projects / moodle.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Quick Fix. It should be 24!
[moodle.git] / lib / accesslib.php
CommitLineData
bbbf2d40 1<?php
cee0901c 2 /**
3 * Capability session information format
bbbf2d40 4 * 2 x 2 array
5 * [context][capability]
6 * where context is the context id of the table 'context'
7 * and capability is a string defining the capability
8 * e.g.
9 *
10 * [Capabilities] => [26][mod/forum:viewpost] = 1
11 * [26][mod/forum:startdiscussion] = -8990
12 * [26][mod/forum:editallpost] = -1
13 * [273][moodle:blahblah] = 1
14 * [273][moodle:blahblahblah] = 2
15 */
bbbf2d40 16
17// permission definitions
e49e61bf 18define('CAP_INHERIT', 0);
bbbf2d40 19define('CAP_ALLOW', 1);
20define('CAP_PREVENT', -1);
21define('CAP_PROHIBIT', -1000);
22
bbbf2d40 23// context definitions
24define('CONTEXT_SYSTEM', 10);
25define('CONTEXT_PERSONAL', 20);
4b10f08b 26define('CONTEXT_USER', 30);
bbbf2d40 27define('CONTEXT_COURSECAT', 40);
28define('CONTEXT_COURSE', 50);
29define('CONTEXT_GROUP', 60);
30define('CONTEXT_MODULE', 70);
31define('CONTEXT_BLOCK', 80);
32
21b6db6e 33// capability risks - see http://docs.moodle.org/en/Hardening_new_Roles_system
34define('RISK_MANAGETRUST', 0x0001);
a6b02b65 35define('RISK_CONFIG', 0x0002);
21b6db6e 36define('RISK_XSS', 0x0004);
37define('RISK_PERSONAL', 0x0008);
38define('RISK_SPAM', 0x0010);
39
40
340ea4e8 41$context_cache = array(); // Cache of all used context objects for performance (by level and instance)
42$context_cache_id = array(); // Index to above cache by id
bbbf2d40 43
7700027f 44
e7876c1e 45/**
46 * Loads the capabilities for the default guest role to the current user in a specific context
47 * @return object
48 */
49function load_guest_role($context=NULL) {
50 global $USER;
51
52 static $guestrole;
53
54 if (!isloggedin()) {
55 return false;
56 }
57
58 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
59 return false;
60 }
61
62 if (empty($context)) {
63 $context = $sitecontext;
64 }
65
66 if (empty($guestrole)) {
8f8ed475 67 if (!$guestrole = get_guest_role()) {
e7876c1e 68 return false;
69 }
70 }
71
eef868d1 72 if ($capabilities = get_records_select('role_capabilities',
e7876c1e 73 "roleid = $guestrole->id AND contextid = $sitecontext->id")) {
74 foreach ($capabilities as $capability) {
eef868d1 75 $USER->capabilities[$context->id][$capability->capability] = $capability->permission;
e7876c1e 76 }
77 }
78
79 return true;
80}
81
7700027f 82/**
83 * Load default not logged in role capabilities when user is not logged in
eef868d1 84 * @return bool
7700027f 85 */
20aeb4b8 86function load_notloggedin_role() {
87 global $CFG, $USER;
88
7700027f 89 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
90 return false;
35a518c5 91 }
92
7700027f 93 if (empty($CFG->notloggedinroleid)) { // Let's set the default to the guest role
8f8ed475 94 if ($role = get_guest_role()) {
7700027f 95 set_config('notloggedinroleid', $role->id);
96 } else {
97 return false;
98 }
99 }
20aeb4b8 100
eef868d1 101 if ($capabilities = get_records_select('role_capabilities',
7700027f 102 "roleid = $CFG->notloggedinroleid AND contextid = $sitecontext->id")) {
103 foreach ($capabilities as $capability) {
eef868d1 104 $USER->capabilities[$sitecontext->id][$capability->capability] = $capability->permission;
7700027f 105 }
20aeb4b8 106 }
107
108 return true;
109}
cee0901c 110
8f8ed475 111/**
112 * Load default not logged in role capabilities when user is not logged in
eef868d1 113 * @return bool
8f8ed475 114 */
115function load_defaultuser_role() {
116 global $CFG, $USER;
117
118 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
119 return false;
120 }
121
122 if (empty($CFG->defaultuserroleid)) { // Let's set the default to the guest role
123 if ($role = get_guest_role()) {
124 set_config('defaultuserroleid', $role->id);
125 } else {
126 return false;
127 }
128 }
129
eef868d1 130 if ($capabilities = get_records_select('role_capabilities',
8f8ed475 131 "roleid = $CFG->defaultuserroleid AND contextid = $sitecontext->id")) {
132 foreach ($capabilities as $capability) {
ca23ffdb 133 if (!isset($USER->capabilities[$sitecontext->id][$capability->capability])) { // Don't overwrite
eef868d1 134 $USER->capabilities[$sitecontext->id][$capability->capability] = $capability->permission;
ca23ffdb 135 }
8f8ed475 136 }
137
eef868d1 138 // SPECIAL EXCEPTION: If the default user role is actually a guest role, then
8f8ed475 139 // remove some capabilities so this user doesn't get confused with a REAL guest
2f089dd5 140 if (isset($USER->capabilities[$sitecontext->id]['moodle/legacy:guest']) and $USER->username != 'guest') {
eef868d1 141 unset($USER->capabilities[$sitecontext->id]['moodle/legacy:guest']);
8f8ed475 142 unset($USER->capabilities[$sitecontext->id]['moodle/course:view']); // No access to courses by default
143 }
144 }
145
146 return true;
147}
148
149
150/**
151 * Get the default guest role
152 * @return object role
153 */
154function get_guest_role() {
155 if ($roles = get_roles_with_capability('moodle/legacy:guest', CAP_ALLOW)) {
156 return array_shift($roles); // Pick the first one
157 } else {
158 return false;
159 }
160}
161
162
bbbf2d40 163/**
164 * This functions get all the course categories in proper order
0468976c 165 * @param int $context
bbbf2d40 166 * @param int $type
167 * @return array of contextids
168 */
0468976c 169function get_parent_cats($context, $type) {
eef868d1 170
98882637 171 $parents = array();
eef868d1 172
c5ddc3fd 173 switch ($type) {
98882637 174 case CONTEXT_COURSECAT:
c5ddc3fd 175 if (!$cat = get_record('course_categories','id',$context->instanceid)) {
176 break;
177 }
178
179 while (!empty($cat->parent)) {
180 if (!$context = get_context_instance(CONTEXT_COURSECAT, $cat->parent)) {
181 break;
182 }
98882637 183 $parents[] = $context->id;
184 $cat = get_record('course_categories','id',$cat->parent);
185 }
98882637 186 break;
eef868d1 187
98882637 188 case CONTEXT_COURSE:
c5ddc3fd 189 if (!$course = get_record('course', 'id', $context->instanceid)) {
190 break;
191 }
192 if (!$catinstance = get_context_instance(CONTEXT_COURSECAT, $course->category)) {
193 break;
194 }
195
98882637 196 $parents[] = $catinstance->id;
c5ddc3fd 197
198 if (!$cat = get_record('course_categories','id',$course->category)) {
199 break;
200 }
201
202 while (!empty($cat->parent)) {
203 if (!$context = get_context_instance(CONTEXT_COURSECAT, $cat->parent)) {
204 break;
205 }
98882637 206 $parents[] = $context->id;
207 $cat = get_record('course_categories','id',$cat->parent);
208 }
209 break;
eef868d1 210
98882637 211 default:
212 break;
98882637 213 }
98882637 214 return array_reverse($parents);
bbbf2d40 215}
216
217
cee0901c 218
0468976c 219/**
220 * This function checks for a capability assertion being true. If it isn't
221 * then the page is terminated neatly with a standard error message
222 * @param string $capability - name of the capability
223 * @param object $context - a context object (record from context table)
224 * @param integer $userid - a userid number
d74067e8 225 * @param bool $doanything - if false, ignore do anything
0468976c 226 * @param string $errorstring - an errorstring
d74067e8 227 * @param string $stringfile - which stringfile to get it from
0468976c 228 */
eef868d1 229function require_capability($capability, $context=NULL, $userid=NULL, $doanything=true,
d74067e8 230 $errormessage="nopermissions", $stringfile='') {
a9e1c058 231
232 global $USER;
233
234/// If the current user is not logged in, then make sure they are
235
236 if (empty($userid) and empty($USER->id)) {
aad2ba95 237 if ($context && ($context->contextlevel == CONTEXT_COURSE)) {
a9e1c058 238 require_login($context->instanceid);
11ac79ff 239 } else if ($context && ($context->contextlevel == CONTEXT_MODULE)) {
240 if ($cm = get_record('course_modules','id',$context->instanceid)) {
241 require_login($cm->course, true, $cm);
242 } else {
243 require_login();
244 }
a9e1c058 245 } else {
246 require_login();
247 }
248 }
eef868d1 249
a9e1c058 250/// OK, if they still don't have the capability then print a nice error message
251
d74067e8 252 if (!has_capability($capability, $context, $userid, $doanything)) {
0468976c 253 $capabilityname = get_capability_string($capability);
254 print_error($errormessage, $stringfile, '', $capabilityname);
255 }
256}
257
258
bbbf2d40 259/**
260 * This function returns whether the current user has the capability of performing a function
261 * For example, we can do has_capability('mod/forum:replypost',$cm) in forum
262 * only one of the 4 (moduleinstance, courseid, site, userid) would be set at 1 time
263 * This is a recursive funciton.
bbbf2d40 264 * @uses $USER
265 * @param string $capability - name of the capability
0468976c 266 * @param object $context - a context object (record from context table)
267 * @param integer $userid - a userid number
20aeb4b8 268 * @param bool $doanything - if false, ignore do anything
bbbf2d40 269 * @return bool
270 */
d74067e8 271function has_capability($capability, $context=NULL, $userid=NULL, $doanything=true) {
bbbf2d40 272
20aeb4b8 273 global $USER, $CONTEXT, $CFG;
bbbf2d40 274
a8a7300a 275 if (debugging() && !record_exists('capabilities', 'name', $capability)) {
7f7cacdf 276 debugging('Cabability "'.$capability.'" was not found! This should be fixed in code.');
a8a7300a 277 }
278
8f8ed475 279 if (empty($userid) && empty($USER->capabilities)) { // Real user, first time here
280 if (isloggedin()) {
281 load_defaultuser_role(); // All users get this by default
282 } else {
283 load_notloggedin_role(); // others get this by default
284 }
20aeb4b8 285 }
286
287 if ($userid && $userid != $USER->id) {
9425b25f 288 if (empty($USER->id) or ($userid != $USER->id)) {
289 $capabilities = load_user_capability($capability, $context, $userid);
290 } else { //$USER->id == $userid
291 $capabilities = empty($USER->capabilities) ? NULL : $USER->capabilities;
292 }
293 } else { // no userid
294 $capabilities = empty($USER->capabilities) ? NULL : $USER->capabilities;
98882637 295 }
9425b25f 296
0468976c 297 if (empty($context)) { // Use default CONTEXT if none specified
340ea4e8 298 if (empty($CONTEXT)) {
299 return false;
300 } else {
301 $context = $CONTEXT;
302 }
0468976c 303 } else { // A context was given to us
304 if (empty($CONTEXT)) {
305 $CONTEXT = $context; // Store FIRST used context in this global as future default
306 }
340ea4e8 307 }
bbbf2d40 308
20aeb4b8 309 if ($doanything) {
2d07587b 310
20aeb4b8 311 // Check site
2d07587b 312 if (empty($USER->switchrole[$context->id])) { // Ignore site setting if switchrole is active
313 $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
314 if (isset($capabilities[$sitecontext->id]['moodle/site:doanything'])) {
315 return (0 < $capabilities[$sitecontext->id]['moodle/site:doanything']);
316 }
20aeb4b8 317 }
eef868d1 318
aad2ba95 319 switch ($context->contextlevel) {
eef868d1 320
20aeb4b8 321 case CONTEXT_COURSECAT:
322 // Check parent cats.
323 $parentcats = get_parent_cats($context, CONTEXT_COURSECAT);
324 foreach ($parentcats as $parentcat) {
325 if (isset($capabilities[$parentcat]['moodle/site:doanything'])) {
326 return (0 < $capabilities[$parentcat]['moodle/site:doanything']);
327 }
cee0901c 328 }
20aeb4b8 329 break;
bbbf2d40 330
20aeb4b8 331 case CONTEXT_COURSE:
332 // Check parent cat.
333 $parentcats = get_parent_cats($context, CONTEXT_COURSE);
98882637 334
20aeb4b8 335 foreach ($parentcats as $parentcat) {
336 if (isset($capabilities[$parentcat]['do_anything'])) {
337 return (0 < $capabilities[$parentcat]['do_anything']);
338 }
9425b25f 339 }
20aeb4b8 340 break;
bbbf2d40 341
20aeb4b8 342 case CONTEXT_GROUP:
343 // Find course.
344 $group = get_record('groups','id',$context->instanceid);
345 $courseinstance = get_context_instance(CONTEXT_COURSE, $group->courseid);
9425b25f 346
20aeb4b8 347 $parentcats = get_parent_cats($courseinstance, CONTEXT_COURSE);
348 foreach ($parentcats as $parentcat) {
349 if (isset($capabilities[$parentcat->id]['do_anything'])) {
350 return (0 < $capabilities[$parentcat->id]['do_anything']);
351 }
9425b25f 352 }
9425b25f 353
20aeb4b8 354 $coursecontext = '';
355 if (isset($capabilities[$courseinstance->id]['do_anything'])) {
356 return (0 < $capabilities[$courseinstance->id]['do_anything']);
357 }
9425b25f 358
20aeb4b8 359 break;
bbbf2d40 360
20aeb4b8 361 case CONTEXT_MODULE:
362 // Find course.
363 $cm = get_record('course_modules', 'id', $context->instanceid);
364 $courseinstance = get_context_instance(CONTEXT_COURSE, $cm->course);
9425b25f 365
20aeb4b8 366 if ($parentcats = get_parent_cats($courseinstance, CONTEXT_COURSE)) {
367 foreach ($parentcats as $parentcat) {
368 if (isset($capabilities[$parentcat]['do_anything'])) {
369 return (0 < $capabilities[$parentcat]['do_anything']);
370 }
cee0901c 371 }
9425b25f 372 }
98882637 373
20aeb4b8 374 if (isset($capabilities[$courseinstance->id]['do_anything'])) {
375 return (0 < $capabilities[$courseinstance->id]['do_anything']);
376 }
bbbf2d40 377
20aeb4b8 378 break;
bbbf2d40 379
20aeb4b8 380 case CONTEXT_BLOCK:
381 // 1 to 1 to course.
382 // Find course.
383 $block = get_record('block_instance','id',$context->instanceid);
384 $courseinstance = get_context_instance(CONTEXT_COURSE, $block->pageid); // needs check
9425b25f 385
20aeb4b8 386 $parentcats = get_parent_cats($courseinstance, CONTEXT_COURSE);
387 foreach ($parentcats as $parentcat) {
388 if (isset($capabilities[$parentcat]['do_anything'])) {
389 return (0 < $capabilities[$parentcat]['do_anything']);
390 }
cee0901c 391 }
9425b25f 392
20aeb4b8 393 if (isset($capabilities[$courseinstance->id]['do_anything'])) {
394 return (0 < $capabilities[$courseinstance->id]['do_anything']);
395 }
396 break;
bbbf2d40 397
20aeb4b8 398 default:
4b10f08b 399 // CONTEXT_SYSTEM: CONTEXT_PERSONAL: CONTEXT_USER:
20aeb4b8 400 // Do nothing.
401 break;
402 }
bbbf2d40 403
20aeb4b8 404 // Last: check self.
405 if (isset($capabilities[$context->id]['do_anything'])) {
406 return (0 < $capabilities[$context->id]['do_anything']);
407 }
98882637 408 }
98882637 409 // do_anything has not been set, we now look for it the normal way.
9425b25f 410 return (0 < capability_search($capability, $context, $capabilities));
bbbf2d40 411
9425b25f 412}
bbbf2d40 413
414
415/**
416 * In a separate function so that we won't have to deal with do_anything.
417 * again. Used by function has_capability.
418 * @param $capability - capability string
0468976c 419 * @param $context - the context object
bbbf2d40 420 * @param $capabilities - either $USER->capability or loaded array
421 * @return permission (int)
422 */
0468976c 423function capability_search($capability, $context, $capabilities) {
759ac72d 424
bbbf2d40 425 global $USER, $CFG;
0468976c 426
11ac79ff 427 if (!isset($context->id)) {
428 return 0;
429 }
430
0468976c 431 if (isset($capabilities[$context->id][$capability])) {
7eb0b60a 432 debugging("Found $capability in context $context->id at level $context->contextlevel: ".$capabilities[$context->id][$capability], DEBUG_DEVELOPER);
0468976c 433 return ($capabilities[$context->id][$capability]);
bbbf2d40 434 }
9425b25f 435
bbbf2d40 436 /* Then, we check the cache recursively */
9425b25f 437 $permission = 0;
438
aad2ba95 439 switch ($context->contextlevel) {
bbbf2d40 440
441 case CONTEXT_SYSTEM: // by now it's a definite an inherit
442 $permission = 0;
443 break;
444
445 case CONTEXT_PERSONAL:
0468976c 446 $parentcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
447 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 448 break;
9425b25f 449
4b10f08b 450 case CONTEXT_USER:
0468976c 451 $parentcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
452 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 453 break;
9425b25f 454
bbbf2d40 455 case CONTEXT_COURSECAT: // Coursecat -> coursecat or site
456 $coursecat = get_record('course_categories','id',$context->instanceid);
0468976c 457 if (!empty($coursecat->parent)) { // return parent value if it exists
458 $parentcontext = get_context_instance(CONTEXT_COURSECAT, $coursecat->parent);
bbbf2d40 459 } else { // else return site value
0468976c 460 $parentcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
bbbf2d40 461 }
0468976c 462 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 463 break;
464
465 case CONTEXT_COURSE: // 1 to 1 to course cat
466 // find the course cat, and return its value
467 $course = get_record('course','id',$context->instanceid);
0468976c 468 $parentcontext = get_context_instance(CONTEXT_COURSECAT, $course->category);
469 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 470 break;
471
472 case CONTEXT_GROUP: // 1 to 1 to course
473 $group = get_record('groups','id',$context->instanceid);
0468976c 474 $parentcontext = get_context_instance(CONTEXT_COURSE, $group->courseid);
475 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 476 break;
477
478 case CONTEXT_MODULE: // 1 to 1 to course
479 $cm = get_record('course_modules','id',$context->instanceid);
0468976c 480 $parentcontext = get_context_instance(CONTEXT_COURSE, $cm->course);
481 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 482 break;
483
484 case CONTEXT_BLOCK: // 1 to 1 to course
485 $block = get_record('block_instance','id',$context->instanceid);
0468976c 486 $parentcontext = get_context_instance(CONTEXT_COURSE, $block->pageid); // needs check
487 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 488 break;
489
490 default:
491 error ('This is an unknown context!');
492 return false;
493 }
7eb0b60a 494 debugging("Found $capability recursively from context $context->id at level $context->contextlevel: $permission", DEBUG_DEVELOPER);
9425b25f 495
98882637 496 return $permission;
bbbf2d40 497}
498
499
500/**
501 * This function should be called immediately after a login, when $USER is set.
502 * It will build an array of all the capabilities at each level
503 * i.e. site/metacourse/course_category/course/moduleinstance
504 * Note we should only load capabilities if they are explicitly assigned already,
505 * we should not load all module's capability!
506 * @param $userid - the id of the user whose capabilities we want to load
507 * @return array
508 * possible just s simple 2D array with [contextid][capabilityname]
509 * [Capabilities] => [26][forum_post] = 1
510 * [26][forum_start] = -8990
511 * [26][forum_edit] = -1
512 * [273][blah blah] = 1
513 * [273][blah blah blah] = 2
514 */
0468976c 515function load_user_capability($capability='', $context ='', $userid='') {
d140ad3f 516
98882637 517 global $USER, $CFG;
bbbf2d40 518
519 if (empty($userid)) {
dc411d1b 520 if (empty($USER->id)) { // We have no user to get capabilities for
64026e8c 521 debugging('User not logged in for load_user_capability!');
dc411d1b 522 return false;
523 }
64026e8c 524 unset($USER->capabilities); // We don't want possible older capabilites hanging around
525
526 check_enrolment_plugins($USER); // Call "enrol" system to ensure that we have the correct picture
8f8ed475 527
bbbf2d40 528 $userid = $USER->id;
dc411d1b 529 $otheruserid = false;
bbbf2d40 530 } else {
64026e8c 531 if (!$user = get_record('user', 'id', $userid)) {
532 debugging('Non-existent userid in load_user_capability!');
533 return false;
534 }
535
536 check_enrolment_plugins($user); // Ensure that we have the correct picture
537
9425b25f 538 $otheruserid = $userid;
bbbf2d40 539 }
9425b25f 540
5f70bcc3 541
542/// First we generate a list of all relevant contexts of the user
543
544 $usercontexts = array();
bbbf2d40 545
0468976c 546 if ($context) { // if context is specified
eef868d1 547 $usercontexts = get_parent_contexts($context);
98882637 548 } else { // else, we load everything
5f70bcc3 549 if ($userroles = get_records('role_assignments','userid',$userid)) {
550 foreach ($userroles as $userrole) {
551 $usercontexts[] = $userrole->contextid;
552 }
98882637 553 }
5f70bcc3 554 }
555
556/// Set up SQL fragments for searching contexts
557
558 if ($usercontexts) {
0468976c 559 $listofcontexts = '('.implode(',', $usercontexts).')';
5f70bcc3 560 $searchcontexts1 = "c1.id IN $listofcontexts AND";
561 $searchcontexts2 = "c2.id IN $listofcontexts AND";
562 } else {
563 $listofcontexts = $searchcontexts1 = $searchcontexts2 = '';
bbbf2d40 564 }
0468976c 565
64026e8c 566 if ($capability) {
567 $capsearch = " AND rc.capability = '$capability' ";
568 } else {
eef868d1 569 $capsearch ="";
64026e8c 570 }
571
e38f38c3 572/// Set up SQL fragments for timestart, timeend etc
573 $now = time();
85f101fa 574 $timesql = "AND ((ra.timestart = 0 OR ra.timestart < $now) AND (ra.timeend = 0 OR ra.timeend > $now))";
e38f38c3 575
5f70bcc3 576/// Then we use 1 giant SQL to bring out all relevant capabilities.
577/// The first part gets the capabilities of orginal role.
578/// The second part gets the capabilities of overriden roles.
bbbf2d40 579
98882637 580 $siteinstance = get_context_instance(CONTEXT_SYSTEM, SITEID);
bbbf2d40 581
aad2ba95 582 $SQL = " SELECT rc.capability, c1.id, (c1.contextlevel * 100) AS aggrlevel,
bbbf2d40 583 SUM(rc.permission) AS sum
584 FROM
eef868d1 585 {$CFG->prefix}role_assignments ra,
42ac3ecf 586 {$CFG->prefix}role_capabilities rc,
587 {$CFG->prefix}context c1
bbbf2d40 588 WHERE
d4649c76 589 ra.contextid=c1.id AND
590 ra.roleid=rc.roleid AND
bbbf2d40 591 ra.userid=$userid AND
5f70bcc3 592 $searchcontexts1
eef868d1 593 rc.contextid=$siteinstance->id
98882637 594 $capsearch
e38f38c3 595 $timesql
bbbf2d40 596 GROUP BY
aad2ba95 597 rc.capability, (c1.contextlevel * 100), c1.id
bbbf2d40 598 HAVING
41811960 599 SUM(rc.permission) != 0
bbbf2d40 600 UNION
601
aad2ba95 602 SELECT rc.capability, c1.id, (c1.contextlevel * 100 + c2.contextlevel) AS aggrlevel,
bbbf2d40 603 SUM(rc.permission) AS sum
604 FROM
42ac3ecf 605 {$CFG->prefix}role_assignments ra,
606 {$CFG->prefix}role_capabilities rc,
607 {$CFG->prefix}context c1,
608 {$CFG->prefix}context c2
bbbf2d40 609 WHERE
d4649c76 610 ra.contextid=c1.id AND
eef868d1 611 ra.roleid=rc.roleid AND
612 ra.userid=$userid AND
613 rc.contextid=c2.id AND
5f70bcc3 614 $searchcontexts1
615 $searchcontexts2
616 rc.contextid != $siteinstance->id
bbbf2d40 617 $capsearch
e38f38c3 618 $timesql
eef868d1 619
bbbf2d40 620 GROUP BY
aad2ba95 621 rc.capability, (c1.contextlevel * 100 + c2.contextlevel), c1.id
bbbf2d40 622 HAVING
41811960 623 SUM(rc.permission) != 0
bbbf2d40 624 ORDER BY
75e84883 625 aggrlevel ASC
bbbf2d40 626 ";
627
98882637 628 $capabilities = array(); // Reinitialize.
75e84883 629 if (!$rs = get_recordset_sql($SQL)) {
630 error("Query failed in load_user_capability.");
631 }
5cf38a57 632
bbbf2d40 633 if ($rs && $rs->RecordCount() > 0) {
634 while (!$rs->EOF) {
75e84883 635 $array = $rs->fields;
636 $temprecord = new object;
eef868d1 637
98882637 638 foreach ($array as $key=>$val) {
75e84883 639 if ($key == 'aggrlevel') {
aad2ba95 640 $temprecord->contextlevel = $val;
75e84883 641 } else {
642 $temprecord->{$key} = $val;
643 }
98882637 644 }
bbbf2d40 645 $capabilities[] = $temprecord;
646 $rs->MoveNext();
647 }
648 }
eef868d1 649
bbbf2d40 650 /* so up to this point we should have somethign like this
aad2ba95 651 * $capabilities[1] ->contextlevel = 1000
bbbf2d40 652 ->module = SITEID
653 ->capability = do_anything
654 ->id = 1 (id is the context id)
655 ->sum = 0
eef868d1 656
aad2ba95 657 * $capabilities[2] ->contextlevel = 1000
bbbf2d40 658 ->module = SITEID
659 ->capability = post_messages
660 ->id = 1
661 ->sum = -9000
662
aad2ba95 663 * $capabilittes[3] ->contextlevel = 3000
bbbf2d40 664 ->module = course
665 ->capability = view_course_activities
666 ->id = 25
667 ->sum = 1
668
aad2ba95 669 * $capabilittes[4] ->contextlevel = 3000
bbbf2d40 670 ->module = course
671 ->capability = view_course_activities
672 ->id = 26
673 ->sum = 0 (this is another course)
eef868d1 674
aad2ba95 675 * $capabilities[5] ->contextlevel = 3050
bbbf2d40 676 ->module = course
677 ->capability = view_course_activities
678 ->id = 25 (override in course 25)
679 ->sum = -1
680 * ....
681 * now we proceed to write the session array, going from top to bottom
682 * at anypoint, we need to go up and check parent to look for prohibit
683 */
684 // print_object($capabilities);
685
686 /* This is where we write to the actualy capabilities array
687 * what we need to do from here on is
688 * going down the array from lowest level to highest level
689 * 1) recursively check for prohibit,
690 * if any, we write prohibit
691 * else, we write the value
692 * 2) at an override level, we overwrite current level
693 * if it's not set to prohibit already, and if different
694 * ........ that should be it ........
695 */
98882637 696 $usercap = array(); // for other user's capabilities
bbbf2d40 697 foreach ($capabilities as $capability) {
698
0468976c 699 $context = get_context_instance_by_id($capability->id);
700
41811960 701 if (!empty($otheruserid)) { // we are pulling out other user's capabilities, do not write to session
eef868d1 702
0468976c 703 if (capability_prohibits($capability->capability, $context, $capability->sum, $usercap)) {
98882637 704 $usercap[$capability->id][$capability->capability] = -9000;
705 continue;
706 }
707
eef868d1 708 $usercap[$capability->id][$capability->capability] = $capability->sum;
709
98882637 710 } else {
711
0468976c 712 if (capability_prohibits($capability->capability, $context, $capability->sum)) { // if any parent or parent's parent is set to prohibit
98882637 713 $USER->capabilities[$capability->id][$capability->capability] = -9000;
714 continue;
715 }
eef868d1 716
98882637 717 // if no parental prohibit set
718 // just write to session, i am not sure this is correct yet
719 // since 3050 shows up after 3000, and 3070 shows up after 3050,
720 // it should be ok just to overwrite like this, provided that there's no
721 // parental prohibits
722 // no point writing 0, since 0 = inherit
723 // we need to write even if it's 0, because it could be an inherit override
724 $USER->capabilities[$capability->id][$capability->capability] = $capability->sum;
725 }
bbbf2d40 726 }
eef868d1 727
bbbf2d40 728 // now we don't care about the huge array anymore, we can dispose it.
729 unset($capabilities);
eef868d1 730
dbe7e582 731 if (!empty($otheruserid)) {
eef868d1 732 return $usercap; // return the array
bbbf2d40 733 }
734 // see array in session to see what it looks like
735
736}
737
64026e8c 738/*
739 * Check all the login enrolment information for the given user object
eef868d1 740 * by querying the enrolment plugins
64026e8c 741 */
742function check_enrolment_plugins(&$user) {
743 global $CFG;
744
745 require_once($CFG->dirroot .'/enrol/enrol.class.php');
eef868d1 746
64026e8c 747 if (!($plugins = explode(',', $CFG->enrol_plugins_enabled))) {
748 $plugins = array($CFG->enrol);
749 }
750
751 foreach ($plugins as $plugin) {
752 $enrol = enrolment_factory::factory($plugin);
753 if (method_exists($enrol, 'setup_enrolments')) { /// Plugin supports Roles (Moodle 1.7 and later)
754 $enrol->setup_enrolments($user);
755 } else { /// Run legacy enrolment methods
756 if (method_exists($enrol, 'get_student_courses')) {
757 $enrol->get_student_courses($user);
758 }
759 if (method_exists($enrol, 'get_teacher_courses')) {
760 $enrol->get_teacher_courses($user);
761 }
762
763 /// deal with $user->students and $user->teachers stuff
764 unset($user->student);
765 unset($user->teacher);
766 }
767 unset($enrol);
768 }
769}
770
bbbf2d40 771
772/**
773 * This is a recursive function that checks whether the capability in this
774 * context, or the parent capabilities are set to prohibit.
775 *
776 * At this point, we can probably just use the values already set in the
777 * session variable, since we are going down the level. Any prohit set in
778 * parents would already reflect in the session.
779 *
780 * @param $capability - capability name
781 * @param $sum - sum of all capabilities values
0468976c 782 * @param $context - the context object
bbbf2d40 783 * @param $array - when loading another user caps, their caps are not stored in session but an array
784 */
0468976c 785function capability_prohibits($capability, $context, $sum='', $array='') {
bbbf2d40 786 global $USER;
0468976c 787
bbbf2d40 788 if ($sum < -8000) {
789 // If this capability is set to prohibit.
790 return true;
791 }
eef868d1 792
bbbf2d40 793 if (isset($array)) {
eef868d1 794 if (isset($array[$context->id][$capability])
0468976c 795 && $array[$context->id][$capability] < -8000) {
98882637 796 return true;
eef868d1 797 }
bbbf2d40 798 } else {
98882637 799 // Else if set in session.
eef868d1 800 if (isset($USER->capabilities[$context->id][$capability])
0468976c 801 && $USER->capabilities[$context->id][$capability] < -8000) {
98882637 802 return true;
803 }
bbbf2d40 804 }
aad2ba95 805 switch ($context->contextlevel) {
eef868d1 806
bbbf2d40 807 case CONTEXT_SYSTEM:
808 // By now it's a definite an inherit.
809 return 0;
810 break;
811
812 case CONTEXT_PERSONAL:
813 $parent = get_context_instance(CONTEXT_SYSTEM, SITEID);
0468976c 814 return capability_prohibits($capability, $parent);
bbbf2d40 815 break;
816
4b10f08b 817 case CONTEXT_USER:
bbbf2d40 818 $parent = get_context_instance(CONTEXT_SYSTEM, SITEID);
0468976c 819 return capability_prohibits($capability, $parent);
bbbf2d40 820 break;
821
822 case CONTEXT_COURSECAT:
823 // Coursecat -> coursecat or site.
824 $coursecat = get_record('course_categories','id',$context->instanceid);
41811960 825 if (!empty($coursecat->parent)) {
bbbf2d40 826 // return parent value if exist.
827 $parent = get_context_instance(CONTEXT_COURSECAT, $coursecat->parent);
828 } else {
829 // Return site value.
830 $parent = get_context_instance(CONTEXT_SYSTEM, SITEID);
831 }
0468976c 832 return capability_prohibits($capability, $parent);
bbbf2d40 833 break;
834
835 case CONTEXT_COURSE:
836 // 1 to 1 to course cat.
837 // Find the course cat, and return its value.
838 $course = get_record('course','id',$context->instanceid);
839 $parent = get_context_instance(CONTEXT_COURSECAT, $course->category);
0468976c 840 return capability_prohibits($capability, $parent);
bbbf2d40 841 break;
842
843 case CONTEXT_GROUP:
844 // 1 to 1 to course.
845 $group = get_record('groups','id',$context->instanceid);
846 $parent = get_context_instance(CONTEXT_COURSE, $group->courseid);
0468976c 847 return capability_prohibits($capability, $parent);
bbbf2d40 848 break;
849
850 case CONTEXT_MODULE:
851 // 1 to 1 to course.
852 $cm = get_record('course_modules','id',$context->instanceid);
853 $parent = get_context_instance(CONTEXT_COURSE, $cm->course);
0468976c 854 return capability_prohibits($capability, $parent);
bbbf2d40 855 break;
856
857 case CONTEXT_BLOCK:
858 // 1 to 1 to course.
859 $block = get_record('block_instance','id',$context->instanceid);
860 $parent = get_context_instance(CONTEXT_COURSE, $block->pageid); // needs check
0468976c 861 return capability_prohibits($capability, $parent);
bbbf2d40 862 break;
863
864 default:
865 error ('This is an unknown context!');
866 return false;
867 }
868}
869
870
871/**
872 * A print form function. This should either grab all the capabilities from
873 * files or a central table for that particular module instance, then present
874 * them in check boxes. Only relevant capabilities should print for known
875 * context.
876 * @param $mod - module id of the mod
877 */
878function print_capabilities($modid=0) {
879 global $CFG;
eef868d1 880
bbbf2d40 881 $capabilities = array();
882
883 if ($modid) {
884 // We are in a module specific context.
885
886 // Get the mod's name.
887 // Call the function that grabs the file and parse.
888 $cm = get_record('course_modules', 'id', $modid);
889 $module = get_record('modules', 'id', $cm->module);
eef868d1 890
bbbf2d40 891 } else {
892 // Print all capabilities.
893 foreach ($capabilities as $capability) {
894 // Prints the check box component.
895 }
896 }
897}
898
899
900/**
1afecc03 901 * Installs the roles system.
902 * This function runs on a fresh install as well as on an upgrade from the old
903 * hard-coded student/teacher/admin etc. roles to the new roles system.
bbbf2d40 904 */
1afecc03 905function moodle_install_roles() {
bbbf2d40 906
1afecc03 907 global $CFG, $db;
eef868d1 908
bbbf2d40 909 // Create a system wide context for assignemnt.
910 $systemcontext = $context = get_context_instance(CONTEXT_SYSTEM, SITEID);
911
1afecc03 912
913 // Create default/legacy roles and capabilities.
914 // (1 legacy capability per legacy role at system level).
eef868d1 915 $adminrole = create_role(get_string('administrator'), 'admin', get_string('administratordescription'), 'moodle/legacy:admin');
98882637 916 if (!assign_capability('moodle/site:doanything', CAP_ALLOW, $adminrole, $systemcontext->id)) {
bbbf2d40 917 error('Could not assign moodle/site:doanything to the admin role');
918 }
eef868d1 919 $coursecreatorrole = create_role(get_string('coursecreators'), 'coursecreator', get_string('coursecreatorsdescription'), 'moodle/legacy:coursecreator');
920 $editteacherrole = create_role(get_string('defaultcourseteacher'), 'editingteacher', get_string('defaultcourseteacherdescription'), 'moodle/legacy:editingteacher');
921 $noneditteacherrole = create_role(get_string('noneditingteacher'), 'teacher', get_string('noneditingteacherdescription'), 'moodle/legacy:teacher');
31f26796 922 $studentrole = create_role(get_string('defaultcoursestudent'), 'student', get_string('defaultcoursestudentdescription'), 'moodle/legacy:student');
923 $guestrole = create_role(get_string('guest'), 'guest', get_string('guestdescription'), 'moodle/legacy:guest');
1afecc03 924
925
926 // Look inside user_admin, user_creator, user_teachers, user_students and
927 // assign above new roles. If a user has both teacher and student role,
928 // only teacher role is assigned. The assignment should be system level.
929 $dbtables = $db->MetaTables('TABLES');
eef868d1 930
1afecc03 931
98882637 932 /**
bbbf2d40 933 * Upgrade the admins.
1afecc03 934 * Sort using id ASC, first one is primary admin.
bbbf2d40 935 */
1afecc03 936 if (in_array($CFG->prefix.'user_admins', $dbtables)) {
eef868d1 937 if ($useradmins = get_records_sql('SELECT * from '.$CFG->prefix.'user_admins ORDER BY ID ASC')) {
1afecc03 938 foreach ($useradmins as $admin) {
939 role_assign($adminrole, $admin->userid, 0, $systemcontext->id);
940 }
941 }
942 } else {
943 // This is a fresh install.
bbbf2d40 944 }
1afecc03 945
946
bbbf2d40 947 /**
948 * Upgrade course creators.
949 */
1afecc03 950 if (in_array($CFG->prefix.'user_coursecreators', $dbtables)) {
951 if ($usercoursecreators = get_records('user_coursecreators')) {
952 foreach ($usercoursecreators as $coursecreator) {
56b4d70d 953 role_assign($coursecreatorrole, $coursecreator->userid, 0, $systemcontext->id);
1afecc03 954 }
955 }
bbbf2d40 956 }
957
1afecc03 958
bbbf2d40 959 /**
960 * Upgrade editting teachers and non-editting teachers.
961 */
1afecc03 962 if (in_array($CFG->prefix.'user_teachers', $dbtables)) {
963 if ($userteachers = get_records('user_teachers')) {
964 foreach ($userteachers as $teacher) {
17d6a25e 965 // populate the user_lastaccess table
ece4945b 966 $access = new object();
17d6a25e 967 $access->timeaccess = $teacher->timeaccess;
968 $access->userid = $teacher->userid;
969 $access->courseid = $teacher->course;
970 insert_record('user_lastaccess', $access);
971 // assign the default student role
1afecc03 972 $coursecontext = get_context_instance(CONTEXT_COURSE, $teacher->course); // needs cache
973 if ($teacher->editall) { // editting teacher
974 role_assign($editteacherrole, $teacher->userid, 0, $coursecontext->id);
975 } else {
976 role_assign($noneditteacherrole, $teacher->userid, 0, $coursecontext->id);
977 }
978 }
bbbf2d40 979 }
980 }
1afecc03 981
982
bbbf2d40 983 /**
984 * Upgrade students.
985 */
1afecc03 986 if (in_array($CFG->prefix.'user_students', $dbtables)) {
987 if ($userstudents = get_records('user_students')) {
eef868d1 988 foreach ($userstudents as $student) {
17d6a25e 989 // populate the user_lastaccess table
990 unset($access);
991 $access->timeaccess = $student->timeaccess;
992 $access->userid = $student->userid;
993 $access->courseid = $student->course;
994 insert_record('user_lastaccess', $access);
995 // assign the default student role
1afecc03 996 $coursecontext = get_context_instance(CONTEXT_COURSE, $student->course);
997 role_assign($studentrole, $student->userid, 0, $coursecontext->id);
998 }
999 }
bbbf2d40 1000 }
1afecc03 1001
1002
bbbf2d40 1003 /**
1004 * Upgrade guest (only 1 entry).
1005 */
1afecc03 1006 if ($guestuser = get_record('user', 'username', 'guest')) {
1007 role_assign($guestrole, $guestuser->id, 0, $systemcontext->id);
1008 }
1009
945f88ca 1010 /**
eef868d1 1011 * Insert the correct records for legacy roles
945f88ca 1012 */
1013 allow_assign($adminrole, $adminrole);
1014 allow_assign($adminrole, $coursecreatorrole);
1015 allow_assign($adminrole, $noneditteacherrole);
eef868d1 1016 allow_assign($adminrole, $editteacherrole);
945f88ca 1017 allow_assign($adminrole, $studentrole);
1018 allow_assign($adminrole, $guestrole);
eef868d1 1019
945f88ca 1020 allow_assign($coursecreatorrole, $noneditteacherrole);
1021 allow_assign($coursecreatorrole, $editteacherrole);
eef868d1 1022 allow_assign($coursecreatorrole, $studentrole);
945f88ca 1023 allow_assign($coursecreatorrole, $guestrole);
eef868d1 1024
1025 allow_assign($editteacherrole, $noneditteacherrole);
1026 allow_assign($editteacherrole, $studentrole);
945f88ca 1027 allow_assign($editteacherrole, $guestrole);
eef868d1 1028
945f88ca 1029 /// overrides
1030 allow_override($adminrole, $adminrole);
1031 allow_override($adminrole, $coursecreatorrole);
1032 allow_override($adminrole, $noneditteacherrole);
eef868d1 1033 allow_override($adminrole, $editteacherrole);
945f88ca 1034 allow_override($adminrole, $studentrole);
eef868d1 1035 allow_override($adminrole, $guestrole);
1afecc03 1036
746a04c5 1037
1afecc03 1038 // Should we delete the tables after we are done? Not yet.
bbbf2d40 1039}
1040
bbbf2d40 1041/**
1042 * Assign the defaults found in this capabality definition to roles that have
1043 * the corresponding legacy capabilities assigned to them.
1044 * @param $legacyperms - an array in the format (example):
1045 * 'guest' => CAP_PREVENT,
1046 * 'student' => CAP_ALLOW,
1047 * 'teacher' => CAP_ALLOW,
1048 * 'editingteacher' => CAP_ALLOW,
1049 * 'coursecreator' => CAP_ALLOW,
1050 * 'admin' => CAP_ALLOW
1051 * @return boolean - success or failure.
1052 */
1053function assign_legacy_capabilities($capability, $legacyperms) {
eef868d1 1054
bbbf2d40 1055 foreach ($legacyperms as $type => $perm) {
eef868d1 1056
bbbf2d40 1057 $systemcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
eef868d1 1058
bbbf2d40 1059 // The legacy capabilities are:
1060 // 'moodle/legacy:guest'
1061 // 'moodle/legacy:student'
1062 // 'moodle/legacy:teacher'
1063 // 'moodle/legacy:editingteacher'
1064 // 'moodle/legacy:coursecreator'
1065 // 'moodle/legacy:admin'
eef868d1 1066
2e85fffe 1067 if ($roles = get_roles_with_capability('moodle/legacy:'.$type, CAP_ALLOW)) {
1068 foreach ($roles as $role) {
1069 // Assign a site level capability.
1070 if (!assign_capability($capability, $perm, $role->id, $systemcontext->id)) {
1071 return false;
1072 }
bbbf2d40 1073 }
1074 }
1075 }
1076 return true;
1077}
1078
1079
cee0901c 1080/**
1081 * Checks to see if a capability is a legacy capability.
1082 * @param $capabilityname
1083 * @return boolean
1084 */
bbbf2d40 1085function islegacy($capabilityname) {
98882637 1086 if (strstr($capabilityname, 'legacy') === false) {
eef868d1 1087 return false;
98882637 1088 } else {
eef868d1 1089 return true;
98882637 1090 }
bbbf2d40 1091}
1092
cee0901c 1093
1094
1095/**********************************
bbbf2d40 1096 * Context Manipulation functions *
1097 **********************************/
1098
bbbf2d40 1099/**
9991d157 1100 * Create a new context record for use by all roles-related stuff
bbbf2d40 1101 * @param $level
1102 * @param $instanceid
1103 */
aad2ba95 1104function create_context($contextlevel, $instanceid) {
1105 if (!get_record('context','contextlevel',$contextlevel,'instanceid',$instanceid)) {
bbbf2d40 1106 $context = new object;
aad2ba95 1107 $context->contextlevel = $contextlevel;
bbbf2d40 1108 $context->instanceid = $instanceid;
1109 return insert_record('context',$context);
1110 }
1111}
1112
9991d157 1113/**
1114 * Create a new context record for use by all roles-related stuff
1115 * @param $level
1116 * @param $instanceid
1117 */
1118function delete_context($contextlevel, $instanceid) {
1119 if ($context = get_context_instance($contextlevel, $instanceid)) {
1120 return delete_records('context', 'id', $context->id) &&
1121 delete_records('role_assignments', 'contextid', $context->id) &&
1122 delete_records('role_role_capabilities', 'contextid', $context->id);
1123 }
1124 return true;
1125}
1126
bbbf2d40 1127
1128/**
1129 * Get the context instance as an object. This function will create the
1130 * context instance if it does not exist yet.
1131 * @param $level
1132 * @param $instance
1133 */
aad2ba95 1134function get_context_instance($contextlevel=NULL, $instance=SITEID) {
e5605780 1135
51195e6f 1136 global $context_cache, $context_cache_id, $CONTEXT;
d9a35e12 1137
340ea4e8 1138/// If no level is supplied then return the current global context if there is one
aad2ba95 1139 if (empty($contextlevel)) {
340ea4e8 1140 if (empty($CONTEXT)) {
ea82d6b6 1141 debugging("Error: get_context_instance() called without a context");
340ea4e8 1142 } else {
1143 return $CONTEXT;
1144 }
e5605780 1145 }
1146
340ea4e8 1147/// Check the cache
aad2ba95 1148 if (isset($context_cache[$contextlevel][$instance])) { // Already cached
1149 return $context_cache[$contextlevel][$instance];
e5605780 1150 }
1151
340ea4e8 1152/// Get it from the database, or create it
aad2ba95 1153 if (!$context = get_record('context', 'contextlevel', $contextlevel, 'instanceid', $instance)) {
1154 create_context($contextlevel, $instance);
1155 $context = get_record('context', 'contextlevel', $contextlevel, 'instanceid', $instance);
e5605780 1156 }
1157
ccfc5ecc 1158/// Only add to cache if context isn't empty.
1159 if (!empty($context)) {
aad2ba95 1160 $context_cache[$contextlevel][$instance] = $context; // Cache it for later
ccfc5ecc 1161 $context_cache_id[$context->id] = $context; // Cache it for later
1162 }
0468976c 1163
bbbf2d40 1164 return $context;
1165}
1166
cee0901c 1167
340ea4e8 1168/**
1169 * Get a context instance as an object, from a given id.
1170 * @param $id
1171 */
1172function get_context_instance_by_id($id) {
1173
d9a35e12 1174 global $context_cache, $context_cache_id;
1175
340ea4e8 1176 if (isset($context_cache_id[$id])) { // Already cached
75e84883 1177 return $context_cache_id[$id];
340ea4e8 1178 }
1179
1180 if ($context = get_record('context', 'id', $id)) { // Update the cache and return
aad2ba95 1181 $context_cache[$context->contextlevel][$context->instanceid] = $context;
340ea4e8 1182 $context_cache_id[$context->id] = $context;
1183 return $context;
1184 }
1185
1186 return false;
1187}
1188
bbbf2d40 1189
8737be58 1190/**
1191 * Get the local override (if any) for a given capability in a role in a context
1192 * @param $roleid
0468976c 1193 * @param $contextid
1194 * @param $capability
8737be58 1195 */
1196function get_local_override($roleid, $contextid, $capability) {
1197 return get_record('role_capabilities', 'roleid', $roleid, 'capability', $capability, 'contextid', $contextid);
1198}
1199
1200
bbbf2d40 1201
1202/************************************
1203 * DB TABLE RELATED FUNCTIONS *
1204 ************************************/
1205
cee0901c 1206/**
bbbf2d40 1207 * function that creates a role
1208 * @param name - role name
31f26796 1209 * @param shortname - role short name
bbbf2d40 1210 * @param description - role description
1211 * @param legacy - optional legacy capability
1212 * @return id or false
1213 */
8420bee9 1214function create_role($name, $shortname, $description, $legacy='') {
eef868d1 1215
98882637 1216 // check for duplicate role name
eef868d1 1217
98882637 1218 if ($role = get_record('role','name', $name)) {
eef868d1 1219 error('there is already a role with this name!');
98882637 1220 }
eef868d1 1221
31f26796 1222 if ($role = get_record('role','shortname', $shortname)) {
eef868d1 1223 error('there is already a role with this shortname!');
31f26796 1224 }
1225
b5959f30 1226 $role = new object();
98882637 1227 $role->name = $name;
31f26796 1228 $role->shortname = $shortname;
98882637 1229 $role->description = $description;
eef868d1 1230
8420bee9 1231 //find free sortorder number
1232 $role->sortorder = count_records('role');
1233 while (get_record('role','sortorder', $role->sortorder)) {
1234 $role->sortorder += 1;
b5959f30 1235 }
1236
eef868d1 1237 $context = get_context_instance(CONTEXT_SYSTEM, SITEID);
1238
98882637 1239 if ($id = insert_record('role', $role)) {
eef868d1 1240 if ($legacy) {
1241 assign_capability($legacy, CAP_ALLOW, $id, $context->id);
98882637 1242 }
eef868d1 1243
ec7a8b79 1244 /// By default, users with role:manage at site level
1245 /// should be able to assign users to this new role, and override this new role's capabilities
eef868d1 1246
ec7a8b79 1247 // find all admin roles
e46c0987 1248 if ($adminroles = get_roles_with_capability('moodle/role:manage', CAP_ALLOW, $context)) {
1249 // foreach admin role
1250 foreach ($adminroles as $arole) {
1251 // write allow_assign and allow_overrid
1252 allow_assign($arole->id, $id);
eef868d1 1253 allow_override($arole->id, $id);
e46c0987 1254 }
ec7a8b79 1255 }
eef868d1 1256
98882637 1257 return $id;
1258 } else {
eef868d1 1259 return false;
98882637 1260 }
eef868d1 1261
bbbf2d40 1262}
1263
8420bee9 1264/**
1265 * function that deletes a role and cleanups up after it
1266 * @param roleid - id of role to delete
1267 * @return success
1268 */
1269function delete_role($roleid) {
1270 $success = true;
1271
1272// first unssign all users
1273 if (!role_unassign($roleid)) {
1274 debugging("Error while unassigning all users from role with ID $roleid!");
1275 $success = false;
1276 }
1277
1278// cleanup all references to this role, ignore errors
1279 if ($success) {
1280 delete_records('role_capabilities', 'roleid', $roleid);
1281 delete_records('role_allow_assign', 'roleid', $roleid);
1282 delete_records('role_allow_assign', 'allowassign', $roleid);
1283 delete_records('role_allow_override', 'roleid', $roleid);
1284 delete_records('role_allow_override', 'allowoverride', $roleid);
1285 delete_records('role_names', 'roleid', $roleid);
1286 }
1287
1288// finally delete the role itself
1289 if ($success and !delete_records('role', 'id', $roleid)) {
ece4945b 1290 debugging("Could not delete role record with ID $roleid!");
8420bee9 1291 $success = false;
1292 }
1293
1294 return $success;
1295}
1296
bbbf2d40 1297/**
1298 * Function to write context specific overrides, or default capabilities.
1299 * @param module - string name
1300 * @param capability - string name
1301 * @param contextid - context id
1302 * @param roleid - role id
1303 * @param permission - int 1,-1 or -1000
1304 */
e7876c1e 1305function assign_capability($capability, $permission, $roleid, $contextid, $overwrite=false) {
eef868d1 1306
98882637 1307 global $USER;
eef868d1 1308
98882637 1309 if (empty($permission) || $permission == 0) { // if permission is not set
eef868d1 1310 unassign_capability($capability, $roleid, $contextid);
98882637 1311 }
eef868d1 1312
2e85fffe 1313 $existing = get_record('role_capabilities', 'contextid', $contextid, 'roleid', $roleid, 'capability', $capability);
e7876c1e 1314
1315 if ($existing and !$overwrite) { // We want to keep whatever is there already
1316 return true;
1317 }
1318
bbbf2d40 1319 $cap = new object;
1320 $cap->contextid = $contextid;
1321 $cap->roleid = $roleid;
1322 $cap->capability = $capability;
1323 $cap->permission = $permission;
1324 $cap->timemodified = time();
9db12da7 1325 $cap->modifierid = empty($USER->id) ? 0 : $USER->id;
e7876c1e 1326
1327 if ($existing) {
1328 $cap->id = $existing->id;
1329 return update_record('role_capabilities', $cap);
1330 } else {
1331 return insert_record('role_capabilities', $cap);
1332 }
bbbf2d40 1333}
1334
1335
1336/**
1337 * Unassign a capability from a role.
1338 * @param $roleid - the role id
1339 * @param $capability - the name of the capability
1340 * @return boolean - success or failure
1341 */
1342function unassign_capability($capability, $roleid, $contextid=NULL) {
eef868d1 1343
98882637 1344 if (isset($contextid)) {
1345 $status = delete_records('role_capabilities', 'capability', $capability,
1346 'roleid', $roleid, 'contextid', $contextid);
1347 } else {
1348 $status = delete_records('role_capabilities', 'capability', $capability,
1349 'roleid', $roleid);
1350 }
1351 return $status;
bbbf2d40 1352}
1353
1354
1355/**
759ac72d 1356 * Get the roles that have a given capability assigned to it. This function
1357 * does not resolve the actual permission of the capability. It just checks
1358 * for assignment only.
bbbf2d40 1359 * @param $capability - capability name (string)
1360 * @param $permission - optional, the permission defined for this capability
1361 * either CAP_ALLOW, CAP_PREVENT or CAP_PROHIBIT
1362 * @return array or role objects
1363 */
ec7a8b79 1364function get_roles_with_capability($capability, $permission=NULL, $context='') {
1365
bbbf2d40 1366 global $CFG;
eef868d1 1367
ec7a8b79 1368 if ($context) {
1369 if ($contexts = get_parent_contexts($context)) {
1370 $listofcontexts = '('.implode(',', $contexts).')';
1371 } else {
1372 $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
eef868d1 1373 $listofcontexts = '('.$sitecontext->id.')'; // must be site
1374 }
42ac3ecf 1375 $contextstr = "AND (rc.contextid = '$context->id' OR rc.contextid IN $listofcontexts)";
ec7a8b79 1376 } else {
1377 $contextstr = '';
1378 }
eef868d1 1379
1380 $selectroles = "SELECT r.*
42ac3ecf 1381 FROM {$CFG->prefix}role r,
1382 {$CFG->prefix}role_capabilities rc
bbbf2d40 1383 WHERE rc.capability = '$capability'
ec7a8b79 1384 AND rc.roleid = r.id $contextstr";
bbbf2d40 1385
1386 if (isset($permission)) {
1387 $selectroles .= " AND rc.permission = '$permission'";
1388 }
1389 return get_records_sql($selectroles);
1390}
1391
1392
1393/**
a9e1c058 1394 * This function makes a role-assignment (a role for a user or group in a particular context)
bbbf2d40 1395 * @param $roleid - the role of the id
1396 * @param $userid - userid
1397 * @param $groupid - group id
1398 * @param $contextid - id of the context
1399 * @param $timestart - time this assignment becomes effective
1400 * @param $timeend - time this assignemnt ceases to be effective
1401 * @uses $USER
1402 * @return id - new id of the assigment
1403 */
f44152f4 1404function role_assign($roleid, $userid, $groupid, $contextid, $timestart=0, $timeend=0, $hidden=0, $enrol='manual') {
aa311411 1405 global $USER, $CFG;
bbbf2d40 1406
7eb0b60a 1407 debugging("Assign roleid $roleid userid $userid contextid $contextid", DEBUG_DEVELOPER);
bbbf2d40 1408
a9e1c058 1409/// Do some data validation
1410
bbbf2d40 1411 if (empty($roleid)) {
9d829c68 1412 debugging('Role ID not provided');
a9e1c058 1413 return false;
bbbf2d40 1414 }
1415
1416 if (empty($userid) && empty($groupid)) {
9d829c68 1417 debugging('Either userid or groupid must be provided');
a9e1c058 1418 return false;
bbbf2d40 1419 }
eef868d1 1420
7700027f 1421 if ($userid && !record_exists('user', 'id', $userid)) {
82396e5b 1422 debugging('User ID '.intval($userid).' does not exist!');
7700027f 1423 return false;
1424 }
bbbf2d40 1425
dc411d1b 1426 if ($groupid && !record_exists('groups', 'id', $groupid)) {
82396e5b 1427 debugging('Group ID '.intval($groupid).' does not exist!');
dc411d1b 1428 return false;
1429 }
1430
7700027f 1431 if (!$context = get_context_instance_by_id($contextid)) {
82396e5b 1432 debugging('Context ID '.intval($contextid).' does not exist!');
a9e1c058 1433 return false;
bbbf2d40 1434 }
1435
a9e1c058 1436 if (($timestart and $timeend) and ($timestart > $timeend)) {
9d829c68 1437 debugging('The end time can not be earlier than the start time');
a9e1c058 1438 return false;
1439 }
1440
7700027f 1441
a9e1c058 1442/// Check for existing entry
1443 if ($userid) {
7700027f 1444 $ra = get_record('role_assignments', 'roleid', $roleid, 'contextid', $context->id, 'userid', $userid);
a9e1c058 1445 } else {
7700027f 1446 $ra = get_record('role_assignments', 'roleid', $roleid, 'contextid', $context->id, 'groupid', $groupid);
a9e1c058 1447 }
1448
9ebcb4d2 1449
a9e1c058 1450 $newra = new object;
bbbf2d40 1451
a9e1c058 1452 if (empty($ra)) { // Create a new entry
1453 $newra->roleid = $roleid;
7700027f 1454 $newra->contextid = $context->id;
a9e1c058 1455 $newra->userid = $userid;
1456 $newra->groupid = $groupid;
1457
1458 $newra->hidden = $hidden;
f44152f4 1459 $newra->enrol = $enrol;
a9e1c058 1460 $newra->timestart = $timestart;
1461 $newra->timeend = $timeend;
1462 $newra->timemodified = time();
1463 $newra->modifier = empty($USER->id) ? 0 : $USER->id;
1464
9ebcb4d2 1465 $success = insert_record('role_assignments', $newra);
a9e1c058 1466
1467 } else { // We already have one, just update it
1468
1469 $newra->id = $ra->id;
1470 $newra->hidden = $hidden;
f44152f4 1471 $newra->enrol = $enrol;
a9e1c058 1472 $newra->timestart = $timestart;
1473 $newra->timeend = $timeend;
1474 $newra->timemodified = time();
1475 $newra->modifier = empty($USER->id) ? 0 : $USER->id;
1476
9ebcb4d2 1477 $success = update_record('role_assignments', $newra);
1478 }
1479
7700027f 1480 if ($success) { /// Role was assigned, so do some other things
1481
1482 /// If the user is the current user, then reload the capabilities too.
1483 if (!empty($USER->id) && $USER->id == $userid) {
1484 load_user_capability();
1485 }
1486
0f161e1f 1487 /// Ask all the modules if anything needs to be done for this user
1488 if ($mods = get_list_of_plugins('mod')) {
1489 foreach ($mods as $mod) {
1490 include_once($CFG->dirroot.'/mod/'.$mod.'/lib.php');
1491 $functionname = $mod.'_role_assign';
1492 if (function_exists($functionname)) {
1493 $functionname($userid, $context);
1494 }
1495 }
1496 }
1497
1498 /// Make sure they have an entry in user_lastaccess for courses they can access
1499 // role_add_lastaccess_entries($userid, $context);
a9e1c058 1500 }
eef868d1 1501
4e5f3064 1502 /// now handle metacourse role assignments if in course context
aad2ba95 1503 if ($success and $context->contextlevel == CONTEXT_COURSE) {
4e5f3064 1504 if ($parents = get_records('course_meta', 'child_course', $context->instanceid)) {
1505 foreach ($parents as $parent) {
1aad4310 1506 sync_metacourse($parent->parent_course);
4e5f3064 1507 }
1508 }
1509 }
6eb4f823 1510
1511 return $success;
bbbf2d40 1512}
1513
1514
1515/**
1dc1f037 1516 * Deletes one or more role assignments. You must specify at least one parameter.
bbbf2d40 1517 * @param $roleid
1518 * @param $userid
1519 * @param $groupid
1520 * @param $contextid
1521 * @return boolean - success or failure
1522 */
1dc1f037 1523function role_unassign($roleid=0, $userid=0, $groupid=0, $contextid=0) {
d74067e8 1524
1525 global $USER, $CFG;
eef868d1 1526
4e5f3064 1527 $success = true;
d74067e8 1528
1dc1f037 1529 $args = array('roleid', 'userid', 'groupid', 'contextid');
1530 $select = array();
1531 foreach ($args as $arg) {
1532 if ($$arg) {
1533 $select[] = $arg.' = '.$$arg;
1534 }
1535 }
d74067e8 1536
1dc1f037 1537 if ($select) {
4e5f3064 1538 if ($ras = get_records_select('role_assignments', implode(' AND ', $select))) {
1539 $mods = get_list_of_plugins('mod');
1540 foreach($ras as $ra) {
86e2c51d 1541 /// infinite loop protection when deleting recursively
1542 if (!$ra = get_record('role_assignments', 'id', $ra->id)) {
1543 continue;
1544 }
4e5f3064 1545 $success = delete_records('role_assignments', 'id', $ra->id) and $success;
86e2c51d 1546
4e5f3064 1547 /// If the user is the current user, then reload the capabilities too.
1548 if (!empty($USER->id) && $USER->id == $ra->userid) {
1549 load_user_capability();
1550 }
1551 $context = get_record('context', 'id', $ra->contextid);
0f161e1f 1552
1553 /// Ask all the modules if anything needs to be done for this user
4e5f3064 1554 foreach ($mods as $mod) {
1555 include_once($CFG->dirroot.'/mod/'.$mod.'/lib.php');
1556 $functionname = $mod.'_role_unassign';
1557 if (function_exists($functionname)) {
1558 $functionname($ra->userid, $context); // watch out, $context might be NULL if something goes wrong
1559 }
1560 }
1561
1562 /// now handle metacourse role unassigment and removing from goups if in course context
aad2ba95 1563 if (!empty($context) and $context->contextlevel == CONTEXT_COURSE) {
4e5f3064 1564 //remove from groups when user has no role
1565 $roles = get_user_roles($context, $ra->userid, true);
1566 if (empty($roles)) {
1567 if ($groups = get_groups($context->instanceid, $ra->userid)) {
1568 foreach ($groups as $group) {
1569 delete_records('groups_members', 'groupid', $group->id, 'userid', $ra->userid);
1570 }
1571 }
1572 }
1aad4310 1573 //unassign roles in metacourses if needed
4e5f3064 1574 if ($parents = get_records('course_meta', 'child_course', $context->instanceid)) {
1575 foreach ($parents as $parent) {
1aad4310 1576 sync_metacourse($parent->parent_course);
0f161e1f 1577 }
1578 }
0f161e1f 1579 }
1580 }
d74067e8 1581 }
1dc1f037 1582 }
4e5f3064 1583
1584 return $success;
bbbf2d40 1585}
1586
eef868d1 1587/*
1588 * A convenience function to take care of the common case where you
b963384f 1589 * just want to enrol someone using the default role into a course
1590 *
1591 * @param object $course
1592 * @param object $user
1593 * @param string $enrol - the plugin used to do this enrolment
1594 */
1595function enrol_into_course($course, $user, $enrol) {
1596
1597 if ($course->enrolperiod) {
1598 $timestart = time();
1599 $timeend = time() + $course->enrolperiod;
1600 } else {
1601 $timestart = $timeend = 0;
1602 }
1603
1604 if ($role = get_default_course_role($course)) {
c4381ef5 1605
1606 $context = get_context_instance(CONTEXT_COURSE, $course->id);
1607
e2183037 1608 if (!role_assign($role->id, $user->id, 0, $context->id, $timestart, $timeend, 0, $enrol)) {
b963384f 1609 return false;
1610 }
eef868d1 1611
b963384f 1612 email_welcome_message_to_user($course, $user);
eef868d1 1613
b963384f 1614 add_to_log($course->id, 'course', 'enrol', 'view.php?id='.$course->id, $user->id);
1615
1616 return true;
1617 }
1618
1619 return false;
1620}
1621
0f161e1f 1622/**
1623 * Add last access times to user_lastaccess as required
1624 * @param $userid
1625 * @param $context
1626 * @return boolean - success or failure
1627 */
1628function role_add_lastaccess_entries($userid, $context) {
1629
1630 global $USER, $CFG;
1631
aad2ba95 1632 if (empty($context->contextlevel)) {
0f161e1f 1633 return false;
1634 }
1635
1636 $lastaccess = new object; // Reusable object below
1637 $lastaccess->userid = $userid;
1638 $lastaccess->timeaccess = 0;
1639
aad2ba95 1640 switch ($context->contextlevel) {
0f161e1f 1641
1642 case CONTEXT_SYSTEM: // For the whole site
1643 if ($courses = get_record('course')) {
1644 foreach ($courses as $course) {
1645 $lastaccess->courseid = $course->id;
1646 role_set_lastaccess($lastaccess);
1647 }
1648 }
1649 break;
1650
1651 case CONTEXT_CATEGORY: // For a whole category
1652 if ($courses = get_record('course', 'category', $context->instanceid)) {
1653 foreach ($courses as $course) {
1654 $lastaccess->courseid = $course->id;
1655 role_set_lastaccess($lastaccess);
1656 }
1657 }
1658 if ($categories = get_record('course_categories', 'parent', $context->instanceid)) {
1659 foreach ($categories as $category) {
1660 $subcontext = get_context_instance(CONTEXT_CATEGORY, $category->id);
1661 role_add_lastaccess_entries($userid, $subcontext);
1662 }
1663 }
1664 break;
eef868d1 1665
0f161e1f 1666
1667 case CONTEXT_COURSE: // For a whole course
1668 if ($course = get_record('course', 'id', $context->instanceid)) {
1669 $lastaccess->courseid = $course->id;
1670 role_set_lastaccess($lastaccess);
1671 }
1672 break;
1673 }
1674}
1675
1676/**
1677 * Delete last access times from user_lastaccess as required
1678 * @param $userid
1679 * @param $context
1680 * @return boolean - success or failure
1681 */
1682function role_remove_lastaccess_entries($userid, $context) {
1683
1684 global $USER, $CFG;
1685
1686}
1687
bbbf2d40 1688
1689/**
1690 * Loads the capability definitions for the component (from file). If no
1691 * capabilities are defined for the component, we simply return an empty array.
1692 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
1693 * @return array of capabilities
1694 */
1695function load_capability_def($component) {
1696 global $CFG;
1697
1698 if ($component == 'moodle') {
1699 $defpath = $CFG->libdir.'/db/access.php';
1700 $varprefix = 'moodle';
1701 } else {
0c4d9f49 1702 $compparts = explode('/', $component);
eef868d1 1703
0c4d9f49 1704 if ($compparts[0] == 'block') {
1705 // Blocks are an exception. Blocks directory is 'blocks', and not
1706 // 'block'. So we need to jump through hoops.
1707 $defpath = $CFG->dirroot.'/'.$compparts[0].
1708 's/'.$compparts[1].'/db/access.php';
1709 $varprefix = $compparts[0].'_'.$compparts[1];
1710 } else {
1711 $defpath = $CFG->dirroot.'/'.$component.'/db/access.php';
1712 $varprefix = str_replace('/', '_', $component);
1713 }
bbbf2d40 1714 }
1715 $capabilities = array();
eef868d1 1716
bbbf2d40 1717 if (file_exists($defpath)) {
1718 require_once($defpath);
1719 $capabilities = ${$varprefix.'_capabilities'};
1720 }
1721 return $capabilities;
1722}
1723
1724
1725/**
1726 * Gets the capabilities that have been cached in the database for this
1727 * component.
1728 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
1729 * @return array of capabilities
1730 */
1731function get_cached_capabilities($component='moodle') {
1732 if ($component == 'moodle') {
1733 $storedcaps = get_records_select('capabilities',
1734 "name LIKE 'moodle/%:%'");
1735 } else {
1736 $storedcaps = get_records_select('capabilities',
1737 "name LIKE '$component:%'");
1738 }
1739 return $storedcaps;
1740}
1741
1742
1743/**
1744 * Updates the capabilities table with the component capability definitions.
1745 * If no parameters are given, the function updates the core moodle
1746 * capabilities.
1747 *
1748 * Note that the absence of the db/access.php capabilities definition file
1749 * will cause any stored capabilities for the component to be removed from
eef868d1 1750 * the database.
bbbf2d40 1751 *
1752 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
1753 * @return boolean
1754 */
1755function update_capabilities($component='moodle') {
eef868d1 1756
bbbf2d40 1757 $storedcaps = array();
be4486da 1758
1759 $filecaps = load_capability_def($component);
bbbf2d40 1760 $cachedcaps = get_cached_capabilities($component);
1761 if ($cachedcaps) {
1762 foreach ($cachedcaps as $cachedcap) {
1763 array_push($storedcaps, $cachedcap->name);
be4486da 1764 // update risk bitmasks in existing capabilitites if needed
1765 if (array_key_exists($cachedcap->name, $filecaps)) {
1766 if (!array_key_exists('riskbitmask', $filecaps[$cachedcap->name])) {
2b531945 1767 $filecaps[$cachedcap->name]['riskbitmask'] = 0; // no risk if not specified
be4486da 1768 }
1769 if ($cachedcap->riskbitmask != $filecaps[$cachedcap->name]['riskbitmask']) {
1770 $updatecap = new object;
1771 $updatecap->id = $cachedcap->id;
1772 $updatecap->riskbitmask = $filecaps[$cachedcap->name]['riskbitmask'];
1773 if (!update_record('capabilities', $updatecap)) {
1774 return false;
1775 }
1776 }
1777 }
bbbf2d40 1778 }
1779 }
be4486da 1780
bbbf2d40 1781 // Are there new capabilities in the file definition?
1782 $newcaps = array();
eef868d1 1783
bbbf2d40 1784 foreach ($filecaps as $filecap => $def) {
eef868d1 1785 if (!$storedcaps ||
bbbf2d40 1786 ($storedcaps && in_array($filecap, $storedcaps) === false)) {
2b531945 1787 if (!array_key_exists('riskbitmask', $def)) {
1788 $def['riskbitmask'] = 0; // no risk if not specified
1789 }
bbbf2d40 1790 $newcaps[$filecap] = $def;
1791 }
1792 }
1793 // Add new capabilities to the stored definition.
1794 foreach ($newcaps as $capname => $capdef) {
1795 $capability = new object;
1796 $capability->name = $capname;
1797 $capability->captype = $capdef['captype'];
1798 $capability->contextlevel = $capdef['contextlevel'];
1799 $capability->component = $component;
be4486da 1800 $capability->riskbitmask = $capdef['riskbitmask'];
eef868d1 1801
bbbf2d40 1802 if (!insert_record('capabilities', $capability, false, 'id')) {
1803 return false;
1804 }
eef868d1 1805
bbbf2d40 1806 // Do we need to assign the new capabilities to roles that have the
1807 // legacy capabilities moodle/legacy:* as well?
1808 if (isset($capdef['legacy']) && is_array($capdef['legacy']) &&
1809 !assign_legacy_capabilities($capname, $capdef['legacy'])) {
2e85fffe 1810 notify('Could not assign legacy capabilities for '.$capname);
bbbf2d40 1811 }
1812 }
1813 // Are there any capabilities that have been removed from the file
1814 // definition that we need to delete from the stored capabilities and
1815 // role assignments?
1816 capabilities_cleanup($component, $filecaps);
eef868d1 1817
bbbf2d40 1818 return true;
1819}
1820
1821
1822/**
1823 * Deletes cached capabilities that are no longer needed by the component.
1824 * Also unassigns these capabilities from any roles that have them.
1825 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
1826 * @param $newcapdef - array of the new capability definitions that will be
1827 * compared with the cached capabilities
1828 * @return int - number of deprecated capabilities that have been removed
1829 */
1830function capabilities_cleanup($component, $newcapdef=NULL) {
eef868d1 1831
bbbf2d40 1832 $removedcount = 0;
eef868d1 1833
bbbf2d40 1834 if ($cachedcaps = get_cached_capabilities($component)) {
1835 foreach ($cachedcaps as $cachedcap) {
1836 if (empty($newcapdef) ||
1837 array_key_exists($cachedcap->name, $newcapdef) === false) {
eef868d1 1838
bbbf2d40 1839 // Remove from capabilities cache.
1840 if (!delete_records('capabilities', 'name', $cachedcap->name)) {
1841 error('Could not delete deprecated capability '.$cachedcap->name);
1842 } else {
1843 $removedcount++;
1844 }
1845 // Delete from roles.
1846 if($roles = get_roles_with_capability($cachedcap->name)) {
1847 foreach($roles as $role) {
46943f7b 1848 if (!unassign_capability($cachedcap->name, $role->id)) {
bbbf2d40 1849 error('Could not unassign deprecated capability '.
1850 $cachedcap->name.' from role '.$role->name);
1851 }
1852 }
1853 }
1854 } // End if.
1855 }
1856 }
1857 return $removedcount;
1858}
1859
1860
1861
cee0901c 1862/****************
1863 * UI FUNCTIONS *
1864 ****************/
bbbf2d40 1865
1866
1867/**
1868 * prints human readable context identifier.
1869 */
0468976c 1870function print_context_name($context) {
340ea4e8 1871
ec0810ee 1872 $name = '';
aad2ba95 1873 switch ($context->contextlevel) {
ec0810ee 1874
bbbf2d40 1875 case CONTEXT_SYSTEM: // by now it's a definite an inherit
ec0810ee 1876 $name = get_string('site');
340ea4e8 1877 break;
bbbf2d40 1878
1879 case CONTEXT_PERSONAL:
ec0810ee 1880 $name = get_string('personal');
340ea4e8 1881 break;
1882
4b10f08b 1883 case CONTEXT_USER:
ec0810ee 1884 if ($user = get_record('user', 'id', $context->instanceid)) {
1885 $name = get_string('user').': '.fullname($user);
1886 }
340ea4e8 1887 break;
1888
bbbf2d40 1889 case CONTEXT_COURSECAT: // Coursecat -> coursecat or site
ec0810ee 1890 if ($category = get_record('course_categories', 'id', $context->instanceid)) {
1891 $name = get_string('category').': '.$category->name;
1892 }
340ea4e8 1893 break;
bbbf2d40 1894
1895 case CONTEXT_COURSE: // 1 to 1 to course cat
ec0810ee 1896 if ($course = get_record('course', 'id', $context->instanceid)) {
1897 $name = get_string('course').': '.$course->fullname;
1898 }
340ea4e8 1899 break;
bbbf2d40 1900
1901 case CONTEXT_GROUP: // 1 to 1 to course
ec0810ee 1902 if ($group = get_record('groups', 'id', $context->instanceid)) {
1903 $name = get_string('group').': '.$group->name;
1904 }
340ea4e8 1905 break;
bbbf2d40 1906
1907 case CONTEXT_MODULE: // 1 to 1 to course
98882637 1908 if ($cm = get_record('course_modules','id',$context->instanceid)) {
1909 if ($module = get_record('modules','id',$cm->module)) {
1910 if ($mod = get_record($module->name, 'id', $cm->instance)) {
ec0810ee 1911 $name = get_string('activitymodule').': '.$mod->name;
98882637 1912 }
ec0810ee 1913 }
1914 }
340ea4e8 1915 break;
bbbf2d40 1916
1917 case CONTEXT_BLOCK: // 1 to 1 to course
98882637 1918 if ($blockinstance = get_record('block_instance','id',$context->instanceid)) {
1919 if ($block = get_record('block','id',$blockinstance->blockid)) {
91be52d7 1920 global $CFG;
1921 require_once("$CFG->dirroot/blocks/moodleblock.class.php");
1922 require_once("$CFG->dirroot/blocks/$block->name/block_$block->name.php");
1923 $blockname = "block_$block->name";
1924 if ($blockobject = new $blockname()) {
1925 $name = $blockobject->title.' ('.get_string('block').')';
1926 }
ec0810ee 1927 }
1928 }
340ea4e8 1929 break;
bbbf2d40 1930
1931 default:
1932 error ('This is an unknown context!');
340ea4e8 1933 return false;
1934
1935 }
340ea4e8 1936 return $name;
bbbf2d40 1937}
1938
1939
1940/**
eef868d1 1941 * Extracts the relevant capabilities given a contextid.
bbbf2d40 1942 * All case based, example an instance of forum context.
1943 * Will fetch all forum related capabilities, while course contexts
1944 * Will fetch all capabilities
0468976c 1945 * @param object context
bbbf2d40 1946 * @return array();
1947 *
1948 * capabilities
1949 * `name` varchar(150) NOT NULL,
1950 * `captype` varchar(50) NOT NULL,
1951 * `contextlevel` int(10) NOT NULL,
1952 * `component` varchar(100) NOT NULL,
1953 */
0468976c 1954function fetch_context_capabilities($context) {
eef868d1 1955
98882637 1956 global $CFG;
bbbf2d40 1957
1958 $sort = 'ORDER BY contextlevel,component,id'; // To group them sensibly for display
eef868d1 1959
aad2ba95 1960 switch ($context->contextlevel) {
bbbf2d40 1961
98882637 1962 case CONTEXT_SYSTEM: // all
1963 $SQL = "select * from {$CFG->prefix}capabilities";
bbbf2d40 1964 break;
1965
1966 case CONTEXT_PERSONAL:
0a8a95c9 1967 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_PERSONAL;
bbbf2d40 1968 break;
eef868d1 1969
4b10f08b 1970 case CONTEXT_USER:
1971 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_USER;
bbbf2d40 1972 break;
eef868d1 1973
bbbf2d40 1974 case CONTEXT_COURSECAT: // all
98882637 1975 $SQL = "select * from {$CFG->prefix}capabilities";
bbbf2d40 1976 break;
1977
1978 case CONTEXT_COURSE: // all
98882637 1979 $SQL = "select * from {$CFG->prefix}capabilities";
bbbf2d40 1980 break;
1981
1982 case CONTEXT_GROUP: // group caps
1983 break;
1984
1985 case CONTEXT_MODULE: // mod caps
98882637 1986 $cm = get_record('course_modules', 'id', $context->instanceid);
1987 $module = get_record('modules', 'id', $cm->module);
eef868d1 1988
98882637 1989 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_MODULE."
1990 and component = 'mod/$module->name'";
bbbf2d40 1991 break;
1992
1993 case CONTEXT_BLOCK: // block caps
98882637 1994 $cb = get_record('block_instance', 'id', $context->instanceid);
1995 $block = get_record('block', 'id', $cb->blockid);
eef868d1 1996
98882637 1997 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_BLOCK."
1998 and component = 'block/$block->name'";
bbbf2d40 1999 break;
2000
2001 default:
2002 return false;
2003 }
2004
16e2e2f3 2005 if (!$records = get_records_sql($SQL.' '.$sort)) {
2006 $records = array();
2007 }
759ac72d 2008 $contextindependentcaps = fetch_context_independent_capabilities();
2009 $records = array_merge($records, $contextindependentcaps);
69eb59f2 2010
2011 // special sorting of core system capabiltites and enrollments
aad2ba95 2012 if ($context->contextlevel == CONTEXT_SYSTEM) {
69eb59f2 2013 $first = array();
2014 foreach ($records as $key=>$record) {
2015 if (preg_match('|^moodle/|', $record->name) and $record->contextlevel == CONTEXT_SYSTEM) {
2016 $first[$key] = $record;
2017 unset($records[$key]);
2018 } else if (count($first)){
2019 break;
2020 }
2021 }
2022 if (count($first)) {
2023 $records = $first + $records; // merge the two arrays keeping the keys
2024 }
2025 }
2026 // end of special sorting
bbbf2d40 2027 return $records;
eef868d1 2028
bbbf2d40 2029}
2030
2031
759ac72d 2032/**
2033 * Gets the context-independent capabilities that should be overrridable in
2034 * any context.
2035 * @return array of capability records from the capabilities table.
2036 */
2037function fetch_context_independent_capabilities() {
eef868d1 2038
759ac72d 2039 $contextindependentcaps = array(
2040 'moodle/site:accessallgroups'
2041 );
2042
2043 $records = array();
eef868d1 2044
759ac72d 2045 foreach ($contextindependentcaps as $capname) {
2046 $record = get_record('capabilities', 'name', $capname);
2047 array_push($records, $record);
2048 }
2049 return $records;
2050}
2051
2052
bbbf2d40 2053/**
2054 * This function pulls out all the resolved capabilities (overrides and
759ac72d 2055 * defaults) of a role used in capability overrides in contexts at a given
bbbf2d40 2056 * context.
0a8a95c9 2057 * @param obj $context
bbbf2d40 2058 * @param int $roleid
dc558690 2059 * @param bool self - if set to true, resolve till this level, else stop at immediate parent level
bbbf2d40 2060 * @return array
2061 */
1648afb2 2062function role_context_capabilities($roleid, $context, $cap='') {
dc558690 2063 global $CFG;
eef868d1 2064
8521d83a 2065 $contexts = get_parent_contexts($context);
2066 $contexts[] = $context->id;
98882637 2067 $contexts = '('.implode(',', $contexts).')';
eef868d1 2068
1648afb2 2069 if ($cap) {
e4697bf7 2070 $search = " AND rc.capability = '$cap' ";
1648afb2 2071 } else {
eef868d1 2072 $search = '';
1648afb2 2073 }
eef868d1 2074
2075 $SQL = "SELECT rc.*
2076 FROM {$CFG->prefix}role_capabilities rc,
dc558690 2077 {$CFG->prefix}context c
2078 WHERE rc.contextid in $contexts
2079 AND rc.roleid = $roleid
2080 AND rc.contextid = c.id $search
aad2ba95 2081 ORDER BY c.contextlevel DESC,
eef868d1 2082 rc.capability DESC";
759ac72d 2083
98882637 2084 $capabilities = array();
eef868d1 2085
4729012f 2086 if ($records = get_records_sql($SQL)) {
2087 // We are traversing via reverse order.
2088 foreach ($records as $record) {
2089 // If not set yet (i.e. inherit or not set at all), or currently we have a prohibit
2090 if (!isset($capabilities[$record->capability]) || $record->permission<-500) {
2091 $capabilities[$record->capability] = $record->permission;
eef868d1 2092 }
4729012f 2093 }
98882637 2094 }
2095 return $capabilities;
bbbf2d40 2096}
2097
bbbf2d40 2098/**
eef868d1 2099 * Recursive function which, given a context, find all parent context ids,
bbbf2d40 2100 * and return the array in reverse order, i.e. parent first, then grand
2101 * parent, etc.
2102 * @param object $context
2103 * @return array()
2104 */
bbbf2d40 2105function get_parent_contexts($context) {
759ac72d 2106
aad2ba95 2107 switch ($context->contextlevel) {
bbbf2d40 2108
2109 case CONTEXT_SYSTEM: // no parent
957861f7 2110 return array();
bbbf2d40 2111 break;
2112
2113 case CONTEXT_PERSONAL:
957861f7 2114 if (!$parent = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
2115 return array();
2116 } else {
2117 return array($parent->id);
2118 }
bbbf2d40 2119 break;
eef868d1 2120
4b10f08b 2121 case CONTEXT_USER:
957861f7 2122 if (!$parent = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
2123 return array();
2124 } else {
2125 return array($parent->id);
2126 }
bbbf2d40 2127 break;
eef868d1 2128
bbbf2d40 2129 case CONTEXT_COURSECAT: // Coursecat -> coursecat or site
957861f7 2130 if (!$coursecat = get_record('course_categories','id',$context->instanceid)) {
2131 return array();
2132 }
c5ddc3fd 2133 if (!empty($coursecat->parent)) { // return parent value if exist
bbbf2d40 2134 $parent = get_context_instance(CONTEXT_COURSECAT, $coursecat->parent);
2135 return array_merge(array($parent->id), get_parent_contexts($parent));
2136 } else { // else return site value
2137 $parent = get_context_instance(CONTEXT_SYSTEM, SITEID);
2138 return array($parent->id);
2139 }
2140 break;
2141
2142 case CONTEXT_COURSE: // 1 to 1 to course cat
957861f7 2143 if (!$course = get_record('course','id',$context->instanceid)) {
2144 return array();
2145 }
2146 if (!empty($course->category)) {
2147 $parent = get_context_instance(CONTEXT_COURSECAT, $course->category);
2148 return array_merge(array($parent->id), get_parent_contexts($parent));
2149 } else {
2150 return array();
2151 }
bbbf2d40 2152 break;
2153
2154 case CONTEXT_GROUP: // 1 to 1 to course
957861f7 2155 if (!$group = get_record('groups','id',$context->instanceid)) {
2156 return array();
2157 }
2158 if ($parent = get_context_instance(CONTEXT_COURSE, $group->courseid)) {
2159 return array_merge(array($parent->id), get_parent_contexts($parent));
2160 } else {
2161 return array();
2162 }
bbbf2d40 2163 break;
2164
2165 case CONTEXT_MODULE: // 1 to 1 to course
957861f7 2166 if (!$cm = get_record('course_modules','id',$context->instanceid)) {
2167 return array();
2168 }
2169 if ($parent = get_context_instance(CONTEXT_COURSE, $cm->course)) {
2170 return array_merge(array($parent->id), get_parent_contexts($parent));
2171 } else {
2172 return array();
2173 }
bbbf2d40 2174 break;
2175
2176 case CONTEXT_BLOCK: // 1 to 1 to course
957861f7 2177 if (!$block = get_record('block_instance','id',$context->instanceid)) {
2178 return array();
2179 }
2180 if ($parent = get_context_instance(CONTEXT_COURSE, $block->pageid)) {
2181 return array_merge(array($parent->id), get_parent_contexts($parent));
2182 } else {
2183 return array();
2184 }
bbbf2d40 2185 break;
2186
2187 default:
957861f7 2188 error('This is an unknown context!');
bbbf2d40 2189 return false;
2190 }
bbbf2d40 2191}
2192
759ac72d 2193
2194/**
2195 * Gets a string for sql calls, searching for stuff in this context or above
ea8158c1 2196 * @param object $context
2197 * @return string
2198 */
2199function get_related_contexts_string($context) {
2200 if ($parents = get_parent_contexts($context)) {
eef868d1 2201 return (' IN ('.$context->id.','.implode(',', $parents).')');
ea8158c1 2202 } else {
2203 return (' ='.$context->id);
2204 }
2205}
759ac72d 2206
2207
bbbf2d40 2208/**
2209 * This function gets the capability of a role in a given context.
2210 * It is needed when printing override forms.
2211 * @param int $contextid
bbbf2d40 2212 * @param string $capability
2213 * @param array $capabilities - array loaded using role_context_capabilities
2214 * @return int (allow, prevent, prohibit, inherit)
2215 */
bbbf2d40 2216function get_role_context_capability($contextid, $capability, $capabilities) {
759ac72d 2217 if (isset($capabilities[$contextid][$capability])) {
2218 return $capabilities[$contextid][$capability];
2219 }
2220 else {
2221 return false;
2222 }
bbbf2d40 2223}
2224
2225
cee0901c 2226/**
2227 * Returns the human-readable, translated version of the capability.
2228 * Basically a big switch statement.
2229 * @param $capabilityname - e.g. mod/choice:readresponses
2230 */
ceb83c70 2231function get_capability_string($capabilityname) {
eef868d1 2232
cee0901c 2233 // Typical capabilityname is mod/choice:readresponses
ceb83c70 2234
2235 $names = split('/', $capabilityname);
2236 $stringname = $names[1]; // choice:readresponses
eef868d1 2237 $components = split(':', $stringname);
ceb83c70 2238 $componentname = $components[0]; // choice
98882637 2239
2240 switch ($names[0]) {
2241 case 'mod':
ceb83c70 2242 $string = get_string($stringname, $componentname);
98882637 2243 break;
eef868d1 2244
98882637 2245 case 'block':
ceb83c70 2246 $string = get_string($stringname, 'block_'.$componentname);
98882637 2247 break;
ceb83c70 2248
98882637 2249 case 'moodle':
ceb83c70 2250 $string = get_string($stringname, 'role');
98882637 2251 break;
eef868d1 2252
98882637 2253 case 'enrol':
ceb83c70 2254 $string = get_string($stringname, 'enrol_'.$componentname);
eef868d1 2255 break;
2256
98882637 2257 default:
ceb83c70 2258 $string = get_string($stringname);
eef868d1 2259 break;
2260
98882637 2261 }
ceb83c70 2262 return $string;
bbbf2d40 2263}
2264
2265
cee0901c 2266/**
2267 * This gets the mod/block/course/core etc strings.
2268 * @param $component
2269 * @param $contextlevel
2270 */
bbbf2d40 2271function get_component_string($component, $contextlevel) {
2272
98882637 2273 switch ($contextlevel) {
bbbf2d40 2274
98882637 2275 case CONTEXT_SYSTEM:
be382aaf 2276 if (preg_match('|^enrol/|', $component)) {
2277 $langname = str_replace('/', '_', $component);
2278 $string = get_string('enrolname', $langname);
f3652521 2279 } else if (preg_match('|^block/|', $component)) {
2280 $langname = str_replace('/', '_', $component);
2281 $string = get_string('blockname', $langname);
69eb59f2 2282 } else {
2283 $string = get_string('coresystem');
2284 }
bbbf2d40 2285 break;
2286
2287 case CONTEXT_PERSONAL:
98882637 2288 $string = get_string('personal');
bbbf2d40 2289 break;
2290
4b10f08b 2291 case CONTEXT_USER:
98882637 2292 $string = get_string('users');
bbbf2d40 2293 break;
2294
2295 case CONTEXT_COURSECAT:
98882637 2296 $string = get_string('categories');
bbbf2d40 2297 break;
2298
2299 case CONTEXT_COURSE:
98882637 2300 $string = get_string('course');
bbbf2d40 2301 break;
2302
2303 case CONTEXT_GROUP:
98882637 2304 $string = get_string('group');
bbbf2d40 2305 break;
2306
2307 case CONTEXT_MODULE:
98882637 2308 $string = get_string('modulename', basename($component));
bbbf2d40 2309 break;
2310
2311 case CONTEXT_BLOCK:
98882637 2312 $string = get_string('blockname', 'block_'.$component.'.php');
bbbf2d40 2313 break;
2314
2315 default:
2316 error ('This is an unknown context!');
2317 return false;
eef868d1 2318
98882637 2319 }
98882637 2320 return $string;
bbbf2d40 2321}
cee0901c 2322
759ac72d 2323/**
2324 * Gets the list of roles assigned to this context and up (parents)
945f88ca 2325 * @param object $context
2326 * @return array
2327 */
e4dd3222 2328function get_roles_used_in_context($context) {
2329
2330 global $CFG;
2d9965e1 2331 $contextlist = get_related_contexts_string($context);
eef868d1 2332
759ac72d 2333 $sql = "SELECT DISTINCT r.id,
2334 r.name,
2335 r.shortname,
2336 r.sortorder
2337 FROM {$CFG->prefix}role_assignments ra,
eef868d1 2338 {$CFG->prefix}role r
2339 WHERE r.id = ra.roleid
759ac72d 2340 AND ra.contextid $contextlist
2341 ORDER BY r.sortorder ASC";
eef868d1 2342
759ac72d 2343 return get_records_sql($sql);
e4dd3222 2344}
2345
eef868d1 2346/** this function is used to print roles column in user profile page.
945f88ca 2347 * @param int userid
2348 * @param int contextid
2349 * @return string
2350 */
0a8a95c9 2351function get_user_roles_in_context($userid, $contextid){
2352 global $CFG;
eef868d1 2353
0a8a95c9 2354 $rolestring = '';
2355 $SQL = 'select * from '.$CFG->prefix.'role_assignments ra, '.$CFG->prefix.'role r where ra.userid='.$userid.' and ra.contextid='.$contextid.' and ra.roleid = r.id';
2356 if ($roles = get_records_sql($SQL)) {
2357 foreach ($roles as $userrole) {
2358 $rolestring .= '<a href="'.$CFG->wwwroot.'/user/index.php?contextid='.$userrole->contextid.'&amp;roleid='.$userrole->roleid.'">'.$userrole->name.'</a>, ';
eef868d1 2359 }
2360
0a8a95c9 2361 }
2362 return rtrim($rolestring, ', ');
2363}
68c52526 2364
2365
945f88ca 2366/**
2367 * Checks if a user can override capabilities of a particular role in this context
2368 * @param object $context
2369 * @param int targetroleid - the id of the role you want to override
2370 * @return boolean
2371 */
68c52526 2372function user_can_override($context, $targetroleid) {
2373 // first check if user has override capability
2374 // if not return false;
2375 if (!has_capability('moodle/role:override', $context)) {
eef868d1 2376 return false;
68c52526 2377 }
2378 // pull out all active roles of this user from this context(or above)
c0614051 2379 if ($userroles = get_user_roles($context)) {
2380 foreach ($userroles as $userrole) {
2381 // if any in the role_allow_override table, then it's ok
2382 if (get_record('role_allow_override', 'roleid', $userrole->roleid, 'allowoverride', $targetroleid)) {
2383 return true;
2384 }
68c52526 2385 }
2386 }
eef868d1 2387
68c52526 2388 return false;
eef868d1 2389
68c52526 2390}
2391
945f88ca 2392/**
2393 * Checks if a user can assign users to a particular role in this context
2394 * @param object $context
2395 * @param int targetroleid - the id of the role you want to assign users to
2396 * @return boolean
2397 */
68c52526 2398function user_can_assign($context, $targetroleid) {
eef868d1 2399
68c52526 2400 // first check if user has override capability
2401 // if not return false;
2402 if (!has_capability('moodle/role:assign', $context)) {
eef868d1 2403 return false;
68c52526 2404 }
2405 // pull out all active roles of this user from this context(or above)
c0614051 2406 if ($userroles = get_user_roles($context)) {
2407 foreach ($userroles as $userrole) {
2408 // if any in the role_allow_override table, then it's ok
2409 if (get_record('role_allow_assign', 'roleid', $userrole->roleid, 'allowassign', $targetroleid)) {
2410 return true;
2411 }
68c52526 2412 }
2413 }
eef868d1 2414
2415 return false;
68c52526 2416}
2417
ece4945b 2418/** Returns all site roles in correct sort order.
2419 *
2420 */
2421function get_all_roles() {
2422 return get_records('role', '', '', 'sortorder ASC');
2423}
2424
945f88ca 2425/**
2426 * gets all the user roles assigned in this context, or higher contexts
2427 * this is mainly used when checking if a user can assign a role, or overriding a role
2428 * i.e. we need to know what this user holds, in order to verify against allow_assign and
2429 * allow_override tables
2430 * @param object $context
2431 * @param int $userid
2432 * @return array
2433 */
5b630667 2434function get_user_roles($context, $userid=0, $checkparentcontexts=true) {
68c52526 2435
2436 global $USER, $CFG, $db;
c0614051 2437
2438 if (empty($userid)) {
2439 if (empty($USER->id)) {
2440 return array();
2441 }
2442 $userid = $USER->id;
2443 }
2444
5b630667 2445 if ($checkparentcontexts && ($parents = get_parent_contexts($context))) {
2446 $contexts = ' ra.contextid IN ('.implode(',' , $parents).','.$context->id.')';
c0614051 2447 } else {
5b630667 2448 $contexts = ' ra.contextid = \''.$context->id.'\'';
c0614051 2449 }
2450
31f26796 2451 return get_records_sql('SELECT ra.*, r.name, r.shortname
5b630667 2452 FROM '.$CFG->prefix.'role_assignments ra,
ec6eb110 2453 '.$CFG->prefix.'role r,
2454 '.$CFG->prefix.'context c
c0614051 2455 WHERE ra.userid = '.$userid.
5b630667 2456 ' AND ra.roleid = r.id
ec6eb110 2457 AND ra.contextid = c.id
eef868d1 2458 AND '.$contexts.
ece4945b 2459 ' ORDER BY c.contextlevel DESC, r.sortorder ASC');
68c52526 2460}
2461
945f88ca 2462/**
eef868d1 2463 * Creates a record in the allow_override table
945f88ca 2464 * @param int sroleid - source roleid
2465 * @param int troleid - target roleid
2466 * @return int - id or false
2467 */
2468function allow_override($sroleid, $troleid) {
ece4945b 2469 $record = new object();
945f88ca 2470 $record->roleid = $sroleid;
2471 $record->allowoverride = $troleid;
2472 return insert_record('role_allow_override', $record);
2473}
2474
2475/**
eef868d1 2476 * Creates a record in the allow_assign table
945f88ca 2477 * @param int sroleid - source roleid
2478 * @param int troleid - target roleid
2479 * @return int - id or false
2480 */
2481function allow_assign($sroleid, $troleid) {
ff64aaea 2482 $record = new object;
945f88ca 2483 $record->roleid = $sroleid;
2484 $record->allowassign = $troleid;
2485 return insert_record('role_allow_assign', $record);
2486}
2487
2488/**
ff64aaea 2489 * Gets a list of roles that this user can assign in this context
945f88ca 2490 * @param object $context
2491 * @return array
2492 */
2493function get_assignable_roles ($context) {
2494
945f88ca 2495 $options = array();
ff64aaea 2496
ece4945b 2497 if ($roles = get_all_roles()) {
ff64aaea 2498 foreach ($roles as $role) {
2499 if (user_can_assign($context, $role->id)) {
65b0c132 2500 $options[$role->id] = strip_tags(format_string($role->name, true));
ff64aaea 2501 }
945f88ca 2502 }
2503 }
2504 return $options;
2505}
2506
2507/**
ff64aaea 2508 * Gets a list of roles that this user can override in this context
945f88ca 2509 * @param object $context
2510 * @return array
2511 */
2512function get_overridable_roles ($context) {
2513
945f88ca 2514 $options = array();
ff64aaea 2515
ece4945b 2516 if ($roles = get_all_roles()) {
ff64aaea 2517 foreach ($roles as $role) {
2518 if (user_can_override($context, $role->id)) {
65b0c132 2519 $options[$role->id] = strip_tags(format_string($role->name, true));
ff64aaea 2520 }
945f88ca 2521 }
ff64aaea 2522 }
eef868d1 2523
2524 return $options;
945f88ca 2525}
1648afb2 2526
b963384f 2527/*
2528 * Returns a role object that is the default role for new enrolments
2529 * in a given course
2530 *
eef868d1 2531 * @param object $course
b963384f 2532 * @return object $role
2533 */
2534function get_default_course_role($course) {
2535 global $CFG;
2536
2537/// First let's take the default role the course may have
2538 if (!empty($course->defaultrole)) {
2539 if ($role = get_record('role', 'id', $course->defaultrole)) {
2540 return $role;
2541 }
2542 }
2543
2544/// Otherwise the site setting should tell us
2545 if ($CFG->defaultcourseroleid) {
2546 if ($role = get_record('role', 'id', $CFG->defaultcourseroleid)) {
2547 return $role;
2548 }
2549 }
2550
2551/// It's unlikely we'll get here, but just in case, try and find a student role
2552 if ($studentroles = get_roles_with_capability('moodle/legacy:student', CAP_ALLOW)) {
2553 return array_shift($studentroles); /// Take the first one
2554 }
2555
2556 return NULL;
2557}
2558
1648afb2 2559
2560/**
2561 * who has this capability in this context
2562 * does not handling user level resolving!!!
2563 * i.e 1 person has 2 roles 1 allow, 1 prevent, this will not work properly
2564 * @param $context - object
2565 * @param $capability - string capability
2566 * @param $fields - fields to be pulled
2567 * @param $sort - the sort order
04417640 2568 * @param $limitfrom - number of records to skip (offset)
eef868d1 2569 * @param $limitnum - number of records to fetch
1c45e42e 2570 * @param $groups - single group or array of groups - group(s) user is in
71dea306 2571 * @param $exceptions - list of users to exclude
1648afb2 2572 */
eef868d1 2573function get_users_by_capability($context, $capability, $fields='', $sort='',
64026e8c 2574 $limitfrom='', $limitnum='', $groups='', $exceptions='') {
1648afb2 2575 global $CFG;
eef868d1 2576
64026e8c 2577/// Sorting out groups
1c45e42e 2578 if ($groups) {
71dea306 2579 $groupjoin = 'INNER JOIN '.$CFG->prefix.'groups_members gm ON gm.userid = ra.userid';
eef868d1 2580
1c45e42e 2581 if (is_array($groups)) {
a05708ad 2582 $groupsql = 'AND gm.groupid IN ('.implode(',', $groups).')';
1c45e42e 2583 } else {
eef868d1 2584 $groupsql = 'AND gm.groupid = '.$groups;
1c45e42e 2585 }
2586 } else {
2587 $groupjoin = '';
eef868d1 2588 $groupsql = '';
1c45e42e 2589 }
eef868d1 2590
64026e8c 2591/// Sorting out exceptions
5081e786 2592 $exceptionsql = $exceptions ? "AND u.id NOT IN ($exceptions)" : '';
64026e8c 2593
2594/// Set up default fields
2595 if (empty($fields)) {
5b630667 2596 $fields = 'u.*, ul.timeaccess as lastaccess, ra.hidden';
64026e8c 2597 }
2598
2599/// Set up default sort
2600 if (empty($sort)) {
2601 $sort = 'ul.timeaccess';
2602 }
2603
eef868d1 2604 $sortby = $sort ? " ORDER BY $sort " : '';
2605
64026e8c 2606/// If context is a course, then construct sql for ul
aad2ba95 2607 if ($context->contextlevel == CONTEXT_COURSE) {
71dea306 2608 $courseid = $context->instanceid;
f00b7f8d 2609 $coursesql = "AND (ul.courseid = $courseid OR ul.courseid IS NULL)";
5081e786 2610 } else {
2611 $coursesql = '';
71dea306 2612 }
64026e8c 2613
2614/// Sorting out roles with this capability set
9d829c68 2615 if ($possibleroles = get_roles_with_capability($capability, CAP_ALLOW, $context)) {
e836a7dd 2616 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) { // Something is seriously wrong
2617 return false;
2618 }
2619 $doanythingroles = get_roles_with_capability('moodle/site:doanything', CAP_ALLOW, $sitecontext);
2620
9d829c68 2621 $validroleids = array();
e836a7dd 2622 foreach ($possibleroles as $possiblerole) {
2623 if (isset($doanythingroles[$possiblerole->id])) { // We don't want these included
2624 continue;
2625 }
2626 $caps = role_context_capabilities($possiblerole->id, $context, $capability); // resolved list
9d829c68 2627 if ($caps[$capability] > 0) { // resolved capability > 0
e836a7dd 2628 $validroleids[] = $possiblerole->id;
9d829c68 2629 }
1648afb2 2630 }
9d829c68 2631 $roleids = '('.implode(',', $validroleids).')';
2632 } else {
2633 return false; // No need to continue, since no roles have this capability set
eef868d1 2634 }
64026e8c 2635
2636/// Construct the main SQL
71dea306 2637 $select = " SELECT $fields";
eef868d1 2638 $from = " FROM {$CFG->prefix}user u
2639 INNER JOIN {$CFG->prefix}role_assignments ra ON ra.userid = u.id
71dea306 2640 LEFT OUTER JOIN {$CFG->prefix}user_lastaccess ul ON ul.userid = u.id
2641 $groupjoin";
eef868d1 2642 $where = " WHERE ra.contextid ".get_related_contexts_string($context)."
2643 AND u.deleted = 0
2644 AND ra.roleid in $roleids
71dea306 2645 $exceptionsql
2646 $coursesql
2647 $groupsql";
2648
eef868d1 2649 return get_records_sql($select.$from.$where.$sortby, $limitfrom, $limitnum);
1648afb2 2650}
7700027f 2651
ab5c9044 2652/**
2653 * gets all the users assigned this role in this context or higher
2654 * @param int roleid
2655 * @param int contextid
2656 * @param bool parent if true, get list of users assigned in higher context too
2657 * @return array()
2658 */
2659function get_role_users($roleid, $context, $parent=false) {
2660 global $CFG;
eef868d1 2661
ab5c9044 2662 if ($parent) {
2663 if ($contexts = get_parent_contexts($context)) {
2664 $parentcontexts = 'r.contextid IN ('.implode(',', $contexts).')';
2665 } else {
eef868d1 2666 $parentcontexts = '';
ab5c9044 2667 }
2668 } else {
eef868d1 2669 $parentcontexts = '';
2670 }
2671
2672 $SQL = "select u.*
2673 from {$CFG->prefix}role_assignments r,
2674 {$CFG->prefix}user u
2675 where (r.contextid = $context->id $parentcontexts)
2676 and r.roleid = $roleid
ab5c9044 2677 and u.id = r.userid"; // join now so that we can just use fullname() later
eef868d1 2678
ab5c9044 2679 return get_records_sql($SQL);
2680}
2681
eef868d1 2682/**
d76a5a7f 2683 * This function gets the list of courses that this user has a particular capability in
2684 * This is not the most efficient way of doing this
2685 * @param string capability
2686 * @param int $userid
2687 * @return array
2688 */
2689function get_user_capability_course($capability, $userid='') {
eef868d1 2690
d76a5a7f 2691 global $USER;
2692 if (!$userid) {
eef868d1 2693 $userid = $USER->id;
d76a5a7f 2694 }
eef868d1 2695
d76a5a7f 2696 $usercourses = array();
2697 $courses = get_records_select('course', '', '', 'id, id');
eef868d1 2698
d76a5a7f 2699 foreach ($courses as $course) {
2700 if (has_capability($capability, get_context_capability(CONTEXT_COURSE, $course->id))) {
2701 $usercourses[] = $course;
2702 }
2703 }
eef868d1 2704 return $usercourses;
e38f38c3 2705}
2706
2707
2708/** This function finds the roles assigned directly to this context only
2709 * i.e. no parents role
2710 * @param object $context
2711 * @return array
2712 */
2713function get_roles_on_exact_context($context) {
b5959f30 2714
e38f38c3 2715 global $CFG;
49293027 2716
b5959f30 2717 return get_records_sql("SELECT DISTINCT r.*
e38f38c3 2718 FROM {$CFG->prefix}role_assignments ra,
2719 {$CFG->prefix}role r
2720 WHERE ra.roleid = r.id
2721 AND ra.contextid = $context->id");
b5959f30 2722
49293027 2723}
2724
b5959f30 2725/*
3a52e764 2726 * Switches the current user to another role for the current session and only
b5959f30 2727 * in the given context. If roleid is not valid (eg 0) or the current user
2728 * doesn't have permissions to be switching roles then the user's session
3a52e764 2729 * is compltely reset to have their normal roles.
2730 * @param integer $roleid
2731 * @param object $context
2732 * @return bool
2733 */
2734function role_switch($roleid, $context) {
2735 global $USER;
2736
2737 global $db;
2738
2739/// If we can't use this or are already using it or no role was specified then bail completely and reset
b5959f30 2740 if (empty($roleid) || !has_capability('moodle/role:switchroles', $context)
2d07587b 2741 || !empty($USER->switchrole[$context->id]) || !confirm_sesskey()) {
2742 load_user_capability('', $context); // Reset all permissions for this context to normal
2743 unset($USER->switchrole[$context->id]); // Delete old capabilities
3a52e764 2744 return true;
2745 }
2746
2747/// We're allowed to switch but can we switch to the specified role? Use assignable roles to check.
2748 if (!$roles = get_assignable_roles($context)) {
2749 return false;
2750 }
2751
2752 if (empty($roles[$roleid])) { /// We can't switch to this particular role
2753 return false;
2754 }
2755
2756 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
2757 return false;
2758 }
2759
2760/// We have a valid roleid that this user can switch to, so let's set up the session
2761
2d07587b 2762 $USER->switchrole[$context->id] = $roleid; // So we know later what state we are in
3a52e764 2763
2764 unset($USER->capabilities[$context->id]); // Delete old capabilities
2765
2766 if ($capabilities = get_records_select('role_capabilities', "roleid = $roleid AND contextid = $sitecontext->id")) {
2767 foreach ($capabilities as $capability) {
2768 $USER->capabilities[$context->id][$capability->capability] = $capability->permission;
2769 }
2770 }
2771
2d07587b 2772/// Add some permissions we are really going to always need, even if the role doesn't have them!
3a52e764 2773
2774 $USER->capabilities[$context->id]['moodle/course:view'] = CAP_ALLOW;
2775
2776 return true;
2777
2778}
2779
2780
49293027 2781// get any role that has an override on exact context
2782function get_roles_with_override_on_context($context) {
b5959f30 2783
49293027 2784 global $CFG;
b5959f30 2785
49293027 2786 return get_records_sql("SELECT DISTINCT r.*
2787 FROM {$CFG->prefix}role_capabilities rc,
2788 {$CFG->prefix}role r
2789 WHERE rc.roleid = r.id
2790 AND rc.contextid = $context->id");
2791}
2792
2793// get all capabilities for this role on this context (overrids)
2794function get_capabilities_from_role_on_context($role, $context) {
b5959f30 2795
49293027 2796 global $CFG;
b5959f30 2797
2798 return get_records_sql("SELECT *
49293027 2799 FROM {$CFG->prefix}role_capabilities
2800 WHERE contextid = $context->id
2801 AND roleid = $role->id");
01e52ac7 2802}
2803
5b5781f4 2804// find out which roles has assignment on this context
2805function get_roles_with_assignment_on_context($context) {
ece4945b 2806
5b5781f4 2807 global $CFG;
ece4945b 2808
5b5781f4 2809 return get_records_sql("SELECT DISTINCT r.*
2810 FROM {$CFG->prefix}role_assignments ra,
2811 {$CFG->prefix}role r
2812 WHERE ra.roleid = r.id
2813 AND ra.contextid = $context->id");
2814}
2815
2816
2817
01e52ac7 2818/* find all user assignemnt of users for this role, on this context
2819 */
2820function get_users_from_role_on_context($role, $context) {
b5959f30 2821
01e52ac7 2822 global $CFG;
b5959f30 2823
01e52ac7 2824 return get_records_sql("SELECT *
2825 FROM {$CFG->prefix}role_assignments
2826 WHERE contextid = $context->id
b5959f30 2827 AND roleid = $role->id");
01e52ac7 2828}
3a52e764 2829
f3652521 2830?>
Moodle official production repository