) { // editting teacher
1013 role_assign($editteacherrole, $teacher->userid, 0, $coursecontext->id);
1014 } else {
1015 role_assign($noneditteacherrole, $teacher->userid, 0, $coursecontext->id);
1016 }
72da5046 1017 $progresscount++;
1018 print_progress($progresscount, $totalcount, 5, 1, 'Processing '.$totalcount.'role assignments');
f1dcf000 1019
1020 $rs->MoveNext();
1afecc03 1021 }
bbbf2d40 1022 }
1023 }
1afecc03 1024
1025
459c1ff1 1026/// Upgrade students.
1afecc03 1027 if (in_array($CFG->prefix.'user_students', $dbtables)) {
f1dcf000 1028 if ($rs = get_recordset('user_students')) {
1029 while (! $rs->EOF) {
1030 $student = $rs->FetchObj();
1031
17d6a25e 1032 // populate the user_lastaccess table
f1dcf000 1033 $access = new object;
17d6a25e 1034 $access->timeaccess = $student->timeaccess;
1035 $access->userid = $student->userid;
1036 $access->courseid = $student->course;
1037 insert_record('user_lastaccess', $access);
f1dcf000 1038
17d6a25e 1039 // assign the default student role
1afecc03 1040 $coursecontext = get_context_instance(CONTEXT_COURSE, $student->course);
1041 role_assign($studentrole, $student->userid, 0, $coursecontext->id);
72da5046 1042 $progresscount++;
1043 print_progress($progresscount, $totalcount, 5, 1, 'Processing '.$totalcount.'role assignments');
f1dcf000 1044
1045 $rs->MoveNext();
1afecc03 1046 }
1047 }
bbbf2d40 1048 }
1afecc03 1049
1050
459c1ff1 1051/// Upgrade guest (only 1 entry).
1afecc03 1052 if ($guestuser = get_record('user', 'username', 'guest')) {
1053 role_assign($guestrole, $guestuser->id, 0, $systemcontext->id);
1054 }
72da5046 1055 print_progress($totalcount, $totalcount, 5, 1, 'Processing '.$totalcount.'role assignments');
1afecc03 1056
459c1ff1 1057
1058/// Insert the correct records for legacy roles
945f88ca 1059 allow_assign($adminrole, $adminrole);
1060 allow_assign($adminrole, $coursecreatorrole);
1061 allow_assign($adminrole, $noneditteacherrole);
eef868d1 1062 allow_assign($adminrole, $editteacherrole);
945f88ca 1063 allow_assign($adminrole, $studentrole);
1064 allow_assign($adminrole, $guestrole);
eef868d1 1065
945f88ca 1066 allow_assign($coursecreatorrole, $noneditteacherrole);
1067 allow_assign($coursecreatorrole, $editteacherrole);
eef868d1 1068 allow_assign($coursecreatorrole, $studentrole);
945f88ca 1069 allow_assign($coursecreatorrole, $guestrole);
eef868d1 1070
1071 allow_assign($editteacherrole, $noneditteacherrole);
1072 allow_assign($editteacherrole, $studentrole);
945f88ca 1073 allow_assign($editteacherrole, $guestrole);
eef868d1 1074
459c1ff1 1075/// Set up default permissions for overrides
945f88ca 1076 allow_override($adminrole, $adminrole);
1077 allow_override($adminrole, $coursecreatorrole);
1078 allow_override($adminrole, $noneditteacherrole);
eef868d1 1079 allow_override($adminrole, $editteacherrole);
945f88ca 1080 allow_override($adminrole, $studentrole);
eef868d1 1081 allow_override($adminrole, $guestrole);
1afecc03 1082
746a04c5 1083
459c1ff1 1084/// Delete the old user tables when we are done
1085
1086 /// XXX TODO
1087
bbbf2d40 1088}
1089
bbbf2d40 1090/**
1091 * Assign the defaults found in this capabality definition to roles that have
1092 * the corresponding legacy capabilities assigned to them.
1093 * @param $legacyperms - an array in the format (example):
1094 * 'guest' => CAP_PREVENT,
1095 * 'student' => CAP_ALLOW,
1096 * 'teacher' => CAP_ALLOW,
1097 * 'editingteacher' => CAP_ALLOW,
1098 * 'coursecreator' => CAP_ALLOW,
1099 * 'admin' => CAP_ALLOW
1100 * @return boolean - success or failure.
1101 */
1102function assign_legacy_capabilities($capability, $legacyperms) {
eef868d1 1103
bbbf2d40 1104 foreach ($legacyperms as $type => $perm) {
eef868d1 1105
bbbf2d40 1106 $systemcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
eef868d1 1107
bbbf2d40 1108 // The legacy capabilities are:
1109 // 'moodle/legacy:guest'
1110 // 'moodle/legacy:student'
1111 // 'moodle/legacy:teacher'
1112 // 'moodle/legacy:editingteacher'
1113 // 'moodle/legacy:coursecreator'
1114 // 'moodle/legacy:admin'
eef868d1 1115
2e85fffe 1116 if ($roles = get_roles_with_capability('moodle/legacy:'.$type, CAP_ALLOW)) {
1117 foreach ($roles as $role) {
1118 // Assign a site level capability.
1119 if (!assign_capability($capability, $perm, $role->id, $systemcontext->id)) {
1120 return false;
1121 }
bbbf2d40 1122 }
1123 }
1124 }
1125 return true;
1126}
1127
1128
cee0901c 1129/**
1130 * Checks to see if a capability is a legacy capability.
1131 * @param $capabilityname
1132 * @return boolean
1133 */
bbbf2d40 1134function islegacy($capabilityname) {
98882637 1135 if (strstr($capabilityname, 'legacy') === false) {
eef868d1 1136 return false;
98882637 1137 } else {
eef868d1 1138 return true;
98882637 1139 }
bbbf2d40 1140}
1141
cee0901c 1142
1143
1144/**********************************
bbbf2d40 1145 * Context Manipulation functions *
1146 **********************************/
1147
bbbf2d40 1148/**
9991d157 1149 * Create a new context record for use by all roles-related stuff
bbbf2d40 1150 * @param $level
1151 * @param $instanceid
3ca2dea5 1152 *
1153 * @return object newly created context (or existing one with a debug warning)
bbbf2d40 1154 */
aad2ba95 1155function create_context($contextlevel, $instanceid) {
3ca2dea5 1156 if (!$context = get_record('context','contextlevel',$contextlevel,'instanceid',$instanceid)) {
1157 if (!validate_context($contextlevel, $instanceid)) {
1158 debugging('Error: Invalid context creation request for level "'.s($contextlevel).'", instance "'.s($instanceid).'".');
1159 return NULL;
1160 }
1161 $context = new object();
aad2ba95 1162 $context->contextlevel = $contextlevel;
bbbf2d40 1163 $context->instanceid = $instanceid;
3ca2dea5 1164 if ($id = insert_record('context',$context)) {
1165 return get_record('context','id',$id);
1166 } else {
1167 debugging('Error: could not insert new context level "'.s($contextlevel).'", instance "'.s($instanceid).'".');
1168 return NULL;
1169 }
1170 } else {
1171 debugging('Warning: Context id "'.s($context->id).'" not created, because it already exists.');
1172 return $context;
bbbf2d40 1173 }
1174}
1175
9991d157 1176/**
1177 * Create a new context record for use by all roles-related stuff
1178 * @param $level
1179 * @param $instanceid
3ca2dea5 1180 *
1181 * @return true if properly deleted
9991d157 1182 */
1183function delete_context($contextlevel, $instanceid) {
1184 if ($context = get_context_instance($contextlevel, $instanceid)) {
1185 return delete_records('context', 'id', $context->id) &&
1186 delete_records('role_assignments', 'contextid', $context->id) &&
1187 delete_records('role_role_capabilities', 'contextid', $context->id);
1188 }
1189 return true;
1190}
1191
3ca2dea5 1192/**
1193 * Validate that object with instanceid really exists in given context level.
1194 *
1195 * return if instanceid object exists
1196 */
1197function validate_context($contextlevel, $instanceid) {
1198 switch ($contextlevel) {
1199
1200 case CONTEXT_SYSTEM:
1201 return ($instanceid == SITEID);
1202
1203 case CONTEXT_PERSONAL:
1204 return (boolean)count_records('user', 'id', $instanceid);
1205
1206 case CONTEXT_USER:
1207 return (boolean)count_records('user', 'id', $instanceid);
1208
1209 case CONTEXT_COURSECAT:
1cd3eba9 1210 if ($instanceid == 0) {
1211 return true; // site course category
1212 }
3ca2dea5 1213 return (boolean)count_records('course_categories', 'id', $instanceid);
1214
1215 case CONTEXT_COURSE:
1216 return (boolean)count_records('course', 'id', $instanceid);
1217
1218 case CONTEXT_GROUP:
1219 return (boolean)count_records('groups', 'id', $instanceid);
1220
1221 case CONTEXT_MODULE:
1222 return (boolean)count_records('course_modules', 'id', $instanceid);
1223
1224 case CONTEXT_BLOCK:
1225 return (boolean)count_records('block_instance', 'id', $instanceid);
1226
1227 default:
1228 return false;
1229 }
1230}
bbbf2d40 1231
1232/**
1233 * Get the context instance as an object. This function will create the
1234 * context instance if it does not exist yet.
1235 * @param $level
1236 * @param $instance
1237 */
aad2ba95 1238function get_context_instance($contextlevel=NULL, $instance=SITEID) {
e5605780 1239
51195e6f 1240 global $context_cache, $context_cache_id, $CONTEXT;
a36a3a3f 1241 static $allowed_contexts = array(CONTEXT_SYSTEM, CONTEXT_PERSONAL, CONTEXT_USER, CONTEXT_COURSECAT, CONTEXT_COURSE, CONTEXT_GROUP, CONTEXT_MODULE, CONTEXT_BLOCK);
d9a35e12 1242
340ea4e8 1243/// If no level is supplied then return the current global context if there is one
aad2ba95 1244 if (empty($contextlevel)) {
340ea4e8 1245 if (empty($CONTEXT)) {
a36a3a3f 1246 //fatal error, code must be fixed
1247 error("Error: get_context_instance() called without a context");
340ea4e8 1248 } else {
1249 return $CONTEXT;
1250 }
e5605780 1251 }
1252
a36a3a3f 1253/// check allowed context levels
1254 if (!in_array($contextlevel, $allowed_contexts)) {
7bfa3101 1255 // fatal error, code must be fixed - probably typo or switched parameters
a36a3a3f 1256 error('Error: get_context_instance() called with incorrect context level "'.s($contextlevel).'"');
1257 }
1258
340ea4e8 1259/// Check the cache
aad2ba95 1260 if (isset($context_cache[$contextlevel][$instance])) { // Already cached
1261 return $context_cache[$contextlevel][$instance];
e5605780 1262 }
1263
340ea4e8 1264/// Get it from the database, or create it
aad2ba95 1265 if (!$context = get_record('context', 'contextlevel', $contextlevel, 'instanceid', $instance)) {
1266 create_context($contextlevel, $instance);
1267 $context = get_record('context', 'contextlevel', $contextlevel, 'instanceid', $instance);
e5605780 1268 }
1269
ccfc5ecc 1270/// Only add to cache if context isn't empty.
1271 if (!empty($context)) {
aad2ba95 1272 $context_cache[$contextlevel][$instance] = $context; // Cache it for later
ccfc5ecc 1273 $context_cache_id[$context->id] = $context; // Cache it for later
1274 }
0468976c 1275
bbbf2d40 1276 return $context;
1277}
1278
cee0901c 1279
340ea4e8 1280/**
1281 * Get a context instance as an object, from a given id.
1282 * @param $id
1283 */
1284function get_context_instance_by_id($id) {
1285
d9a35e12 1286 global $context_cache, $context_cache_id;
1287
340ea4e8 1288 if (isset($context_cache_id[$id])) { // Already cached
75e84883 1289 return $context_cache_id[$id];
340ea4e8 1290 }
1291
1292 if ($context = get_record('context', 'id', $id)) { // Update the cache and return
aad2ba95 1293 $context_cache[$context->contextlevel][$context->instanceid] = $context;
340ea4e8 1294 $context_cache_id[$context->id] = $context;
1295 return $context;
1296 }
1297
1298 return false;
1299}
1300
bbbf2d40 1301
8737be58 1302/**
1303 * Get the local override (if any) for a given capability in a role in a context
1304 * @param $roleid
0468976c 1305 * @param $contextid
1306 * @param $capability
8737be58 1307 */
1308function get_local_override($roleid, $contextid, $capability) {
1309 return get_record('role_capabilities', 'roleid', $roleid, 'capability', $capability, 'contextid', $contextid);
1310}
1311
1312
bbbf2d40 1313
1314/************************************
1315 * DB TABLE RELATED FUNCTIONS *
1316 ************************************/
1317
cee0901c 1318/**
bbbf2d40 1319 * function that creates a role
1320 * @param name - role name
31f26796 1321 * @param shortname - role short name
bbbf2d40 1322 * @param description - role description
1323 * @param legacy - optional legacy capability
1324 * @return id or false
1325 */
8420bee9 1326function create_role($name, $shortname, $description, $legacy='') {
eef868d1 1327
98882637 1328 // check for duplicate role name
eef868d1 1329
98882637 1330 if ($role = get_record('role','name', $name)) {
eef868d1 1331 error('there is already a role with this name!');
98882637 1332 }
eef868d1 1333
31f26796 1334 if ($role = get_record('role','shortname', $shortname)) {
eef868d1 1335 error('there is already a role with this shortname!');
31f26796 1336 }
1337
b5959f30 1338 $role = new object();
98882637 1339 $role->name = $name;
31f26796 1340 $role->shortname = $shortname;
98882637 1341 $role->description = $description;
eef868d1 1342
8420bee9 1343 //find free sortorder number
1344 $role->sortorder = count_records('role');
1345 while (get_record('role','sortorder', $role->sortorder)) {
1346 $role->sortorder += 1;
b5959f30 1347 }
1348
eef868d1 1349 $context = get_context_instance(CONTEXT_SYSTEM, SITEID);
1350
98882637 1351 if ($id = insert_record('role', $role)) {
eef868d1 1352 if ($legacy) {
1353 assign_capability($legacy, CAP_ALLOW, $id, $context->id);
98882637 1354 }
eef868d1 1355
ec7a8b79 1356 /// By default, users with role:manage at site level
1357 /// should be able to assign users to this new role, and override this new role's capabilities
eef868d1 1358
ec7a8b79 1359 // find all admin roles
e46c0987 1360 if ($adminroles = get_roles_with_capability('moodle/role:manage', CAP_ALLOW, $context)) {
1361 // foreach admin role
1362 foreach ($adminroles as $arole) {
1363 // write allow_assign and allow_overrid
1364 allow_assign($arole->id, $id);
eef868d1 1365 allow_override($arole->id, $id);
e46c0987 1366 }
ec7a8b79 1367 }
eef868d1 1368
98882637 1369 return $id;
1370 } else {
eef868d1 1371 return false;
98882637 1372 }
eef868d1 1373
bbbf2d40 1374}
1375
8420bee9 1376/**
1377 * function that deletes a role and cleanups up after it
1378 * @param roleid - id of role to delete
1379 * @return success
1380 */
1381function delete_role($roleid) {
1382 $success = true;
1383
1384// first unssign all users
1385 if (!role_unassign($roleid)) {
1386 debugging("Error while unassigning all users from role with ID $roleid!");
1387 $success = false;
1388 }
1389
1390// cleanup all references to this role, ignore errors
1391 if ($success) {
1392 delete_records('role_capabilities', 'roleid', $roleid);
1393 delete_records('role_allow_assign', 'roleid', $roleid);
1394 delete_records('role_allow_assign', 'allowassign', $roleid);
1395 delete_records('role_allow_override', 'roleid', $roleid);
1396 delete_records('role_allow_override', 'allowoverride', $roleid);
1397 delete_records('role_names', 'roleid', $roleid);
1398 }
1399
1400// finally delete the role itself
1401 if ($success and !delete_records('role', 'id', $roleid)) {
ece4945b 1402 debugging("Could not delete role record with ID $roleid!");
8420bee9 1403 $success = false;
1404 }
1405
1406 return $success;
1407}
1408
bbbf2d40 1409/**
1410 * Function to write context specific overrides, or default capabilities.
1411 * @param module - string name
1412 * @param capability - string name
1413 * @param contextid - context id
1414 * @param roleid - role id
1415 * @param permission - int 1,-1 or -1000
1416 */
e7876c1e 1417function assign_capability($capability, $permission, $roleid, $contextid, $overwrite=false) {
eef868d1 1418
98882637 1419 global $USER;
eef868d1 1420
98882637 1421 if (empty($permission) || $permission == 0) { // if permission is not set
eef868d1 1422 unassign_capability($capability, $roleid, $contextid);
98882637 1423 }
eef868d1 1424
2e85fffe 1425 $existing = get_record('role_capabilities', 'contextid', $contextid, 'roleid', $roleid, 'capability', $capability);
e7876c1e 1426
1427 if ($existing and !$overwrite) { // We want to keep whatever is there already
1428 return true;
1429 }
1430
bbbf2d40 1431 $cap = new object;
1432 $cap->contextid = $contextid;
1433 $cap->roleid = $roleid;
1434 $cap->capability = $capability;
1435 $cap->permission = $permission;
1436 $cap->timemodified = time();
9db12da7 1437 $cap->modifierid = empty($USER->id) ? 0 : $USER->id;
e7876c1e 1438
1439 if ($existing) {
1440 $cap->id = $existing->id;
1441 return update_record('role_capabilities', $cap);
1442 } else {
1443 return insert_record('role_capabilities', $cap);
1444 }
bbbf2d40 1445}
1446
1447
1448/**
1449 * Unassign a capability from a role.
1450 * @param $roleid - the role id
1451 * @param $capability - the name of the capability
1452 * @return boolean - success or failure
1453 */
1454function unassign_capability($capability, $roleid, $contextid=NULL) {
eef868d1 1455
98882637 1456 if (isset($contextid)) {
1457 $status = delete_records('role_capabilities', 'capability', $capability,
1458 'roleid', $roleid, 'contextid', $contextid);
1459 } else {
1460 $status = delete_records('role_capabilities', 'capability', $capability,
1461 'roleid', $roleid);
1462 }
1463 return $status;
bbbf2d40 1464}
1465
1466
1467/**
759ac72d 1468 * Get the roles that have a given capability assigned to it. This function
1469 * does not resolve the actual permission of the capability. It just checks
1470 * for assignment only.
bbbf2d40 1471 * @param $capability - capability name (string)
1472 * @param $permission - optional, the permission defined for this capability
1473 * either CAP_ALLOW, CAP_PREVENT or CAP_PROHIBIT
1474 * @return array or role objects
1475 */
ec7a8b79 1476function get_roles_with_capability($capability, $permission=NULL, $context='') {
1477
bbbf2d40 1478 global $CFG;
eef868d1 1479
ec7a8b79 1480 if ($context) {
1481 if ($contexts = get_parent_contexts($context)) {
1482 $listofcontexts = '('.implode(',', $contexts).')';
1483 } else {
1484 $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
eef868d1 1485 $listofcontexts = '('.$sitecontext->id.')'; // must be site
1486 }
42ac3ecf 1487 $contextstr = "AND (rc.contextid = '$context->id' OR rc.contextid IN $listofcontexts)";
ec7a8b79 1488 } else {
1489 $contextstr = '';
1490 }
eef868d1 1491
1492 $selectroles = "SELECT r.*
42ac3ecf 1493 FROM {$CFG->prefix}role r,
1494 {$CFG->prefix}role_capabilities rc
bbbf2d40 1495 WHERE rc.capability = '$capability'
ec7a8b79 1496 AND rc.roleid = r.id $contextstr";
bbbf2d40 1497
1498 if (isset($permission)) {
1499 $selectroles .= " AND rc.permission = '$permission'";
1500 }
1501 return get_records_sql($selectroles);
1502}
1503
1504
1505/**
a9e1c058 1506 * This function makes a role-assignment (a role for a user or group in a particular context)
bbbf2d40 1507 * @param $roleid - the role of the id
1508 * @param $userid - userid
1509 * @param $groupid - group id
1510 * @param $contextid - id of the context
1511 * @param $timestart - time this assignment becomes effective
1512 * @param $timeend - time this assignemnt ceases to be effective
1513 * @uses $USER
1514 * @return id - new id of the assigment
1515 */
f44152f4 1516function role_assign($roleid, $userid, $groupid, $contextid, $timestart=0, $timeend=0, $hidden=0, $enrol='manual') {
aa311411 1517 global $USER, $CFG;
bbbf2d40 1518
7eb0b60a 1519 debugging("Assign roleid $roleid userid $userid contextid $contextid", DEBUG_DEVELOPER);
bbbf2d40 1520
a9e1c058 1521/// Do some data validation
1522
bbbf2d40 1523 if (empty($roleid)) {
9d829c68 1524 debugging('Role ID not provided');
a9e1c058 1525 return false;
bbbf2d40 1526 }
1527
1528 if (empty($userid) && empty($groupid)) {
9d829c68 1529 debugging('Either userid or groupid must be provided');
a9e1c058 1530 return false;
bbbf2d40 1531 }
eef868d1 1532
7700027f 1533 if ($userid && !record_exists('user', 'id', $userid)) {
82396e5b 1534 debugging('User ID '.intval($userid).' does not exist!');
7700027f 1535 return false;
1536 }
bbbf2d40 1537
dc411d1b 1538 if ($groupid && !record_exists('groups', 'id', $groupid)) {
82396e5b 1539 debugging('Group ID '.intval($groupid).' does not exist!');
dc411d1b 1540 return false;
1541 }
1542
7700027f 1543 if (!$context = get_context_instance_by_id($contextid)) {
82396e5b 1544 debugging('Context ID '.intval($contextid).' does not exist!');
a9e1c058 1545 return false;
bbbf2d40 1546 }
1547
a9e1c058 1548 if (($timestart and $timeend) and ($timestart > $timeend)) {
9d829c68 1549 debugging('The end time can not be earlier than the start time');
a9e1c058 1550 return false;
1551 }
1552
7700027f 1553
a9e1c058 1554/// Check for existing entry
1555 if ($userid) {
7700027f 1556 $ra = get_record('role_assignments', 'roleid', $roleid, 'contextid', $context->id, 'userid', $userid);
a9e1c058 1557 } else {
7700027f 1558 $ra = get_record('role_assignments', 'roleid', $roleid, 'contextid', $context->id, 'groupid', $groupid);
a9e1c058 1559 }
1560
9ebcb4d2 1561
a9e1c058 1562 $newra = new object;
bbbf2d40 1563
a9e1c058 1564 if (empty($ra)) { // Create a new entry
1565 $newra->roleid = $roleid;
7700027f 1566 $newra->contextid = $context->id;
a9e1c058 1567 $newra->userid = $userid;
1568 $newra->groupid = $groupid;
1569
1570 $newra->hidden = $hidden;
f44152f4 1571 $newra->enrol = $enrol;
a9e1c058 1572 $newra->timestart = $timestart;
1573 $newra->timeend = $timeend;
1574 $newra->timemodified = time();
1575 $newra->modifier = empty($USER->id) ? 0 : $USER->id;
1576
9ebcb4d2 1577 $success = insert_record('role_assignments', $newra);
a9e1c058 1578
1579 } else { // We already have one, just update it
1580
1581 $newra->id = $ra->id;
1582 $newra->hidden = $hidden;
f44152f4 1583 $newra->enrol = $enrol;
a9e1c058 1584 $newra->timestart = $timestart;
1585 $newra->timeend = $timeend;
1586 $newra->timemodified = time();
1587 $newra->modifier = empty($USER->id) ? 0 : $USER->id;
1588
9ebcb4d2 1589 $success = update_record('role_assignments', $newra);
1590 }
1591
7700027f 1592 if ($success) { /// Role was assigned, so do some other things
1593
1594 /// If the user is the current user, then reload the capabilities too.
1595 if (!empty($USER->id) && $USER->id == $userid) {
1596 load_user_capability();
1597 }
1598
0f161e1f 1599 /// Ask all the modules if anything needs to be done for this user
1600 if ($mods = get_list_of_plugins('mod')) {
1601 foreach ($mods as $mod) {
1602 include_once($CFG->dirroot.'/mod/'.$mod.'/lib.php');
1603 $functionname = $mod.'_role_assign';
1604 if (function_exists($functionname)) {
1605 $functionname($userid, $context);
1606 }
1607 }
1608 }
1609
1610 /// Make sure they have an entry in user_lastaccess for courses they can access
1611 // role_add_lastaccess_entries($userid, $context);
a9e1c058 1612 }
eef868d1 1613
4e5f3064 1614 /// now handle metacourse role assignments if in course context
aad2ba95 1615 if ($success and $context->contextlevel == CONTEXT_COURSE) {
4e5f3064 1616 if ($parents = get_records('course_meta', 'child_course', $context->instanceid)) {
1617 foreach ($parents as $parent) {
1aad4310 1618 sync_metacourse($parent->parent_course);
4e5f3064 1619 }
1620 }
1621 }
6eb4f823 1622
1623 return $success;
bbbf2d40 1624}
1625
1626
1627/**
1dc1f037 1628 * Deletes one or more role assignments. You must specify at least one parameter.
bbbf2d40 1629 * @param $roleid
1630 * @param $userid
1631 * @param $groupid
1632 * @param $contextid
1633 * @return boolean - success or failure
1634 */
1dc1f037 1635function role_unassign($roleid=0, $userid=0, $groupid=0, $contextid=0) {
d74067e8 1636
1637 global $USER, $CFG;
eef868d1 1638
4e5f3064 1639 $success = true;
d74067e8 1640
1dc1f037 1641 $args = array('roleid', 'userid', 'groupid', 'contextid');
1642 $select = array();
1643 foreach ($args as $arg) {
1644 if ($$arg) {
1645 $select[] = $arg.' = '.$$arg;
1646 }
1647 }
d74067e8 1648
1dc1f037 1649 if ($select) {
4e5f3064 1650 if ($ras = get_records_select('role_assignments', implode(' AND ', $select))) {
1651 $mods = get_list_of_plugins('mod');
1652 foreach($ras as $ra) {
86e2c51d 1653 /// infinite loop protection when deleting recursively
1654 if (!$ra = get_record('role_assignments', 'id', $ra->id)) {
1655 continue;
1656 }
4e5f3064 1657 $success = delete_records('role_assignments', 'id', $ra->id) and $success;
86e2c51d 1658
4e5f3064 1659 /// If the user is the current user, then reload the capabilities too.
1660 if (!empty($USER->id) && $USER->id == $ra->userid) {
1661 load_user_capability();
1662 }
1663 $context = get_record('context', 'id', $ra->contextid);
0f161e1f 1664
1665 /// Ask all the modules if anything needs to be done for this user
4e5f3064 1666 foreach ($mods as $mod) {
1667 include_once($CFG->dirroot.'/mod/'.$mod.'/lib.php');
1668 $functionname = $mod.'_role_unassign';
1669 if (function_exists($functionname)) {
1670 $functionname($ra->userid, $context); // watch out, $context might be NULL if something goes wrong
1671 }
1672 }
1673
1674 /// now handle metacourse role unassigment and removing from goups if in course context
aad2ba95 1675 if (!empty($context) and $context->contextlevel == CONTEXT_COURSE) {
4e5f3064 1676 //remove from groups when user has no role
1677 $roles = get_user_roles($context, $ra->userid, true);
1678 if (empty($roles)) {
1679 if ($groups = get_groups($context->instanceid, $ra->userid)) {
1680 foreach ($groups as $group) {
1681 delete_records('groups_members', 'groupid', $group->id, 'userid', $ra->userid);
1682 }
1683 }
1684 }
1aad4310 1685 //unassign roles in metacourses if needed
4e5f3064 1686 if ($parents = get_records('course_meta', 'child_course', $context->instanceid)) {
1687 foreach ($parents as $parent) {
1aad4310 1688 sync_metacourse($parent->parent_course);
0f161e1f 1689 }
1690 }
0f161e1f 1691 }
1692 }
d74067e8 1693 }
1dc1f037 1694 }
4e5f3064 1695
1696 return $success;
bbbf2d40 1697}
1698
eef868d1 1699/*
1700 * A convenience function to take care of the common case where you
b963384f 1701 * just want to enrol someone using the default role into a course
1702 *
1703 * @param object $course
1704 * @param object $user
1705 * @param string $enrol - the plugin used to do this enrolment
1706 */
1707function enrol_into_course($course, $user, $enrol) {
1708
1709 if ($course->enrolperiod) {
1710 $timestart = time();
1711 $timeend = time() + $course->enrolperiod;
1712 } else {
1713 $timestart = $timeend = 0;
1714 }
1715
1716 if ($role = get_default_course_role($course)) {
c4381ef5 1717
1718 $context = get_context_instance(CONTEXT_COURSE, $course->id);
1719
e2183037 1720 if (!role_assign($role->id, $user->id, 0, $context->id, $timestart, $timeend, 0, $enrol)) {
b963384f 1721 return false;
1722 }
eef868d1 1723
b963384f 1724 email_welcome_message_to_user($course, $user);
eef868d1 1725
b963384f 1726 add_to_log($course->id, 'course', 'enrol', 'view.php?id='.$course->id, $user->id);
1727
1728 return true;
1729 }
1730
1731 return false;
1732}
1733
0f161e1f 1734/**
1735 * Add last access times to user_lastaccess as required
1736 * @param $userid
1737 * @param $context
1738 * @return boolean - success or failure
1739 */
1740function role_add_lastaccess_entries($userid, $context) {
1741
1742 global $USER, $CFG;
1743
aad2ba95 1744 if (empty($context->contextlevel)) {
0f161e1f 1745 return false;
1746 }
1747
1748 $lastaccess = new object; // Reusable object below
1749 $lastaccess->userid = $userid;
1750 $lastaccess->timeaccess = 0;
1751
aad2ba95 1752 switch ($context->contextlevel) {
0f161e1f 1753
1754 case CONTEXT_SYSTEM: // For the whole site
1755 if ($courses = get_record('course')) {
1756 foreach ($courses as $course) {
1757 $lastaccess->courseid = $course->id;
1758 role_set_lastaccess($lastaccess);
1759 }
1760 }
1761 break;
1762
1763 case CONTEXT_CATEGORY: // For a whole category
1764 if ($courses = get_record('course', 'category', $context->instanceid)) {
1765 foreach ($courses as $course) {
1766 $lastaccess->courseid = $course->id;
1767 role_set_lastaccess($lastaccess);
1768 }
1769 }
1770 if ($categories = get_record('course_categories', 'parent', $context->instanceid)) {
1771 foreach ($categories as $category) {
1772 $subcontext = get_context_instance(CONTEXT_CATEGORY, $category->id);
1773 role_add_lastaccess_entries($userid, $subcontext);
1774 }
1775 }
1776 break;
eef868d1 1777
0f161e1f 1778
1779 case CONTEXT_COURSE: // For a whole course
1780 if ($course = get_record('course', 'id', $context->instanceid)) {
1781 $lastaccess->courseid = $course->id;
1782 role_set_lastaccess($lastaccess);
1783 }
1784 break;
1785 }
1786}
1787
1788/**
1789 * Delete last access times from user_lastaccess as required
1790 * @param $userid
1791 * @param $context
1792 * @return boolean - success or failure
1793 */
1794function role_remove_lastaccess_entries($userid, $context) {
1795
1796 global $USER, $CFG;
1797
1798}
1799
bbbf2d40 1800
1801/**
1802 * Loads the capability definitions for the component (from file). If no
1803 * capabilities are defined for the component, we simply return an empty array.
1804 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
1805 * @return array of capabilities
1806 */
1807function load_capability_def($component) {
1808 global $CFG;
1809
1810 if ($component == 'moodle') {
1811 $defpath = $CFG->libdir.'/db/access.php';
1812 $varprefix = 'moodle';
1813 } else {
0c4d9f49 1814 $compparts = explode('/', $component);
eef868d1 1815
0c4d9f49 1816 if ($compparts[0] == 'block') {
1817 // Blocks are an exception. Blocks directory is 'blocks', and not
1818 // 'block'. So we need to jump through hoops.
1819 $defpath = $CFG->dirroot.'/'.$compparts[0].
1820 's/'.$compparts[1].'/db/access.php';
1821 $varprefix = $compparts[0].'_'.$compparts[1];
1822 } else {
1823 $defpath = $CFG->dirroot.'/'.$component.'/db/access.php';
1824 $varprefix = str_replace('/', '_', $component);
1825 }
bbbf2d40 1826 }
1827 $capabilities = array();
eef868d1 1828
bbbf2d40 1829 if (file_exists($defpath)) {
1830 require_once($defpath);
1831 $capabilities = ${$varprefix.'_capabilities'};
1832 }
1833 return $capabilities;
1834}
1835
1836
1837/**
1838 * Gets the capabilities that have been cached in the database for this
1839 * component.
1840 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
1841 * @return array of capabilities
1842 */
1843function get_cached_capabilities($component='moodle') {
1844 if ($component == 'moodle') {
1845 $storedcaps = get_records_select('capabilities',
1846 "name LIKE 'moodle/%:%'");
1847 } else {
1848 $storedcaps = get_records_select('capabilities',
1849 "name LIKE '$component:%'");
1850 }
1851 return $storedcaps;
1852}
1853
1854
1855/**
1856 * Updates the capabilities table with the component capability definitions.
1857 * If no parameters are given, the function updates the core moodle
1858 * capabilities.
1859 *
1860 * Note that the absence of the db/access.php capabilities definition file
1861 * will cause any stored capabilities for the component to be removed from
eef868d1 1862 * the database.
bbbf2d40 1863 *
1864 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
1865 * @return boolean
1866 */
1867function update_capabilities($component='moodle') {
eef868d1 1868
bbbf2d40 1869 $storedcaps = array();
be4486da 1870
1871 $filecaps = load_capability_def($component);
bbbf2d40 1872 $cachedcaps = get_cached_capabilities($component);
1873 if ($cachedcaps) {
1874 foreach ($cachedcaps as $cachedcap) {
1875 array_push($storedcaps, $cachedcap->name);
be4486da 1876 // update risk bitmasks in existing capabilitites if needed
1877 if (array_key_exists($cachedcap->name, $filecaps)) {
1878 if (!array_key_exists('riskbitmask', $filecaps[$cachedcap->name])) {
2b531945 1879 $filecaps[$cachedcap->name]['riskbitmask'] = 0; // no risk if not specified
be4486da 1880 }
1881 if ($cachedcap->riskbitmask != $filecaps[$cachedcap->name]['riskbitmask']) {
1882 $updatecap = new object;
1883 $updatecap->id = $cachedcap->id;
1884 $updatecap->riskbitmask = $filecaps[$cachedcap->name]['riskbitmask'];
1885 if (!update_record('capabilities', $updatecap)) {
1886 return false;
1887 }
1888 }
1889 }
bbbf2d40 1890 }
1891 }
be4486da 1892
bbbf2d40 1893 // Are there new capabilities in the file definition?
1894 $newcaps = array();
eef868d1 1895
bbbf2d40 1896 foreach ($filecaps as $filecap => $def) {
eef868d1 1897 if (!$storedcaps ||
bbbf2d40 1898 ($storedcaps && in_array($filecap, $storedcaps) === false)) {
2b531945 1899 if (!array_key_exists('riskbitmask', $def)) {
1900 $def['riskbitmask'] = 0; // no risk if not specified
1901 }
bbbf2d40 1902 $newcaps[$filecap] = $def;
1903 }
1904 }
1905 // Add new capabilities to the stored definition.
1906 foreach ($newcaps as $capname => $capdef) {
1907 $capability = new object;
1908 $capability->name = $capname;
1909 $capability->captype = $capdef['captype'];
1910 $capability->contextlevel = $capdef['contextlevel'];
1911 $capability->component = $component;
be4486da 1912 $capability->riskbitmask = $capdef['riskbitmask'];
eef868d1 1913
bbbf2d40 1914 if (!insert_record('capabilities', $capability, false, 'id')) {
1915 return false;
1916 }
eef868d1 1917
bbbf2d40 1918 // Do we need to assign the new capabilities to roles that have the
1919 // legacy capabilities moodle/legacy:* as well?
1920 if (isset($capdef['legacy']) && is_array($capdef['legacy']) &&
1921 !assign_legacy_capabilities($capname, $capdef['legacy'])) {
2e85fffe 1922 notify('Could not assign legacy capabilities for '.$capname);
bbbf2d40 1923 }
1924 }
1925 // Are there any capabilities that have been removed from the file
1926 // definition that we need to delete from the stored capabilities and
1927 // role assignments?
1928 capabilities_cleanup($component, $filecaps);
eef868d1 1929
bbbf2d40 1930 return true;
1931}
1932
1933
1934/**
1935 * Deletes cached capabilities that are no longer needed by the component.
1936 * Also unassigns these capabilities from any roles that have them.
1937 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
1938 * @param $newcapdef - array of the new capability definitions that will be
1939 * compared with the cached capabilities
1940 * @return int - number of deprecated capabilities that have been removed
1941 */
1942function capabilities_cleanup($component, $newcapdef=NULL) {
eef868d1 1943
bbbf2d40 1944 $removedcount = 0;
eef868d1 1945
bbbf2d40 1946 if ($cachedcaps = get_cached_capabilities($component)) {
1947 foreach ($cachedcaps as $cachedcap) {
1948 if (empty($newcapdef) ||
1949 array_key_exists($cachedcap->name, $newcapdef) === false) {
eef868d1 1950
bbbf2d40 1951 // Remove from capabilities cache.
1952 if (!delete_records('capabilities', 'name', $cachedcap->name)) {
1953 error('Could not delete deprecated capability '.$cachedcap->name);
1954 } else {
1955 $removedcount++;
1956 }
1957 // Delete from roles.
1958 if($roles = get_roles_with_capability($cachedcap->name)) {
1959 foreach($roles as $role) {
46943f7b 1960 if (!unassign_capability($cachedcap->name, $role->id)) {
bbbf2d40 1961 error('Could not unassign deprecated capability '.
1962 $cachedcap->name.' from role '.$role->name);
1963 }
1964 }
1965 }
1966 } // End if.
1967 }
1968 }
1969 return $removedcount;
1970}
1971
1972
1973
cee0901c 1974/****************
1975 * UI FUNCTIONS *
1976 ****************/
bbbf2d40 1977
1978
1979/**
1980 * prints human readable context identifier.
1981 */
0468976c 1982function print_context_name($context) {
340ea4e8 1983
ec0810ee 1984 $name = '';
aad2ba95 1985 switch ($context->contextlevel) {
ec0810ee 1986
bbbf2d40 1987 case CONTEXT_SYSTEM: // by now it's a definite an inherit
ec0810ee 1988 $name = get_string('site');
340ea4e8 1989 break;
bbbf2d40 1990
1991 case CONTEXT_PERSONAL:
ec0810ee 1992 $name = get_string('personal');
340ea4e8 1993 break;
1994
4b10f08b 1995 case CONTEXT_USER:
ec0810ee 1996 if ($user = get_record('user', 'id', $context->instanceid)) {
1997 $name = get_string('user').': '.fullname($user);
1998 }
340ea4e8 1999 break;
2000
bbbf2d40 2001 case CONTEXT_COURSECAT: // Coursecat -> coursecat or site
ec0810ee 2002 if ($category = get_record('course_categories', 'id', $context->instanceid)) {
2003 $name = get_string('category').': '.$category->name;
2004 }
340ea4e8 2005 break;
bbbf2d40 2006
2007 case CONTEXT_COURSE: // 1 to 1 to course cat
ec0810ee 2008 if ($course = get_record('course', 'id', $context->instanceid)) {
2009 $name = get_string('course').': '.$course->fullname;
2010 }
340ea4e8 2011 break;
bbbf2d40 2012
2013 case CONTEXT_GROUP: // 1 to 1 to course
ec0810ee 2014 if ($group = get_record('groups', 'id', $context->instanceid)) {
2015 $name = get_string('group').': '.$group->name;
2016 }
340ea4e8 2017 break;
bbbf2d40 2018
2019 case CONTEXT_MODULE: // 1 to 1 to course
98882637 2020 if ($cm = get_record('course_modules','id',$context->instanceid)) {
2021 if ($module = get_record('modules','id',$cm->module)) {
2022 if ($mod = get_record($module->name, 'id', $cm->instance)) {
ec0810ee 2023 $name = get_string('activitymodule').': '.$mod->name;
98882637 2024 }
ec0810ee 2025 }
2026 }
340ea4e8 2027 break;
bbbf2d40 2028
2029 case CONTEXT_BLOCK: // 1 to 1 to course
98882637 2030 if ($blockinstance = get_record('block_instance','id',$context->instanceid)) {
2031 if ($block = get_record('block','id',$blockinstance->blockid)) {
91be52d7 2032 global $CFG;
2033 require_once("$CFG->dirroot/blocks/moodleblock.class.php");
2034 require_once("$CFG->dirroot/blocks/$block->name/block_$block->name.php");
2035 $blockname = "block_$block->name";
2036 if ($blockobject = new $blockname()) {
2037 $name = $blockobject->title.' ('.get_string('block').')';
2038 }
ec0810ee 2039 }
2040 }
340ea4e8 2041 break;
bbbf2d40 2042
2043 default:
2044 error ('This is an unknown context!');
340ea4e8 2045 return false;
2046
2047 }
340ea4e8 2048 return $name;
bbbf2d40 2049}
2050
2051
2052/**
eef868d1 2053 * Extracts the relevant capabilities given a contextid.
bbbf2d40 2054 * All case based, example an instance of forum context.
2055 * Will fetch all forum related capabilities, while course contexts
2056 * Will fetch all capabilities
0468976c 2057 * @param object context
bbbf2d40 2058 * @return array();
2059 *
2060 * capabilities
2061 * `name` varchar(150) NOT NULL,
2062 * `captype` varchar(50) NOT NULL,
2063 * `contextlevel` int(10) NOT NULL,
2064 * `component` varchar(100) NOT NULL,
2065 */
0468976c 2066function fetch_context_capabilities($context) {
eef868d1 2067
98882637 2068 global $CFG;
bbbf2d40 2069
2070 $sort = 'ORDER BY contextlevel,component,id'; // To group them sensibly for display
eef868d1 2071
aad2ba95 2072 switch ($context->contextlevel) {
bbbf2d40 2073
98882637 2074 case CONTEXT_SYSTEM: // all
2075 $SQL = "select * from {$CFG->prefix}capabilities";
bbbf2d40 2076 break;
2077
2078 case CONTEXT_PERSONAL:
0a8a95c9 2079 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_PERSONAL;
bbbf2d40 2080 break;
eef868d1 2081
4b10f08b 2082 case CONTEXT_USER:
2083 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_USER;
bbbf2d40 2084 break;
eef868d1 2085
bbbf2d40 2086 case CONTEXT_COURSECAT: // all
98882637 2087 $SQL = "select * from {$CFG->prefix}capabilities";
bbbf2d40 2088 break;
2089
2090 case CONTEXT_COURSE: // all
98882637 2091 $SQL = "select * from {$CFG->prefix}capabilities";
bbbf2d40 2092 break;
2093
2094 case CONTEXT_GROUP: // group caps
2095 break;
2096
2097 case CONTEXT_MODULE: // mod caps
98882637 2098 $cm = get_record('course_modules', 'id', $context->instanceid);
2099 $module = get_record('modules', 'id', $cm->module);
eef868d1 2100
98882637 2101 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_MODULE."
2102 and component = 'mod/$module->name'";
bbbf2d40 2103 break;
2104
2105 case CONTEXT_BLOCK: // block caps
98882637 2106 $cb = get_record('block_instance', 'id', $context->instanceid);
2107 $block = get_record('block', 'id', $cb->blockid);
eef868d1 2108
98882637 2109 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_BLOCK."
2110 and component = 'block/$block->name'";
bbbf2d40 2111 break;
2112
2113 default:
2114 return false;
2115 }
2116
16e2e2f3 2117 if (!$records = get_records_sql($SQL.' '.$sort)) {
2118 $records = array();
2119 }
759ac72d 2120 $contextindependentcaps = fetch_context_independent_capabilities();
2121 $records = array_merge($records, $contextindependentcaps);
69eb59f2 2122
2123 // special sorting of core system capabiltites and enrollments
aad2ba95 2124 if ($context->contextlevel == CONTEXT_SYSTEM) {
69eb59f2 2125 $first = array();
2126 foreach ($records as $key=>$record) {
2127 if (preg_match('|^moodle/|', $record->name) and $record->contextlevel == CONTEXT_SYSTEM) {
2128 $first[$key] = $record;
2129 unset($records[$key]);
2130 } else if (count($first)){
2131 break;
2132 }
2133 }
2134 if (count($first)) {
2135 $records = $first + $records; // merge the two arrays keeping the keys
2136 }
2137 }
2138 // end of special sorting
bbbf2d40 2139 return $records;
eef868d1 2140
bbbf2d40 2141}
2142
2143
759ac72d 2144/**
2145 * Gets the context-independent capabilities that should be overrridable in
2146 * any context.
2147 * @return array of capability records from the capabilities table.
2148 */
2149function fetch_context_independent_capabilities() {
eef868d1 2150
759ac72d 2151 $contextindependentcaps = array(
2152 'moodle/site:accessallgroups'
2153 );
2154
2155 $records = array();
eef868d1 2156
759ac72d 2157 foreach ($contextindependentcaps as $capname) {
2158 $record = get_record('capabilities', 'name', $capname);
2159 array_push($records, $record);
2160 }
2161 return $records;
2162}
2163
2164
bbbf2d40 2165/**
2166 * This function pulls out all the resolved capabilities (overrides and
759ac72d 2167 * defaults) of a role used in capability overrides in contexts at a given
bbbf2d40 2168 * context.
0a8a95c9 2169 * @param obj $context
bbbf2d40 2170 * @param int $roleid
dc558690 2171 * @param bool self - if set to true, resolve till this level, else stop at immediate parent level
bbbf2d40 2172 * @return array
2173 */
1648afb2 2174function role_context_capabilities($roleid, $context, $cap='') {
dc558690 2175 global $CFG;
eef868d1 2176
8521d83a 2177 $contexts = get_parent_contexts($context);
2178 $contexts[] = $context->id;
98882637 2179 $contexts = '('.implode(',', $contexts).')';
eef868d1 2180
1648afb2 2181 if ($cap) {
e4697bf7 2182 $search = " AND rc.capability = '$cap' ";
1648afb2 2183 } else {
eef868d1 2184 $search = '';
1648afb2 2185 }
eef868d1 2186
2187 $SQL = "SELECT rc.*
2188 FROM {$CFG->prefix}role_capabilities rc,
dc558690 2189 {$CFG->prefix}context c
2190 WHERE rc.contextid in $contexts
2191 AND rc.roleid = $roleid
2192 AND rc.contextid = c.id $search
aad2ba95 2193 ORDER BY c.contextlevel DESC,
eef868d1 2194 rc.capability DESC";
759ac72d 2195
98882637 2196 $capabilities = array();
eef868d1 2197
4729012f 2198 if ($records = get_records_sql($SQL)) {
2199 // We are traversing via reverse order.
2200 foreach ($records as $record) {
2201 // If not set yet (i.e. inherit or not set at all), or currently we have a prohibit
2202 if (!isset($capabilities[$record->capability]) || $record->permission<-500) {
2203 $capabilities[$record->capability] = $record->permission;
eef868d1 2204 }
4729012f 2205 }
98882637 2206 }
2207 return $capabilities;
bbbf2d40 2208}
2209
bbbf2d40 2210/**
eef868d1 2211 * Recursive function which, given a context, find all parent context ids,
bbbf2d40 2212 * and return the array in reverse order, i.e. parent first, then grand
2213 * parent, etc.
2214 * @param object $context
2215 * @return array()
2216 */
bbbf2d40 2217function get_parent_contexts($context) {
759ac72d 2218
aad2ba95 2219 switch ($context->contextlevel) {
bbbf2d40 2220
2221 case CONTEXT_SYSTEM: // no parent
957861f7 2222 return array();
bbbf2d40 2223 break;
2224
2225 case CONTEXT_PERSONAL:
957861f7 2226 if (!$parent = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
2227 return array();
2228 } else {
2229 return array($parent->id);
2230 }
bbbf2d40 2231 break;
eef868d1 2232
4b10f08b 2233 case CONTEXT_USER:
957861f7 2234 if (!$parent = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
2235 return array();
2236 } else {
2237 return array($parent->id);
2238 }
bbbf2d40 2239 break;
eef868d1 2240
bbbf2d40 2241 case CONTEXT_COURSECAT: // Coursecat -> coursecat or site
957861f7 2242 if (!$coursecat = get_record('course_categories','id',$context->instanceid)) {
2243 return array();
2244 }
c5ddc3fd 2245 if (!empty($coursecat->parent)) { // return parent value if exist
bbbf2d40 2246 $parent = get_context_instance(CONTEXT_COURSECAT, $coursecat->parent);
2247 return array_merge(array($parent->id), get_parent_contexts($parent));
2248 } else { // else return site value
2249 $parent = get_context_instance(CONTEXT_SYSTEM, SITEID);
2250 return array($parent->id);
2251 }
2252 break;
2253
2254 case CONTEXT_COURSE: // 1 to 1 to course cat
957861f7 2255 if (!$course = get_record('course','id',$context->instanceid)) {
2256 return array();
2257 }
2258 if (!empty($course->category)) {
2259 $parent = get_context_instance(CONTEXT_COURSECAT, $course->category);
2260 return array_merge(array($parent->id), get_parent_contexts($parent));
2261 } else {
2262 return array();
2263 }
bbbf2d40 2264 break;
2265
2266 case CONTEXT_GROUP: // 1 to 1 to course
957861f7 2267 if (!$group = get_record('groups','id',$context->instanceid)) {
2268 return array();
2269 }
2270 if ($parent = get_context_instance(CONTEXT_COURSE, $group->courseid)) {
2271 return array_merge(array($parent->id), get_parent_contexts($parent));
2272 } else {
2273 return array();
2274 }
bbbf2d40 2275 break;
2276
2277 case CONTEXT_MODULE: // 1 to 1 to course
957861f7 2278 if (!$cm = get_record('course_modules','id',$context->instanceid)) {
2279 return array();
2280 }
2281 if ($parent = get_context_instance(CONTEXT_COURSE, $cm->course)) {
2282 return array_merge(array($parent->id), get_parent_contexts($parent));
2283 } else {
2284 return array();
2285 }
bbbf2d40 2286 break;
2287
2288 case CONTEXT_BLOCK: // 1 to 1 to course
957861f7 2289 if (!$block = get_record('block_instance','id',$context->instanceid)) {
2290 return array();
2291 }
2292 if ($parent = get_context_instance(CONTEXT_COURSE, $block->pageid)) {
2293 return array_merge(array($parent->id), get_parent_contexts($parent));
2294 } else {
2295 return array();
2296 }
bbbf2d40 2297 break;
2298
2299 default:
957861f7 2300 error('This is an unknown context!');
bbbf2d40 2301 return false;
2302 }
bbbf2d40 2303}
2304
759ac72d 2305
2306/**
2307 * Gets a string for sql calls, searching for stuff in this context or above
ea8158c1 2308 * @param object $context
2309 * @return string
2310 */
2311function get_related_contexts_string($context) {
2312 if ($parents = get_parent_contexts($context)) {
eef868d1 2313 return (' IN ('.$context->id.','.implode(',', $parents).')');
ea8158c1 2314 } else {
2315 return (' ='.$context->id);
2316 }
2317}
759ac72d 2318
2319
bbbf2d40 2320/**
2321 * This function gets the capability of a role in a given context.
2322 * It is needed when printing override forms.
2323 * @param int $contextid
bbbf2d40 2324 * @param string $capability
2325 * @param array $capabilities - array loaded using role_context_capabilities
2326 * @return int (allow, prevent, prohibit, inherit)
2327 */
bbbf2d40 2328function get_role_context_capability($contextid, $capability, $capabilities) {
759ac72d 2329 if (isset($capabilities[$contextid][$capability])) {
2330 return $capabilities[$contextid][$capability];
2331 }
2332 else {
2333 return false;
2334 }
bbbf2d40 2335}
2336
2337
cee0901c 2338/**
2339 * Returns the human-readable, translated version of the capability.
2340 * Basically a big switch statement.
2341 * @param $capabilityname - e.g. mod/choice:readresponses
2342 */
ceb83c70 2343function get_capability_string($capabilityname) {
eef868d1 2344
cee0901c 2345 // Typical capabilityname is mod/choice:readresponses
ceb83c70 2346
2347 $names = split('/', $capabilityname);
2348 $stringname = $names[1]; // choice:readresponses
eef868d1 2349 $components = split(':', $stringname);
ceb83c70 2350 $componentname = $components[0]; // choice
98882637 2351
2352 switch ($names[0]) {
2353 case 'mod':
ceb83c70 2354 $string = get_string($stringname, $componentname);
98882637 2355 break;
eef868d1 2356
98882637 2357 case 'block':
ceb83c70 2358 $string = get_string($stringname, 'block_'.$componentname);
98882637 2359 break;
ceb83c70 2360
98882637 2361 case 'moodle':
ceb83c70 2362 $string = get_string($stringname, 'role');
98882637 2363 break;
eef868d1 2364
98882637 2365 case 'enrol':
ceb83c70 2366 $string = get_string($stringname, 'enrol_'.$componentname);
eef868d1 2367 break;
2368
98882637 2369 default:
ceb83c70 2370 $string = get_string($stringname);
eef868d1 2371 break;
2372
98882637 2373 }
ceb83c70 2374 return $string;
bbbf2d40 2375}
2376
2377
cee0901c 2378/**
2379 * This gets the mod/block/course/core etc strings.
2380 * @param $component
2381 * @param $contextlevel
2382 */
bbbf2d40 2383function get_component_string($component, $contextlevel) {
2384
98882637 2385 switch ($contextlevel) {
bbbf2d40 2386
98882637 2387 case CONTEXT_SYSTEM:
be382aaf 2388 if (preg_match('|^enrol/|', $component)) {
2389 $langname = str_replace('/', '_', $component);
2390 $string = get_string('enrolname', $langname);
f3652521 2391 } else if (preg_match('|^block/|', $component)) {
2392 $langname = str_replace('/', '_', $component);
2393 $string = get_string('blockname', $langname);
69eb59f2 2394 } else {
2395 $string = get_string('coresystem');
2396 }
bbbf2d40 2397 break;
2398
2399 case CONTEXT_PERSONAL:
98882637 2400 $string = get_string('personal');
bbbf2d40 2401 break;
2402
4b10f08b 2403 case CONTEXT_USER:
98882637 2404 $string = get_string('users');
bbbf2d40 2405 break;
2406
2407 case CONTEXT_COURSECAT:
98882637 2408 $string = get_string('categories');
bbbf2d40 2409 break;
2410
2411 case CONTEXT_COURSE:
98882637 2412 $string = get_string('course');
bbbf2d40 2413 break;
2414
2415 case CONTEXT_GROUP:
98882637 2416 $string = get_string('group');
bbbf2d40 2417 break;
2418
2419 case CONTEXT_MODULE:
98882637 2420 $string = get_string('modulename', basename($component));
bbbf2d40 2421 break;
2422
2423 case CONTEXT_BLOCK:
98882637 2424 $string = get_string('blockname', 'block_'.$component.'.php');
bbbf2d40 2425 break;
2426
2427 default:
2428 error ('This is an unknown context!');
2429 return false;
eef868d1 2430
98882637 2431 }
98882637 2432 return $string;
bbbf2d40 2433}
cee0901c 2434
759ac72d 2435/**
2436 * Gets the list of roles assigned to this context and up (parents)
945f88ca 2437 * @param object $context
2438 * @return array
2439 */
e4dd3222 2440function get_roles_used_in_context($context) {
2441
2442 global $CFG;
2d9965e1 2443 $contextlist = get_related_contexts_string($context);
eef868d1 2444
759ac72d 2445 $sql = "SELECT DISTINCT r.id,
2446 r.name,
2447 r.shortname,
2448 r.sortorder
2449 FROM {$CFG->prefix}role_assignments ra,
eef868d1 2450 {$CFG->prefix}role r
2451 WHERE r.id = ra.roleid
759ac72d 2452 AND ra.contextid $contextlist
2453 ORDER BY r.sortorder ASC";
eef868d1 2454
759ac72d 2455 return get_records_sql($sql);
e4dd3222 2456}
2457
eef868d1 2458/** this function is used to print roles column in user profile page.
945f88ca 2459 * @param int userid
2460 * @param int contextid
2461 * @return string
2462 */
0a8a95c9 2463function get_user_roles_in_context($userid, $contextid){
2464 global $CFG;
eef868d1 2465
0a8a95c9 2466 $rolestring = '';
2467 $SQL = 'select * from '.$CFG->prefix.'role_assignments ra, '.$CFG->prefix.'role r where ra.userid='.$userid.' and ra.contextid='.$contextid.' and ra.roleid = r.id';
2468 if ($roles = get_records_sql($SQL)) {
2469 foreach ($roles as $userrole) {
2470 $rolestring .= '<a href="'.$CFG->wwwroot.'/user/index.php?contextid='.$userrole->contextid.'&amp;roleid='.$userrole->roleid.'">'.$userrole->name.'</a>, ';
eef868d1 2471 }
2472
0a8a95c9 2473 }
2474 return rtrim($rolestring, ', ');
2475}
68c52526 2476
2477
945f88ca 2478/**
2479 * Checks if a user can override capabilities of a particular role in this context
2480 * @param object $context
2481 * @param int targetroleid - the id of the role you want to override
2482 * @return boolean
2483 */
68c52526 2484function user_can_override($context, $targetroleid) {
2485 // first check if user has override capability
2486 // if not return false;
2487 if (!has_capability('moodle/role:override', $context)) {
eef868d1 2488 return false;
68c52526 2489 }
2490 // pull out all active roles of this user from this context(or above)
c0614051 2491 if ($userroles = get_user_roles($context)) {
2492 foreach ($userroles as $userrole) {
2493 // if any in the role_allow_override table, then it's ok
2494 if (get_record('role_allow_override', 'roleid', $userrole->roleid, 'allowoverride', $targetroleid)) {
2495 return true;
2496 }
68c52526 2497 }
2498 }
eef868d1 2499
68c52526 2500 return false;
eef868d1 2501
68c52526 2502}
2503
945f88ca 2504/**
2505 * Checks if a user can assign users to a particular role in this context
2506 * @param object $context
2507 * @param int targetroleid - the id of the role you want to assign users to
2508 * @return boolean
2509 */
68c52526 2510function user_can_assign($context, $targetroleid) {
eef868d1 2511
68c52526 2512 // first check if user has override capability
2513 // if not return false;
2514 if (!has_capability('moodle/role:assign', $context)) {
eef868d1 2515 return false;
68c52526 2516 }
2517 // pull out all active roles of this user from this context(or above)
c0614051 2518 if ($userroles = get_user_roles($context)) {
2519 foreach ($userroles as $userrole) {
2520 // if any in the role_allow_override table, then it's ok
2521 if (get_record('role_allow_assign', 'roleid', $userrole->roleid, 'allowassign', $targetroleid)) {
2522 return true;
2523 }
68c52526 2524 }
2525 }
eef868d1 2526
2527 return false;
68c52526 2528}
2529
ece4945b 2530/** Returns all site roles in correct sort order.
2531 *
2532 */
2533function get_all_roles() {
2534 return get_records('role', '', '', 'sortorder ASC');
2535}
2536
945f88ca 2537/**
2538 * gets all the user roles assigned in this context, or higher contexts
2539 * this is mainly used when checking if a user can assign a role, or overriding a role
2540 * i.e. we need to know what this user holds, in order to verify against allow_assign and
2541 * allow_override tables
2542 * @param object $context
2543 * @param int $userid
2544 * @return array
2545 */
5b630667 2546function get_user_roles($context, $userid=0, $checkparentcontexts=true) {
68c52526 2547
2548 global $USER, $CFG, $db;
c0614051 2549
2550 if (empty($userid)) {
2551 if (empty($USER->id)) {
2552 return array();
2553 }
2554 $userid = $USER->id;
2555 }
2556
5b630667 2557 if ($checkparentcontexts && ($parents = get_parent_contexts($context))) {
2558 $contexts = ' ra.contextid IN ('.implode(',' , $parents).','.$context->id.')';
c0614051 2559 } else {
5b630667 2560 $contexts = ' ra.contextid = \''.$context->id.'\'';
c0614051 2561 }
2562
31f26796 2563 return get_records_sql('SELECT ra.*, r.name, r.shortname
5b630667 2564 FROM '.$CFG->prefix.'role_assignments ra,
ec6eb110 2565 '.$CFG->prefix.'role r,
2566 '.$CFG->prefix.'context c
c0614051 2567 WHERE ra.userid = '.$userid.
5b630667 2568 ' AND ra.roleid = r.id
ec6eb110 2569 AND ra.contextid = c.id
eef868d1 2570 AND '.$contexts.
ece4945b 2571 ' ORDER BY c.contextlevel DESC, r.sortorder ASC');
68c52526 2572}
2573
945f88ca 2574/**
eef868d1 2575 * Creates a record in the allow_override table
945f88ca 2576 * @param int sroleid - source roleid
2577 * @param int troleid - target roleid
2578 * @return int - id or false
2579 */
2580function allow_override($sroleid, $troleid) {
ece4945b 2581 $record = new object();
945f88ca 2582 $record->roleid = $sroleid;
2583 $record->allowoverride = $troleid;
2584 return insert_record('role_allow_override', $record);
2585}
2586
2587/**
eef868d1 2588 * Creates a record in the allow_assign table
945f88ca 2589 * @param int sroleid - source roleid
2590 * @param int troleid - target roleid
2591 * @return int - id or false
2592 */
2593function allow_assign($sroleid, $troleid) {
ff64aaea 2594 $record = new object;
945f88ca 2595 $record->roleid = $sroleid;
2596 $record->allowassign = $troleid;
2597 return insert_record('role_allow_assign', $record);
2598}
2599
2600/**
ff64aaea 2601 * Gets a list of roles that this user can assign in this context
945f88ca 2602 * @param object $context
2603 * @return array
2604 */
2605function get_assignable_roles ($context) {
2606
945f88ca 2607 $options = array();
ff64aaea 2608
ece4945b 2609 if ($roles = get_all_roles()) {
ff64aaea 2610 foreach ($roles as $role) {
2611 if (user_can_assign($context, $role->id)) {
65b0c132 2612 $options[$role->id] = strip_tags(format_string($role->name, true));
ff64aaea 2613 }
945f88ca 2614 }
2615 }
2616 return $options;
2617}
2618
2619/**
ff64aaea 2620 * Gets a list of roles that this user can override in this context
945f88ca 2621 * @param object $context
2622 * @return array
2623 */
2624function get_overridable_roles ($context) {
2625
945f88ca 2626 $options = array();
ff64aaea 2627
ece4945b 2628 if ($roles = get_all_roles()) {
ff64aaea 2629 foreach ($roles as $role) {
2630 if (user_can_override($context, $role->id)) {
65b0c132 2631 $options[$role->id] = strip_tags(format_string($role->name, true));
ff64aaea 2632 }
945f88ca 2633 }
ff64aaea 2634 }
eef868d1 2635
2636 return $options;
945f88ca 2637}
1648afb2 2638
b963384f 2639/*
2640 * Returns a role object that is the default role for new enrolments
2641 * in a given course
2642 *
eef868d1 2643 * @param object $course
b963384f 2644 * @return object $role
2645 */
2646function get_default_course_role($course) {
2647 global $CFG;
2648
2649/// First let's take the default role the course may have
2650 if (!empty($course->defaultrole)) {
2651 if ($role = get_record('role', 'id', $course->defaultrole)) {
2652 return $role;
2653 }
2654 }
2655
2656/// Otherwise the site setting should tell us
2657 if ($CFG->defaultcourseroleid) {
2658 if ($role = get_record('role', 'id', $CFG->defaultcourseroleid)) {
2659 return $role;
2660 }
2661 }
2662
2663/// It's unlikely we'll get here, but just in case, try and find a student role
2664 if ($studentroles = get_roles_with_capability('moodle/legacy:student', CAP_ALLOW)) {
2665 return array_shift($studentroles); /// Take the first one
2666 }
2667
2668 return NULL;
2669}
2670
1648afb2 2671
2672/**
2673 * who has this capability in this context
2674 * does not handling user level resolving!!!
2675 * i.e 1 person has 2 roles 1 allow, 1 prevent, this will not work properly
2676 * @param $context - object
2677 * @param $capability - string capability
2678 * @param $fields - fields to be pulled
2679 * @param $sort - the sort order
04417640 2680 * @param $limitfrom - number of records to skip (offset)
eef868d1 2681 * @param $limitnum - number of records to fetch
1c45e42e 2682 * @param $groups - single group or array of groups - group(s) user is in
71dea306 2683 * @param $exceptions - list of users to exclude
1648afb2 2684 */
eef868d1 2685function get_users_by_capability($context, $capability, $fields='', $sort='',
1d546bb1 2686 $limitfrom='', $limitnum='', $groups='', $exceptions='', $doanything=true) {
1648afb2 2687 global $CFG;
eef868d1 2688
64026e8c 2689/// Sorting out groups
1c45e42e 2690 if ($groups) {
71dea306 2691 $groupjoin = 'INNER JOIN '.$CFG->prefix.'groups_members gm ON gm.userid = ra.userid';
eef868d1 2692
1c45e42e 2693 if (is_array($groups)) {
a05708ad 2694 $groupsql = 'AND gm.groupid IN ('.implode(',', $groups).')';
1c45e42e 2695 } else {
eef868d1 2696 $groupsql = 'AND gm.groupid = '.$groups;
1c45e42e 2697 }
2698 } else {
2699 $groupjoin = '';
eef868d1 2700 $groupsql = '';
1c45e42e 2701 }
eef868d1 2702
64026e8c 2703/// Sorting out exceptions
5081e786 2704 $exceptionsql = $exceptions ? "AND u.id NOT IN ($exceptions)" : '';
64026e8c 2705
2706/// Set up default fields
2707 if (empty($fields)) {
5b630667 2708 $fields = 'u.*, ul.timeaccess as lastaccess, ra.hidden';
64026e8c 2709 }
2710
2711/// Set up default sort
2712 if (empty($sort)) {
2713 $sort = 'ul.timeaccess';
2714 }
2715
eef868d1 2716 $sortby = $sort ? " ORDER BY $sort " : '';
2717
64026e8c 2718/// If context is a course, then construct sql for ul
aad2ba95 2719 if ($context->contextlevel == CONTEXT_COURSE) {
71dea306 2720 $courseid = $context->instanceid;
f00b7f8d 2721 $coursesql = "AND (ul.courseid = $courseid OR ul.courseid IS NULL)";
5081e786 2722 } else {
2723 $coursesql = '';
71dea306 2724 }
64026e8c 2725
2726/// Sorting out roles with this capability set
9d829c68 2727 if ($possibleroles = get_roles_with_capability($capability, CAP_ALLOW, $context)) {
1d546bb1 2728 if (!$doanything) {
3ca2dea5 2729 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
1d546bb1 2730 return false; // Something is seriously wrong
2731 }
2732 $doanythingroles = get_roles_with_capability('moodle/site:doanything', CAP_ALLOW, $sitecontext);
e836a7dd 2733 }
e836a7dd 2734
9d829c68 2735 $validroleids = array();
e836a7dd 2736 foreach ($possibleroles as $possiblerole) {
1d546bb1 2737 if (!$doanything) {
2738 if (isset($doanythingroles[$possiblerole->id])) { // We don't want these included
2739 continue;
2740 }
e836a7dd 2741 }
bccdf227 2742 if ($caps = role_context_capabilities($possiblerole->id, $context, $capability)) { // resolved list
2743 if (isset($caps[$capability]) && $caps[$capability] > 0) { // resolved capability > 0
2744 $validroleids[] = $possiblerole->id;
2745 }
9d829c68 2746 }
1648afb2 2747 }
1d546bb1 2748 if (empty($validroleids)) {
2749 return false;
2750 }
9d829c68 2751 $roleids = '('.implode(',', $validroleids).')';
2752 } else {
2753 return false; // No need to continue, since no roles have this capability set
eef868d1 2754 }
64026e8c 2755
2756/// Construct the main SQL
71dea306 2757 $select = " SELECT $fields";
eef868d1 2758 $from = " FROM {$CFG->prefix}user u
2759 INNER JOIN {$CFG->prefix}role_assignments ra ON ra.userid = u.id
0a3e9703 2760 INNER JOIN {$CFG->prefix}role r ON r.id = ra.roleid
71dea306 2761 LEFT OUTER JOIN {$CFG->prefix}user_lastaccess ul ON ul.userid = u.id
2762 $groupjoin";
eef868d1 2763 $where = " WHERE ra.contextid ".get_related_contexts_string($context)."
2764 AND u.deleted = 0
2765 AND ra.roleid in $roleids
71dea306 2766 $exceptionsql
2767 $coursesql
2768 $groupsql";
2769
eef868d1 2770 return get_records_sql($select.$from.$where.$sortby, $limitfrom, $limitnum);
1648afb2 2771}
7700027f 2772
ab5c9044 2773/**
2774 * gets all the users assigned this role in this context or higher
2775 * @param int roleid
2776 * @param int contextid
2777 * @param bool parent if true, get list of users assigned in higher context too
2778 * @return array()
2779 */
bac2f88a 2780function get_role_users($roleid, $context, $parent=false, $fields='u.*') {
ab5c9044 2781 global $CFG;
eef868d1 2782
ab5c9044 2783 if ($parent) {
2784 if ($contexts = get_parent_contexts($context)) {
2785 $parentcontexts = 'r.contextid IN ('.implode(',', $contexts).')';
2786 } else {
eef868d1 2787 $parentcontexts = '';
ab5c9044 2788 }
2789 } else {
eef868d1 2790 $parentcontexts = '';
2791 }
2792
bac2f88a 2793 $SQL = "select $fields
eef868d1 2794 from {$CFG->prefix}role_assignments r,
2795 {$CFG->prefix}user u
2796 where (r.contextid = $context->id $parentcontexts)
2797 and r.roleid = $roleid
ab5c9044 2798 and u.id = r.userid"; // join now so that we can just use fullname() later
eef868d1 2799
ab5c9044 2800 return get_records_sql($SQL);
2801}
2802
bac2f88a 2803/**
2804 * Counts all the users assigned this role in this context or higher
2805 * @param int roleid
2806 * @param int contextid
2807 * @param bool parent if true, get list of users assigned in higher context too
2808 * @return array()
2809 */
2810function count_role_users($roleid, $context, $parent=false) {
2811 global $CFG;
2812
2813 if ($parent) {
2814 if ($contexts = get_parent_contexts($context)) {
2815 $parentcontexts = 'r.contextid IN ('.implode(',', $contexts).')';
2816 } else {
2817 $parentcontexts = '';
2818 }
2819 } else {
2820 $parentcontexts = '';
2821 }
2822
2823 $SQL = "SELECT count(*)
2824 FROM {$CFG->prefix}role_assignments r
2825 WHERE (r.contextid = $context->id $parentcontexts)
2826 AND r.roleid = $roleid";
2827
2828 return count_records_sql($SQL);
2829}
2830
eef868d1 2831/**
d76a5a7f 2832 * This function gets the list of courses that this user has a particular capability in
2833 * This is not the most efficient way of doing this
2834 * @param string capability
2835 * @param int $userid
2836 * @return array
2837 */
2838function get_user_capability_course($capability, $userid='') {
eef868d1 2839
d76a5a7f 2840 global $USER;
2841 if (!$userid) {
eef868d1 2842 $userid = $USER->id;
d76a5a7f 2843 }
eef868d1 2844
d76a5a7f 2845 $usercourses = array();
2846 $courses = get_records_select('course', '', '', 'id, id');
eef868d1 2847
d76a5a7f 2848 foreach ($courses as $course) {
2849 if (has_capability($capability, get_context_capability(CONTEXT_COURSE, $course->id))) {
2850 $usercourses[] = $course;
2851 }
2852 }
eef868d1 2853 return $usercourses;
e38f38c3 2854}
2855
2856
2857/** This function finds the roles assigned directly to this context only
2858 * i.e. no parents role
2859 * @param object $context
2860 * @return array
2861 */
2862function get_roles_on_exact_context($context) {
b5959f30 2863
e38f38c3 2864 global $CFG;
49293027 2865
b5959f30 2866 return get_records_sql("SELECT DISTINCT r.*
e38f38c3 2867 FROM {$CFG->prefix}role_assignments ra,
2868 {$CFG->prefix}role r
2869 WHERE ra.roleid = r.id
2870 AND ra.contextid = $context->id");
b5959f30 2871
49293027 2872}
2873
b5959f30 2874/*
3a52e764 2875 * Switches the current user to another role for the current session and only
b5959f30 2876 * in the given context. If roleid is not valid (eg 0) or the current user
2877 * doesn't have permissions to be switching roles then the user's session
3a52e764 2878 * is compltely reset to have their normal roles.
2879 * @param integer $roleid
2880 * @param object $context
2881 * @return bool
2882 */
2883function role_switch($roleid, $context) {
2884 global $USER;
2885
2886 global $db;
2887
2888/// If we can't use this or are already using it or no role was specified then bail completely and reset
b5959f30 2889 if (empty($roleid) || !has_capability('moodle/role:switchroles', $context)
2d07587b 2890 || !empty($USER->switchrole[$context->id]) || !confirm_sesskey()) {
2891 load_user_capability('', $context); // Reset all permissions for this context to normal
2892 unset($USER->switchrole[$context->id]); // Delete old capabilities
3a52e764 2893 return true;
2894 }
2895
2896/// We're allowed to switch but can we switch to the specified role? Use assignable roles to check.
2897 if (!$roles = get_assignable_roles($context)) {
2898 return false;
2899 }
2900
2901 if (empty($roles[$roleid])) { /// We can't switch to this particular role
2902 return false;
2903 }
2904
2905 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
2906 return false;
2907 }
2908
2909/// We have a valid roleid that this user can switch to, so let's set up the session
2910
2d07587b 2911 $USER->switchrole[$context->id] = $roleid; // So we know later what state we are in
3a52e764 2912
2913 unset($USER->capabilities[$context->id]); // Delete old capabilities
2914
2915 if ($capabilities = get_records_select('role_capabilities', "roleid = $roleid AND contextid = $sitecontext->id")) {
2916 foreach ($capabilities as $capability) {
2917 $USER->capabilities[$context->id][$capability->capability] = $capability->permission;
2918 }
2919 }
2920
2d07587b 2921/// Add some permissions we are really going to always need, even if the role doesn't have them!
3a52e764 2922
2923 $USER->capabilities[$context->id]['moodle/course:view'] = CAP_ALLOW;
2924
2925 return true;
2926
2927}
2928
2929
49293027 2930// get any role that has an override on exact context
2931function get_roles_with_override_on_context($context) {
b5959f30 2932
49293027 2933 global $CFG;
b5959f30 2934
49293027 2935 return get_records_sql("SELECT DISTINCT r.*
2936 FROM {$CFG->prefix}role_capabilities rc,
2937 {$CFG->prefix}role r
2938 WHERE rc.roleid = r.id
2939 AND rc.contextid = $context->id");
2940}
2941
2942// get all capabilities for this role on this context (overrids)
2943function get_capabilities_from_role_on_context($role, $context) {
b5959f30 2944
49293027 2945 global $CFG;
b5959f30 2946
2947 return get_records_sql("SELECT *
49293027 2948 FROM {$CFG->prefix}role_capabilities
2949 WHERE contextid = $context->id
2950 AND roleid = $role->id");
01e52ac7 2951}
2952
5b5781f4 2953// find out which roles has assignment on this context
2954function get_roles_with_assignment_on_context($context) {
ece4945b 2955
5b5781f4 2956 global $CFG;
ece4945b 2957
5b5781f4 2958 return get_records_sql("SELECT DISTINCT r.*
2959 FROM {$CFG->prefix}role_assignments ra,
2960 {$CFG->prefix}role r
2961 WHERE ra.roleid = r.id
2962 AND ra.contextid = $context->id");
2963}
2964
2965
2966
01e52ac7 2967/* find all user assignemnt of users for this role, on this context
2968 */
2969function get_users_from_role_on_context($role, $context) {
b5959f30 2970
01e52ac7 2971 global $CFG;
b5959f30 2972
01e52ac7 2973 return get_records_sql("SELECT *
2974 FROM {$CFG->prefix}role_assignments
2975 WHERE contextid = $context->id
b5959f30 2976 AND roleid = $role->id");
01e52ac7 2977}
3a52e764 2978
f3652521 2979?>
Moodle official production repository