bbbf2d40 |
1 | <?php |
cee0901c |
2 | /** |
3 | * Capability session information format |
bbbf2d40 |
4 | * 2 x 2 array |
5 | * [context][capability] |
6 | * where context is the context id of the table 'context' |
7 | * and capability is a string defining the capability |
8 | * e.g. |
9 | * |
10 | * [Capabilities] => [26][mod/forum:viewpost] = 1 |
11 | * [26][mod/forum:startdiscussion] = -8990 |
12 | * [26][mod/forum:editallpost] = -1 |
13 | * [273][moodle:blahblah] = 1 |
14 | * [273][moodle:blahblahblah] = 2 |
15 | */ |
bbbf2d40 |
16 | |
17 | // permission definitions |
18 | define('CAP_ALLOW', 1); |
19 | define('CAP_PREVENT', -1); |
20 | define('CAP_PROHIBIT', -1000); |
21 | |
bbbf2d40 |
22 | // context definitions |
23 | define('CONTEXT_SYSTEM', 10); |
24 | define('CONTEXT_PERSONAL', 20); |
25 | define('CONTEXT_USERID', 30); |
26 | define('CONTEXT_COURSECAT', 40); |
27 | define('CONTEXT_COURSE', 50); |
28 | define('CONTEXT_GROUP', 60); |
29 | define('CONTEXT_MODULE', 70); |
30 | define('CONTEXT_BLOCK', 80); |
31 | |
340ea4e8 |
32 | $context_cache = array(); // Cache of all used context objects for performance (by level and instance) |
33 | $context_cache_id = array(); // Index to above cache by id |
bbbf2d40 |
34 | |
7700027f |
35 | |
e7876c1e |
36 | /** |
37 | * Loads the capabilities for the default guest role to the current user in a specific context |
38 | * @return object |
39 | */ |
40 | function load_guest_role($context=NULL) { |
41 | global $USER; |
42 | |
43 | static $guestrole; |
44 | |
45 | if (!isloggedin()) { |
46 | return false; |
47 | } |
48 | |
49 | if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) { |
50 | return false; |
51 | } |
52 | |
53 | if (empty($context)) { |
54 | $context = $sitecontext; |
55 | } |
56 | |
57 | if (empty($guestrole)) { |
58 | if ($roles = get_roles_with_capability('moodle/legacy:guest', CAP_ALLOW)) { |
59 | $guestrole = array_shift($roles); // Pick the first one |
60 | } else { |
61 | return false; |
62 | } |
63 | } |
64 | |
65 | if ($capabilities = get_records_select('role_capabilities', |
66 | "roleid = $guestrole->id AND contextid = $sitecontext->id")) { |
67 | foreach ($capabilities as $capability) { |
68 | $USER->capabilities[$context->id][$capability->capability] = $capability->permission; |
69 | } |
70 | } |
71 | |
72 | return true; |
73 | } |
74 | |
7700027f |
75 | /** |
76 | * Load default not logged in role capabilities when user is not logged in |
77 | * @return bool |
78 | */ |
20aeb4b8 |
79 | function load_notloggedin_role() { |
80 | global $CFG, $USER; |
81 | |
7700027f |
82 | if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID)) { |
83 | return false; |
35a518c5 |
84 | } |
85 | |
7700027f |
86 | if (empty($CFG->notloggedinroleid)) { // Let's set the default to the guest role |
87 | if ($roles = get_roles_with_capability('moodle/legacy:guest', CAP_ALLOW)) { |
88 | $role = array_shift($roles); // Pick the first one |
89 | set_config('notloggedinroleid', $role->id); |
90 | } else { |
91 | return false; |
92 | } |
93 | } |
20aeb4b8 |
94 | |
7700027f |
95 | if ($capabilities = get_records_select('role_capabilities', |
96 | "roleid = $CFG->notloggedinroleid AND contextid = $sitecontext->id")) { |
97 | foreach ($capabilities as $capability) { |
98 | $USER->capabilities[$sitecontext->id][$capability->capability] = $capability->permission; |
99 | } |
20aeb4b8 |
100 | } |
101 | |
102 | return true; |
103 | } |
cee0901c |
104 | |
bbbf2d40 |
105 | /** |
106 | * This functions get all the course categories in proper order |
0468976c |
107 | * @param int $context |
bbbf2d40 |
108 | * @param int $type |
109 | * @return array of contextids |
110 | */ |
0468976c |
111 | function get_parent_cats($context, $type) { |
98882637 |
112 | |
113 | $parents = array(); |
98882637 |
114 | |
c5ddc3fd |
115 | switch ($type) { |
98882637 |
116 | |
117 | case CONTEXT_COURSECAT: |
118 | |
c5ddc3fd |
119 | if (!$cat = get_record('course_categories','id',$context->instanceid)) { |
120 | break; |
121 | } |
122 | |
123 | while (!empty($cat->parent)) { |
124 | if (!$context = get_context_instance(CONTEXT_COURSECAT, $cat->parent)) { |
125 | break; |
126 | } |
98882637 |
127 | $parents[] = $context->id; |
128 | $cat = get_record('course_categories','id',$cat->parent); |
129 | } |
130 | |
131 | break; |
132 | |
133 | case CONTEXT_COURSE: |
134 | |
c5ddc3fd |
135 | if (!$course = get_record('course', 'id', $context->instanceid)) { |
136 | break; |
137 | } |
138 | if (!$catinstance = get_context_instance(CONTEXT_COURSECAT, $course->category)) { |
139 | break; |
140 | } |
141 | |
98882637 |
142 | $parents[] = $catinstance->id; |
c5ddc3fd |
143 | |
144 | if (!$cat = get_record('course_categories','id',$course->category)) { |
145 | break; |
146 | } |
147 | |
148 | while (!empty($cat->parent)) { |
149 | if (!$context = get_context_instance(CONTEXT_COURSECAT, $cat->parent)) { |
150 | break; |
151 | } |
98882637 |
152 | $parents[] = $context->id; |
153 | $cat = get_record('course_categories','id',$cat->parent); |
154 | } |
155 | break; |
156 | |
157 | default: |
158 | break; |
159 | |
160 | } |
161 | |
162 | return array_reverse($parents); |
bbbf2d40 |
163 | } |
164 | |
165 | |
cee0901c |
166 | |
167 | /************************************* |
168 | * Functions for Roles & Capabilites * |
169 | *************************************/ |
bbbf2d40 |
170 | |
171 | |
0468976c |
172 | /** |
173 | * This function checks for a capability assertion being true. If it isn't |
174 | * then the page is terminated neatly with a standard error message |
175 | * @param string $capability - name of the capability |
176 | * @param object $context - a context object (record from context table) |
177 | * @param integer $userid - a userid number |
d74067e8 |
178 | * @param bool $doanything - if false, ignore do anything |
0468976c |
179 | * @param string $errorstring - an errorstring |
d74067e8 |
180 | * @param string $stringfile - which stringfile to get it from |
0468976c |
181 | */ |
d74067e8 |
182 | function require_capability($capability, $context=NULL, $userid=NULL, $doanything=true, |
183 | $errormessage="nopermissions", $stringfile='') { |
a9e1c058 |
184 | |
185 | global $USER; |
186 | |
187 | /// If the current user is not logged in, then make sure they are |
188 | |
189 | if (empty($userid) and empty($USER->id)) { |
190 | if ($context && ($context->aggregatelevel == CONTEXT_COURSE)) { |
191 | require_login($context->instanceid); |
192 | } else { |
193 | require_login(); |
194 | } |
195 | } |
196 | |
197 | /// OK, if they still don't have the capability then print a nice error message |
198 | |
d74067e8 |
199 | if (!has_capability($capability, $context, $userid, $doanything)) { |
0468976c |
200 | $capabilityname = get_capability_string($capability); |
201 | print_error($errormessage, $stringfile, '', $capabilityname); |
202 | } |
203 | } |
204 | |
205 | |
bbbf2d40 |
206 | /** |
207 | * This function returns whether the current user has the capability of performing a function |
208 | * For example, we can do has_capability('mod/forum:replypost',$cm) in forum |
209 | * only one of the 4 (moduleinstance, courseid, site, userid) would be set at 1 time |
210 | * This is a recursive funciton. |
bbbf2d40 |
211 | * @uses $USER |
212 | * @param string $capability - name of the capability |
0468976c |
213 | * @param object $context - a context object (record from context table) |
214 | * @param integer $userid - a userid number |
20aeb4b8 |
215 | * @param bool $doanything - if false, ignore do anything |
bbbf2d40 |
216 | * @return bool |
217 | */ |
d74067e8 |
218 | function has_capability($capability, $context=NULL, $userid=NULL, $doanything=true) { |
bbbf2d40 |
219 | |
20aeb4b8 |
220 | global $USER, $CONTEXT, $CFG; |
bbbf2d40 |
221 | |
dc411d1b |
222 | if (empty($userid) && !isloggedin() && !isset($USER->capabilities)) { |
20aeb4b8 |
223 | load_notloggedin_role(); |
224 | } |
225 | |
226 | if ($userid && $userid != $USER->id) { |
9425b25f |
227 | if (empty($USER->id) or ($userid != $USER->id)) { |
228 | $capabilities = load_user_capability($capability, $context, $userid); |
229 | } else { //$USER->id == $userid |
230 | $capabilities = empty($USER->capabilities) ? NULL : $USER->capabilities; |
231 | } |
232 | } else { // no userid |
233 | $capabilities = empty($USER->capabilities) ? NULL : $USER->capabilities; |
98882637 |
234 | } |
9425b25f |
235 | |
0468976c |
236 | if (empty($context)) { // Use default CONTEXT if none specified |
340ea4e8 |
237 | if (empty($CONTEXT)) { |
238 | return false; |
239 | } else { |
240 | $context = $CONTEXT; |
241 | } |
0468976c |
242 | } else { // A context was given to us |
243 | if (empty($CONTEXT)) { |
244 | $CONTEXT = $context; // Store FIRST used context in this global as future default |
245 | } |
340ea4e8 |
246 | } |
bbbf2d40 |
247 | |
20aeb4b8 |
248 | if ($doanything) { |
249 | // Check site |
250 | $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID); |
251 | if (isset($capabilities[$sitecontext->id]['moodle/site:doanything'])) { |
252 | return (0 < $capabilities[$sitecontext->id]['moodle/site:doanything']); |
253 | } |
98882637 |
254 | |
20aeb4b8 |
255 | switch ($context->aggregatelevel) { |
bbbf2d40 |
256 | |
20aeb4b8 |
257 | case CONTEXT_COURSECAT: |
258 | // Check parent cats. |
259 | $parentcats = get_parent_cats($context, CONTEXT_COURSECAT); |
260 | foreach ($parentcats as $parentcat) { |
261 | if (isset($capabilities[$parentcat]['moodle/site:doanything'])) { |
262 | return (0 < $capabilities[$parentcat]['moodle/site:doanything']); |
263 | } |
cee0901c |
264 | } |
20aeb4b8 |
265 | break; |
bbbf2d40 |
266 | |
20aeb4b8 |
267 | case CONTEXT_COURSE: |
268 | // Check parent cat. |
269 | $parentcats = get_parent_cats($context, CONTEXT_COURSE); |
98882637 |
270 | |
20aeb4b8 |
271 | foreach ($parentcats as $parentcat) { |
272 | if (isset($capabilities[$parentcat]['do_anything'])) { |
273 | return (0 < $capabilities[$parentcat]['do_anything']); |
274 | } |
9425b25f |
275 | } |
20aeb4b8 |
276 | break; |
bbbf2d40 |
277 | |
20aeb4b8 |
278 | case CONTEXT_GROUP: |
279 | // Find course. |
280 | $group = get_record('groups','id',$context->instanceid); |
281 | $courseinstance = get_context_instance(CONTEXT_COURSE, $group->courseid); |
9425b25f |
282 | |
20aeb4b8 |
283 | $parentcats = get_parent_cats($courseinstance, CONTEXT_COURSE); |
284 | foreach ($parentcats as $parentcat) { |
285 | if (isset($capabilities[$parentcat->id]['do_anything'])) { |
286 | return (0 < $capabilities[$parentcat->id]['do_anything']); |
287 | } |
9425b25f |
288 | } |
9425b25f |
289 | |
20aeb4b8 |
290 | $coursecontext = ''; |
291 | if (isset($capabilities[$courseinstance->id]['do_anything'])) { |
292 | return (0 < $capabilities[$courseinstance->id]['do_anything']); |
293 | } |
9425b25f |
294 | |
20aeb4b8 |
295 | break; |
bbbf2d40 |
296 | |
20aeb4b8 |
297 | case CONTEXT_MODULE: |
298 | // Find course. |
299 | $cm = get_record('course_modules', 'id', $context->instanceid); |
300 | $courseinstance = get_context_instance(CONTEXT_COURSE, $cm->course); |
9425b25f |
301 | |
20aeb4b8 |
302 | if ($parentcats = get_parent_cats($courseinstance, CONTEXT_COURSE)) { |
303 | foreach ($parentcats as $parentcat) { |
304 | if (isset($capabilities[$parentcat]['do_anything'])) { |
305 | return (0 < $capabilities[$parentcat]['do_anything']); |
306 | } |
cee0901c |
307 | } |
9425b25f |
308 | } |
98882637 |
309 | |
20aeb4b8 |
310 | if (isset($capabilities[$courseinstance->id]['do_anything'])) { |
311 | return (0 < $capabilities[$courseinstance->id]['do_anything']); |
312 | } |
bbbf2d40 |
313 | |
20aeb4b8 |
314 | break; |
bbbf2d40 |
315 | |
20aeb4b8 |
316 | case CONTEXT_BLOCK: |
317 | // 1 to 1 to course. |
318 | // Find course. |
319 | $block = get_record('block_instance','id',$context->instanceid); |
320 | $courseinstance = get_context_instance(CONTEXT_COURSE, $block->pageid); // needs check |
9425b25f |
321 | |
20aeb4b8 |
322 | $parentcats = get_parent_cats($courseinstance, CONTEXT_COURSE); |
323 | foreach ($parentcats as $parentcat) { |
324 | if (isset($capabilities[$parentcat]['do_anything'])) { |
325 | return (0 < $capabilities[$parentcat]['do_anything']); |
326 | } |
cee0901c |
327 | } |
9425b25f |
328 | |
20aeb4b8 |
329 | if (isset($capabilities[$courseinstance->id]['do_anything'])) { |
330 | return (0 < $capabilities[$courseinstance->id]['do_anything']); |
331 | } |
332 | break; |
bbbf2d40 |
333 | |
20aeb4b8 |
334 | default: |
335 | // CONTEXT_SYSTEM: CONTEXT_PERSONAL: CONTEXT_USERID: |
336 | // Do nothing. |
337 | break; |
338 | } |
bbbf2d40 |
339 | |
20aeb4b8 |
340 | // Last: check self. |
341 | if (isset($capabilities[$context->id]['do_anything'])) { |
342 | return (0 < $capabilities[$context->id]['do_anything']); |
343 | } |
98882637 |
344 | } |
98882637 |
345 | // do_anything has not been set, we now look for it the normal way. |
9425b25f |
346 | return (0 < capability_search($capability, $context, $capabilities)); |
bbbf2d40 |
347 | |
9425b25f |
348 | } |
bbbf2d40 |
349 | |
350 | |
351 | /** |
352 | * In a separate function so that we won't have to deal with do_anything. |
353 | * again. Used by function has_capability. |
354 | * @param $capability - capability string |
0468976c |
355 | * @param $context - the context object |
bbbf2d40 |
356 | * @param $capabilities - either $USER->capability or loaded array |
357 | * @return permission (int) |
358 | */ |
0468976c |
359 | function capability_search($capability, $context, $capabilities) { |
20aeb4b8 |
360 | |
bbbf2d40 |
361 | global $USER, $CFG; |
0468976c |
362 | |
0468976c |
363 | if (isset($capabilities[$context->id][$capability])) { |
ea82d6b6 |
364 | debugging("Found $capability in context $context->id at level $context->aggregatelevel: ".$capabilities[$context->id][$capability], E_ALL); |
0468976c |
365 | return ($capabilities[$context->id][$capability]); |
bbbf2d40 |
366 | } |
9425b25f |
367 | |
bbbf2d40 |
368 | /* Then, we check the cache recursively */ |
9425b25f |
369 | $permission = 0; |
370 | |
d140ad3f |
371 | switch ($context->aggregatelevel) { |
bbbf2d40 |
372 | |
373 | case CONTEXT_SYSTEM: // by now it's a definite an inherit |
374 | $permission = 0; |
375 | break; |
376 | |
377 | case CONTEXT_PERSONAL: |
0468976c |
378 | $parentcontext = get_context_instance(CONTEXT_SYSTEM, SITEID); |
379 | $permission = capability_search($capability, $parentcontext, $capabilities); |
bbbf2d40 |
380 | break; |
9425b25f |
381 | |
bbbf2d40 |
382 | case CONTEXT_USERID: |
0468976c |
383 | $parentcontext = get_context_instance(CONTEXT_SYSTEM, SITEID); |
384 | $permission = capability_search($capability, $parentcontext, $capabilities); |
bbbf2d40 |
385 | break; |
9425b25f |
386 | |
bbbf2d40 |
387 | case CONTEXT_COURSECAT: // Coursecat -> coursecat or site |
388 | $coursecat = get_record('course_categories','id',$context->instanceid); |
0468976c |
389 | if (!empty($coursecat->parent)) { // return parent value if it exists |
390 | $parentcontext = get_context_instance(CONTEXT_COURSECAT, $coursecat->parent); |
bbbf2d40 |
391 | } else { // else return site value |
0468976c |
392 | $parentcontext = get_context_instance(CONTEXT_SYSTEM, SITEID); |
bbbf2d40 |
393 | } |
0468976c |
394 | $permission = capability_search($capability, $parentcontext, $capabilities); |
bbbf2d40 |
395 | break; |
396 | |
397 | case CONTEXT_COURSE: // 1 to 1 to course cat |
398 | // find the course cat, and return its value |
399 | $course = get_record('course','id',$context->instanceid); |
0468976c |
400 | $parentcontext = get_context_instance(CONTEXT_COURSECAT, $course->category); |
401 | $permission = capability_search($capability, $parentcontext, $capabilities); |
bbbf2d40 |
402 | break; |
403 | |
404 | case CONTEXT_GROUP: // 1 to 1 to course |
405 | $group = get_record('groups','id',$context->instanceid); |
0468976c |
406 | $parentcontext = get_context_instance(CONTEXT_COURSE, $group->courseid); |
407 | $permission = capability_search($capability, $parentcontext, $capabilities); |
bbbf2d40 |
408 | break; |
409 | |
410 | case CONTEXT_MODULE: // 1 to 1 to course |
411 | $cm = get_record('course_modules','id',$context->instanceid); |
0468976c |
412 | $parentcontext = get_context_instance(CONTEXT_COURSE, $cm->course); |
413 | $permission = capability_search($capability, $parentcontext, $capabilities); |
bbbf2d40 |
414 | break; |
415 | |
416 | case CONTEXT_BLOCK: // 1 to 1 to course |
417 | $block = get_record('block_instance','id',$context->instanceid); |
0468976c |
418 | $parentcontext = get_context_instance(CONTEXT_COURSE, $block->pageid); // needs check |
419 | $permission = capability_search($capability, $parentcontext, $capabilities); |
bbbf2d40 |
420 | break; |
421 | |
422 | default: |
423 | error ('This is an unknown context!'); |
424 | return false; |
425 | } |
ea82d6b6 |
426 | debugging("Found $capability recursively from context $context->id at level $context->aggregatelevel: $permission", E_ALL); |
9425b25f |
427 | |
98882637 |
428 | return $permission; |
bbbf2d40 |
429 | } |
430 | |
431 | |
432 | /** |
433 | * This function should be called immediately after a login, when $USER is set. |
434 | * It will build an array of all the capabilities at each level |
435 | * i.e. site/metacourse/course_category/course/moduleinstance |
436 | * Note we should only load capabilities if they are explicitly assigned already, |
437 | * we should not load all module's capability! |
438 | * @param $userid - the id of the user whose capabilities we want to load |
439 | * @return array |
440 | * possible just s simple 2D array with [contextid][capabilityname] |
441 | * [Capabilities] => [26][forum_post] = 1 |
442 | * [26][forum_start] = -8990 |
443 | * [26][forum_edit] = -1 |
444 | * [273][blah blah] = 1 |
445 | * [273][blah blah blah] = 2 |
446 | */ |
0468976c |
447 | function load_user_capability($capability='', $context ='', $userid='') { |
d140ad3f |
448 | |
98882637 |
449 | global $USER, $CFG; |
bbbf2d40 |
450 | |
20aeb4b8 |
451 | |
bbbf2d40 |
452 | if (empty($userid)) { |
dc411d1b |
453 | if (empty($USER->id)) { // We have no user to get capabilities for |
454 | return false; |
455 | } |
456 | if (!empty($USER->capabilities)) { // make sure it's cleaned when loaded (again) |
457 | unset($USER->capabilities); |
458 | } |
bbbf2d40 |
459 | $userid = $USER->id; |
dc411d1b |
460 | $otheruserid = false; |
bbbf2d40 |
461 | } else { |
9425b25f |
462 | $otheruserid = $userid; |
bbbf2d40 |
463 | } |
9425b25f |
464 | |
bbbf2d40 |
465 | if ($capability) { |
9425b25f |
466 | $capsearch = " AND rc.capability = '$capability' "; |
bbbf2d40 |
467 | } else { |
9425b25f |
468 | $capsearch =""; |
bbbf2d40 |
469 | } |
5f70bcc3 |
470 | |
471 | /// First we generate a list of all relevant contexts of the user |
472 | |
473 | $usercontexts = array(); |
bbbf2d40 |
474 | |
0468976c |
475 | if ($context) { // if context is specified |
476 | $usercontexts = get_parent_contexts($context); |
98882637 |
477 | } else { // else, we load everything |
5f70bcc3 |
478 | if ($userroles = get_records('role_assignments','userid',$userid)) { |
479 | foreach ($userroles as $userrole) { |
480 | $usercontexts[] = $userrole->contextid; |
481 | } |
98882637 |
482 | } |
5f70bcc3 |
483 | } |
484 | |
485 | /// Set up SQL fragments for searching contexts |
486 | |
487 | if ($usercontexts) { |
0468976c |
488 | $listofcontexts = '('.implode(',', $usercontexts).')'; |
5f70bcc3 |
489 | $searchcontexts1 = "c1.id IN $listofcontexts AND"; |
490 | $searchcontexts2 = "c2.id IN $listofcontexts AND"; |
491 | } else { |
492 | $listofcontexts = $searchcontexts1 = $searchcontexts2 = ''; |
bbbf2d40 |
493 | } |
0468976c |
494 | |
5f70bcc3 |
495 | /// Then we use 1 giant SQL to bring out all relevant capabilities. |
496 | /// The first part gets the capabilities of orginal role. |
497 | /// The second part gets the capabilities of overriden roles. |
bbbf2d40 |
498 | |
98882637 |
499 | $siteinstance = get_context_instance(CONTEXT_SYSTEM, SITEID); |
bbbf2d40 |
500 | |
75e84883 |
501 | $SQL = " SELECT rc.capability, c1.id, (c1.aggregatelevel * 100) AS aggrlevel, |
bbbf2d40 |
502 | SUM(rc.permission) AS sum |
503 | FROM |
42ac3ecf |
504 | {$CFG->prefix}role_assignments ra, |
505 | {$CFG->prefix}role_capabilities rc, |
506 | {$CFG->prefix}context c1 |
bbbf2d40 |
507 | WHERE |
d4649c76 |
508 | ra.contextid=c1.id AND |
509 | ra.roleid=rc.roleid AND |
bbbf2d40 |
510 | ra.userid=$userid AND |
5f70bcc3 |
511 | $searchcontexts1 |
bbbf2d40 |
512 | rc.contextid=$siteinstance->id |
98882637 |
513 | $capsearch |
bbbf2d40 |
514 | GROUP BY |
0be16c1d |
515 | rc.capability, (c1.aggregatelevel * 100), c1.id |
bbbf2d40 |
516 | HAVING |
41811960 |
517 | SUM(rc.permission) != 0 |
bbbf2d40 |
518 | UNION |
519 | |
75e84883 |
520 | SELECT rc.capability, c1.id, (c1.aggregatelevel * 100 + c2.aggregatelevel) AS aggrlevel, |
bbbf2d40 |
521 | SUM(rc.permission) AS sum |
522 | FROM |
42ac3ecf |
523 | {$CFG->prefix}role_assignments ra, |
524 | {$CFG->prefix}role_capabilities rc, |
525 | {$CFG->prefix}context c1, |
526 | {$CFG->prefix}context c2 |
bbbf2d40 |
527 | WHERE |
d4649c76 |
528 | ra.contextid=c1.id AND |
529 | ra.roleid=rc.roleid AND |
530 | ra.userid=$userid AND |
531 | rc.contextid=c2.id AND |
5f70bcc3 |
532 | $searchcontexts1 |
533 | $searchcontexts2 |
534 | rc.contextid != $siteinstance->id |
bbbf2d40 |
535 | $capsearch |
536 | |
537 | GROUP BY |
0be16c1d |
538 | rc.capability, (c1.aggregatelevel * 100 + c2.aggregatelevel), c1.id |
bbbf2d40 |
539 | HAVING |
41811960 |
540 | SUM(rc.permission) != 0 |
bbbf2d40 |
541 | ORDER BY |
75e84883 |
542 | aggrlevel ASC |
bbbf2d40 |
543 | "; |
544 | |
98882637 |
545 | $capabilities = array(); // Reinitialize. |
75e84883 |
546 | if (!$rs = get_recordset_sql($SQL)) { |
547 | error("Query failed in load_user_capability."); |
548 | } |
5cf38a57 |
549 | |
bbbf2d40 |
550 | if ($rs && $rs->RecordCount() > 0) { |
551 | while (!$rs->EOF) { |
75e84883 |
552 | $array = $rs->fields; |
553 | $temprecord = new object; |
98882637 |
554 | |
555 | foreach ($array as $key=>$val) { |
75e84883 |
556 | if ($key == 'aggrlevel') { |
557 | $temprecord->aggregatelevel = $val; |
558 | } else { |
559 | $temprecord->{$key} = $val; |
560 | } |
98882637 |
561 | } |
bbbf2d40 |
562 | $capabilities[] = $temprecord; |
563 | $rs->MoveNext(); |
564 | } |
565 | } |
d140ad3f |
566 | |
bbbf2d40 |
567 | /* so up to this point we should have somethign like this |
41811960 |
568 | * $capabilities[1] ->aggregatelevel = 1000 |
bbbf2d40 |
569 | ->module = SITEID |
570 | ->capability = do_anything |
571 | ->id = 1 (id is the context id) |
572 | ->sum = 0 |
573 | |
41811960 |
574 | * $capabilities[2] ->aggregatelevel = 1000 |
bbbf2d40 |
575 | ->module = SITEID |
576 | ->capability = post_messages |
577 | ->id = 1 |
578 | ->sum = -9000 |
579 | |
41811960 |
580 | * $capabilittes[3] ->aggregatelevel = 3000 |
bbbf2d40 |
581 | ->module = course |
582 | ->capability = view_course_activities |
583 | ->id = 25 |
584 | ->sum = 1 |
585 | |
41811960 |
586 | * $capabilittes[4] ->aggregatelevel = 3000 |
bbbf2d40 |
587 | ->module = course |
588 | ->capability = view_course_activities |
589 | ->id = 26 |
590 | ->sum = 0 (this is another course) |
591 | |
41811960 |
592 | * $capabilities[5] ->aggregatelevel = 3050 |
bbbf2d40 |
593 | ->module = course |
594 | ->capability = view_course_activities |
595 | ->id = 25 (override in course 25) |
596 | ->sum = -1 |
597 | * .... |
598 | * now we proceed to write the session array, going from top to bottom |
599 | * at anypoint, we need to go up and check parent to look for prohibit |
600 | */ |
601 | // print_object($capabilities); |
602 | |
603 | /* This is where we write to the actualy capabilities array |
604 | * what we need to do from here on is |
605 | * going down the array from lowest level to highest level |
606 | * 1) recursively check for prohibit, |
607 | * if any, we write prohibit |
608 | * else, we write the value |
609 | * 2) at an override level, we overwrite current level |
610 | * if it's not set to prohibit already, and if different |
611 | * ........ that should be it ........ |
612 | */ |
98882637 |
613 | $usercap = array(); // for other user's capabilities |
bbbf2d40 |
614 | foreach ($capabilities as $capability) { |
615 | |
0468976c |
616 | $context = get_context_instance_by_id($capability->id); |
617 | |
41811960 |
618 | if (!empty($otheruserid)) { // we are pulling out other user's capabilities, do not write to session |
98882637 |
619 | |
0468976c |
620 | if (capability_prohibits($capability->capability, $context, $capability->sum, $usercap)) { |
98882637 |
621 | $usercap[$capability->id][$capability->capability] = -9000; |
622 | continue; |
623 | } |
624 | |
625 | $usercap[$capability->id][$capability->capability] = $capability->sum; |
626 | |
627 | } else { |
628 | |
0468976c |
629 | if (capability_prohibits($capability->capability, $context, $capability->sum)) { // if any parent or parent's parent is set to prohibit |
98882637 |
630 | $USER->capabilities[$capability->id][$capability->capability] = -9000; |
631 | continue; |
632 | } |
633 | |
634 | // if no parental prohibit set |
635 | // just write to session, i am not sure this is correct yet |
636 | // since 3050 shows up after 3000, and 3070 shows up after 3050, |
637 | // it should be ok just to overwrite like this, provided that there's no |
638 | // parental prohibits |
639 | // no point writing 0, since 0 = inherit |
640 | // we need to write even if it's 0, because it could be an inherit override |
641 | $USER->capabilities[$capability->id][$capability->capability] = $capability->sum; |
642 | } |
bbbf2d40 |
643 | } |
644 | |
645 | // now we don't care about the huge array anymore, we can dispose it. |
646 | unset($capabilities); |
647 | |
dbe7e582 |
648 | if (!empty($otheruserid)) { |
98882637 |
649 | return $usercap; // return the array |
bbbf2d40 |
650 | } |
651 | // see array in session to see what it looks like |
652 | |
653 | } |
654 | |
655 | |
656 | /** |
657 | * This is a recursive function that checks whether the capability in this |
658 | * context, or the parent capabilities are set to prohibit. |
659 | * |
660 | * At this point, we can probably just use the values already set in the |
661 | * session variable, since we are going down the level. Any prohit set in |
662 | * parents would already reflect in the session. |
663 | * |
664 | * @param $capability - capability name |
665 | * @param $sum - sum of all capabilities values |
0468976c |
666 | * @param $context - the context object |
bbbf2d40 |
667 | * @param $array - when loading another user caps, their caps are not stored in session but an array |
668 | */ |
0468976c |
669 | function capability_prohibits($capability, $context, $sum='', $array='') { |
bbbf2d40 |
670 | global $USER; |
0468976c |
671 | |
bbbf2d40 |
672 | if ($sum < -8000) { |
673 | // If this capability is set to prohibit. |
674 | return true; |
675 | } |
676 | |
677 | if (isset($array)) { |
0468976c |
678 | if (isset($array[$context->id][$capability]) |
679 | && $array[$context->id][$capability] < -8000) { |
98882637 |
680 | return true; |
681 | } |
bbbf2d40 |
682 | } else { |
98882637 |
683 | // Else if set in session. |
0468976c |
684 | if (isset($USER->capabilities[$context->id][$capability]) |
685 | && $USER->capabilities[$context->id][$capability] < -8000) { |
98882637 |
686 | return true; |
687 | } |
bbbf2d40 |
688 | } |
d140ad3f |
689 | switch ($context->aggregatelevel) { |
bbbf2d40 |
690 | |
691 | case CONTEXT_SYSTEM: |
692 | // By now it's a definite an inherit. |
693 | return 0; |
694 | break; |
695 | |
696 | case CONTEXT_PERSONAL: |
697 | $parent = get_context_instance(CONTEXT_SYSTEM, SITEID); |
0468976c |
698 | return capability_prohibits($capability, $parent); |
bbbf2d40 |
699 | break; |
700 | |
701 | case CONTEXT_USERID: |
702 | $parent = get_context_instance(CONTEXT_SYSTEM, SITEID); |
0468976c |
703 | return capability_prohibits($capability, $parent); |
bbbf2d40 |
704 | break; |
705 | |
706 | case CONTEXT_COURSECAT: |
707 | // Coursecat -> coursecat or site. |
708 | $coursecat = get_record('course_categories','id',$context->instanceid); |
41811960 |
709 | if (!empty($coursecat->parent)) { |
bbbf2d40 |
710 | // return parent value if exist. |
711 | $parent = get_context_instance(CONTEXT_COURSECAT, $coursecat->parent); |
712 | } else { |
713 | // Return site value. |
714 | $parent = get_context_instance(CONTEXT_SYSTEM, SITEID); |
715 | } |
0468976c |
716 | return capability_prohibits($capability, $parent); |
bbbf2d40 |
717 | break; |
718 | |
719 | case CONTEXT_COURSE: |
720 | // 1 to 1 to course cat. |
721 | // Find the course cat, and return its value. |
722 | $course = get_record('course','id',$context->instanceid); |
723 | $parent = get_context_instance(CONTEXT_COURSECAT, $course->category); |
0468976c |
724 | return capability_prohibits($capability, $parent); |
bbbf2d40 |
725 | break; |
726 | |
727 | case CONTEXT_GROUP: |
728 | // 1 to 1 to course. |
729 | $group = get_record('groups','id',$context->instanceid); |
730 | $parent = get_context_instance(CONTEXT_COURSE, $group->courseid); |
0468976c |
731 | return capability_prohibits($capability, $parent); |
bbbf2d40 |
732 | break; |
733 | |
734 | case CONTEXT_MODULE: |
735 | // 1 to 1 to course. |
736 | $cm = get_record('course_modules','id',$context->instanceid); |
737 | $parent = get_context_instance(CONTEXT_COURSE, $cm->course); |
0468976c |
738 | return capability_prohibits($capability, $parent); |
bbbf2d40 |
739 | break; |
740 | |
741 | case CONTEXT_BLOCK: |
742 | // 1 to 1 to course. |
743 | $block = get_record('block_instance','id',$context->instanceid); |
744 | $parent = get_context_instance(CONTEXT_COURSE, $block->pageid); // needs check |
0468976c |
745 | return capability_prohibits($capability, $parent); |
bbbf2d40 |
746 | break; |
747 | |
748 | default: |
749 | error ('This is an unknown context!'); |
750 | return false; |
751 | } |
752 | } |
753 | |
754 | |
755 | /** |
756 | * A print form function. This should either grab all the capabilities from |
757 | * files or a central table for that particular module instance, then present |
758 | * them in check boxes. Only relevant capabilities should print for known |
759 | * context. |
760 | * @param $mod - module id of the mod |
761 | */ |
762 | function print_capabilities($modid=0) { |
763 | global $CFG; |
764 | |
765 | $capabilities = array(); |
766 | |
767 | if ($modid) { |
768 | // We are in a module specific context. |
769 | |
770 | // Get the mod's name. |
771 | // Call the function that grabs the file and parse. |
772 | $cm = get_record('course_modules', 'id', $modid); |
773 | $module = get_record('modules', 'id', $cm->module); |
774 | |
775 | } else { |
776 | // Print all capabilities. |
777 | foreach ($capabilities as $capability) { |
778 | // Prints the check box component. |
779 | } |
780 | } |
781 | } |
782 | |
783 | |
784 | /** |
1afecc03 |
785 | * Installs the roles system. |
786 | * This function runs on a fresh install as well as on an upgrade from the old |
787 | * hard-coded student/teacher/admin etc. roles to the new roles system. |
bbbf2d40 |
788 | */ |
1afecc03 |
789 | function moodle_install_roles() { |
bbbf2d40 |
790 | |
1afecc03 |
791 | global $CFG, $db; |
792 | |
bbbf2d40 |
793 | // Create a system wide context for assignemnt. |
794 | $systemcontext = $context = get_context_instance(CONTEXT_SYSTEM, SITEID); |
795 | |
1afecc03 |
796 | |
797 | // Create default/legacy roles and capabilities. |
798 | // (1 legacy capability per legacy role at system level). |
bbbf2d40 |
799 | $adminrole = create_role(get_string('administrator'), get_string('administratordescription'), 'moodle/legacy:admin'); |
98882637 |
800 | if (!assign_capability('moodle/site:doanything', CAP_ALLOW, $adminrole, $systemcontext->id)) { |
bbbf2d40 |
801 | error('Could not assign moodle/site:doanything to the admin role'); |
802 | } |
803 | $coursecreatorrole = create_role(get_string('coursecreators'), get_string('coursecreatorsdescription'), 'moodle/legacy:coursecreator'); |
98882637 |
804 | $noneditteacherrole = create_role(get_string('noneditingteacher'), get_string('noneditingteacherdescription'), 'moodle/legacy:teacher'); |
805 | $editteacherrole = create_role(get_string('defaultcourseteacher'), get_string('defaultcourseteacherdescription'), 'moodle/legacy:editingteacher'); |
806 | $studentrole = create_role(get_string('defaultcoursestudent'), get_string('defaultcoursestudentdescription'), 'moodle/legacy:student'); |
bbbf2d40 |
807 | $guestrole = create_role(get_string('guest'), get_string('guestdescription'), 'moodle/legacy:guest'); |
1afecc03 |
808 | |
809 | |
810 | // Look inside user_admin, user_creator, user_teachers, user_students and |
811 | // assign above new roles. If a user has both teacher and student role, |
812 | // only teacher role is assigned. The assignment should be system level. |
813 | $dbtables = $db->MetaTables('TABLES'); |
bbbf2d40 |
814 | |
1afecc03 |
815 | |
98882637 |
816 | /** |
bbbf2d40 |
817 | * Upgrade the admins. |
1afecc03 |
818 | * Sort using id ASC, first one is primary admin. |
bbbf2d40 |
819 | */ |
1afecc03 |
820 | if (in_array($CFG->prefix.'user_admins', $dbtables)) { |
821 | if ($useradmins = get_records_sql('SELECT * from '.$CFG->prefix.'user_admins ORDER BY ID ASC')) { |
822 | foreach ($useradmins as $admin) { |
823 | role_assign($adminrole, $admin->userid, 0, $systemcontext->id); |
824 | } |
825 | } |
826 | } else { |
827 | // This is a fresh install. |
bbbf2d40 |
828 | } |
1afecc03 |
829 | |
830 | |
bbbf2d40 |
831 | /** |
832 | * Upgrade course creators. |
833 | */ |
1afecc03 |
834 | if (in_array($CFG->prefix.'user_coursecreators', $dbtables)) { |
835 | if ($usercoursecreators = get_records('user_coursecreators')) { |
836 | foreach ($usercoursecreators as $coursecreator) { |
56b4d70d |
837 | role_assign($coursecreatorrole, $coursecreator->userid, 0, $systemcontext->id); |
1afecc03 |
838 | } |
839 | } |
bbbf2d40 |
840 | } |
841 | |
1afecc03 |
842 | |
bbbf2d40 |
843 | /** |
844 | * Upgrade editting teachers and non-editting teachers. |
845 | */ |
1afecc03 |
846 | if (in_array($CFG->prefix.'user_teachers', $dbtables)) { |
847 | if ($userteachers = get_records('user_teachers')) { |
848 | foreach ($userteachers as $teacher) { |
17d6a25e |
849 | // populate the user_lastaccess table |
850 | unset($access); |
851 | $access->timeaccess = $teacher->timeaccess; |
852 | $access->userid = $teacher->userid; |
853 | $access->courseid = $teacher->course; |
854 | insert_record('user_lastaccess', $access); |
855 | // assign the default student role |
1afecc03 |
856 | $coursecontext = get_context_instance(CONTEXT_COURSE, $teacher->course); // needs cache |
857 | if ($teacher->editall) { // editting teacher |
858 | role_assign($editteacherrole, $teacher->userid, 0, $coursecontext->id); |
859 | } else { |
860 | role_assign($noneditteacherrole, $teacher->userid, 0, $coursecontext->id); |
861 | } |
862 | } |
bbbf2d40 |
863 | } |
864 | } |
1afecc03 |
865 | |
866 | |
bbbf2d40 |
867 | /** |
868 | * Upgrade students. |
869 | */ |
1afecc03 |
870 | if (in_array($CFG->prefix.'user_students', $dbtables)) { |
871 | if ($userstudents = get_records('user_students')) { |
17d6a25e |
872 | foreach ($userstudents as $student) { |
873 | // populate the user_lastaccess table |
874 | unset($access); |
875 | $access->timeaccess = $student->timeaccess; |
876 | $access->userid = $student->userid; |
877 | $access->courseid = $student->course; |
878 | insert_record('user_lastaccess', $access); |
879 | // assign the default student role |
1afecc03 |
880 | $coursecontext = get_context_instance(CONTEXT_COURSE, $student->course); |
881 | role_assign($studentrole, $student->userid, 0, $coursecontext->id); |
882 | } |
883 | } |
bbbf2d40 |
884 | } |
1afecc03 |
885 | |
886 | |
bbbf2d40 |
887 | /** |
888 | * Upgrade guest (only 1 entry). |
889 | */ |
1afecc03 |
890 | if ($guestuser = get_record('user', 'username', 'guest')) { |
891 | role_assign($guestrole, $guestuser->id, 0, $systemcontext->id); |
892 | } |
893 | |
945f88ca |
894 | /** |
895 | * Insert the correct records for legacy roles |
896 | */ |
897 | allow_assign($adminrole, $adminrole); |
898 | allow_assign($adminrole, $coursecreatorrole); |
899 | allow_assign($adminrole, $noneditteacherrole); |
900 | allow_assign($adminrole, $editteacherrole); |
901 | allow_assign($adminrole, $studentrole); |
902 | allow_assign($adminrole, $guestrole); |
903 | |
904 | allow_assign($coursecreatorrole, $noneditteacherrole); |
905 | allow_assign($coursecreatorrole, $editteacherrole); |
906 | allow_assign($coursecreatorrole, $studentrole); |
907 | allow_assign($coursecreatorrole, $guestrole); |
908 | |
909 | allow_assign($editteacherrole, $noneditteacherrole); |
910 | allow_assign($editteacherrole, $studentrole); |
911 | allow_assign($editteacherrole, $guestrole); |
912 | |
913 | /// overrides |
914 | allow_override($adminrole, $adminrole); |
915 | allow_override($adminrole, $coursecreatorrole); |
916 | allow_override($adminrole, $noneditteacherrole); |
917 | allow_override($adminrole, $editteacherrole); |
918 | allow_override($adminrole, $studentrole); |
5769734f |
919 | allow_override($adminrole, $guestrole); |
1afecc03 |
920 | |
921 | // Should we delete the tables after we are done? Not yet. |
bbbf2d40 |
922 | } |
923 | |
bbbf2d40 |
924 | /** |
925 | * Assign the defaults found in this capabality definition to roles that have |
926 | * the corresponding legacy capabilities assigned to them. |
927 | * @param $legacyperms - an array in the format (example): |
928 | * 'guest' => CAP_PREVENT, |
929 | * 'student' => CAP_ALLOW, |
930 | * 'teacher' => CAP_ALLOW, |
931 | * 'editingteacher' => CAP_ALLOW, |
932 | * 'coursecreator' => CAP_ALLOW, |
933 | * 'admin' => CAP_ALLOW |
934 | * @return boolean - success or failure. |
935 | */ |
936 | function assign_legacy_capabilities($capability, $legacyperms) { |
937 | |
938 | foreach ($legacyperms as $type => $perm) { |
939 | |
940 | $systemcontext = get_context_instance(CONTEXT_SYSTEM, SITEID); |
941 | |
942 | // The legacy capabilities are: |
943 | // 'moodle/legacy:guest' |
944 | // 'moodle/legacy:student' |
945 | // 'moodle/legacy:teacher' |
946 | // 'moodle/legacy:editingteacher' |
947 | // 'moodle/legacy:coursecreator' |
948 | // 'moodle/legacy:admin' |
949 | |
2e85fffe |
950 | if ($roles = get_roles_with_capability('moodle/legacy:'.$type, CAP_ALLOW)) { |
951 | foreach ($roles as $role) { |
952 | // Assign a site level capability. |
953 | if (!assign_capability($capability, $perm, $role->id, $systemcontext->id)) { |
954 | return false; |
955 | } |
bbbf2d40 |
956 | } |
957 | } |
958 | } |
959 | return true; |
960 | } |
961 | |
962 | |
cee0901c |
963 | /** |
964 | * Checks to see if a capability is a legacy capability. |
965 | * @param $capabilityname |
966 | * @return boolean |
967 | */ |
bbbf2d40 |
968 | function islegacy($capabilityname) { |
98882637 |
969 | if (strstr($capabilityname, 'legacy') === false) { |
970 | return false; |
971 | } else { |
972 | return true; |
973 | } |
bbbf2d40 |
974 | } |
975 | |
cee0901c |
976 | |
977 | |
978 | /********************************** |
bbbf2d40 |
979 | * Context Manipulation functions * |
980 | **********************************/ |
981 | |
bbbf2d40 |
982 | /** |
983 | * This should be called prolly everytime a user, group, module, course, |
984 | * coursecat or site is set up maybe? |
985 | * @param $level |
986 | * @param $instanceid |
987 | */ |
d140ad3f |
988 | function create_context($aggregatelevel, $instanceid) { |
989 | if (!get_record('context','aggregatelevel',$aggregatelevel,'instanceid',$instanceid)) { |
bbbf2d40 |
990 | $context = new object; |
d140ad3f |
991 | $context->aggregatelevel = $aggregatelevel; |
bbbf2d40 |
992 | $context->instanceid = $instanceid; |
993 | return insert_record('context',$context); |
994 | } |
995 | } |
996 | |
997 | |
998 | /** |
999 | * Get the context instance as an object. This function will create the |
1000 | * context instance if it does not exist yet. |
1001 | * @param $level |
1002 | * @param $instance |
1003 | */ |
d140ad3f |
1004 | function get_context_instance($aggregatelevel=NULL, $instance=SITEID) { |
e5605780 |
1005 | |
51195e6f |
1006 | global $context_cache, $context_cache_id, $CONTEXT; |
d9a35e12 |
1007 | |
340ea4e8 |
1008 | /// If no level is supplied then return the current global context if there is one |
d140ad3f |
1009 | if (empty($aggregatelevel)) { |
340ea4e8 |
1010 | if (empty($CONTEXT)) { |
ea82d6b6 |
1011 | debugging("Error: get_context_instance() called without a context"); |
340ea4e8 |
1012 | } else { |
1013 | return $CONTEXT; |
1014 | } |
e5605780 |
1015 | } |
1016 | |
340ea4e8 |
1017 | /// Check the cache |
d140ad3f |
1018 | if (isset($context_cache[$aggregatelevel][$instance])) { // Already cached |
1019 | return $context_cache[$aggregatelevel][$instance]; |
e5605780 |
1020 | } |
1021 | |
340ea4e8 |
1022 | /// Get it from the database, or create it |
d140ad3f |
1023 | if (!$context = get_record('context', 'aggregatelevel', $aggregatelevel, 'instanceid', $instance)) { |
1024 | create_context($aggregatelevel, $instance); |
1025 | $context = get_record('context', 'aggregatelevel', $aggregatelevel, 'instanceid', $instance); |
e5605780 |
1026 | } |
1027 | |
ccfc5ecc |
1028 | /// Only add to cache if context isn't empty. |
1029 | if (!empty($context)) { |
1030 | $context_cache[$aggregatelevel][$instance] = $context; // Cache it for later |
1031 | $context_cache_id[$context->id] = $context; // Cache it for later |
1032 | } |
0468976c |
1033 | |
bbbf2d40 |
1034 | return $context; |
1035 | } |
1036 | |
cee0901c |
1037 | |
340ea4e8 |
1038 | /** |
1039 | * Get a context instance as an object, from a given id. |
1040 | * @param $id |
1041 | */ |
1042 | function get_context_instance_by_id($id) { |
1043 | |
d9a35e12 |
1044 | global $context_cache, $context_cache_id; |
1045 | |
340ea4e8 |
1046 | if (isset($context_cache_id[$id])) { // Already cached |
75e84883 |
1047 | return $context_cache_id[$id]; |
340ea4e8 |
1048 | } |
1049 | |
1050 | if ($context = get_record('context', 'id', $id)) { // Update the cache and return |
d140ad3f |
1051 | $context_cache[$context->aggregatelevel][$context->instanceid] = $context; |
340ea4e8 |
1052 | $context_cache_id[$context->id] = $context; |
1053 | return $context; |
1054 | } |
1055 | |
1056 | return false; |
1057 | } |
1058 | |
bbbf2d40 |
1059 | |
8737be58 |
1060 | /** |
1061 | * Get the local override (if any) for a given capability in a role in a context |
1062 | * @param $roleid |
0468976c |
1063 | * @param $contextid |
1064 | * @param $capability |
8737be58 |
1065 | */ |
1066 | function get_local_override($roleid, $contextid, $capability) { |
1067 | return get_record('role_capabilities', 'roleid', $roleid, 'capability', $capability, 'contextid', $contextid); |
1068 | } |
1069 | |
1070 | |
bbbf2d40 |
1071 | |
1072 | /************************************ |
1073 | * DB TABLE RELATED FUNCTIONS * |
1074 | ************************************/ |
1075 | |
cee0901c |
1076 | /** |
bbbf2d40 |
1077 | * function that creates a role |
1078 | * @param name - role name |
1079 | * @param description - role description |
1080 | * @param legacy - optional legacy capability |
1081 | * @return id or false |
1082 | */ |
1083 | function create_role($name, $description, $legacy='') { |
98882637 |
1084 | |
1085 | // check for duplicate role name |
1086 | |
1087 | if ($role = get_record('role','name', $name)) { |
98882637 |
1088 | error('there is already a role with this name!'); |
1089 | } |
1090 | |
1091 | $role->name = $name; |
1092 | $role->description = $description; |
ec7a8b79 |
1093 | |
1094 | $context = get_context_instance(CONTEXT_SYSTEM, SITEID); |
1095 | |
98882637 |
1096 | if ($id = insert_record('role', $role)) { |
ec7a8b79 |
1097 | if ($legacy) { |
1afecc03 |
1098 | assign_capability($legacy, CAP_ALLOW, $id, $context->id); |
98882637 |
1099 | } |
ec7a8b79 |
1100 | |
1101 | /// By default, users with role:manage at site level |
1102 | /// should be able to assign users to this new role, and override this new role's capabilities |
1103 | |
1104 | // find all admin roles |
e46c0987 |
1105 | if ($adminroles = get_roles_with_capability('moodle/role:manage', CAP_ALLOW, $context)) { |
1106 | // foreach admin role |
1107 | foreach ($adminroles as $arole) { |
1108 | // write allow_assign and allow_overrid |
1109 | allow_assign($arole->id, $id); |
1110 | allow_override($arole->id, $id); |
1111 | } |
ec7a8b79 |
1112 | } |
1113 | |
98882637 |
1114 | return $id; |
1115 | } else { |
1116 | return false; |
1117 | } |
bbbf2d40 |
1118 | |
1119 | } |
1120 | |
1121 | /** |
1122 | * Function to write context specific overrides, or default capabilities. |
1123 | * @param module - string name |
1124 | * @param capability - string name |
1125 | * @param contextid - context id |
1126 | * @param roleid - role id |
1127 | * @param permission - int 1,-1 or -1000 |
1128 | */ |
e7876c1e |
1129 | function assign_capability($capability, $permission, $roleid, $contextid, $overwrite=false) { |
98882637 |
1130 | |
1131 | global $USER; |
1132 | |
1133 | if (empty($permission) || $permission == 0) { // if permission is not set |
1134 | unassign_capability($capability, $roleid, $contextid); |
1135 | } |
bbbf2d40 |
1136 | |
2e85fffe |
1137 | $existing = get_record('role_capabilities', 'contextid', $contextid, 'roleid', $roleid, 'capability', $capability); |
e7876c1e |
1138 | |
1139 | if ($existing and !$overwrite) { // We want to keep whatever is there already |
1140 | return true; |
1141 | } |
1142 | |
bbbf2d40 |
1143 | $cap = new object; |
1144 | $cap->contextid = $contextid; |
1145 | $cap->roleid = $roleid; |
1146 | $cap->capability = $capability; |
1147 | $cap->permission = $permission; |
1148 | $cap->timemodified = time(); |
9db12da7 |
1149 | $cap->modifierid = empty($USER->id) ? 0 : $USER->id; |
e7876c1e |
1150 | |
1151 | if ($existing) { |
1152 | $cap->id = $existing->id; |
1153 | return update_record('role_capabilities', $cap); |
1154 | } else { |
1155 | return insert_record('role_capabilities', $cap); |
1156 | } |
bbbf2d40 |
1157 | } |
1158 | |
1159 | |
1160 | /** |
1161 | * Unassign a capability from a role. |
1162 | * @param $roleid - the role id |
1163 | * @param $capability - the name of the capability |
1164 | * @return boolean - success or failure |
1165 | */ |
1166 | function unassign_capability($capability, $roleid, $contextid=NULL) { |
98882637 |
1167 | |
1168 | if (isset($contextid)) { |
1169 | $status = delete_records('role_capabilities', 'capability', $capability, |
1170 | 'roleid', $roleid, 'contextid', $contextid); |
1171 | } else { |
1172 | $status = delete_records('role_capabilities', 'capability', $capability, |
1173 | 'roleid', $roleid); |
1174 | } |
1175 | return $status; |
bbbf2d40 |
1176 | } |
1177 | |
1178 | |
1179 | /** |
1180 | * Get the roles that have a given capability. |
1181 | * @param $capability - capability name (string) |
1182 | * @param $permission - optional, the permission defined for this capability |
1183 | * either CAP_ALLOW, CAP_PREVENT or CAP_PROHIBIT |
1184 | * @return array or role objects |
1185 | */ |
ec7a8b79 |
1186 | function get_roles_with_capability($capability, $permission=NULL, $context='') { |
1187 | |
bbbf2d40 |
1188 | global $CFG; |
1189 | |
ec7a8b79 |
1190 | if ($context) { |
1191 | if ($contexts = get_parent_contexts($context)) { |
1192 | $listofcontexts = '('.implode(',', $contexts).')'; |
1193 | } else { |
1194 | $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID); |
1195 | $listofcontexts = '('.$sitecontext->id.')'; // must be site |
1196 | } |
42ac3ecf |
1197 | $contextstr = "AND (rc.contextid = '$context->id' OR rc.contextid IN $listofcontexts)"; |
ec7a8b79 |
1198 | } else { |
1199 | $contextstr = ''; |
1200 | } |
1201 | |
bbbf2d40 |
1202 | $selectroles = "SELECT r.* |
42ac3ecf |
1203 | FROM {$CFG->prefix}role r, |
1204 | {$CFG->prefix}role_capabilities rc |
bbbf2d40 |
1205 | WHERE rc.capability = '$capability' |
ec7a8b79 |
1206 | AND rc.roleid = r.id $contextstr"; |
bbbf2d40 |
1207 | |
1208 | if (isset($permission)) { |
1209 | $selectroles .= " AND rc.permission = '$permission'"; |
1210 | } |
1211 | return get_records_sql($selectroles); |
1212 | } |
1213 | |
1214 | |
1215 | /** |
a9e1c058 |
1216 | * This function makes a role-assignment (a role for a user or group in a particular context) |
bbbf2d40 |
1217 | * @param $roleid - the role of the id |
1218 | * @param $userid - userid |
1219 | * @param $groupid - group id |
1220 | * @param $contextid - id of the context |
1221 | * @param $timestart - time this assignment becomes effective |
1222 | * @param $timeend - time this assignemnt ceases to be effective |
1223 | * @uses $USER |
1224 | * @return id - new id of the assigment |
1225 | */ |
f44152f4 |
1226 | function role_assign($roleid, $userid, $groupid, $contextid, $timestart=0, $timeend=0, $hidden=0, $enrol='manual') { |
aa311411 |
1227 | global $USER, $CFG; |
bbbf2d40 |
1228 | |
ea82d6b6 |
1229 | debugging("Assign roleid $roleid userid $userid contextid $contextid", E_ALL); |
bbbf2d40 |
1230 | |
a9e1c058 |
1231 | /// Do some data validation |
1232 | |
bbbf2d40 |
1233 | if (empty($roleid)) { |
a9e1c058 |
1234 | notify('Role ID not provided'); |
1235 | return false; |
bbbf2d40 |
1236 | } |
1237 | |
1238 | if (empty($userid) && empty($groupid)) { |
a9e1c058 |
1239 | notify('Either userid or groupid must be provided'); |
1240 | return false; |
bbbf2d40 |
1241 | } |
7700027f |
1242 | |
1243 | if ($userid && !record_exists('user', 'id', $userid)) { |
1244 | notify('User does not exist!'); |
1245 | return false; |
1246 | } |
bbbf2d40 |
1247 | |
dc411d1b |
1248 | if ($groupid && !record_exists('groups', 'id', $groupid)) { |
1249 | notify('Group does not exist!'); |
1250 | return false; |
1251 | } |
1252 | |
7700027f |
1253 | if (!$context = get_context_instance_by_id($contextid)) { |
a9e1c058 |
1254 | notify('A valid context must be provided'); |
1255 | return false; |
bbbf2d40 |
1256 | } |
1257 | |
a9e1c058 |
1258 | if (($timestart and $timeend) and ($timestart > $timeend)) { |
7700027f |
1259 | notify('The end time can not be earlier than the start time'); |
a9e1c058 |
1260 | return false; |
1261 | } |
1262 | |
7700027f |
1263 | |
a9e1c058 |
1264 | /// Check for existing entry |
1265 | if ($userid) { |
7700027f |
1266 | $ra = get_record('role_assignments', 'roleid', $roleid, 'contextid', $context->id, 'userid', $userid); |
a9e1c058 |
1267 | } else { |
7700027f |
1268 | $ra = get_record('role_assignments', 'roleid', $roleid, 'contextid', $context->id, 'groupid', $groupid); |
a9e1c058 |
1269 | } |
1270 | |
9ebcb4d2 |
1271 | |
a9e1c058 |
1272 | $newra = new object; |
bbbf2d40 |
1273 | |
a9e1c058 |
1274 | if (empty($ra)) { // Create a new entry |
1275 | $newra->roleid = $roleid; |
7700027f |
1276 | $newra->contextid = $context->id; |
a9e1c058 |
1277 | $newra->userid = $userid; |
1278 | $newra->groupid = $groupid; |
1279 | |
1280 | $newra->hidden = $hidden; |
f44152f4 |
1281 | $newra->enrol = $enrol; |
a9e1c058 |
1282 | $newra->timestart = $timestart; |
1283 | $newra->timeend = $timeend; |
1284 | $newra->timemodified = time(); |
1285 | $newra->modifier = empty($USER->id) ? 0 : $USER->id; |
1286 | |
9ebcb4d2 |
1287 | $success = insert_record('role_assignments', $newra); |
a9e1c058 |
1288 | |
1289 | } else { // We already have one, just update it |
1290 | |
1291 | $newra->id = $ra->id; |
1292 | $newra->hidden = $hidden; |
f44152f4 |
1293 | $newra->enrol = $enrol; |
a9e1c058 |
1294 | $newra->timestart = $timestart; |
1295 | $newra->timeend = $timeend; |
1296 | $newra->timemodified = time(); |
1297 | $newra->modifier = empty($USER->id) ? 0 : $USER->id; |
1298 | |
9ebcb4d2 |
1299 | $success = update_record('role_assignments', $newra); |
1300 | } |
1301 | |
7700027f |
1302 | if ($success) { /// Role was assigned, so do some other things |
1303 | |
1304 | /// If the user is the current user, then reload the capabilities too. |
1305 | if (!empty($USER->id) && $USER->id == $userid) { |
1306 | load_user_capability(); |
1307 | } |
1308 | |
0f161e1f |
1309 | /// Ask all the modules if anything needs to be done for this user |
1310 | if ($mods = get_list_of_plugins('mod')) { |
1311 | foreach ($mods as $mod) { |
1312 | include_once($CFG->dirroot.'/mod/'.$mod.'/lib.php'); |
1313 | $functionname = $mod.'_role_assign'; |
1314 | if (function_exists($functionname)) { |
1315 | $functionname($userid, $context); |
1316 | } |
1317 | } |
1318 | } |
1319 | |
1320 | /// Make sure they have an entry in user_lastaccess for courses they can access |
1321 | // role_add_lastaccess_entries($userid, $context); |
a9e1c058 |
1322 | } |
6eb4f823 |
1323 | |
1324 | return $success; |
bbbf2d40 |
1325 | } |
1326 | |
1327 | |
1328 | /** |
1dc1f037 |
1329 | * Deletes one or more role assignments. You must specify at least one parameter. |
bbbf2d40 |
1330 | * @param $roleid |
1331 | * @param $userid |
1332 | * @param $groupid |
1333 | * @param $contextid |
1334 | * @return boolean - success or failure |
1335 | */ |
1dc1f037 |
1336 | function role_unassign($roleid=0, $userid=0, $groupid=0, $contextid=0) { |
d74067e8 |
1337 | |
1338 | global $USER, $CFG; |
1339 | |
1dc1f037 |
1340 | $args = array('roleid', 'userid', 'groupid', 'contextid'); |
1341 | $select = array(); |
1342 | foreach ($args as $arg) { |
1343 | if ($$arg) { |
1344 | $select[] = $arg.' = '.$$arg; |
1345 | } |
1346 | } |
d74067e8 |
1347 | |
1dc1f037 |
1348 | if ($select) { |
d74067e8 |
1349 | if (delete_records_select('role_assignments', implode(' AND ', $select))) { |
1350 | |
1351 | /// If the user is the current user, then reload the capabilities too. |
1352 | if (!empty($USER->id) && $USER->id == $userid) { |
1353 | load_user_capability(); |
1354 | } |
1355 | |
0f161e1f |
1356 | if ($contextid) { |
1357 | if ($context = get_record('context', 'id', $contextid)) { |
1358 | |
1359 | /// Ask all the modules if anything needs to be done for this user |
1360 | if ($mods = get_list_of_plugins('mod')) { |
1361 | foreach ($mods as $mod) { |
1362 | include_once($CFG->dirroot.'/mod/'.$mod.'/lib.php'); |
1363 | $functionname = $mod.'_role_unassign'; |
1364 | if (function_exists($functionname)) { |
1365 | $functionname($userid, $context); |
1366 | } |
1367 | } |
1368 | } |
1369 | |
1370 | /// Remove entries from user_lastaccess for courses they can no longer access |
1371 | //role_add_lastaccess_entries($userid, $context); |
1372 | } |
1373 | } |
d74067e8 |
1374 | |
1375 | return true; |
1376 | } |
1377 | return false; |
1dc1f037 |
1378 | } |
d74067e8 |
1379 | return true; |
bbbf2d40 |
1380 | } |
1381 | |
0f161e1f |
1382 | /** |
1383 | * Add last access times to user_lastaccess as required |
1384 | * @param $userid |
1385 | * @param $context |
1386 | * @return boolean - success or failure |
1387 | */ |
1388 | function role_add_lastaccess_entries($userid, $context) { |
1389 | |
1390 | global $USER, $CFG; |
1391 | |
1392 | if (empty($context->aggregatelevel)) { |
1393 | return false; |
1394 | } |
1395 | |
1396 | $lastaccess = new object; // Reusable object below |
1397 | $lastaccess->userid = $userid; |
1398 | $lastaccess->timeaccess = 0; |
1399 | |
1400 | switch ($context->aggregatelevel) { |
1401 | |
1402 | case CONTEXT_SYSTEM: // For the whole site |
1403 | if ($courses = get_record('course')) { |
1404 | foreach ($courses as $course) { |
1405 | $lastaccess->courseid = $course->id; |
1406 | role_set_lastaccess($lastaccess); |
1407 | } |
1408 | } |
1409 | break; |
1410 | |
1411 | case CONTEXT_CATEGORY: // For a whole category |
1412 | if ($courses = get_record('course', 'category', $context->instanceid)) { |
1413 | foreach ($courses as $course) { |
1414 | $lastaccess->courseid = $course->id; |
1415 | role_set_lastaccess($lastaccess); |
1416 | } |
1417 | } |
1418 | if ($categories = get_record('course_categories', 'parent', $context->instanceid)) { |
1419 | foreach ($categories as $category) { |
1420 | $subcontext = get_context_instance(CONTEXT_CATEGORY, $category->id); |
1421 | role_add_lastaccess_entries($userid, $subcontext); |
1422 | } |
1423 | } |
1424 | break; |
1425 | |
1426 | |
1427 | case CONTEXT_COURSE: // For a whole course |
1428 | if ($course = get_record('course', 'id', $context->instanceid)) { |
1429 | $lastaccess->courseid = $course->id; |
1430 | role_set_lastaccess($lastaccess); |
1431 | } |
1432 | break; |
1433 | } |
1434 | } |
1435 | |
1436 | /** |
1437 | * Delete last access times from user_lastaccess as required |
1438 | * @param $userid |
1439 | * @param $context |
1440 | * @return boolean - success or failure |
1441 | */ |
1442 | function role_remove_lastaccess_entries($userid, $context) { |
1443 | |
1444 | global $USER, $CFG; |
1445 | |
1446 | } |
1447 | |
bbbf2d40 |
1448 | |
1449 | /** |
1450 | * Loads the capability definitions for the component (from file). If no |
1451 | * capabilities are defined for the component, we simply return an empty array. |
1452 | * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results' |
1453 | * @return array of capabilities |
1454 | */ |
1455 | function load_capability_def($component) { |
1456 | global $CFG; |
1457 | |
1458 | if ($component == 'moodle') { |
1459 | $defpath = $CFG->libdir.'/db/access.php'; |
1460 | $varprefix = 'moodle'; |
1461 | } else { |
0c4d9f49 |
1462 | $compparts = explode('/', $component); |
1463 | |
1464 | if ($compparts[0] == 'block') { |
1465 | // Blocks are an exception. Blocks directory is 'blocks', and not |
1466 | // 'block'. So we need to jump through hoops. |
1467 | $defpath = $CFG->dirroot.'/'.$compparts[0]. |
1468 | 's/'.$compparts[1].'/db/access.php'; |
1469 | $varprefix = $compparts[0].'_'.$compparts[1]; |
1470 | } else { |
1471 | $defpath = $CFG->dirroot.'/'.$component.'/db/access.php'; |
1472 | $varprefix = str_replace('/', '_', $component); |
1473 | } |
bbbf2d40 |
1474 | } |
1475 | $capabilities = array(); |
1476 | |
1477 | if (file_exists($defpath)) { |
1478 | require_once($defpath); |
1479 | $capabilities = ${$varprefix.'_capabilities'}; |
1480 | } |
1481 | return $capabilities; |
1482 | } |
1483 | |
1484 | |
1485 | /** |
1486 | * Gets the capabilities that have been cached in the database for this |
1487 | * component. |
1488 | * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results' |
1489 | * @return array of capabilities |
1490 | */ |
1491 | function get_cached_capabilities($component='moodle') { |
1492 | if ($component == 'moodle') { |
1493 | $storedcaps = get_records_select('capabilities', |
1494 | "name LIKE 'moodle/%:%'"); |
1495 | } else { |
1496 | $storedcaps = get_records_select('capabilities', |
1497 | "name LIKE '$component:%'"); |
1498 | } |
1499 | return $storedcaps; |
1500 | } |
1501 | |
1502 | |
1503 | /** |
1504 | * Updates the capabilities table with the component capability definitions. |
1505 | * If no parameters are given, the function updates the core moodle |
1506 | * capabilities. |
1507 | * |
1508 | * Note that the absence of the db/access.php capabilities definition file |
1509 | * will cause any stored capabilities for the component to be removed from |
1510 | * the database. |
1511 | * |
1512 | * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results' |
1513 | * @return boolean |
1514 | */ |
1515 | function update_capabilities($component='moodle') { |
1516 | |
1517 | $storedcaps = array(); |
be4486da |
1518 | |
1519 | $filecaps = load_capability_def($component); |
bbbf2d40 |
1520 | $cachedcaps = get_cached_capabilities($component); |
1521 | if ($cachedcaps) { |
1522 | foreach ($cachedcaps as $cachedcap) { |
1523 | array_push($storedcaps, $cachedcap->name); |
be4486da |
1524 | // update risk bitmasks in existing capabilitites if needed |
1525 | if (array_key_exists($cachedcap->name, $filecaps)) { |
1526 | if (!array_key_exists('riskbitmask', $filecaps[$cachedcap->name])) { |
2b531945 |
1527 | $filecaps[$cachedcap->name]['riskbitmask'] = 0; // no risk if not specified |
be4486da |
1528 | } |
1529 | if ($cachedcap->riskbitmask != $filecaps[$cachedcap->name]['riskbitmask']) { |
1530 | $updatecap = new object; |
1531 | $updatecap->id = $cachedcap->id; |
1532 | $updatecap->riskbitmask = $filecaps[$cachedcap->name]['riskbitmask']; |
1533 | if (!update_record('capabilities', $updatecap)) { |
1534 | return false; |
1535 | } |
1536 | } |
1537 | } |
bbbf2d40 |
1538 | } |
1539 | } |
be4486da |
1540 | |
bbbf2d40 |
1541 | // Are there new capabilities in the file definition? |
1542 | $newcaps = array(); |
1543 | |
1544 | foreach ($filecaps as $filecap => $def) { |
1545 | if (!$storedcaps || |
1546 | ($storedcaps && in_array($filecap, $storedcaps) === false)) { |
2b531945 |
1547 | if (!array_key_exists('riskbitmask', $def)) { |
1548 | $def['riskbitmask'] = 0; // no risk if not specified |
1549 | } |
bbbf2d40 |
1550 | $newcaps[$filecap] = $def; |
1551 | } |
1552 | } |
1553 | // Add new capabilities to the stored definition. |
1554 | foreach ($newcaps as $capname => $capdef) { |
1555 | $capability = new object; |
1556 | $capability->name = $capname; |
1557 | $capability->captype = $capdef['captype']; |
1558 | $capability->contextlevel = $capdef['contextlevel']; |
1559 | $capability->component = $component; |
be4486da |
1560 | $capability->riskbitmask = $capdef['riskbitmask']; |
bbbf2d40 |
1561 | |
1562 | if (!insert_record('capabilities', $capability, false, 'id')) { |
1563 | return false; |
1564 | } |
ab5c9044 |
1565 | |
1566 | global $db; |
1567 | $db->debug= 999; |
bbbf2d40 |
1568 | // Do we need to assign the new capabilities to roles that have the |
1569 | // legacy capabilities moodle/legacy:* as well? |
1570 | if (isset($capdef['legacy']) && is_array($capdef['legacy']) && |
1571 | !assign_legacy_capabilities($capname, $capdef['legacy'])) { |
2e85fffe |
1572 | notify('Could not assign legacy capabilities for '.$capname); |
bbbf2d40 |
1573 | } |
1574 | } |
1575 | // Are there any capabilities that have been removed from the file |
1576 | // definition that we need to delete from the stored capabilities and |
1577 | // role assignments? |
1578 | capabilities_cleanup($component, $filecaps); |
1579 | |
1580 | return true; |
1581 | } |
1582 | |
1583 | |
1584 | /** |
1585 | * Deletes cached capabilities that are no longer needed by the component. |
1586 | * Also unassigns these capabilities from any roles that have them. |
1587 | * @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results' |
1588 | * @param $newcapdef - array of the new capability definitions that will be |
1589 | * compared with the cached capabilities |
1590 | * @return int - number of deprecated capabilities that have been removed |
1591 | */ |
1592 | function capabilities_cleanup($component, $newcapdef=NULL) { |
1593 | |
1594 | $removedcount = 0; |
1595 | |
1596 | if ($cachedcaps = get_cached_capabilities($component)) { |
1597 | foreach ($cachedcaps as $cachedcap) { |
1598 | if (empty($newcapdef) || |
1599 | array_key_exists($cachedcap->name, $newcapdef) === false) { |
1600 | |
1601 | // Remove from capabilities cache. |
1602 | if (!delete_records('capabilities', 'name', $cachedcap->name)) { |
1603 | error('Could not delete deprecated capability '.$cachedcap->name); |
1604 | } else { |
1605 | $removedcount++; |
1606 | } |
1607 | // Delete from roles. |
1608 | if($roles = get_roles_with_capability($cachedcap->name)) { |
1609 | foreach($roles as $role) { |
46943f7b |
1610 | if (!unassign_capability($cachedcap->name, $role->id)) { |
bbbf2d40 |
1611 | error('Could not unassign deprecated capability '. |
1612 | $cachedcap->name.' from role '.$role->name); |
1613 | } |
1614 | } |
1615 | } |
1616 | } // End if. |
1617 | } |
1618 | } |
1619 | return $removedcount; |
1620 | } |
1621 | |
1622 | |
1623 | |
cee0901c |
1624 | /**************** |
1625 | * UI FUNCTIONS * |
1626 | ****************/ |
bbbf2d40 |
1627 | |
1628 | |
1629 | /** |
1630 | * prints human readable context identifier. |
1631 | */ |
0468976c |
1632 | function print_context_name($context) { |
340ea4e8 |
1633 | |
ec0810ee |
1634 | $name = ''; |
d140ad3f |
1635 | switch ($context->aggregatelevel) { |
ec0810ee |
1636 | |
bbbf2d40 |
1637 | case CONTEXT_SYSTEM: // by now it's a definite an inherit |
ec0810ee |
1638 | $name = get_string('site'); |
340ea4e8 |
1639 | break; |
bbbf2d40 |
1640 | |
1641 | case CONTEXT_PERSONAL: |
ec0810ee |
1642 | $name = get_string('personal'); |
340ea4e8 |
1643 | break; |
1644 | |
bbbf2d40 |
1645 | case CONTEXT_USERID: |
ec0810ee |
1646 | if ($user = get_record('user', 'id', $context->instanceid)) { |
1647 | $name = get_string('user').': '.fullname($user); |
1648 | } |
340ea4e8 |
1649 | break; |
1650 | |
bbbf2d40 |
1651 | case CONTEXT_COURSECAT: // Coursecat -> coursecat or site |
ec0810ee |
1652 | if ($category = get_record('course_categories', 'id', $context->instanceid)) { |
1653 | $name = get_string('category').': '.$category->name; |
1654 | } |
340ea4e8 |
1655 | break; |
bbbf2d40 |
1656 | |
1657 | case CONTEXT_COURSE: // 1 to 1 to course cat |
ec0810ee |
1658 | if ($course = get_record('course', 'id', $context->instanceid)) { |
1659 | $name = get_string('course').': '.$course->fullname; |
1660 | } |
340ea4e8 |
1661 | break; |
bbbf2d40 |
1662 | |
1663 | case CONTEXT_GROUP: // 1 to 1 to course |
ec0810ee |
1664 | if ($group = get_record('groups', 'id', $context->instanceid)) { |
1665 | $name = get_string('group').': '.$group->name; |
1666 | } |
340ea4e8 |
1667 | break; |
bbbf2d40 |
1668 | |
1669 | case CONTEXT_MODULE: // 1 to 1 to course |
98882637 |
1670 | if ($cm = get_record('course_modules','id',$context->instanceid)) { |
1671 | if ($module = get_record('modules','id',$cm->module)) { |
1672 | if ($mod = get_record($module->name, 'id', $cm->instance)) { |
ec0810ee |
1673 | $name = get_string('activitymodule').': '.$mod->name; |
98882637 |
1674 | } |
ec0810ee |
1675 | } |
1676 | } |
340ea4e8 |
1677 | break; |
bbbf2d40 |
1678 | |
1679 | case CONTEXT_BLOCK: // 1 to 1 to course |
98882637 |
1680 | if ($blockinstance = get_record('block_instance','id',$context->instanceid)) { |
1681 | if ($block = get_record('block','id',$blockinstance->blockid)) { |
91be52d7 |
1682 | global $CFG; |
1683 | require_once("$CFG->dirroot/blocks/moodleblock.class.php"); |
1684 | require_once("$CFG->dirroot/blocks/$block->name/block_$block->name.php"); |
1685 | $blockname = "block_$block->name"; |
1686 | if ($blockobject = new $blockname()) { |
1687 | $name = $blockobject->title.' ('.get_string('block').')'; |
1688 | } |
ec0810ee |
1689 | } |
1690 | } |
340ea4e8 |
1691 | break; |
bbbf2d40 |
1692 | |
1693 | default: |
1694 | error ('This is an unknown context!'); |
340ea4e8 |
1695 | return false; |
1696 | |
1697 | } |
340ea4e8 |
1698 | return $name; |
bbbf2d40 |
1699 | } |
1700 | |
1701 | |
1702 | /** |
1703 | * Extracts the relevant capabilities given a contextid. |
1704 | * All case based, example an instance of forum context. |
1705 | * Will fetch all forum related capabilities, while course contexts |
1706 | * Will fetch all capabilities |
0468976c |
1707 | * @param object context |
bbbf2d40 |
1708 | * @return array(); |
1709 | * |
1710 | * capabilities |
1711 | * `name` varchar(150) NOT NULL, |
1712 | * `captype` varchar(50) NOT NULL, |
1713 | * `contextlevel` int(10) NOT NULL, |
1714 | * `component` varchar(100) NOT NULL, |
1715 | */ |
0468976c |
1716 | function fetch_context_capabilities($context) { |
98882637 |
1717 | |
1718 | global $CFG; |
bbbf2d40 |
1719 | |
1720 | $sort = 'ORDER BY contextlevel,component,id'; // To group them sensibly for display |
98882637 |
1721 | |
d140ad3f |
1722 | switch ($context->aggregatelevel) { |
bbbf2d40 |
1723 | |
98882637 |
1724 | case CONTEXT_SYSTEM: // all |
1725 | $SQL = "select * from {$CFG->prefix}capabilities"; |
bbbf2d40 |
1726 | break; |
1727 | |
1728 | case CONTEXT_PERSONAL: |
0a8a95c9 |
1729 | $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_PERSONAL; |
bbbf2d40 |
1730 | break; |
1731 | |
1732 | case CONTEXT_USERID: |
0a8a95c9 |
1733 | $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_USERID; |
bbbf2d40 |
1734 | break; |
1735 | |
1736 | case CONTEXT_COURSECAT: // all |
98882637 |
1737 | $SQL = "select * from {$CFG->prefix}capabilities"; |
bbbf2d40 |
1738 | break; |
1739 | |
1740 | case CONTEXT_COURSE: // all |
98882637 |
1741 | $SQL = "select * from {$CFG->prefix}capabilities"; |
bbbf2d40 |
1742 | break; |
1743 | |
1744 | case CONTEXT_GROUP: // group caps |
1745 | break; |
1746 | |
1747 | case CONTEXT_MODULE: // mod caps |
98882637 |
1748 | $cm = get_record('course_modules', 'id', $context->instanceid); |
1749 | $module = get_record('modules', 'id', $cm->module); |
bbbf2d40 |
1750 | |
98882637 |
1751 | $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_MODULE." |
1752 | and component = 'mod/$module->name'"; |
bbbf2d40 |
1753 | break; |
1754 | |
1755 | case CONTEXT_BLOCK: // block caps |
98882637 |
1756 | $cb = get_record('block_instance', 'id', $context->instanceid); |
1757 | $block = get_record('block', 'id', $cb->blockid); |
bbbf2d40 |
1758 | |
98882637 |
1759 | $SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_BLOCK." |
1760 | and component = 'block/$block->name'"; |
bbbf2d40 |
1761 | break; |
1762 | |
1763 | default: |
1764 | return false; |
1765 | } |
1766 | |
1767 | $records = get_records_sql($SQL.' '.$sort); |
69eb59f2 |
1768 | |
1769 | // special sorting of core system capabiltites and enrollments |
1770 | if ($context->aggregatelevel == CONTEXT_SYSTEM) { |
1771 | $first = array(); |
1772 | foreach ($records as $key=>$record) { |
1773 | if (preg_match('|^moodle/|', $record->name) and $record->contextlevel == CONTEXT_SYSTEM) { |
1774 | $first[$key] = $record; |
1775 | unset($records[$key]); |
1776 | } else if (count($first)){ |
1777 | break; |
1778 | } |
1779 | } |
1780 | if (count($first)) { |
1781 | $records = $first + $records; // merge the two arrays keeping the keys |
1782 | } |
1783 | } |
1784 | // end of special sorting |
1785 | |
bbbf2d40 |
1786 | return $records; |
1787 | |
1788 | } |
1789 | |
1790 | |
1791 | /** |
1792 | * This function pulls out all the resolved capabilities (overrides and |
1793 | * defaults) of a role used in capability overrieds in contexts at a given |
1794 | * context. |
0a8a95c9 |
1795 | * @param obj $context |
bbbf2d40 |
1796 | * @param int $roleid |
1797 | * @return array |
1798 | */ |
1648afb2 |
1799 | function role_context_capabilities($roleid, $context, $cap='') { |
98882637 |
1800 | global $CFG; |
1801 | |
1802 | $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID); |
0468976c |
1803 | if ($sitecontext->id == $context->id) { |
20aeb4b8 |
1804 | $contexts = array($sitecontext->id); |
1805 | } else { |
1806 | // first of all, figure out all parental contexts |
1807 | $contexts = array_reverse(get_parent_contexts($context)); |
98882637 |
1808 | } |
98882637 |
1809 | $contexts = '('.implode(',', $contexts).')'; |
1810 | |
1648afb2 |
1811 | if ($cap) { |
e4697bf7 |
1812 | $search = " AND rc.capability = '$cap' "; |
1648afb2 |
1813 | } else { |
1814 | $search = ''; |
1815 | } |
1816 | |
98882637 |
1817 | $SQL = "SELECT rc.* FROM {$CFG->prefix}role_capabilities rc, {$CFG->prefix}context c |
1818 | where rc.contextid in $contexts |
1819 | and rc.roleid = $roleid |
1648afb2 |
1820 | and rc.contextid = c.id $search |
d140ad3f |
1821 | ORDER BY c.aggregatelevel DESC, rc.capability DESC"; |
1648afb2 |
1822 | |
98882637 |
1823 | $capabilities = array(); |
1824 | |
4729012f |
1825 | if ($records = get_records_sql($SQL)) { |
1826 | // We are traversing via reverse order. |
1827 | foreach ($records as $record) { |
1828 | // If not set yet (i.e. inherit or not set at all), or currently we have a prohibit |
1829 | if (!isset($capabilities[$record->capability]) || $record->permission<-500) { |
1830 | $capabilities[$record->capability] = $record->permission; |
1831 | } |
1832 | } |
98882637 |
1833 | } |
1834 | return $capabilities; |
bbbf2d40 |
1835 | } |
1836 | |
bbbf2d40 |
1837 | /** |
0468976c |
1838 | * Recursive function which, given a context, find all parent context ids, |
bbbf2d40 |
1839 | * and return the array in reverse order, i.e. parent first, then grand |
1840 | * parent, etc. |
1841 | * @param object $context |
1842 | * @return array() |
1843 | */ |
bbbf2d40 |
1844 | function get_parent_contexts($context) { |
1845 | |
d140ad3f |
1846 | switch ($context->aggregatelevel) { |
bbbf2d40 |
1847 | |
1848 | case CONTEXT_SYSTEM: // no parent |
957861f7 |
1849 | return array(); |
bbbf2d40 |
1850 | break; |
1851 | |
1852 | case CONTEXT_PERSONAL: |
957861f7 |
1853 | if (!$parent = get_context_instance(CONTEXT_SYSTEM, SITEID)) { |
1854 | return array(); |
1855 | } else { |
1856 | return array($parent->id); |
1857 | } |
bbbf2d40 |
1858 | break; |
1859 | |
1860 | case CONTEXT_USERID: |
957861f7 |
1861 | if (!$parent = get_context_instance(CONTEXT_SYSTEM, SITEID)) { |
1862 | return array(); |
1863 | } else { |
1864 | return array($parent->id); |
1865 | } |
bbbf2d40 |
1866 | break; |
1867 | |
1868 | case CONTEXT_COURSECAT: // Coursecat -> coursecat or site |
957861f7 |
1869 | if (!$coursecat = get_record('course_categories','id',$context->instanceid)) { |
1870 | return array(); |
1871 | } |
c5ddc3fd |
1872 | if (!empty($coursecat->parent)) { // return parent value if exist |
bbbf2d40 |
1873 | $parent = get_context_instance(CONTEXT_COURSECAT, $coursecat->parent); |
1874 | return array_merge(array($parent->id), get_parent_contexts($parent)); |
1875 | } else { // else return site value |
1876 | $parent = get_context_instance(CONTEXT_SYSTEM, SITEID); |
1877 | return array($parent->id); |
1878 | } |
1879 | break; |
1880 | |
1881 | case CONTEXT_COURSE: // 1 to 1 to course cat |
957861f7 |
1882 | if (!$course = get_record('course','id',$context->instanceid)) { |
1883 | return array(); |
1884 | } |
1885 | if (!empty($course->category)) { |
1886 | $parent = get_context_instance(CONTEXT_COURSECAT, $course->category); |
1887 | return array_merge(array($parent->id), get_parent_contexts($parent)); |
1888 | } else { |
1889 | return array(); |
1890 | } |
bbbf2d40 |
1891 | break; |
1892 | |
1893 | case CONTEXT_GROUP: // 1 to 1 to course |
957861f7 |
1894 | if (!$group = get_record('groups','id',$context->instanceid)) { |
1895 | return array(); |
1896 | } |
1897 | if ($parent = get_context_instance(CONTEXT_COURSE, $group->courseid)) { |
1898 | return array_merge(array($parent->id), get_parent_contexts($parent)); |
1899 | } else { |
1900 | return array(); |
1901 | } |
bbbf2d40 |
1902 | break; |
1903 | |
1904 | case CONTEXT_MODULE: // 1 to 1 to course |
957861f7 |
1905 | if (!$cm = get_record('course_modules','id',$context->instanceid)) { |
1906 | return array(); |
1907 | } |
1908 | if ($parent = get_context_instance(CONTEXT_COURSE, $cm->course)) { |
1909 | return array_merge(array($parent->id), get_parent_contexts($parent)); |
1910 | } else { |
1911 | return array(); |
1912 | } |
bbbf2d40 |
1913 | break; |
1914 | |
1915 | case CONTEXT_BLOCK: // 1 to 1 to course |
957861f7 |
1916 | if (!$block = get_record('block_instance','id',$context->instanceid)) { |
1917 | return array(); |
1918 | } |
1919 | if ($parent = get_context_instance(CONTEXT_COURSE, $block->pageid)) { |
1920 | return array_merge(array($parent->id), get_parent_contexts($parent)); |
1921 | } else { |
1922 | return array(); |
1923 | } |
bbbf2d40 |
1924 | break; |
1925 | |
1926 | default: |
957861f7 |
1927 | error('This is an unknown context!'); |
bbbf2d40 |
1928 | return false; |
1929 | } |
bbbf2d40 |
1930 | } |
1931 | |
ea8158c1 |
1932 | /** gets a string for sql calls, searching for stuff |
1933 | * in this context or above |
1934 | * @param object $context |
1935 | * @return string |
1936 | */ |
1937 | function get_related_contexts_string($context) { |
1938 | if ($parents = get_parent_contexts($context)) { |
1939 | return (' IN ('.$context->id.','.implode(',', $parents).')'); |
1940 | } else { |
1941 | return (' ='.$context->id); |
1942 | } |
1943 | } |
bbbf2d40 |
1944 | /** |
1945 | * This function gets the capability of a role in a given context. |
1946 | * It is needed when printing override forms. |
1947 | * @param int $contextid |
bbbf2d40 |
1948 | * @param string $capability |
1949 | * @param array $capabilities - array loaded using role_context_capabilities |
1950 | * @return int (allow, prevent, prohibit, inherit) |
1951 | */ |
bbbf2d40 |
1952 | function get_role_context_capability($contextid, $capability, $capabilities) { |
98882637 |
1953 | return $capabilities[$contextid][$capability]; |
bbbf2d40 |
1954 | } |
1955 | |
1956 | |
cee0901c |
1957 | /** |
1958 | * Returns the human-readable, translated version of the capability. |
1959 | * Basically a big switch statement. |
1960 | * @param $capabilityname - e.g. mod/choice:readresponses |
1961 | */ |
ceb83c70 |
1962 | function get_capability_string($capabilityname) { |
ae9e4c06 |
1963 | |
cee0901c |
1964 | // Typical capabilityname is mod/choice:readresponses |
ceb83c70 |
1965 | |
1966 | $names = split('/', $capabilityname); |
1967 | $stringname = $names[1]; // choice:readresponses |
1968 | $components = split(':', $stringname); |
1969 | $componentname = $components[0]; // choice |
98882637 |
1970 | |
1971 | switch ($names[0]) { |
1972 | case 'mod': |
ceb83c70 |
1973 | $string = get_string($stringname, $componentname); |
98882637 |
1974 | break; |
1975 | |
1976 | case 'block': |
ceb83c70 |
1977 | $string = get_string($stringname, 'block_'.$componentname); |
98882637 |
1978 | break; |
ceb83c70 |
1979 | |
98882637 |
1980 | case 'moodle': |
ceb83c70 |
1981 | $string = get_string($stringname, 'role'); |
98882637 |
1982 | break; |
1983 | |
1984 | case 'enrol': |
ceb83c70 |
1985 | $string = get_string($stringname, 'enrol_'.$componentname); |
1986 | break; |
98882637 |
1987 | |
1988 | default: |
ceb83c70 |
1989 | $string = get_string($stringname); |
98882637 |
1990 | break; |
98882637 |
1991 | |
1992 | } |
ceb83c70 |
1993 | return $string; |
bbbf2d40 |
1994 | } |
1995 | |
1996 | |
cee0901c |
1997 | /** |
1998 | * This gets the mod/block/course/core etc strings. |
1999 | * @param $component |
2000 | * @param $contextlevel |
2001 | */ |
bbbf2d40 |
2002 | function get_component_string($component, $contextlevel) { |
2003 | |
98882637 |
2004 | switch ($contextlevel) { |
bbbf2d40 |
2005 | |
98882637 |
2006 | case CONTEXT_SYSTEM: |
be382aaf |
2007 | if (preg_match('|^enrol/|', $component)) { |
2008 | $langname = str_replace('/', '_', $component); |
2009 | $string = get_string('enrolname', $langname); |
69eb59f2 |
2010 | } else { |
2011 | $string = get_string('coresystem'); |
2012 | } |
bbbf2d40 |
2013 | break; |
2014 | |
2015 | case CONTEXT_PERSONAL: |
98882637 |
2016 | $string = get_string('personal'); |
bbbf2d40 |
2017 | break; |
2018 | |
2019 | case CONTEXT_USERID: |
98882637 |
2020 | $string = get_string('users'); |
bbbf2d40 |
2021 | break; |
2022 | |
2023 | case CONTEXT_COURSECAT: |
98882637 |
2024 | $string = get_string('categories'); |
bbbf2d40 |
2025 | break; |
2026 | |
2027 | case CONTEXT_COURSE: |
98882637 |
2028 | $string = get_string('course'); |
bbbf2d40 |
2029 | break; |
2030 | |
2031 | case CONTEXT_GROUP: |
98882637 |
2032 | $string = get_string('group'); |
bbbf2d40 |
2033 | break; |
2034 | |
2035 | case CONTEXT_MODULE: |
98882637 |
2036 | $string = get_string('modulename', basename($component)); |
bbbf2d40 |
2037 | break; |
2038 | |
2039 | case CONTEXT_BLOCK: |
98882637 |
2040 | $string = get_string('blockname', 'block_'.$component.'.php'); |
bbbf2d40 |
2041 | break; |
2042 | |
2043 | default: |
2044 | error ('This is an unknown context!'); |
2045 | return false; |
98882637 |
2046 | |
2047 | } |
98882637 |
2048 | return $string; |
bbbf2d40 |
2049 | } |
cee0901c |
2050 | |
945f88ca |
2051 | /** gets the list of roles assigned to this context |
2052 | * @param object $context |
2053 | * @return array |
2054 | */ |
e4dd3222 |
2055 | function get_roles_used_in_context($context) { |
2056 | |
2057 | global $CFG; |
2058 | |
2059 | return get_records_sql('SELECT distinct r.id, r.name |
2060 | FROM '.$CFG->prefix.'role_assignments ra, |
2061 | '.$CFG->prefix.'role r |
2062 | WHERE r.id = ra.roleid |
2063 | AND ra.contextid = '.$context->id.' |
2064 | ORDER BY r.sortorder ASC'); |
2065 | } |
2066 | |
945f88ca |
2067 | /** this function is used to print roles column in user profile page. |
2068 | * @param int userid |
2069 | * @param int contextid |
2070 | * @return string |
2071 | */ |
0a8a95c9 |
2072 | function get_user_roles_in_context($userid, $contextid){ |
2073 | global $CFG; |
2074 | |
2075 | $rolestring = ''; |
2076 | $SQL = 'select * from '.$CFG->prefix.'role_assignments ra, '.$CFG->prefix.'role r where ra.userid='.$userid.' and ra.contextid='.$contextid.' and ra.roleid = r.id'; |
2077 | if ($roles = get_records_sql($SQL)) { |
2078 | foreach ($roles as $userrole) { |
2079 | $rolestring .= '<a href="'.$CFG->wwwroot.'/user/index.php?contextid='.$userrole->contextid.'&roleid='.$userrole->roleid.'">'.$userrole->name.'</a>, '; |
2080 | } |
2081 | |
2082 | } |
2083 | return rtrim($rolestring, ', '); |
2084 | } |
68c52526 |
2085 | |
2086 | |
945f88ca |
2087 | /** |
2088 | * Checks if a user can override capabilities of a particular role in this context |
2089 | * @param object $context |
2090 | * @param int targetroleid - the id of the role you want to override |
2091 | * @return boolean |
2092 | */ |
68c52526 |
2093 | function user_can_override($context, $targetroleid) { |
2094 | // first check if user has override capability |
2095 | // if not return false; |
2096 | if (!has_capability('moodle/role:override', $context)) { |
2097 | return false; |
2098 | } |
2099 | // pull out all active roles of this user from this context(or above) |
c0614051 |
2100 | if ($userroles = get_user_roles($context)) { |
2101 | foreach ($userroles as $userrole) { |
2102 | // if any in the role_allow_override table, then it's ok |
2103 | if (get_record('role_allow_override', 'roleid', $userrole->roleid, 'allowoverride', $targetroleid)) { |
2104 | return true; |
2105 | } |
68c52526 |
2106 | } |
2107 | } |
2108 | |
2109 | return false; |
2110 | |
2111 | } |
2112 | |
945f88ca |
2113 | /** |
2114 | * Checks if a user can assign users to a particular role in this context |
2115 | * @param object $context |
2116 | * @param int targetroleid - the id of the role you want to assign users to |
2117 | * @return boolean |
2118 | */ |
68c52526 |
2119 | function user_can_assign($context, $targetroleid) { |
2120 | |
2121 | // first check if user has override capability |
2122 | // if not return false; |
2123 | if (!has_capability('moodle/role:assign', $context)) { |
2124 | return false; |
2125 | } |
2126 | // pull out all active roles of this user from this context(or above) |
c0614051 |
2127 | if ($userroles = get_user_roles($context)) { |
2128 | foreach ($userroles as $userrole) { |
2129 | // if any in the role_allow_override table, then it's ok |
2130 | if (get_record('role_allow_assign', 'roleid', $userrole->roleid, 'allowassign', $targetroleid)) { |
2131 | return true; |
2132 | } |
68c52526 |
2133 | } |
2134 | } |
2135 | |
2136 | return false; |
2137 | } |
2138 | |
945f88ca |
2139 | /** |
2140 | * gets all the user roles assigned in this context, or higher contexts |
2141 | * this is mainly used when checking if a user can assign a role, or overriding a role |
2142 | * i.e. we need to know what this user holds, in order to verify against allow_assign and |
2143 | * allow_override tables |
2144 | * @param object $context |
2145 | * @param int $userid |
2146 | * @return array |
2147 | */ |
c0614051 |
2148 | function get_user_roles($context, $userid=0) { |
68c52526 |
2149 | |
2150 | global $USER, $CFG, $db; |
c0614051 |
2151 | |
2152 | if (empty($userid)) { |
2153 | if (empty($USER->id)) { |
2154 | return array(); |
2155 | } |
2156 | $userid = $USER->id; |
2157 | } |
2158 | |
2159 | if ($parents = get_parent_contexts($context)) { |
2160 | $contexts = ' AND ra.contextid IN ('.implode(',' , $parents).')'; |
2161 | } else { |
2162 | $contexts = ' AND ra.contextid = \''.$context->id.'\''; |
2163 | } |
2164 | |
68c52526 |
2165 | return get_records_sql('SELECT * |
2166 | FROM '.$CFG->prefix.'role_assignments ra |
c0614051 |
2167 | WHERE ra.userid = '.$userid. |
2168 | $contexts); |
68c52526 |
2169 | } |
2170 | |
945f88ca |
2171 | /** |
2172 | * Creates a record in the allow_override table |
2173 | * @param int sroleid - source roleid |
2174 | * @param int troleid - target roleid |
2175 | * @return int - id or false |
2176 | */ |
2177 | function allow_override($sroleid, $troleid) { |
2178 | $record->roleid = $sroleid; |
2179 | $record->allowoverride = $troleid; |
2180 | return insert_record('role_allow_override', $record); |
2181 | } |
2182 | |
2183 | /** |
2184 | * Creates a record in the allow_assign table |
2185 | * @param int sroleid - source roleid |
2186 | * @param int troleid - target roleid |
2187 | * @return int - id or false |
2188 | */ |
2189 | function allow_assign($sroleid, $troleid) { |
2190 | $record->roleid = $sroleid; |
2191 | $record->allowassign = $troleid; |
2192 | return insert_record('role_allow_assign', $record); |
2193 | } |
2194 | |
2195 | /** |
2196 | * gets a list of roles assignalbe in this context for this user |
2197 | * @param object $context |
2198 | * @return array |
2199 | */ |
2200 | function get_assignable_roles ($context) { |
2201 | |
2202 | $role = get_records('role'); |
2203 | $options = array(); |
2204 | foreach ($role as $rolex) { |
2205 | if (user_can_assign($context, $rolex->id)) { |
2206 | $options[$rolex->id] = $rolex->name; |
2207 | } |
2208 | } |
2209 | return $options; |
2210 | } |
2211 | |
2212 | /** |
2213 | * gets a list of roles that can be overriden in this context by this user |
2214 | * @param object $context |
2215 | * @return array |
2216 | */ |
2217 | function get_overridable_roles ($context) { |
2218 | |
2219 | $role = get_records('role'); |
2220 | $options = array(); |
2221 | foreach ($role as $rolex) { |
2222 | if (user_can_override($context, $rolex->id)) { |
2223 | $options[$rolex->id] = $rolex->name; |
2224 | } |
2225 | } |
2226 | |
2227 | return $options; |
2228 | |
2229 | } |
1648afb2 |
2230 | |
2231 | |
2232 | /** |
2233 | * who has this capability in this context |
2234 | * does not handling user level resolving!!! |
2235 | * i.e 1 person has 2 roles 1 allow, 1 prevent, this will not work properly |
2236 | * @param $context - object |
2237 | * @param $capability - string capability |
2238 | * @param $fields - fields to be pulled |
2239 | * @param $sort - the sort order |
04417640 |
2240 | * @param $limitfrom - number of records to skip (offset) |
2241 | * @param $limitnum - number of records to fetch |
1c45e42e |
2242 | * @param $groups - single group or array of groups - group(s) user is in |
1648afb2 |
2243 | */ |
1c45e42e |
2244 | function get_users_by_capability($context, $capability, $fields='u.*', $sort='', $limitfrom='', $limitnum='', $groups='') { |
1648afb2 |
2245 | |
2246 | global $CFG; |
2247 | |
1c45e42e |
2248 | if ($groups) { |
2249 | |
2250 | $groupjoin = 'LEFT JOIN '.$CFG->prefix.'groups_members gm ON gm.userid = ra.userid'; |
2251 | |
2252 | if (is_array($groups)) { |
2253 | $groupsql = 'AND gm.id IN ('.implode(',', $groups).')'; |
2254 | } else { |
2255 | $groupsql = 'AND gm.id = '.$groups; |
2256 | } |
2257 | } else { |
2258 | $groupjoin = ''; |
2259 | $groupsql = ''; |
2260 | } |
2261 | |
1648afb2 |
2262 | // first get all roles with this capability in this context, or above |
ec7a8b79 |
2263 | $possibleroles = get_roles_with_capability($capability, CAP_ALLOW, $context); |
1648afb2 |
2264 | $validroleids = array(); |
2265 | foreach ($possibleroles as $prole) { |
2266 | $caps = role_context_capabilities($prole->id, $context, $capability); // resolved list |
2267 | if ($caps[$capability] > 0) { // resolved capability > 0 |
2268 | $validroleids[] = $prole->id; |
2269 | } |
2270 | } |
2271 | |
ec7a8b79 |
2272 | /// the following few lines may not be needed |
1648afb2 |
2273 | if ($usercontexts = get_parent_contexts($context)) { |
2274 | $listofcontexts = '('.implode(',', $usercontexts).')'; |
2275 | } else { |
2276 | $sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID); |
2277 | $listofcontexts = '('.$sitecontext->id.')'; // must be site |
2278 | } |
2279 | |
2280 | $roleids = '('.implode(',', $validroleids).')'; |
2281 | |
2282 | $select = ' SELECT '.$fields; |
1c45e42e |
2283 | $from = ' FROM '.$CFG->prefix.'user u LEFT JOIN '.$CFG->prefix.'role_assignments ra ON ra.userid = u.id '.$groupjoin; |
2284 | $where = ' WHERE (ra.contextid = '.$context->id.' OR ra.contextid in '.$listofcontexts.') AND u.deleted = 0 AND ra.roleid in '.$roleids.' '.$groupsql; |
1648afb2 |
2285 | |
04417640 |
2286 | return get_records_sql($select.$from.$where.$sort, $limitfrom, $limitnum); |
1648afb2 |
2287 | |
2288 | } |
7700027f |
2289 | |
ab5c9044 |
2290 | /** |
2291 | * gets all the users assigned this role in this context or higher |
2292 | * @param int roleid |
2293 | * @param int contextid |
2294 | * @param bool parent if true, get list of users assigned in higher context too |
2295 | * @return array() |
2296 | */ |
2297 | function get_role_users($roleid, $context, $parent=false) { |
2298 | global $CFG; |
2299 | |
2300 | if ($parent) { |
2301 | if ($contexts = get_parent_contexts($context)) { |
2302 | $parentcontexts = 'r.contextid IN ('.implode(',', $contexts).')'; |
2303 | } else { |
2304 | $parentcontexts = ''; |
2305 | } |
2306 | } else { |
2307 | $parentcontexts = ''; |
2308 | } |
2309 | |
2310 | $SQL = "select u.* |
2311 | from {$CFG->prefix}role_assignments r, |
2312 | {$CFG->prefix}user u |
2313 | where (r.contextid = $context->id $parentcontexts) |
2314 | and r.roleid = $roleid |
2315 | and u.id = r.userid"; // join now so that we can just use fullname() later |
2316 | |
2317 | return get_records_sql($SQL); |
2318 | } |
2319 | |
1dc1f037 |
2320 | ?> |