mirror_php/moodle
1
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-03-14 12:40:01 +01:00
Code Issues Projects Releases Wiki Activity

adding functions and interface for access control - role assignment and role overrides

Browse Source
This commit is contained in:
toyomoyo 2006-08-18 08:01:16 +00:00
parent 4cd174bfce
commit 68c5252623
8 changed files with 311 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

104
admin/roles/allowassign.php Executable file
View File

@ -0,0 +1,104 @@
<?php
/**
* this page defines what roles can access (grant user that role and override that roles'
* capabilities in different context. For example, we can say that Teachers can only grant
* student role or modify student role's capabilities. Note that you need both the right
* capability moodle/roles:assign or moodle/roles:manage and this database table roles_deny_grant
* to be able to grant roles. If a user has moodle/roles:manage at site level assignment
* then he can modify the roles_allow_assign table via this interface.
*/
require_once('../../config.php');
/// check capabilities here
$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
require_capability('moodle/roles:manage', $sitecontext);
$site = get_site();
$stradministration = get_string('administration');
$strmanageroles = get_string('manageroles');
/// form processiong here
/// get all roles
$roles = get_records('role');
if ($grant = data_submitted()) {
foreach ($grant as $grole => $val) {
if ($grole == 'dummy') {
continue;
}
$string = explode('_', $grole);
$temp[$string[1]][$string[2]] = 1; // if set, means can access
}
// if current assignment is in data_submitted, ignore, else, write deny into db
foreach ($roles as $srole) {
foreach ($roles as $trole) {
if (isset($temp[$srole->id][$trole->id])) { // if set, need to write to db
if (!$record = get_record('role_allow_assign', 'roleid', $srole->id, 'allowassign', $trole->id)) {
$record->roleid = $srole->id;
$record->allowassign = $trole->id;
insert_record('role_allow_assign', $record);
}
} else { //if set, means can access, attempt to remove it from db
delete_records('role_allow_assign', 'roleid', $srole->id, 'allowassign', $trole->id);
}
}
}
}
/// displaying form here
print_header("$site->shortname: $strmanageroles",
"$site->fullname",
"<a href=\"../index.php\">$stradministration</a> -> <a href=\"manage.php\">$strmanageroles</a>
");
$currenttab='allowassign';
require_once('managetabs.php');
$table->tablealign = "center";
$table->align = array ("middle", "left");
$table->wrap = array ("nowrap", "nowrap");
$table->cellpadding = 5;
$table->cellspacing = 0;
$table->width = '40%';
/// get all the roles identifier
foreach ($roles as $role) {
$rolesname[] = $role->name;
$roleids[] = $role->id;
}
$table->data[] = array_merge(array(''), $rolesname);
foreach ($roles as $role) {
$beta = get_box_list($role->id, $roleids);
$table->data[] = array_merge(array($role->name), $beta);
}
echo '<form action="allowassign.php" method="post">';
print_table($table);
echo '<div align="center"><input type="submit" value="submit"/></div>';
echo '<input type="hidden" name="dummy" value="1" />'; // this is needed otherwise we do not know a form has been submitted
echo '</form>';
print_footer();
// returns array
function get_box_list($roleid, $arraylist){
foreach ($arraylist as $targetid) {
if (get_record('role_allow_assign', 'roleid', $roleid, 'allowassign', $targetid)) {
$array[] = '<input type="checkbox" name="s_'.$roleid.'_'.$targetid.'" value="1" checked="checked"/>';
} else {
$array[] = '<input type="checkbox" name="s_'.$roleid.'_'.$targetid.'" value="1" />';
}
}
return $array;
}
?>

102
admin/roles/allowoverride.php Executable file
View File

@ -0,0 +1,102 @@
<?php
/**
* this page defines what roles can override (override roles in different context. For example,
* we can say that Admin can override teacher roles in a course
* To be able to override roles. If a user has moodle/roles:overrde at context level
* and be in the roles_allow_override table.
*/
require_once('../../config.php');
/// check capabilities here
$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
require_capability('moodle/roles:manage', $sitecontext);
$site = get_site();
$stradministration = get_string('administration');
$strmanageroles = get_string('manageroles');
/// form processiong here
/// get all roles
$roles = get_records('role');
if ($grant = data_submitted()) {
foreach ($grant as $grole => $val) {
if ($grole == 'dummy') {
continue;
}
$string = explode('_', $grole);
$temp[$string[1]][$string[2]] = 1; // if set, means can access
}
// if current assignment is in data_submitted, ignore, else, write deny into db
foreach ($roles as $srole) {
foreach ($roles as $trole) {
if (isset($temp[$srole->id][$trole->id])) { // if set, need to write to db
if (!$record = get_record('role_allow_override', 'roleid', $srole->id, 'allowoverride', $trole->id)) {
$record->roleid = $srole->id;
$record->allowoverride = $trole->id;
insert_record('role_allow_override', $record);
}
} else { //if set, means can access, attempt to remove it from db
delete_records('role_allow_override', 'roleid', $srole->id, 'allowoverride', $trole->id);
}
}
}
}
/// displaying form here
print_header("$site->shortname: $strmanageroles",
"$site->fullname",
"<a href=\"../index.php\">$stradministration</a> -> <a href=\"manage.php\">$strmanageroles</a>
");
$currenttab='allowoverride';
require_once('managetabs.php');
$table->tablealign = "center";
$table->align = array ("middle", "left");
$table->wrap = array ("nowrap", "nowrap");
$table->cellpadding = 5;
$table->cellspacing = 0;
$table->width = '40%';
/// get all the roles identifier
foreach ($roles as $role) {
$rolesname[] = $role->name;
$roleids[] = $role->id;
}
$table->data[] = array_merge(array(''), $rolesname);
foreach ($roles as $role) {
$beta = get_box_list($role->id, $roleids);
$table->data[] = array_merge(array($role->name), $beta);
}
echo '<form action="allowoverride.php" method="post">';
print_table($table);
echo '<div align="center"><input type="submit" value="submit"/></div>';
echo '<input type="hidden" name="dummy" value="1" />'; // this is needed otherwise we do not know a form has been submitted
echo '</form>';
print_footer();
// returns array
function get_box_list($roleid, $arraylist){
foreach ($arraylist as $targetid) {
if (get_record('role_allow_override', 'roleid', $roleid, 'allowoverride', $targetid)) {
$array[] = '<input type="checkbox" name="s_'.$roleid.'_'.$targetid.'" value="1" checked="checked"/>';
} else {
$array[] = '<input type="checkbox" name="s_'.$roleid.'_'.$targetid.'" value="1" />';
}
}
return $array;
}
?>

11
admin/roles/assign.php
View File

@ -55,6 +55,13 @@
$context = get_record('context', 'id', $contextid);
// role assigning permission checking
if ($roleid) {
if (!user_can_assign($context, $roleid)) {
error ('you can not override this role in this context');
}
}
$participants = get_string("participants");
$user = get_record('user', 'id', $userid);
$fullname = fullname($user, isteacher($course->id));
@ -155,7 +162,9 @@
// this needs to check capability too
$role = get_records('role');
foreach ($role as $rolex) {
$options[$rolex->id] = $rolex->name;
if (user_can_assign($context, $rolex->id)) {
$options[$rolex->id] = $rolex->name;
}
}
// prints a form to swap roles

3
admin/roles/manage.php
View File

@ -41,6 +41,9 @@
// $editingstr
// ");
$currenttab = 'manage';
include_once('managetabs.php');
// form processing, editing a role, adding a role or deleting a role
if ($action && confirm_sesskey()) {

14
admin/roles/managetabs.php Executable file
View File

@ -0,0 +1,14 @@
<?php
// this page deals with the 2 tabs for manage.php and grant.php
$toprow[] = new tabobject('manage', $CFG->wwwroot.'/admin/roles/manage.php', get_string('manage'));
$toprow[] = new tabobject('allowassign', $CFG->wwwroot.'/admin/roles/allowassign.php', get_string('allowassign'));
$toprow[] = new tabobject('allowoverride', $CFG->wwwroot.'/admin/roles/allowoverride.php', get_string('allowoverride'));
$tabs = array($toprow);
print_tabs($tabs, $currenttab);
?>

11
admin/roles/override.php
View File

@ -31,6 +31,13 @@
$context = get_record('context', 'id', $contextid);
// role overriding permission checking
if ($roleid) {
if (!user_can_override($context, $roleid)) {
error ('you can not override this role in this context');
}
}
$participants = get_string("participants");
$user = get_record('user', 'id', $userid);
$fullname = fullname($user, isteacher($course->id));
@ -115,7 +122,9 @@
// this needs to check capability too
$role = get_records('role');
foreach ($role as $rolex) {
$options[$rolex->id] = $rolex->name;
if (user_can_override($context, $rolex->id)) {
$options[$rolex->id] = $rolex->name;
}
}
print ('<form name="rolesform" action="override.php" method="post">');

54
lib/accesslib.php
View File

@ -1599,4 +1599,58 @@ function get_user_roles_in_context($userid, $contextid){
}
return rtrim($rolestring, ', ');
}
// returns bool
function user_can_override($context, $targetroleid) {
// first check if user has override capability
// if not return false;
if (!has_capability('moodle/role:override', $context)) {
return false;
}
// pull out all active roles of this user from this context(or above)
$userroles = get_user_roles($context);
foreach ($userroles as $userrole) {
// if any in the role_allow_override table, then it's ok
if (get_record('role_allow_override', 'roleid', $userrole->roleid, 'allowoverride', $targetroleid)) {
return true;
}
}
return false;
}
function user_can_assign($context, $targetroleid) {
// first check if user has override capability
// if not return false;
if (!has_capability('moodle/role:assign', $context)) {
return false;
}
// pull out all active roles of this user from this context(or above)
$userroles = get_user_roles($context);
foreach ($userroles as $userrole) {
// if any in the role_allow_override table, then it's ok
if (get_record('role_allow_assign', 'roleid', $userrole->roleid, 'allowassign', $targetroleid)) {
return true;
}
}
return false;
}
// gets all the user roles assigned in this context, or higher
function get_user_roles($context) {
global $USER, $CFG, $db;
$parents = get_parent_contexts($context);
$parentlists = '('.implode(',' , $parents).')';
return get_records_sql('SELECT *
FROM '.$CFG->prefix.'role_assignments ra
WHERE ra.userid = '.$USER->id.'
AND ra.contextid IN '.$parentlists);
}
?>

14
lib/db/access.php
View File

@ -256,6 +256,20 @@ $moodle_capabilities = array(
)
),
'moodle/role:override' => array(
'captype' => 'write',
'contextlevel' => CONTEXT_SYSTEM,
'legacy' => array(
'guest' => CAP_PREVENT,
'student' => CAP_PREVENT,
'teacher' => CAP_PREVENT,
'editingteacher' => CAP_PREVENT,
'coursecreator' => CAP_PREVENT,
'admin' => CAP_ALLOW
)
),
'moodle/role:manage' => array(
'captype' => 'write',