changing sql calls from user_students table to role_assignments table
[moodle.git] / lib / accesslib.php
CommitLineData
bbbf2d40 1<?php
cee0901c 2 /**
3 * Capability session information format
bbbf2d40 4 * 2 x 2 array
5 * [context][capability]
6 * where context is the context id of the table 'context'
7 * and capability is a string defining the capability
8 * e.g.
9 *
10 * [Capabilities] => [26][mod/forum:viewpost] = 1
11 * [26][mod/forum:startdiscussion] = -8990
12 * [26][mod/forum:editallpost] = -1
13 * [273][moodle:blahblah] = 1
14 * [273][moodle:blahblahblah] = 2
15 */
bbbf2d40 16
17// permission definitions
18define('CAP_ALLOW', 1);
19define('CAP_PREVENT', -1);
20define('CAP_PROHIBIT', -1000);
21
bbbf2d40 22// context definitions
23define('CONTEXT_SYSTEM', 10);
24define('CONTEXT_PERSONAL', 20);
25define('CONTEXT_USERID', 30);
26define('CONTEXT_COURSECAT', 40);
27define('CONTEXT_COURSE', 50);
28define('CONTEXT_GROUP', 60);
29define('CONTEXT_MODULE', 70);
30define('CONTEXT_BLOCK', 80);
31
340ea4e8 32$context_cache = array(); // Cache of all used context objects for performance (by level and instance)
33$context_cache_id = array(); // Index to above cache by id
bbbf2d40 34
7700027f 35
e7876c1e 36/**
37 * Loads the capabilities for the default guest role to the current user in a specific context
38 * @return object
39 */
40function load_guest_role($context=NULL) {
41 global $USER;
42
43 static $guestrole;
44
45 if (!isloggedin()) {
46 return false;
47 }
48
49 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
50 return false;
51 }
52
53 if (empty($context)) {
54 $context = $sitecontext;
55 }
56
57 if (empty($guestrole)) {
58 if ($roles = get_roles_with_capability('moodle/legacy:guest', CAP_ALLOW)) {
59 $guestrole = array_shift($roles); // Pick the first one
60 } else {
61 return false;
62 }
63 }
64
65 if ($capabilities = get_records_select('role_capabilities',
66 "roleid = $guestrole->id AND contextid = $sitecontext->id")) {
67 foreach ($capabilities as $capability) {
68 $USER->capabilities[$context->id][$capability->capability] = $capability->permission;
69 }
70 }
71
72 return true;
73}
74
7700027f 75/**
76 * Load default not logged in role capabilities when user is not logged in
77 * @return bool
78 */
20aeb4b8 79function load_notloggedin_role() {
80 global $CFG, $USER;
81
7700027f 82 if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
83 return false;
35a518c5 84 }
85
7700027f 86 if (empty($CFG->notloggedinroleid)) { // Let's set the default to the guest role
87 if ($roles = get_roles_with_capability('moodle/legacy:guest', CAP_ALLOW)) {
88 $role = array_shift($roles); // Pick the first one
89 set_config('notloggedinroleid', $role->id);
90 } else {
91 return false;
92 }
93 }
20aeb4b8 94
7700027f 95 if ($capabilities = get_records_select('role_capabilities',
96 "roleid = $CFG->notloggedinroleid AND contextid = $sitecontext->id")) {
97 foreach ($capabilities as $capability) {
98 $USER->capabilities[$sitecontext->id][$capability->capability] = $capability->permission;
99 }
20aeb4b8 100 }
101
102 return true;
103}
cee0901c 104
bbbf2d40 105/**
106 * This functions get all the course categories in proper order
0468976c 107 * @param int $context
bbbf2d40 108 * @param int $type
109 * @return array of contextids
110 */
0468976c 111function get_parent_cats($context, $type) {
98882637 112
113 $parents = array();
98882637 114
c5ddc3fd 115 switch ($type) {
98882637 116
117 case CONTEXT_COURSECAT:
118
c5ddc3fd 119 if (!$cat = get_record('course_categories','id',$context->instanceid)) {
120 break;
121 }
122
123 while (!empty($cat->parent)) {
124 if (!$context = get_context_instance(CONTEXT_COURSECAT, $cat->parent)) {
125 break;
126 }
98882637 127 $parents[] = $context->id;
128 $cat = get_record('course_categories','id',$cat->parent);
129 }
130
131 break;
132
133 case CONTEXT_COURSE:
134
c5ddc3fd 135 if (!$course = get_record('course', 'id', $context->instanceid)) {
136 break;
137 }
138 if (!$catinstance = get_context_instance(CONTEXT_COURSECAT, $course->category)) {
139 break;
140 }
141
98882637 142 $parents[] = $catinstance->id;
c5ddc3fd 143
144 if (!$cat = get_record('course_categories','id',$course->category)) {
145 break;
146 }
147
148 while (!empty($cat->parent)) {
149 if (!$context = get_context_instance(CONTEXT_COURSECAT, $cat->parent)) {
150 break;
151 }
98882637 152 $parents[] = $context->id;
153 $cat = get_record('course_categories','id',$cat->parent);
154 }
155 break;
156
157 default:
158 break;
159
160 }
161
162 return array_reverse($parents);
bbbf2d40 163}
164
165
cee0901c 166
167/*************************************
168 * Functions for Roles & Capabilites *
169 *************************************/
bbbf2d40 170
171
0468976c 172/**
173 * This function checks for a capability assertion being true. If it isn't
174 * then the page is terminated neatly with a standard error message
175 * @param string $capability - name of the capability
176 * @param object $context - a context object (record from context table)
177 * @param integer $userid - a userid number
d74067e8 178 * @param bool $doanything - if false, ignore do anything
0468976c 179 * @param string $errorstring - an errorstring
d74067e8 180 * @param string $stringfile - which stringfile to get it from
0468976c 181 */
d74067e8 182function require_capability($capability, $context=NULL, $userid=NULL, $doanything=true,
183 $errormessage="nopermissions", $stringfile='') {
a9e1c058 184
185 global $USER;
186
187/// If the current user is not logged in, then make sure they are
188
189 if (empty($userid) and empty($USER->id)) {
190 if ($context && ($context->aggregatelevel == CONTEXT_COURSE)) {
191 require_login($context->instanceid);
192 } else {
193 require_login();
194 }
195 }
196
197/// OK, if they still don't have the capability then print a nice error message
198
d74067e8 199 if (!has_capability($capability, $context, $userid, $doanything)) {
0468976c 200 $capabilityname = get_capability_string($capability);
201 print_error($errormessage, $stringfile, '', $capabilityname);
202 }
203}
204
205
bbbf2d40 206/**
207 * This function returns whether the current user has the capability of performing a function
208 * For example, we can do has_capability('mod/forum:replypost',$cm) in forum
209 * only one of the 4 (moduleinstance, courseid, site, userid) would be set at 1 time
210 * This is a recursive funciton.
bbbf2d40 211 * @uses $USER
212 * @param string $capability - name of the capability
0468976c 213 * @param object $context - a context object (record from context table)
214 * @param integer $userid - a userid number
20aeb4b8 215 * @param bool $doanything - if false, ignore do anything
bbbf2d40 216 * @return bool
217 */
d74067e8 218function has_capability($capability, $context=NULL, $userid=NULL, $doanything=true) {
bbbf2d40 219
20aeb4b8 220 global $USER, $CONTEXT, $CFG;
bbbf2d40 221
dc411d1b 222 if (empty($userid) && !isloggedin() && !isset($USER->capabilities)) {
20aeb4b8 223 load_notloggedin_role();
224 }
225
226 if ($userid && $userid != $USER->id) {
9425b25f 227 if (empty($USER->id) or ($userid != $USER->id)) {
228 $capabilities = load_user_capability($capability, $context, $userid);
229 } else { //$USER->id == $userid
230 $capabilities = empty($USER->capabilities) ? NULL : $USER->capabilities;
231 }
232 } else { // no userid
233 $capabilities = empty($USER->capabilities) ? NULL : $USER->capabilities;
98882637 234 }
9425b25f 235
0468976c 236 if (empty($context)) { // Use default CONTEXT if none specified
340ea4e8 237 if (empty($CONTEXT)) {
238 return false;
239 } else {
240 $context = $CONTEXT;
241 }
0468976c 242 } else { // A context was given to us
243 if (empty($CONTEXT)) {
244 $CONTEXT = $context; // Store FIRST used context in this global as future default
245 }
340ea4e8 246 }
bbbf2d40 247
20aeb4b8 248 if ($doanything) {
249 // Check site
250 $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
251 if (isset($capabilities[$sitecontext->id]['moodle/site:doanything'])) {
252 return (0 < $capabilities[$sitecontext->id]['moodle/site:doanything']);
253 }
98882637 254
20aeb4b8 255 switch ($context->aggregatelevel) {
bbbf2d40 256
20aeb4b8 257 case CONTEXT_COURSECAT:
258 // Check parent cats.
259 $parentcats = get_parent_cats($context, CONTEXT_COURSECAT);
260 foreach ($parentcats as $parentcat) {
261 if (isset($capabilities[$parentcat]['moodle/site:doanything'])) {
262 return (0 < $capabilities[$parentcat]['moodle/site:doanything']);
263 }
cee0901c 264 }
20aeb4b8 265 break;
bbbf2d40 266
20aeb4b8 267 case CONTEXT_COURSE:
268 // Check parent cat.
269 $parentcats = get_parent_cats($context, CONTEXT_COURSE);
98882637 270
20aeb4b8 271 foreach ($parentcats as $parentcat) {
272 if (isset($capabilities[$parentcat]['do_anything'])) {
273 return (0 < $capabilities[$parentcat]['do_anything']);
274 }
9425b25f 275 }
20aeb4b8 276 break;
bbbf2d40 277
20aeb4b8 278 case CONTEXT_GROUP:
279 // Find course.
280 $group = get_record('groups','id',$context->instanceid);
281 $courseinstance = get_context_instance(CONTEXT_COURSE, $group->courseid);
9425b25f 282
20aeb4b8 283 $parentcats = get_parent_cats($courseinstance, CONTEXT_COURSE);
284 foreach ($parentcats as $parentcat) {
285 if (isset($capabilities[$parentcat->id]['do_anything'])) {
286 return (0 < $capabilities[$parentcat->id]['do_anything']);
287 }
9425b25f 288 }
9425b25f 289
20aeb4b8 290 $coursecontext = '';
291 if (isset($capabilities[$courseinstance->id]['do_anything'])) {
292 return (0 < $capabilities[$courseinstance->id]['do_anything']);
293 }
9425b25f 294
20aeb4b8 295 break;
bbbf2d40 296
20aeb4b8 297 case CONTEXT_MODULE:
298 // Find course.
299 $cm = get_record('course_modules', 'id', $context->instanceid);
300 $courseinstance = get_context_instance(CONTEXT_COURSE, $cm->course);
9425b25f 301
20aeb4b8 302 if ($parentcats = get_parent_cats($courseinstance, CONTEXT_COURSE)) {
303 foreach ($parentcats as $parentcat) {
304 if (isset($capabilities[$parentcat]['do_anything'])) {
305 return (0 < $capabilities[$parentcat]['do_anything']);
306 }
cee0901c 307 }
9425b25f 308 }
98882637 309
20aeb4b8 310 if (isset($capabilities[$courseinstance->id]['do_anything'])) {
311 return (0 < $capabilities[$courseinstance->id]['do_anything']);
312 }
bbbf2d40 313
20aeb4b8 314 break;
bbbf2d40 315
20aeb4b8 316 case CONTEXT_BLOCK:
317 // 1 to 1 to course.
318 // Find course.
319 $block = get_record('block_instance','id',$context->instanceid);
320 $courseinstance = get_context_instance(CONTEXT_COURSE, $block->pageid); // needs check
9425b25f 321
20aeb4b8 322 $parentcats = get_parent_cats($courseinstance, CONTEXT_COURSE);
323 foreach ($parentcats as $parentcat) {
324 if (isset($capabilities[$parentcat]['do_anything'])) {
325 return (0 < $capabilities[$parentcat]['do_anything']);
326 }
cee0901c 327 }
9425b25f 328
20aeb4b8 329 if (isset($capabilities[$courseinstance->id]['do_anything'])) {
330 return (0 < $capabilities[$courseinstance->id]['do_anything']);
331 }
332 break;
bbbf2d40 333
20aeb4b8 334 default:
335 // CONTEXT_SYSTEM: CONTEXT_PERSONAL: CONTEXT_USERID:
336 // Do nothing.
337 break;
338 }
bbbf2d40 339
20aeb4b8 340 // Last: check self.
341 if (isset($capabilities[$context->id]['do_anything'])) {
342 return (0 < $capabilities[$context->id]['do_anything']);
343 }
98882637 344 }
98882637 345 // do_anything has not been set, we now look for it the normal way.
9425b25f 346 return (0 < capability_search($capability, $context, $capabilities));
bbbf2d40 347
9425b25f 348}
bbbf2d40 349
350
351/**
352 * In a separate function so that we won't have to deal with do_anything.
353 * again. Used by function has_capability.
354 * @param $capability - capability string
0468976c 355 * @param $context - the context object
bbbf2d40 356 * @param $capabilities - either $USER->capability or loaded array
357 * @return permission (int)
358 */
0468976c 359function capability_search($capability, $context, $capabilities) {
20aeb4b8 360
bbbf2d40 361 global $USER, $CFG;
0468976c 362
0468976c 363 if (isset($capabilities[$context->id][$capability])) {
ea82d6b6 364 debugging("Found $capability in context $context->id at level $context->aggregatelevel: ".$capabilities[$context->id][$capability], E_ALL);
0468976c 365 return ($capabilities[$context->id][$capability]);
bbbf2d40 366 }
9425b25f 367
bbbf2d40 368 /* Then, we check the cache recursively */
9425b25f 369 $permission = 0;
370
d140ad3f 371 switch ($context->aggregatelevel) {
bbbf2d40 372
373 case CONTEXT_SYSTEM: // by now it's a definite an inherit
374 $permission = 0;
375 break;
376
377 case CONTEXT_PERSONAL:
0468976c 378 $parentcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
379 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 380 break;
9425b25f 381
bbbf2d40 382 case CONTEXT_USERID:
0468976c 383 $parentcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
384 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 385 break;
9425b25f 386
bbbf2d40 387 case CONTEXT_COURSECAT: // Coursecat -> coursecat or site
388 $coursecat = get_record('course_categories','id',$context->instanceid);
0468976c 389 if (!empty($coursecat->parent)) { // return parent value if it exists
390 $parentcontext = get_context_instance(CONTEXT_COURSECAT, $coursecat->parent);
bbbf2d40 391 } else { // else return site value
0468976c 392 $parentcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
bbbf2d40 393 }
0468976c 394 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 395 break;
396
397 case CONTEXT_COURSE: // 1 to 1 to course cat
398 // find the course cat, and return its value
399 $course = get_record('course','id',$context->instanceid);
0468976c 400 $parentcontext = get_context_instance(CONTEXT_COURSECAT, $course->category);
401 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 402 break;
403
404 case CONTEXT_GROUP: // 1 to 1 to course
405 $group = get_record('groups','id',$context->instanceid);
0468976c 406 $parentcontext = get_context_instance(CONTEXT_COURSE, $group->courseid);
407 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 408 break;
409
410 case CONTEXT_MODULE: // 1 to 1 to course
411 $cm = get_record('course_modules','id',$context->instanceid);
0468976c 412 $parentcontext = get_context_instance(CONTEXT_COURSE, $cm->course);
413 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 414 break;
415
416 case CONTEXT_BLOCK: // 1 to 1 to course
417 $block = get_record('block_instance','id',$context->instanceid);
0468976c 418 $parentcontext = get_context_instance(CONTEXT_COURSE, $block->pageid); // needs check
419 $permission = capability_search($capability, $parentcontext, $capabilities);
bbbf2d40 420 break;
421
422 default:
423 error ('This is an unknown context!');
424 return false;
425 }
ea82d6b6 426 debugging("Found $capability recursively from context $context->id at level $context->aggregatelevel: $permission", E_ALL);
9425b25f 427
98882637 428 return $permission;
bbbf2d40 429}
430
431
432/**
433 * This function should be called immediately after a login, when $USER is set.
434 * It will build an array of all the capabilities at each level
435 * i.e. site/metacourse/course_category/course/moduleinstance
436 * Note we should only load capabilities if they are explicitly assigned already,
437 * we should not load all module's capability!
438 * @param $userid - the id of the user whose capabilities we want to load
439 * @return array
440 * possible just s simple 2D array with [contextid][capabilityname]
441 * [Capabilities] => [26][forum_post] = 1
442 * [26][forum_start] = -8990
443 * [26][forum_edit] = -1
444 * [273][blah blah] = 1
445 * [273][blah blah blah] = 2
446 */
0468976c 447function load_user_capability($capability='', $context ='', $userid='') {
d140ad3f 448
98882637 449 global $USER, $CFG;
bbbf2d40 450
20aeb4b8 451
bbbf2d40 452 if (empty($userid)) {
dc411d1b 453 if (empty($USER->id)) { // We have no user to get capabilities for
454 return false;
455 }
456 if (!empty($USER->capabilities)) { // make sure it's cleaned when loaded (again)
457 unset($USER->capabilities);
458 }
bbbf2d40 459 $userid = $USER->id;
dc411d1b 460 $otheruserid = false;
bbbf2d40 461 } else {
9425b25f 462 $otheruserid = $userid;
bbbf2d40 463 }
9425b25f 464
bbbf2d40 465 if ($capability) {
9425b25f 466 $capsearch = " AND rc.capability = '$capability' ";
bbbf2d40 467 } else {
9425b25f 468 $capsearch ="";
bbbf2d40 469 }
5f70bcc3 470
471/// First we generate a list of all relevant contexts of the user
472
473 $usercontexts = array();
bbbf2d40 474
0468976c 475 if ($context) { // if context is specified
476 $usercontexts = get_parent_contexts($context);
98882637 477 } else { // else, we load everything
5f70bcc3 478 if ($userroles = get_records('role_assignments','userid',$userid)) {
479 foreach ($userroles as $userrole) {
480 $usercontexts[] = $userrole->contextid;
481 }
98882637 482 }
5f70bcc3 483 }
484
485/// Set up SQL fragments for searching contexts
486
487 if ($usercontexts) {
0468976c 488 $listofcontexts = '('.implode(',', $usercontexts).')';
5f70bcc3 489 $searchcontexts1 = "c1.id IN $listofcontexts AND";
490 $searchcontexts2 = "c2.id IN $listofcontexts AND";
491 } else {
492 $listofcontexts = $searchcontexts1 = $searchcontexts2 = '';
bbbf2d40 493 }
0468976c 494
5f70bcc3 495/// Then we use 1 giant SQL to bring out all relevant capabilities.
496/// The first part gets the capabilities of orginal role.
497/// The second part gets the capabilities of overriden roles.
bbbf2d40 498
98882637 499 $siteinstance = get_context_instance(CONTEXT_SYSTEM, SITEID);
bbbf2d40 500
75e84883 501 $SQL = " SELECT rc.capability, c1.id, (c1.aggregatelevel * 100) AS aggrlevel,
bbbf2d40 502 SUM(rc.permission) AS sum
503 FROM
42ac3ecf 504 {$CFG->prefix}role_assignments ra,
505 {$CFG->prefix}role_capabilities rc,
506 {$CFG->prefix}context c1
bbbf2d40 507 WHERE
d4649c76 508 ra.contextid=c1.id AND
509 ra.roleid=rc.roleid AND
bbbf2d40 510 ra.userid=$userid AND
5f70bcc3 511 $searchcontexts1
bbbf2d40 512 rc.contextid=$siteinstance->id
98882637 513 $capsearch
bbbf2d40 514 GROUP BY
0be16c1d 515 rc.capability, (c1.aggregatelevel * 100), c1.id
bbbf2d40 516 HAVING
41811960 517 SUM(rc.permission) != 0
bbbf2d40 518 UNION
519
75e84883 520 SELECT rc.capability, c1.id, (c1.aggregatelevel * 100 + c2.aggregatelevel) AS aggrlevel,
bbbf2d40 521 SUM(rc.permission) AS sum
522 FROM
42ac3ecf 523 {$CFG->prefix}role_assignments ra,
524 {$CFG->prefix}role_capabilities rc,
525 {$CFG->prefix}context c1,
526 {$CFG->prefix}context c2
bbbf2d40 527 WHERE
d4649c76 528 ra.contextid=c1.id AND
529 ra.roleid=rc.roleid AND
530 ra.userid=$userid AND
531 rc.contextid=c2.id AND
5f70bcc3 532 $searchcontexts1
533 $searchcontexts2
534 rc.contextid != $siteinstance->id
bbbf2d40 535 $capsearch
536
537 GROUP BY
0be16c1d 538 rc.capability, (c1.aggregatelevel * 100 + c2.aggregatelevel), c1.id
bbbf2d40 539 HAVING
41811960 540 SUM(rc.permission) != 0
bbbf2d40 541 ORDER BY
75e84883 542 aggrlevel ASC
bbbf2d40 543 ";
544
98882637 545 $capabilities = array(); // Reinitialize.
75e84883 546 if (!$rs = get_recordset_sql($SQL)) {
547 error("Query failed in load_user_capability.");
548 }
5cf38a57 549
bbbf2d40 550 if ($rs && $rs->RecordCount() > 0) {
551 while (!$rs->EOF) {
75e84883 552 $array = $rs->fields;
553 $temprecord = new object;
98882637 554
555 foreach ($array as $key=>$val) {
75e84883 556 if ($key == 'aggrlevel') {
557 $temprecord->aggregatelevel = $val;
558 } else {
559 $temprecord->{$key} = $val;
560 }
98882637 561 }
bbbf2d40 562 $capabilities[] = $temprecord;
563 $rs->MoveNext();
564 }
565 }
d140ad3f 566
bbbf2d40 567 /* so up to this point we should have somethign like this
41811960 568 * $capabilities[1] ->aggregatelevel = 1000
bbbf2d40 569 ->module = SITEID
570 ->capability = do_anything
571 ->id = 1 (id is the context id)
572 ->sum = 0
573
41811960 574 * $capabilities[2] ->aggregatelevel = 1000
bbbf2d40 575 ->module = SITEID
576 ->capability = post_messages
577 ->id = 1
578 ->sum = -9000
579
41811960 580 * $capabilittes[3] ->aggregatelevel = 3000
bbbf2d40 581 ->module = course
582 ->capability = view_course_activities
583 ->id = 25
584 ->sum = 1
585
41811960 586 * $capabilittes[4] ->aggregatelevel = 3000
bbbf2d40 587 ->module = course
588 ->capability = view_course_activities
589 ->id = 26
590 ->sum = 0 (this is another course)
591
41811960 592 * $capabilities[5] ->aggregatelevel = 3050
bbbf2d40 593 ->module = course
594 ->capability = view_course_activities
595 ->id = 25 (override in course 25)
596 ->sum = -1
597 * ....
598 * now we proceed to write the session array, going from top to bottom
599 * at anypoint, we need to go up and check parent to look for prohibit
600 */
601 // print_object($capabilities);
602
603 /* This is where we write to the actualy capabilities array
604 * what we need to do from here on is
605 * going down the array from lowest level to highest level
606 * 1) recursively check for prohibit,
607 * if any, we write prohibit
608 * else, we write the value
609 * 2) at an override level, we overwrite current level
610 * if it's not set to prohibit already, and if different
611 * ........ that should be it ........
612 */
98882637 613 $usercap = array(); // for other user's capabilities
bbbf2d40 614 foreach ($capabilities as $capability) {
615
0468976c 616 $context = get_context_instance_by_id($capability->id);
617
41811960 618 if (!empty($otheruserid)) { // we are pulling out other user's capabilities, do not write to session
98882637 619
0468976c 620 if (capability_prohibits($capability->capability, $context, $capability->sum, $usercap)) {
98882637 621 $usercap[$capability->id][$capability->capability] = -9000;
622 continue;
623 }
624
625 $usercap[$capability->id][$capability->capability] = $capability->sum;
626
627 } else {
628
0468976c 629 if (capability_prohibits($capability->capability, $context, $capability->sum)) { // if any parent or parent's parent is set to prohibit
98882637 630 $USER->capabilities[$capability->id][$capability->capability] = -9000;
631 continue;
632 }
633
634 // if no parental prohibit set
635 // just write to session, i am not sure this is correct yet
636 // since 3050 shows up after 3000, and 3070 shows up after 3050,
637 // it should be ok just to overwrite like this, provided that there's no
638 // parental prohibits
639 // no point writing 0, since 0 = inherit
640 // we need to write even if it's 0, because it could be an inherit override
641 $USER->capabilities[$capability->id][$capability->capability] = $capability->sum;
642 }
bbbf2d40 643 }
644
645 // now we don't care about the huge array anymore, we can dispose it.
646 unset($capabilities);
647
dbe7e582 648 if (!empty($otheruserid)) {
98882637 649 return $usercap; // return the array
bbbf2d40 650 }
651 // see array in session to see what it looks like
652
653}
654
655
656/**
657 * This is a recursive function that checks whether the capability in this
658 * context, or the parent capabilities are set to prohibit.
659 *
660 * At this point, we can probably just use the values already set in the
661 * session variable, since we are going down the level. Any prohit set in
662 * parents would already reflect in the session.
663 *
664 * @param $capability - capability name
665 * @param $sum - sum of all capabilities values
0468976c 666 * @param $context - the context object
bbbf2d40 667 * @param $array - when loading another user caps, their caps are not stored in session but an array
668 */
0468976c 669function capability_prohibits($capability, $context, $sum='', $array='') {
bbbf2d40 670 global $USER;
0468976c 671
bbbf2d40 672 if ($sum < -8000) {
673 // If this capability is set to prohibit.
674 return true;
675 }
676
677 if (isset($array)) {
0468976c 678 if (isset($array[$context->id][$capability])
679 && $array[$context->id][$capability] < -8000) {
98882637 680 return true;
681 }
bbbf2d40 682 } else {
98882637 683 // Else if set in session.
0468976c 684 if (isset($USER->capabilities[$context->id][$capability])
685 && $USER->capabilities[$context->id][$capability] < -8000) {
98882637 686 return true;
687 }
bbbf2d40 688 }
d140ad3f 689 switch ($context->aggregatelevel) {
bbbf2d40 690
691 case CONTEXT_SYSTEM:
692 // By now it's a definite an inherit.
693 return 0;
694 break;
695
696 case CONTEXT_PERSONAL:
697 $parent = get_context_instance(CONTEXT_SYSTEM, SITEID);
0468976c 698 return capability_prohibits($capability, $parent);
bbbf2d40 699 break;
700
701 case CONTEXT_USERID:
702 $parent = get_context_instance(CONTEXT_SYSTEM, SITEID);
0468976c 703 return capability_prohibits($capability, $parent);
bbbf2d40 704 break;
705
706 case CONTEXT_COURSECAT:
707 // Coursecat -> coursecat or site.
708 $coursecat = get_record('course_categories','id',$context->instanceid);
41811960 709 if (!empty($coursecat->parent)) {
bbbf2d40 710 // return parent value if exist.
711 $parent = get_context_instance(CONTEXT_COURSECAT, $coursecat->parent);
712 } else {
713 // Return site value.
714 $parent = get_context_instance(CONTEXT_SYSTEM, SITEID);
715 }
0468976c 716 return capability_prohibits($capability, $parent);
bbbf2d40 717 break;
718
719 case CONTEXT_COURSE:
720 // 1 to 1 to course cat.
721 // Find the course cat, and return its value.
722 $course = get_record('course','id',$context->instanceid);
723 $parent = get_context_instance(CONTEXT_COURSECAT, $course->category);
0468976c 724 return capability_prohibits($capability, $parent);
bbbf2d40 725 break;
726
727 case CONTEXT_GROUP:
728 // 1 to 1 to course.
729 $group = get_record('groups','id',$context->instanceid);
730 $parent = get_context_instance(CONTEXT_COURSE, $group->courseid);
0468976c 731 return capability_prohibits($capability, $parent);
bbbf2d40 732 break;
733
734 case CONTEXT_MODULE:
735 // 1 to 1 to course.
736 $cm = get_record('course_modules','id',$context->instanceid);
737 $parent = get_context_instance(CONTEXT_COURSE, $cm->course);
0468976c 738 return capability_prohibits($capability, $parent);
bbbf2d40 739 break;
740
741 case CONTEXT_BLOCK:
742 // 1 to 1 to course.
743 $block = get_record('block_instance','id',$context->instanceid);
744 $parent = get_context_instance(CONTEXT_COURSE, $block->pageid); // needs check
0468976c 745 return capability_prohibits($capability, $parent);
bbbf2d40 746 break;
747
748 default:
749 error ('This is an unknown context!');
750 return false;
751 }
752}
753
754
755/**
756 * A print form function. This should either grab all the capabilities from
757 * files or a central table for that particular module instance, then present
758 * them in check boxes. Only relevant capabilities should print for known
759 * context.
760 * @param $mod - module id of the mod
761 */
762function print_capabilities($modid=0) {
763 global $CFG;
764
765 $capabilities = array();
766
767 if ($modid) {
768 // We are in a module specific context.
769
770 // Get the mod's name.
771 // Call the function that grabs the file and parse.
772 $cm = get_record('course_modules', 'id', $modid);
773 $module = get_record('modules', 'id', $cm->module);
774
775 } else {
776 // Print all capabilities.
777 foreach ($capabilities as $capability) {
778 // Prints the check box component.
779 }
780 }
781}
782
783
784/**
1afecc03 785 * Installs the roles system.
786 * This function runs on a fresh install as well as on an upgrade from the old
787 * hard-coded student/teacher/admin etc. roles to the new roles system.
bbbf2d40 788 */
1afecc03 789function moodle_install_roles() {
bbbf2d40 790
1afecc03 791 global $CFG, $db;
792
bbbf2d40 793 // Create a system wide context for assignemnt.
794 $systemcontext = $context = get_context_instance(CONTEXT_SYSTEM, SITEID);
795
1afecc03 796
797 // Create default/legacy roles and capabilities.
798 // (1 legacy capability per legacy role at system level).
bbbf2d40 799 $adminrole = create_role(get_string('administrator'), get_string('administratordescription'), 'moodle/legacy:admin');
98882637 800 if (!assign_capability('moodle/site:doanything', CAP_ALLOW, $adminrole, $systemcontext->id)) {
bbbf2d40 801 error('Could not assign moodle/site:doanything to the admin role');
802 }
803 $coursecreatorrole = create_role(get_string('coursecreators'), get_string('coursecreatorsdescription'), 'moodle/legacy:coursecreator');
98882637 804 $noneditteacherrole = create_role(get_string('noneditingteacher'), get_string('noneditingteacherdescription'), 'moodle/legacy:teacher');
805 $editteacherrole = create_role(get_string('defaultcourseteacher'), get_string('defaultcourseteacherdescription'), 'moodle/legacy:editingteacher');
806 $studentrole = create_role(get_string('defaultcoursestudent'), get_string('defaultcoursestudentdescription'), 'moodle/legacy:student');
bbbf2d40 807 $guestrole = create_role(get_string('guest'), get_string('guestdescription'), 'moodle/legacy:guest');
1afecc03 808
809
810 // Look inside user_admin, user_creator, user_teachers, user_students and
811 // assign above new roles. If a user has both teacher and student role,
812 // only teacher role is assigned. The assignment should be system level.
813 $dbtables = $db->MetaTables('TABLES');
bbbf2d40 814
1afecc03 815
98882637 816 /**
bbbf2d40 817 * Upgrade the admins.
1afecc03 818 * Sort using id ASC, first one is primary admin.
bbbf2d40 819 */
1afecc03 820 if (in_array($CFG->prefix.'user_admins', $dbtables)) {
821 if ($useradmins = get_records_sql('SELECT * from '.$CFG->prefix.'user_admins ORDER BY ID ASC')) {
822 foreach ($useradmins as $admin) {
823 role_assign($adminrole, $admin->userid, 0, $systemcontext->id);
824 }
825 }
826 } else {
827 // This is a fresh install.
bbbf2d40 828 }
1afecc03 829
830
bbbf2d40 831 /**
832 * Upgrade course creators.
833 */
1afecc03 834 if (in_array($CFG->prefix.'user_coursecreators', $dbtables)) {
835 if ($usercoursecreators = get_records('user_coursecreators')) {
836 foreach ($usercoursecreators as $coursecreator) {
56b4d70d 837 role_assign($coursecreatorrole, $coursecreator->userid, 0, $systemcontext->id);
1afecc03 838 }
839 }
bbbf2d40 840 }
841
1afecc03 842
bbbf2d40 843 /**
844 * Upgrade editting teachers and non-editting teachers.
845 */
1afecc03 846 if (in_array($CFG->prefix.'user_teachers', $dbtables)) {
847 if ($userteachers = get_records('user_teachers')) {
848 foreach ($userteachers as $teacher) {
17d6a25e 849 // populate the user_lastaccess table
850 unset($access);
851 $access->timeaccess = $teacher->timeaccess;
852 $access->userid = $teacher->userid;
853 $access->courseid = $teacher->course;
854 insert_record('user_lastaccess', $access);
855 // assign the default student role
1afecc03 856 $coursecontext = get_context_instance(CONTEXT_COURSE, $teacher->course); // needs cache
857 if ($teacher->editall) { // editting teacher
858 role_assign($editteacherrole, $teacher->userid, 0, $coursecontext->id);
859 } else {
860 role_assign($noneditteacherrole, $teacher->userid, 0, $coursecontext->id);
861 }
862 }
bbbf2d40 863 }
864 }
1afecc03 865
866
bbbf2d40 867 /**
868 * Upgrade students.
869 */
1afecc03 870 if (in_array($CFG->prefix.'user_students', $dbtables)) {
871 if ($userstudents = get_records('user_students')) {
17d6a25e 872 foreach ($userstudents as $student) {
873 // populate the user_lastaccess table
874 unset($access);
875 $access->timeaccess = $student->timeaccess;
876 $access->userid = $student->userid;
877 $access->courseid = $student->course;
878 insert_record('user_lastaccess', $access);
879 // assign the default student role
1afecc03 880 $coursecontext = get_context_instance(CONTEXT_COURSE, $student->course);
881 role_assign($studentrole, $student->userid, 0, $coursecontext->id);
882 }
883 }
bbbf2d40 884 }
1afecc03 885
886
bbbf2d40 887 /**
888 * Upgrade guest (only 1 entry).
889 */
1afecc03 890 if ($guestuser = get_record('user', 'username', 'guest')) {
891 role_assign($guestrole, $guestuser->id, 0, $systemcontext->id);
892 }
893
945f88ca 894 /**
895 * Insert the correct records for legacy roles
896 */
897 allow_assign($adminrole, $adminrole);
898 allow_assign($adminrole, $coursecreatorrole);
899 allow_assign($adminrole, $noneditteacherrole);
900 allow_assign($adminrole, $editteacherrole);
901 allow_assign($adminrole, $studentrole);
902 allow_assign($adminrole, $guestrole);
903
904 allow_assign($coursecreatorrole, $noneditteacherrole);
905 allow_assign($coursecreatorrole, $editteacherrole);
906 allow_assign($coursecreatorrole, $studentrole);
907 allow_assign($coursecreatorrole, $guestrole);
908
909 allow_assign($editteacherrole, $noneditteacherrole);
910 allow_assign($editteacherrole, $studentrole);
911 allow_assign($editteacherrole, $guestrole);
912
913 /// overrides
914 allow_override($adminrole, $adminrole);
915 allow_override($adminrole, $coursecreatorrole);
916 allow_override($adminrole, $noneditteacherrole);
917 allow_override($adminrole, $editteacherrole);
918 allow_override($adminrole, $studentrole);
5769734f 919 allow_override($adminrole, $guestrole);
1afecc03 920
921 // Should we delete the tables after we are done? Not yet.
bbbf2d40 922}
923
bbbf2d40 924/**
925 * Assign the defaults found in this capabality definition to roles that have
926 * the corresponding legacy capabilities assigned to them.
927 * @param $legacyperms - an array in the format (example):
928 * 'guest' => CAP_PREVENT,
929 * 'student' => CAP_ALLOW,
930 * 'teacher' => CAP_ALLOW,
931 * 'editingteacher' => CAP_ALLOW,
932 * 'coursecreator' => CAP_ALLOW,
933 * 'admin' => CAP_ALLOW
934 * @return boolean - success or failure.
935 */
936function assign_legacy_capabilities($capability, $legacyperms) {
937
938 foreach ($legacyperms as $type => $perm) {
939
940 $systemcontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
941
942 // The legacy capabilities are:
943 // 'moodle/legacy:guest'
944 // 'moodle/legacy:student'
945 // 'moodle/legacy:teacher'
946 // 'moodle/legacy:editingteacher'
947 // 'moodle/legacy:coursecreator'
948 // 'moodle/legacy:admin'
949
2e85fffe 950 if ($roles = get_roles_with_capability('moodle/legacy:'.$type, CAP_ALLOW)) {
951 foreach ($roles as $role) {
952 // Assign a site level capability.
953 if (!assign_capability($capability, $perm, $role->id, $systemcontext->id)) {
954 return false;
955 }
bbbf2d40 956 }
957 }
958 }
959 return true;
960}
961
962
cee0901c 963/**
964 * Checks to see if a capability is a legacy capability.
965 * @param $capabilityname
966 * @return boolean
967 */
bbbf2d40 968function islegacy($capabilityname) {
98882637 969 if (strstr($capabilityname, 'legacy') === false) {
970 return false;
971 } else {
972 return true;
973 }
bbbf2d40 974}
975
cee0901c 976
977
978/**********************************
bbbf2d40 979 * Context Manipulation functions *
980 **********************************/
981
bbbf2d40 982/**
983 * This should be called prolly everytime a user, group, module, course,
984 * coursecat or site is set up maybe?
985 * @param $level
986 * @param $instanceid
987 */
d140ad3f 988function create_context($aggregatelevel, $instanceid) {
989 if (!get_record('context','aggregatelevel',$aggregatelevel,'instanceid',$instanceid)) {
bbbf2d40 990 $context = new object;
d140ad3f 991 $context->aggregatelevel = $aggregatelevel;
bbbf2d40 992 $context->instanceid = $instanceid;
993 return insert_record('context',$context);
994 }
995}
996
997
998/**
999 * Get the context instance as an object. This function will create the
1000 * context instance if it does not exist yet.
1001 * @param $level
1002 * @param $instance
1003 */
d140ad3f 1004function get_context_instance($aggregatelevel=NULL, $instance=SITEID) {
e5605780 1005
51195e6f 1006 global $context_cache, $context_cache_id, $CONTEXT;
d9a35e12 1007
340ea4e8 1008/// If no level is supplied then return the current global context if there is one
d140ad3f 1009 if (empty($aggregatelevel)) {
340ea4e8 1010 if (empty($CONTEXT)) {
ea82d6b6 1011 debugging("Error: get_context_instance() called without a context");
340ea4e8 1012 } else {
1013 return $CONTEXT;
1014 }
e5605780 1015 }
1016
340ea4e8 1017/// Check the cache
d140ad3f 1018 if (isset($context_cache[$aggregatelevel][$instance])) { // Already cached
1019 return $context_cache[$aggregatelevel][$instance];
e5605780 1020 }
1021
340ea4e8 1022/// Get it from the database, or create it
d140ad3f 1023 if (!$context = get_record('context', 'aggregatelevel', $aggregatelevel, 'instanceid', $instance)) {
1024 create_context($aggregatelevel, $instance);
1025 $context = get_record('context', 'aggregatelevel', $aggregatelevel, 'instanceid', $instance);
e5605780 1026 }
1027
ccfc5ecc 1028/// Only add to cache if context isn't empty.
1029 if (!empty($context)) {
1030 $context_cache[$aggregatelevel][$instance] = $context; // Cache it for later
1031 $context_cache_id[$context->id] = $context; // Cache it for later
1032 }
0468976c 1033
bbbf2d40 1034 return $context;
1035}
1036
cee0901c 1037
340ea4e8 1038/**
1039 * Get a context instance as an object, from a given id.
1040 * @param $id
1041 */
1042function get_context_instance_by_id($id) {
1043
d9a35e12 1044 global $context_cache, $context_cache_id;
1045
340ea4e8 1046 if (isset($context_cache_id[$id])) { // Already cached
75e84883 1047 return $context_cache_id[$id];
340ea4e8 1048 }
1049
1050 if ($context = get_record('context', 'id', $id)) { // Update the cache and return
d140ad3f 1051 $context_cache[$context->aggregatelevel][$context->instanceid] = $context;
340ea4e8 1052 $context_cache_id[$context->id] = $context;
1053 return $context;
1054 }
1055
1056 return false;
1057}
1058
bbbf2d40 1059
8737be58 1060/**
1061 * Get the local override (if any) for a given capability in a role in a context
1062 * @param $roleid
0468976c 1063 * @param $contextid
1064 * @param $capability
8737be58 1065 */
1066function get_local_override($roleid, $contextid, $capability) {
1067 return get_record('role_capabilities', 'roleid', $roleid, 'capability', $capability, 'contextid', $contextid);
1068}
1069
1070
bbbf2d40 1071
1072/************************************
1073 * DB TABLE RELATED FUNCTIONS *
1074 ************************************/
1075
cee0901c 1076/**
bbbf2d40 1077 * function that creates a role
1078 * @param name - role name
1079 * @param description - role description
1080 * @param legacy - optional legacy capability
1081 * @return id or false
1082 */
1083function create_role($name, $description, $legacy='') {
98882637 1084
1085 // check for duplicate role name
1086
1087 if ($role = get_record('role','name', $name)) {
98882637 1088 error('there is already a role with this name!');
1089 }
1090
1091 $role->name = $name;
1092 $role->description = $description;
ec7a8b79 1093
1094 $context = get_context_instance(CONTEXT_SYSTEM, SITEID);
1095
98882637 1096 if ($id = insert_record('role', $role)) {
ec7a8b79 1097 if ($legacy) {
1afecc03 1098 assign_capability($legacy, CAP_ALLOW, $id, $context->id);
98882637 1099 }
ec7a8b79 1100
1101 /// By default, users with role:manage at site level
1102 /// should be able to assign users to this new role, and override this new role's capabilities
1103
1104 // find all admin roles
e46c0987 1105 if ($adminroles = get_roles_with_capability('moodle/role:manage', CAP_ALLOW, $context)) {
1106 // foreach admin role
1107 foreach ($adminroles as $arole) {
1108 // write allow_assign and allow_overrid
1109 allow_assign($arole->id, $id);
1110 allow_override($arole->id, $id);
1111 }
ec7a8b79 1112 }
1113
98882637 1114 return $id;
1115 } else {
1116 return false;
1117 }
bbbf2d40 1118
1119}
1120
1121/**
1122 * Function to write context specific overrides, or default capabilities.
1123 * @param module - string name
1124 * @param capability - string name
1125 * @param contextid - context id
1126 * @param roleid - role id
1127 * @param permission - int 1,-1 or -1000
1128 */
e7876c1e 1129function assign_capability($capability, $permission, $roleid, $contextid, $overwrite=false) {
98882637 1130
1131 global $USER;
1132
1133 if (empty($permission) || $permission == 0) { // if permission is not set
1134 unassign_capability($capability, $roleid, $contextid);
1135 }
bbbf2d40 1136
2e85fffe 1137 $existing = get_record('role_capabilities', 'contextid', $contextid, 'roleid', $roleid, 'capability', $capability);
e7876c1e 1138
1139 if ($existing and !$overwrite) { // We want to keep whatever is there already
1140 return true;
1141 }
1142
bbbf2d40 1143 $cap = new object;
1144 $cap->contextid = $contextid;
1145 $cap->roleid = $roleid;
1146 $cap->capability = $capability;
1147 $cap->permission = $permission;
1148 $cap->timemodified = time();
9db12da7 1149 $cap->modifierid = empty($USER->id) ? 0 : $USER->id;
e7876c1e 1150
1151 if ($existing) {
1152 $cap->id = $existing->id;
1153 return update_record('role_capabilities', $cap);
1154 } else {
1155 return insert_record('role_capabilities', $cap);
1156 }
bbbf2d40 1157}
1158
1159
1160/**
1161 * Unassign a capability from a role.
1162 * @param $roleid - the role id
1163 * @param $capability - the name of the capability
1164 * @return boolean - success or failure
1165 */
1166function unassign_capability($capability, $roleid, $contextid=NULL) {
98882637 1167
1168 if (isset($contextid)) {
1169 $status = delete_records('role_capabilities', 'capability', $capability,
1170 'roleid', $roleid, 'contextid', $contextid);
1171 } else {
1172 $status = delete_records('role_capabilities', 'capability', $capability,
1173 'roleid', $roleid);
1174 }
1175 return $status;
bbbf2d40 1176}
1177
1178
1179/**
1180 * Get the roles that have a given capability.
1181 * @param $capability - capability name (string)
1182 * @param $permission - optional, the permission defined for this capability
1183 * either CAP_ALLOW, CAP_PREVENT or CAP_PROHIBIT
1184 * @return array or role objects
1185 */
ec7a8b79 1186function get_roles_with_capability($capability, $permission=NULL, $context='') {
1187
bbbf2d40 1188 global $CFG;
1189
ec7a8b79 1190 if ($context) {
1191 if ($contexts = get_parent_contexts($context)) {
1192 $listofcontexts = '('.implode(',', $contexts).')';
1193 } else {
1194 $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
1195 $listofcontexts = '('.$sitecontext->id.')'; // must be site
1196 }
42ac3ecf 1197 $contextstr = "AND (rc.contextid = '$context->id' OR rc.contextid IN $listofcontexts)";
ec7a8b79 1198 } else {
1199 $contextstr = '';
1200 }
1201
bbbf2d40 1202 $selectroles = "SELECT r.*
42ac3ecf 1203 FROM {$CFG->prefix}role r,
1204 {$CFG->prefix}role_capabilities rc
bbbf2d40 1205 WHERE rc.capability = '$capability'
ec7a8b79 1206 AND rc.roleid = r.id $contextstr";
bbbf2d40 1207
1208 if (isset($permission)) {
1209 $selectroles .= " AND rc.permission = '$permission'";
1210 }
1211 return get_records_sql($selectroles);
1212}
1213
1214
1215/**
a9e1c058 1216 * This function makes a role-assignment (a role for a user or group in a particular context)
bbbf2d40 1217 * @param $roleid - the role of the id
1218 * @param $userid - userid
1219 * @param $groupid - group id
1220 * @param $contextid - id of the context
1221 * @param $timestart - time this assignment becomes effective
1222 * @param $timeend - time this assignemnt ceases to be effective
1223 * @uses $USER
1224 * @return id - new id of the assigment
1225 */
f44152f4 1226function role_assign($roleid, $userid, $groupid, $contextid, $timestart=0, $timeend=0, $hidden=0, $enrol='manual') {
aa311411 1227 global $USER, $CFG;
bbbf2d40 1228
ea82d6b6 1229 debugging("Assign roleid $roleid userid $userid contextid $contextid", E_ALL);
bbbf2d40 1230
a9e1c058 1231/// Do some data validation
1232
bbbf2d40 1233 if (empty($roleid)) {
a9e1c058 1234 notify('Role ID not provided');
1235 return false;
bbbf2d40 1236 }
1237
1238 if (empty($userid) && empty($groupid)) {
a9e1c058 1239 notify('Either userid or groupid must be provided');
1240 return false;
bbbf2d40 1241 }
7700027f 1242
1243 if ($userid && !record_exists('user', 'id', $userid)) {
1244 notify('User does not exist!');
1245 return false;
1246 }
bbbf2d40 1247
dc411d1b 1248 if ($groupid && !record_exists('groups', 'id', $groupid)) {
1249 notify('Group does not exist!');
1250 return false;
1251 }
1252
7700027f 1253 if (!$context = get_context_instance_by_id($contextid)) {
a9e1c058 1254 notify('A valid context must be provided');
1255 return false;
bbbf2d40 1256 }
1257
a9e1c058 1258 if (($timestart and $timeend) and ($timestart > $timeend)) {
7700027f 1259 notify('The end time can not be earlier than the start time');
a9e1c058 1260 return false;
1261 }
1262
7700027f 1263
a9e1c058 1264/// Check for existing entry
1265 if ($userid) {
7700027f 1266 $ra = get_record('role_assignments', 'roleid', $roleid, 'contextid', $context->id, 'userid', $userid);
a9e1c058 1267 } else {
7700027f 1268 $ra = get_record('role_assignments', 'roleid', $roleid, 'contextid', $context->id, 'groupid', $groupid);
a9e1c058 1269 }
1270
9ebcb4d2 1271
a9e1c058 1272 $newra = new object;
bbbf2d40 1273
a9e1c058 1274 if (empty($ra)) { // Create a new entry
1275 $newra->roleid = $roleid;
7700027f 1276 $newra->contextid = $context->id;
a9e1c058 1277 $newra->userid = $userid;
1278 $newra->groupid = $groupid;
1279
1280 $newra->hidden = $hidden;
f44152f4 1281 $newra->enrol = $enrol;
a9e1c058 1282 $newra->timestart = $timestart;
1283 $newra->timeend = $timeend;
1284 $newra->timemodified = time();
1285 $newra->modifier = empty($USER->id) ? 0 : $USER->id;
1286
9ebcb4d2 1287 $success = insert_record('role_assignments', $newra);
a9e1c058 1288
1289 } else { // We already have one, just update it
1290
1291 $newra->id = $ra->id;
1292 $newra->hidden = $hidden;
f44152f4 1293 $newra->enrol = $enrol;
a9e1c058 1294 $newra->timestart = $timestart;
1295 $newra->timeend = $timeend;
1296 $newra->timemodified = time();
1297 $newra->modifier = empty($USER->id) ? 0 : $USER->id;
1298
9ebcb4d2 1299 $success = update_record('role_assignments', $newra);
1300 }
1301
7700027f 1302 if ($success) { /// Role was assigned, so do some other things
1303
1304 /// If the user is the current user, then reload the capabilities too.
1305 if (!empty($USER->id) && $USER->id == $userid) {
1306 load_user_capability();
1307 }
1308
0f161e1f 1309 /// Ask all the modules if anything needs to be done for this user
1310 if ($mods = get_list_of_plugins('mod')) {
1311 foreach ($mods as $mod) {
1312 include_once($CFG->dirroot.'/mod/'.$mod.'/lib.php');
1313 $functionname = $mod.'_role_assign';
1314 if (function_exists($functionname)) {
1315 $functionname($userid, $context);
1316 }
1317 }
1318 }
1319
1320 /// Make sure they have an entry in user_lastaccess for courses they can access
1321 // role_add_lastaccess_entries($userid, $context);
a9e1c058 1322 }
6eb4f823 1323
1324 return $success;
bbbf2d40 1325}
1326
1327
1328/**
1dc1f037 1329 * Deletes one or more role assignments. You must specify at least one parameter.
bbbf2d40 1330 * @param $roleid
1331 * @param $userid
1332 * @param $groupid
1333 * @param $contextid
1334 * @return boolean - success or failure
1335 */
1dc1f037 1336function role_unassign($roleid=0, $userid=0, $groupid=0, $contextid=0) {
d74067e8 1337
1338 global $USER, $CFG;
1339
1dc1f037 1340 $args = array('roleid', 'userid', 'groupid', 'contextid');
1341 $select = array();
1342 foreach ($args as $arg) {
1343 if ($$arg) {
1344 $select[] = $arg.' = '.$$arg;
1345 }
1346 }
d74067e8 1347
1dc1f037 1348 if ($select) {
d74067e8 1349 if (delete_records_select('role_assignments', implode(' AND ', $select))) {
1350
1351 /// If the user is the current user, then reload the capabilities too.
1352 if (!empty($USER->id) && $USER->id == $userid) {
1353 load_user_capability();
1354 }
1355
0f161e1f 1356 if ($contextid) {
1357 if ($context = get_record('context', 'id', $contextid)) {
1358
1359 /// Ask all the modules if anything needs to be done for this user
1360 if ($mods = get_list_of_plugins('mod')) {
1361 foreach ($mods as $mod) {
1362 include_once($CFG->dirroot.'/mod/'.$mod.'/lib.php');
1363 $functionname = $mod.'_role_unassign';
1364 if (function_exists($functionname)) {
1365 $functionname($userid, $context);
1366 }
1367 }
1368 }
1369
1370 /// Remove entries from user_lastaccess for courses they can no longer access
1371 //role_add_lastaccess_entries($userid, $context);
1372 }
1373 }
d74067e8 1374
1375 return true;
1376 }
1377 return false;
1dc1f037 1378 }
d74067e8 1379 return true;
bbbf2d40 1380}
1381
0f161e1f 1382/**
1383 * Add last access times to user_lastaccess as required
1384 * @param $userid
1385 * @param $context
1386 * @return boolean - success or failure
1387 */
1388function role_add_lastaccess_entries($userid, $context) {
1389
1390 global $USER, $CFG;
1391
1392 if (empty($context->aggregatelevel)) {
1393 return false;
1394 }
1395
1396 $lastaccess = new object; // Reusable object below
1397 $lastaccess->userid = $userid;
1398 $lastaccess->timeaccess = 0;
1399
1400 switch ($context->aggregatelevel) {
1401
1402 case CONTEXT_SYSTEM: // For the whole site
1403 if ($courses = get_record('course')) {
1404 foreach ($courses as $course) {
1405 $lastaccess->courseid = $course->id;
1406 role_set_lastaccess($lastaccess);
1407 }
1408 }
1409 break;
1410
1411 case CONTEXT_CATEGORY: // For a whole category
1412 if ($courses = get_record('course', 'category', $context->instanceid)) {
1413 foreach ($courses as $course) {
1414 $lastaccess->courseid = $course->id;
1415 role_set_lastaccess($lastaccess);
1416 }
1417 }
1418 if ($categories = get_record('course_categories', 'parent', $context->instanceid)) {
1419 foreach ($categories as $category) {
1420 $subcontext = get_context_instance(CONTEXT_CATEGORY, $category->id);
1421 role_add_lastaccess_entries($userid, $subcontext);
1422 }
1423 }
1424 break;
1425
1426
1427 case CONTEXT_COURSE: // For a whole course
1428 if ($course = get_record('course', 'id', $context->instanceid)) {
1429 $lastaccess->courseid = $course->id;
1430 role_set_lastaccess($lastaccess);
1431 }
1432 break;
1433 }
1434}
1435
1436/**
1437 * Delete last access times from user_lastaccess as required
1438 * @param $userid
1439 * @param $context
1440 * @return boolean - success or failure
1441 */
1442function role_remove_lastaccess_entries($userid, $context) {
1443
1444 global $USER, $CFG;
1445
1446}
1447
bbbf2d40 1448
1449/**
1450 * Loads the capability definitions for the component (from file). If no
1451 * capabilities are defined for the component, we simply return an empty array.
1452 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
1453 * @return array of capabilities
1454 */
1455function load_capability_def($component) {
1456 global $CFG;
1457
1458 if ($component == 'moodle') {
1459 $defpath = $CFG->libdir.'/db/access.php';
1460 $varprefix = 'moodle';
1461 } else {
0c4d9f49 1462 $compparts = explode('/', $component);
1463
1464 if ($compparts[0] == 'block') {
1465 // Blocks are an exception. Blocks directory is 'blocks', and not
1466 // 'block'. So we need to jump through hoops.
1467 $defpath = $CFG->dirroot.'/'.$compparts[0].
1468 's/'.$compparts[1].'/db/access.php';
1469 $varprefix = $compparts[0].'_'.$compparts[1];
1470 } else {
1471 $defpath = $CFG->dirroot.'/'.$component.'/db/access.php';
1472 $varprefix = str_replace('/', '_', $component);
1473 }
bbbf2d40 1474 }
1475 $capabilities = array();
1476
1477 if (file_exists($defpath)) {
1478 require_once($defpath);
1479 $capabilities = ${$varprefix.'_capabilities'};
1480 }
1481 return $capabilities;
1482}
1483
1484
1485/**
1486 * Gets the capabilities that have been cached in the database for this
1487 * component.
1488 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
1489 * @return array of capabilities
1490 */
1491function get_cached_capabilities($component='moodle') {
1492 if ($component == 'moodle') {
1493 $storedcaps = get_records_select('capabilities',
1494 "name LIKE 'moodle/%:%'");
1495 } else {
1496 $storedcaps = get_records_select('capabilities',
1497 "name LIKE '$component:%'");
1498 }
1499 return $storedcaps;
1500}
1501
1502
1503/**
1504 * Updates the capabilities table with the component capability definitions.
1505 * If no parameters are given, the function updates the core moodle
1506 * capabilities.
1507 *
1508 * Note that the absence of the db/access.php capabilities definition file
1509 * will cause any stored capabilities for the component to be removed from
1510 * the database.
1511 *
1512 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
1513 * @return boolean
1514 */
1515function update_capabilities($component='moodle') {
1516
1517 $storedcaps = array();
be4486da 1518
1519 $filecaps = load_capability_def($component);
bbbf2d40 1520 $cachedcaps = get_cached_capabilities($component);
1521 if ($cachedcaps) {
1522 foreach ($cachedcaps as $cachedcap) {
1523 array_push($storedcaps, $cachedcap->name);
be4486da 1524 // update risk bitmasks in existing capabilitites if needed
1525 if (array_key_exists($cachedcap->name, $filecaps)) {
1526 if (!array_key_exists('riskbitmask', $filecaps[$cachedcap->name])) {
2b531945 1527 $filecaps[$cachedcap->name]['riskbitmask'] = 0; // no risk if not specified
be4486da 1528 }
1529 if ($cachedcap->riskbitmask != $filecaps[$cachedcap->name]['riskbitmask']) {
1530 $updatecap = new object;
1531 $updatecap->id = $cachedcap->id;
1532 $updatecap->riskbitmask = $filecaps[$cachedcap->name]['riskbitmask'];
1533 if (!update_record('capabilities', $updatecap)) {
1534 return false;
1535 }
1536 }
1537 }
bbbf2d40 1538 }
1539 }
be4486da 1540
bbbf2d40 1541 // Are there new capabilities in the file definition?
1542 $newcaps = array();
1543
1544 foreach ($filecaps as $filecap => $def) {
1545 if (!$storedcaps ||
1546 ($storedcaps && in_array($filecap, $storedcaps) === false)) {
2b531945 1547 if (!array_key_exists('riskbitmask', $def)) {
1548 $def['riskbitmask'] = 0; // no risk if not specified
1549 }
bbbf2d40 1550 $newcaps[$filecap] = $def;
1551 }
1552 }
1553 // Add new capabilities to the stored definition.
1554 foreach ($newcaps as $capname => $capdef) {
1555 $capability = new object;
1556 $capability->name = $capname;
1557 $capability->captype = $capdef['captype'];
1558 $capability->contextlevel = $capdef['contextlevel'];
1559 $capability->component = $component;
be4486da 1560 $capability->riskbitmask = $capdef['riskbitmask'];
bbbf2d40 1561
1562 if (!insert_record('capabilities', $capability, false, 'id')) {
1563 return false;
1564 }
ab5c9044 1565
1566 global $db;
1567 $db->debug= 999;
bbbf2d40 1568 // Do we need to assign the new capabilities to roles that have the
1569 // legacy capabilities moodle/legacy:* as well?
1570 if (isset($capdef['legacy']) && is_array($capdef['legacy']) &&
1571 !assign_legacy_capabilities($capname, $capdef['legacy'])) {
2e85fffe 1572 notify('Could not assign legacy capabilities for '.$capname);
bbbf2d40 1573 }
1574 }
1575 // Are there any capabilities that have been removed from the file
1576 // definition that we need to delete from the stored capabilities and
1577 // role assignments?
1578 capabilities_cleanup($component, $filecaps);
1579
1580 return true;
1581}
1582
1583
1584/**
1585 * Deletes cached capabilities that are no longer needed by the component.
1586 * Also unassigns these capabilities from any roles that have them.
1587 * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
1588 * @param $newcapdef - array of the new capability definitions that will be
1589 * compared with the cached capabilities
1590 * @return int - number of deprecated capabilities that have been removed
1591 */
1592function capabilities_cleanup($component, $newcapdef=NULL) {
1593
1594 $removedcount = 0;
1595
1596 if ($cachedcaps = get_cached_capabilities($component)) {
1597 foreach ($cachedcaps as $cachedcap) {
1598 if (empty($newcapdef) ||
1599 array_key_exists($cachedcap->name, $newcapdef) === false) {
1600
1601 // Remove from capabilities cache.
1602 if (!delete_records('capabilities', 'name', $cachedcap->name)) {
1603 error('Could not delete deprecated capability '.$cachedcap->name);
1604 } else {
1605 $removedcount++;
1606 }
1607 // Delete from roles.
1608 if($roles = get_roles_with_capability($cachedcap->name)) {
1609 foreach($roles as $role) {
46943f7b 1610 if (!unassign_capability($cachedcap->name, $role->id)) {
bbbf2d40 1611 error('Could not unassign deprecated capability '.
1612 $cachedcap->name.' from role '.$role->name);
1613 }
1614 }
1615 }
1616 } // End if.
1617 }
1618 }
1619 return $removedcount;
1620}
1621
1622
1623
cee0901c 1624/****************
1625 * UI FUNCTIONS *
1626 ****************/
bbbf2d40 1627
1628
1629/**
1630 * prints human readable context identifier.
1631 */
0468976c 1632function print_context_name($context) {
340ea4e8 1633
ec0810ee 1634 $name = '';
d140ad3f 1635 switch ($context->aggregatelevel) {
ec0810ee 1636
bbbf2d40 1637 case CONTEXT_SYSTEM: // by now it's a definite an inherit
ec0810ee 1638 $name = get_string('site');
340ea4e8 1639 break;
bbbf2d40 1640
1641 case CONTEXT_PERSONAL:
ec0810ee 1642 $name = get_string('personal');
340ea4e8 1643 break;
1644
bbbf2d40 1645 case CONTEXT_USERID:
ec0810ee 1646 if ($user = get_record('user', 'id', $context->instanceid)) {
1647 $name = get_string('user').': '.fullname($user);
1648 }
340ea4e8 1649 break;
1650
bbbf2d40 1651 case CONTEXT_COURSECAT: // Coursecat -> coursecat or site
ec0810ee 1652 if ($category = get_record('course_categories', 'id', $context->instanceid)) {
1653 $name = get_string('category').': '.$category->name;
1654 }
340ea4e8 1655 break;
bbbf2d40 1656
1657 case CONTEXT_COURSE: // 1 to 1 to course cat
ec0810ee 1658 if ($course = get_record('course', 'id', $context->instanceid)) {
1659 $name = get_string('course').': '.$course->fullname;
1660 }
340ea4e8 1661 break;
bbbf2d40 1662
1663 case CONTEXT_GROUP: // 1 to 1 to course
ec0810ee 1664 if ($group = get_record('groups', 'id', $context->instanceid)) {
1665 $name = get_string('group').': '.$group->name;
1666 }
340ea4e8 1667 break;
bbbf2d40 1668
1669 case CONTEXT_MODULE: // 1 to 1 to course
98882637 1670 if ($cm = get_record('course_modules','id',$context->instanceid)) {
1671 if ($module = get_record('modules','id',$cm->module)) {
1672 if ($mod = get_record($module->name, 'id', $cm->instance)) {
ec0810ee 1673 $name = get_string('activitymodule').': '.$mod->name;
98882637 1674 }
ec0810ee 1675 }
1676 }
340ea4e8 1677 break;
bbbf2d40 1678
1679 case CONTEXT_BLOCK: // 1 to 1 to course
98882637 1680 if ($blockinstance = get_record('block_instance','id',$context->instanceid)) {
1681 if ($block = get_record('block','id',$blockinstance->blockid)) {
91be52d7 1682 global $CFG;
1683 require_once("$CFG->dirroot/blocks/moodleblock.class.php");
1684 require_once("$CFG->dirroot/blocks/$block->name/block_$block->name.php");
1685 $blockname = "block_$block->name";
1686 if ($blockobject = new $blockname()) {
1687 $name = $blockobject->title.' ('.get_string('block').')';
1688 }
ec0810ee 1689 }
1690 }
340ea4e8 1691 break;
bbbf2d40 1692
1693 default:
1694 error ('This is an unknown context!');
340ea4e8 1695 return false;
1696
1697 }
340ea4e8 1698 return $name;
bbbf2d40 1699}
1700
1701
1702/**
1703 * Extracts the relevant capabilities given a contextid.
1704 * All case based, example an instance of forum context.
1705 * Will fetch all forum related capabilities, while course contexts
1706 * Will fetch all capabilities
0468976c 1707 * @param object context
bbbf2d40 1708 * @return array();
1709 *
1710 * capabilities
1711 * `name` varchar(150) NOT NULL,
1712 * `captype` varchar(50) NOT NULL,
1713 * `contextlevel` int(10) NOT NULL,
1714 * `component` varchar(100) NOT NULL,
1715 */
0468976c 1716function fetch_context_capabilities($context) {
98882637 1717
1718 global $CFG;
bbbf2d40 1719
1720 $sort = 'ORDER BY contextlevel,component,id'; // To group them sensibly for display
98882637 1721
d140ad3f 1722 switch ($context->aggregatelevel) {
bbbf2d40 1723
98882637 1724 case CONTEXT_SYSTEM: // all
1725 $SQL = "select * from {$CFG->prefix}capabilities";
bbbf2d40 1726 break;
1727
1728 case CONTEXT_PERSONAL:
0a8a95c9 1729 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_PERSONAL;
bbbf2d40 1730 break;
1731
1732 case CONTEXT_USERID:
0a8a95c9 1733 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_USERID;
bbbf2d40 1734 break;
1735
1736 case CONTEXT_COURSECAT: // all
98882637 1737 $SQL = "select * from {$CFG->prefix}capabilities";
bbbf2d40 1738 break;
1739
1740 case CONTEXT_COURSE: // all
98882637 1741 $SQL = "select * from {$CFG->prefix}capabilities";
bbbf2d40 1742 break;
1743
1744 case CONTEXT_GROUP: // group caps
1745 break;
1746
1747 case CONTEXT_MODULE: // mod caps
98882637 1748 $cm = get_record('course_modules', 'id', $context->instanceid);
1749 $module = get_record('modules', 'id', $cm->module);
bbbf2d40 1750
98882637 1751 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_MODULE."
1752 and component = 'mod/$module->name'";
bbbf2d40 1753 break;
1754
1755 case CONTEXT_BLOCK: // block caps
98882637 1756 $cb = get_record('block_instance', 'id', $context->instanceid);
1757 $block = get_record('block', 'id', $cb->blockid);
bbbf2d40 1758
98882637 1759 $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_BLOCK."
1760 and component = 'block/$block->name'";
bbbf2d40 1761 break;
1762
1763 default:
1764 return false;
1765 }
1766
1767 $records = get_records_sql($SQL.' '.$sort);
69eb59f2 1768
1769 // special sorting of core system capabiltites and enrollments
1770 if ($context->aggregatelevel == CONTEXT_SYSTEM) {
1771 $first = array();
1772 foreach ($records as $key=>$record) {
1773 if (preg_match('|^moodle/|', $record->name) and $record->contextlevel == CONTEXT_SYSTEM) {
1774 $first[$key] = $record;
1775 unset($records[$key]);
1776 } else if (count($first)){
1777 break;
1778 }
1779 }
1780 if (count($first)) {
1781 $records = $first + $records; // merge the two arrays keeping the keys
1782 }
1783 }
1784 // end of special sorting
1785
bbbf2d40 1786 return $records;
1787
1788}
1789
1790
1791/**
1792 * This function pulls out all the resolved capabilities (overrides and
1793 * defaults) of a role used in capability overrieds in contexts at a given
1794 * context.
0a8a95c9 1795 * @param obj $context
bbbf2d40 1796 * @param int $roleid
1797 * @return array
1798 */
1648afb2 1799function role_context_capabilities($roleid, $context, $cap='') {
98882637 1800 global $CFG;
1801
1802 $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
0468976c 1803 if ($sitecontext->id == $context->id) {
20aeb4b8 1804 $contexts = array($sitecontext->id);
1805 } else {
1806 // first of all, figure out all parental contexts
1807 $contexts = array_reverse(get_parent_contexts($context));
98882637 1808 }
98882637 1809 $contexts = '('.implode(',', $contexts).')';
1810
1648afb2 1811 if ($cap) {
e4697bf7 1812 $search = " AND rc.capability = '$cap' ";
1648afb2 1813 } else {
1814 $search = '';
1815 }
1816
98882637 1817 $SQL = "SELECT rc.* FROM {$CFG->prefix}role_capabilities rc, {$CFG->prefix}context c
1818 where rc.contextid in $contexts
1819 and rc.roleid = $roleid
1648afb2 1820 and rc.contextid = c.id $search
d140ad3f 1821 ORDER BY c.aggregatelevel DESC, rc.capability DESC";
1648afb2 1822
98882637 1823 $capabilities = array();
1824
4729012f 1825 if ($records = get_records_sql($SQL)) {
1826 // We are traversing via reverse order.
1827 foreach ($records as $record) {
1828 // If not set yet (i.e. inherit or not set at all), or currently we have a prohibit
1829 if (!isset($capabilities[$record->capability]) || $record->permission<-500) {
1830 $capabilities[$record->capability] = $record->permission;
1831 }
1832 }
98882637 1833 }
1834 return $capabilities;
bbbf2d40 1835}
1836
bbbf2d40 1837/**
0468976c 1838 * Recursive function which, given a context, find all parent context ids,
bbbf2d40 1839 * and return the array in reverse order, i.e. parent first, then grand
1840 * parent, etc.
1841 * @param object $context
1842 * @return array()
1843 */
bbbf2d40 1844function get_parent_contexts($context) {
1845
d140ad3f 1846 switch ($context->aggregatelevel) {
bbbf2d40 1847
1848 case CONTEXT_SYSTEM: // no parent
957861f7 1849 return array();
bbbf2d40 1850 break;
1851
1852 case CONTEXT_PERSONAL:
957861f7 1853 if (!$parent = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
1854 return array();
1855 } else {
1856 return array($parent->id);
1857 }
bbbf2d40 1858 break;
1859
1860 case CONTEXT_USERID:
957861f7 1861 if (!$parent = get_context_instance(CONTEXT_SYSTEM, SITEID)) {
1862 return array();
1863 } else {
1864 return array($parent->id);
1865 }
bbbf2d40 1866 break;
1867
1868 case CONTEXT_COURSECAT: // Coursecat -> coursecat or site
957861f7 1869 if (!$coursecat = get_record('course_categories','id',$context->instanceid)) {
1870 return array();
1871 }
c5ddc3fd 1872 if (!empty($coursecat->parent)) { // return parent value if exist
bbbf2d40 1873 $parent = get_context_instance(CONTEXT_COURSECAT, $coursecat->parent);
1874 return array_merge(array($parent->id), get_parent_contexts($parent));
1875 } else { // else return site value
1876 $parent = get_context_instance(CONTEXT_SYSTEM, SITEID);
1877 return array($parent->id);
1878 }
1879 break;
1880
1881 case CONTEXT_COURSE: // 1 to 1 to course cat
957861f7 1882 if (!$course = get_record('course','id',$context->instanceid)) {
1883 return array();
1884 }
1885 if (!empty($course->category)) {
1886 $parent = get_context_instance(CONTEXT_COURSECAT, $course->category);
1887 return array_merge(array($parent->id), get_parent_contexts($parent));
1888 } else {
1889 return array();
1890 }
bbbf2d40 1891 break;
1892
1893 case CONTEXT_GROUP: // 1 to 1 to course
957861f7 1894 if (!$group = get_record('groups','id',$context->instanceid)) {
1895 return array();
1896 }
1897 if ($parent = get_context_instance(CONTEXT_COURSE, $group->courseid)) {
1898 return array_merge(array($parent->id), get_parent_contexts($parent));
1899 } else {
1900 return array();
1901 }
bbbf2d40 1902 break;
1903
1904 case CONTEXT_MODULE: // 1 to 1 to course
957861f7 1905 if (!$cm = get_record('course_modules','id',$context->instanceid)) {
1906 return array();
1907 }
1908 if ($parent = get_context_instance(CONTEXT_COURSE, $cm->course)) {
1909 return array_merge(array($parent->id), get_parent_contexts($parent));
1910 } else {
1911 return array();
1912 }
bbbf2d40 1913 break;
1914
1915 case CONTEXT_BLOCK: // 1 to 1 to course
957861f7 1916 if (!$block = get_record('block_instance','id',$context->instanceid)) {
1917 return array();
1918 }
1919 if ($parent = get_context_instance(CONTEXT_COURSE, $block->pageid)) {
1920 return array_merge(array($parent->id), get_parent_contexts($parent));
1921 } else {
1922 return array();
1923 }
bbbf2d40 1924 break;
1925
1926 default:
957861f7 1927 error('This is an unknown context!');
bbbf2d40 1928 return false;
1929 }
bbbf2d40 1930}
1931
ea8158c1 1932/** gets a string for sql calls, searching for stuff
1933 * in this context or above
1934 * @param object $context
1935 * @return string
1936 */
1937function get_related_contexts_string($context) {
1938 if ($parents = get_parent_contexts($context)) {
1939 return (' IN ('.$context->id.','.implode(',', $parents).')');
1940 } else {
1941 return (' ='.$context->id);
1942 }
1943}
bbbf2d40 1944/**
1945 * This function gets the capability of a role in a given context.
1946 * It is needed when printing override forms.
1947 * @param int $contextid
bbbf2d40 1948 * @param string $capability
1949 * @param array $capabilities - array loaded using role_context_capabilities
1950 * @return int (allow, prevent, prohibit, inherit)
1951 */
bbbf2d40 1952function get_role_context_capability($contextid, $capability, $capabilities) {
98882637 1953 return $capabilities[$contextid][$capability];
bbbf2d40 1954}
1955
1956
cee0901c 1957/**
1958 * Returns the human-readable, translated version of the capability.
1959 * Basically a big switch statement.
1960 * @param $capabilityname - e.g. mod/choice:readresponses
1961 */
ceb83c70 1962function get_capability_string($capabilityname) {
ae9e4c06 1963
cee0901c 1964 // Typical capabilityname is mod/choice:readresponses
ceb83c70 1965
1966 $names = split('/', $capabilityname);
1967 $stringname = $names[1]; // choice:readresponses
1968 $components = split(':', $stringname);
1969 $componentname = $components[0]; // choice
98882637 1970
1971 switch ($names[0]) {
1972 case 'mod':
ceb83c70 1973 $string = get_string($stringname, $componentname);
98882637 1974 break;
1975
1976 case 'block':
ceb83c70 1977 $string = get_string($stringname, 'block_'.$componentname);
98882637 1978 break;
ceb83c70 1979
98882637 1980 case 'moodle':
ceb83c70 1981 $string = get_string($stringname, 'role');
98882637 1982 break;
1983
1984 case 'enrol':
ceb83c70 1985 $string = get_string($stringname, 'enrol_'.$componentname);
1986 break;
98882637 1987
1988 default:
ceb83c70 1989 $string = get_string($stringname);
98882637 1990 break;
98882637 1991
1992 }
ceb83c70 1993 return $string;
bbbf2d40 1994}
1995
1996
cee0901c 1997/**
1998 * This gets the mod/block/course/core etc strings.
1999 * @param $component
2000 * @param $contextlevel
2001 */
bbbf2d40 2002function get_component_string($component, $contextlevel) {
2003
98882637 2004 switch ($contextlevel) {
bbbf2d40 2005
98882637 2006 case CONTEXT_SYSTEM:
be382aaf 2007 if (preg_match('|^enrol/|', $component)) {
2008 $langname = str_replace('/', '_', $component);
2009 $string = get_string('enrolname', $langname);
69eb59f2 2010 } else {
2011 $string = get_string('coresystem');
2012 }
bbbf2d40 2013 break;
2014
2015 case CONTEXT_PERSONAL:
98882637 2016 $string = get_string('personal');
bbbf2d40 2017 break;
2018
2019 case CONTEXT_USERID:
98882637 2020 $string = get_string('users');
bbbf2d40 2021 break;
2022
2023 case CONTEXT_COURSECAT:
98882637 2024 $string = get_string('categories');
bbbf2d40 2025 break;
2026
2027 case CONTEXT_COURSE:
98882637 2028 $string = get_string('course');
bbbf2d40 2029 break;
2030
2031 case CONTEXT_GROUP:
98882637 2032 $string = get_string('group');
bbbf2d40 2033 break;
2034
2035 case CONTEXT_MODULE:
98882637 2036 $string = get_string('modulename', basename($component));
bbbf2d40 2037 break;
2038
2039 case CONTEXT_BLOCK:
98882637 2040 $string = get_string('blockname', 'block_'.$component.'.php');
bbbf2d40 2041 break;
2042
2043 default:
2044 error ('This is an unknown context!');
2045 return false;
98882637 2046
2047 }
98882637 2048 return $string;
bbbf2d40 2049}
cee0901c 2050
945f88ca 2051/** gets the list of roles assigned to this context
2052 * @param object $context
2053 * @return array
2054 */
e4dd3222 2055function get_roles_used_in_context($context) {
2056
2057 global $CFG;
2058
2059 return get_records_sql('SELECT distinct r.id, r.name
2060 FROM '.$CFG->prefix.'role_assignments ra,
2061 '.$CFG->prefix.'role r
2062 WHERE r.id = ra.roleid
2063 AND ra.contextid = '.$context->id.'
2064 ORDER BY r.sortorder ASC');
2065}
2066
945f88ca 2067/** this function is used to print roles column in user profile page.
2068 * @param int userid
2069 * @param int contextid
2070 * @return string
2071 */
0a8a95c9 2072function get_user_roles_in_context($userid, $contextid){
2073 global $CFG;
2074
2075 $rolestring = '';
2076 $SQL = 'select * from '.$CFG->prefix.'role_assignments ra, '.$CFG->prefix.'role r where ra.userid='.$userid.' and ra.contextid='.$contextid.' and ra.roleid = r.id';
2077 if ($roles = get_records_sql($SQL)) {
2078 foreach ($roles as $userrole) {
2079 $rolestring .= '<a href="'.$CFG->wwwroot.'/user/index.php?contextid='.$userrole->contextid.'&amp;roleid='.$userrole->roleid.'">'.$userrole->name.'</a>, ';
2080 }
2081
2082 }
2083 return rtrim($rolestring, ', ');
2084}
68c52526 2085
2086
945f88ca 2087/**
2088 * Checks if a user can override capabilities of a particular role in this context
2089 * @param object $context
2090 * @param int targetroleid - the id of the role you want to override
2091 * @return boolean
2092 */
68c52526 2093function user_can_override($context, $targetroleid) {
2094 // first check if user has override capability
2095 // if not return false;
2096 if (!has_capability('moodle/role:override', $context)) {
2097 return false;
2098 }
2099 // pull out all active roles of this user from this context(or above)
c0614051 2100 if ($userroles = get_user_roles($context)) {
2101 foreach ($userroles as $userrole) {
2102 // if any in the role_allow_override table, then it's ok
2103 if (get_record('role_allow_override', 'roleid', $userrole->roleid, 'allowoverride', $targetroleid)) {
2104 return true;
2105 }
68c52526 2106 }
2107 }
2108
2109 return false;
2110
2111}
2112
945f88ca 2113/**
2114 * Checks if a user can assign users to a particular role in this context
2115 * @param object $context
2116 * @param int targetroleid - the id of the role you want to assign users to
2117 * @return boolean
2118 */
68c52526 2119function user_can_assign($context, $targetroleid) {
2120
2121 // first check if user has override capability
2122 // if not return false;
2123 if (!has_capability('moodle/role:assign', $context)) {
2124 return false;
2125 }
2126 // pull out all active roles of this user from this context(or above)
c0614051 2127 if ($userroles = get_user_roles($context)) {
2128 foreach ($userroles as $userrole) {
2129 // if any in the role_allow_override table, then it's ok
2130 if (get_record('role_allow_assign', 'roleid', $userrole->roleid, 'allowassign', $targetroleid)) {
2131 return true;
2132 }
68c52526 2133 }
2134 }
2135
2136 return false;
2137}
2138
945f88ca 2139/**
2140 * gets all the user roles assigned in this context, or higher contexts
2141 * this is mainly used when checking if a user can assign a role, or overriding a role
2142 * i.e. we need to know what this user holds, in order to verify against allow_assign and
2143 * allow_override tables
2144 * @param object $context
2145 * @param int $userid
2146 * @return array
2147 */
c0614051 2148function get_user_roles($context, $userid=0) {
68c52526 2149
2150 global $USER, $CFG, $db;
c0614051 2151
2152 if (empty($userid)) {
2153 if (empty($USER->id)) {
2154 return array();
2155 }
2156 $userid = $USER->id;
2157 }
2158
2159 if ($parents = get_parent_contexts($context)) {
2160 $contexts = ' AND ra.contextid IN ('.implode(',' , $parents).')';
2161 } else {
2162 $contexts = ' AND ra.contextid = \''.$context->id.'\'';
2163 }
2164
68c52526 2165 return get_records_sql('SELECT *
2166 FROM '.$CFG->prefix.'role_assignments ra
c0614051 2167 WHERE ra.userid = '.$userid.
2168 $contexts);
68c52526 2169}
2170
945f88ca 2171/**
2172 * Creates a record in the allow_override table
2173 * @param int sroleid - source roleid
2174 * @param int troleid - target roleid
2175 * @return int - id or false
2176 */
2177function allow_override($sroleid, $troleid) {
2178 $record->roleid = $sroleid;
2179 $record->allowoverride = $troleid;
2180 return insert_record('role_allow_override', $record);
2181}
2182
2183/**
2184 * Creates a record in the allow_assign table
2185 * @param int sroleid - source roleid
2186 * @param int troleid - target roleid
2187 * @return int - id or false
2188 */
2189function allow_assign($sroleid, $troleid) {
2190 $record->roleid = $sroleid;
2191 $record->allowassign = $troleid;
2192 return insert_record('role_allow_assign', $record);
2193}
2194
2195/**
2196 * gets a list of roles assignalbe in this context for this user
2197 * @param object $context
2198 * @return array
2199 */
2200function get_assignable_roles ($context) {
2201
2202 $role = get_records('role');
2203 $options = array();
2204 foreach ($role as $rolex) {
2205 if (user_can_assign($context, $rolex->id)) {
2206 $options[$rolex->id] = $rolex->name;
2207 }
2208 }
2209 return $options;
2210}
2211
2212/**
2213 * gets a list of roles that can be overriden in this context by this user
2214 * @param object $context
2215 * @return array
2216 */
2217function get_overridable_roles ($context) {
2218
2219 $role = get_records('role');
2220 $options = array();
2221 foreach ($role as $rolex) {
2222 if (user_can_override($context, $rolex->id)) {
2223 $options[$rolex->id] = $rolex->name;
2224 }
2225 }
2226
2227 return $options;
2228
2229}
1648afb2 2230
2231
2232/**
2233 * who has this capability in this context
2234 * does not handling user level resolving!!!
2235 * i.e 1 person has 2 roles 1 allow, 1 prevent, this will not work properly
2236 * @param $context - object
2237 * @param $capability - string capability
2238 * @param $fields - fields to be pulled
2239 * @param $sort - the sort order
04417640 2240 * @param $limitfrom - number of records to skip (offset)
2241 * @param $limitnum - number of records to fetch
1c45e42e 2242 * @param $groups - single group or array of groups - group(s) user is in
1648afb2 2243 */
1c45e42e 2244function get_users_by_capability($context, $capability, $fields='u.*', $sort='', $limitfrom='', $limitnum='', $groups='') {
1648afb2 2245
2246 global $CFG;
2247
1c45e42e 2248 if ($groups) {
2249
2250 $groupjoin = 'LEFT JOIN '.$CFG->prefix.'groups_members gm ON gm.userid = ra.userid';
2251
2252 if (is_array($groups)) {
2253 $groupsql = 'AND gm.id IN ('.implode(',', $groups).')';
2254 } else {
2255 $groupsql = 'AND gm.id = '.$groups;
2256 }
2257 } else {
2258 $groupjoin = '';
2259 $groupsql = '';
2260 }
2261
1648afb2 2262 // first get all roles with this capability in this context, or above
ec7a8b79 2263 $possibleroles = get_roles_with_capability($capability, CAP_ALLOW, $context);
1648afb2 2264 $validroleids = array();
2265 foreach ($possibleroles as $prole) {
2266 $caps = role_context_capabilities($prole->id, $context, $capability); // resolved list
2267 if ($caps[$capability] > 0) { // resolved capability > 0
2268 $validroleids[] = $prole->id;
2269 }
2270 }
2271
ec7a8b79 2272 /// the following few lines may not be needed
1648afb2 2273 if ($usercontexts = get_parent_contexts($context)) {
2274 $listofcontexts = '('.implode(',', $usercontexts).')';
2275 } else {
2276 $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
2277 $listofcontexts = '('.$sitecontext->id.')'; // must be site
2278 }
2279
2280 $roleids = '('.implode(',', $validroleids).')';
2281
2282 $select = ' SELECT '.$fields;
1c45e42e 2283 $from = ' FROM '.$CFG->prefix.'user u LEFT JOIN '.$CFG->prefix.'role_assignments ra ON ra.userid = u.id '.$groupjoin;
2284 $where = ' WHERE (ra.contextid = '.$context->id.' OR ra.contextid in '.$listofcontexts.') AND u.deleted = 0 AND ra.roleid in '.$roleids.' '.$groupsql;
1648afb2 2285
04417640 2286 return get_records_sql($select.$from.$where.$sort, $limitfrom, $limitnum);
1648afb2 2287
2288}
7700027f 2289
ab5c9044 2290/**
2291 * gets all the users assigned this role in this context or higher
2292 * @param int roleid
2293 * @param int contextid
2294 * @param bool parent if true, get list of users assigned in higher context too
2295 * @return array()
2296 */
2297function get_role_users($roleid, $context, $parent=false) {
2298 global $CFG;
2299
2300 if ($parent) {
2301 if ($contexts = get_parent_contexts($context)) {
2302 $parentcontexts = 'r.contextid IN ('.implode(',', $contexts).')';
2303 } else {
2304 $parentcontexts = '';
2305 }
2306 } else {
2307 $parentcontexts = '';
2308 }
2309
2310 $SQL = "select u.*
2311 from {$CFG->prefix}role_assignments r,
2312 {$CFG->prefix}user u
2313 where (r.contextid = $context->id $parentcontexts)
2314 and r.roleid = $roleid
2315 and u.id = r.userid"; // join now so that we can just use fullname() later
2316
2317 return get_records_sql($SQL);
2318}
2319
1dc1f037 2320?>