mirror_php/moodle
1
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-01-19 14:27:22 +01:00
Code Issues Projects Releases Wiki Activity
moodle/lib/accesslib.php
martinlanghoff 0d25cd3a81 accesslib: Introduce functions to deal with dirty contexts 
The accessinfo held in $USER->access can easily get out of
sync with reality if and admin has removed our access,
or expanded it after we loaded our accessinfo.

To handle this, we'll use the config_plugins table with an
'accesslib/dirtycontexts' plugin signature to store the paths of
recently changed contexts. To handle those dirrrty entries, here
we introduce

  get_dirty_contexts() - for lib/setup
  mark_context_dirty()
  cleanup_dirty_contexts() - for cron
2007-09-19 07:10:09 +00:00

4682 lines
158 KiB
PHP
Executable File
Raw Blame History

<?php // $Id$
///////////////////////////////////////////////////////////////////////////
// //
// NOTICE OF COPYRIGHT //
// //
// Moodle - Modular Object-Oriented Dynamic Learning Environment //
// http://moodle.org //
// //
// Copyright (C) 1999-2004 Martin Dougiamas http://dougiamas.com //
// //
// This program is free software; you can redistribute it and/or modify //
// it under the terms of the GNU General Public License as published by //
// the Free Software Foundation; either version 2 of the License, or //
// (at your option) any later version. //
// //
// This program is distributed in the hope that it will be useful, //
// but WITHOUT ANY WARRANTY; without even the implied warranty of //
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the //
// GNU General Public License for more details: //
// //
// http://www.gnu.org/copyleft/gpl.html //
// //
///////////////////////////////////////////////////////////////////////////
/**
* Capability session information format
* 2 x 2 array
* [context][capability]
* where context is the context id of the table 'context'
* and capability is a string defining the capability
* e.g.
*
* [Capabilities] => [26][mod/forum:viewpost] = 1
* [26][mod/forum:startdiscussion] = -8990
* [26][mod/forum:editallpost] = -1
* [273][moodle:blahblah] = 1
* [273][moodle:blahblahblah] = 2
*/
require_once $CFG->dirroot.'/lib/blocklib.php';
// permission definitions
define('CAP_INHERIT', 0);
define('CAP_ALLOW', 1);
define('CAP_PREVENT', -1);
define('CAP_PROHIBIT', -1000);
// context definitions
define('CONTEXT_SYSTEM', 10);
define('CONTEXT_PERSONAL', 20);
define('CONTEXT_USER', 30);
define('CONTEXT_COURSECAT', 40);
define('CONTEXT_COURSE', 50);
define('CONTEXT_GROUP', 60);
define('CONTEXT_MODULE', 70);
define('CONTEXT_BLOCK', 80);
// capability risks - see http://docs.moodle.org/en/Hardening_new_Roles_system
define('RISK_MANAGETRUST', 0x0001);
define('RISK_CONFIG', 0x0002);
define('RISK_XSS', 0x0004);
define('RISK_PERSONAL', 0x0008);
define('RISK_SPAM', 0x0010);
require_once($CFG->dirroot.'/group/lib.php');
$context_cache = array(); // Cache of all used context objects for performance (by level and instance)
$context_cache_id = array(); // Index to above cache by id
function get_role_context_caps($roleid, $context) {
//this is really slow!!!! - do not use above course context level!
$result = array();
$result[$context->id] = array();
// first emulate the parent context capabilities merging into context
$searchcontexts = array_reverse(get_parent_contexts($context));
array_push($searchcontexts, $context->id);
foreach ($searchcontexts as $cid) {
if ($capabilities = get_records_select('role_capabilities', "roleid = $roleid AND contextid = $cid")) {
foreach ($capabilities as $cap) {
if (!array_key_exists($cap->capability, $result[$context->id])) {
$result[$context->id][$cap->capability] = 0;
}
$result[$context->id][$cap->capability] += $cap->permission;
}
}
}
// now go through the contexts bellow given context
$searchcontexts = array_keys(get_child_contexts($context));
foreach ($searchcontexts as $cid) {
if ($capabilities = get_records_select('role_capabilities', "roleid = $roleid AND contextid = $cid")) {
foreach ($capabilities as $cap) {
if (!array_key_exists($cap->contextid, $result)) {
$result[$cap->contextid] = array();
}
$result[$cap->contextid][$cap->capability] = $cap->permission;
}
}
}
return $result;
}
function get_role_caps($roleid) {
$result = array();
if ($capabilities = get_records_select('role_capabilities',"roleid = $roleid")) {
foreach ($capabilities as $cap) {
if (!array_key_exists($cap->contextid, $result)) {
$result[$cap->contextid] = array();
}
$result[$cap->contextid][$cap->capability] = $cap->permission;
}
}
return $result;
}
function merge_role_caps($caps, $mergecaps) {
if (empty($mergecaps)) {
return $caps;
}
if (empty($caps)) {
return $mergecaps;
}
foreach ($mergecaps as $contextid=>$capabilities) {
if (!array_key_exists($contextid, $caps)) {
$caps[$contextid] = array();
}
foreach ($capabilities as $capability=>$permission) {
if (!array_key_exists($capability, $caps[$contextid])) {
$caps[$contextid][$capability] = 0;
}
$caps[$contextid][$capability] += $permission;
}
}
return $caps;
}
/**
* Gets the access for the default guest role to the current user in a
* specific context.
* @return array
*/
function get_role_access($roleid, $acc=NULL) {
global $CFG;
/* Get it in 1 cheap DB query...
* - relevant role caps at the root and down
* to the course level - but not below
*/
if (is_null($acc)) {
$acc = array(); // named list
$acc['ra'] = array();
$acc['rdef'] = array();
$acc['loaded'] = array();
}
$base = '/' . SYSCONTEXTID;
//
// Overrides for the role IN ANY CONTEXTS
// down to COURSE - not below -
//
$sql = "SELECT ctx.path,
rc.capability, rc.permission
FROM {$CFG->prefix}context ctx
JOIN {$CFG->prefix}role_capabilities rc
ON rc.contextid=ctx.id
WHERE rc.roleid = {$roleid}
AND ctx.contextlevel <= ".CONTEXT_COURSE."
ORDER BY ctx.depth, ctx.path";
$rs = get_recordset_sql($sql);
if ($rs->RecordCount()) {
while ($rd = rs_fetch_next_record($rs)) {
$k = "{$rd->path}:{$roleid}";
$acc['rdef'][$k][$rd->capability] = $rd->permission;
}
unset($rd);
}
rs_close($rs);
return $acc;
}
/**
* Get the id for the not-logged-in role - or set it up if needed
* @return bool
*/
function get_notloggedin_roleid($return=false) {
global $CFG, $USER;
if (empty($CFG->notloggedinroleid)) { // Let's set the default to the guest role
if ($role = get_guest_role()) {
set_config('notloggedinroleid', $role->id);
return $role->id;
} else {
return false;
}
} else {
return $CFG->notloggedinroleid;
}
return (get_record('role','id', $CFG->notloggedinas));
}
/**
* Load default logged in role capabilities for all logged in users
* @return bool
*/
function load_defaultuser_role($return=false) {
global $CFG, $USER;
if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM)) {
return false;
}
if (empty($CFG->defaultuserroleid)) { // Let's set the default to the guest role
if ($role = get_guest_role()) {
set_config('defaultuserroleid', $role->id);
} else {
return false;
}
}
$capabilities = get_role_caps($CFG->defaultuserroleid);
// fix the guest user heritage:
// If the default role is a guest role, then don't copy legacy:guest,
// otherwise this user could get confused with a REAL guest. Also don't copy
// course:view, which is a hack that's necessary because guest roles are
// not really handled properly (see MDL-7513)
if (!empty($capabilities[$sitecontext->id]['moodle/legacy:guest'])) {
unset($capabilities[$sitecontext->id]['moodle/legacy:guest']);
unset($capabilities[$sitecontext->id]['moodle/course:view']);
}
if ($return) {
return $capabilities;
} else {
has_capability('clearcache');
$USER->capabilities = $capabilities;
return true;
}
}
/**
* Get the default guest role
* @return object role
*/
function get_guest_role() {
global $CFG;
if (empty($CFG->guestroleid)) {
if ($roles = get_roles_with_capability('moodle/legacy:guest', CAP_ALLOW)) {
$guestrole = array_shift($roles); // Pick the first one
set_config('guestroleid', $guestrole->id);
return $guestrole;
} else {
debugging('Can not find any guest role!');
return false;
}
} else {
if ($guestrole = get_record('role','id', $CFG->guestroleid)) {
return $guestrole;
} else {
//somebody is messing with guest roles, remove incorrect setting and try to find a new one
set_config('guestroleid', '');
return get_guest_role();
}
}
}
/**
* This functions get all the course categories in proper order
* (!)note this only gets course category contexts, and not the site
* context
* @param object $context
* @return array of contextids
*/
function get_parent_cats($context) {
global $COURSE;
switch ($context->contextlevel) {
// a category can be the parent of another category
// there is no limit of depth in this case
case CONTEXT_COURSECAT:
static $categoryparents = null; // cache for parent categories
if (!isset($categoryparents)) {
$categoryparents = array();
}
if (array_key_exists($context->instanceid, $categoryparents)) {
return $categoryparents[$context->instanceid];
}
if (!$cat = get_record('course_categories','id',$context->instanceid)) {
//error?
return array();
}
$parents = array();
while (!empty($cat->parent)) {
if (!$catcontext = get_context_instance(CONTEXT_COURSECAT, $cat->parent)) {
debugging('Incorrect category parent');
break;
}
$parents[] = $catcontext->id;
$cat = get_record('course_categories','id',$cat->parent);
}
return $categoryparents[$context->instanceid] = array_reverse($parents);
break;
// a course always fall into a category, unless it's a site course
// this happens when SITEID == $course->id
// in this case the parent of the course is site context
case CONTEXT_COURSE:
static $courseparents = null; // cache course parents
if (!isset($courseparents)) {
$courseparents = array();
}
if (array_key_exists($context->instanceid, $courseparents)) {
return $courseparents[$context->instanceid];
}
if (count($courseparents) > 1000) {
$courseparents = array(); // max cache size when looping through thousands of courses
}
if ($context->instanceid == SITEID) {
return $courseparents[$context->instanceid] = array(); // frontpage course does not have parent cats
}
if ($context->instanceid == $COURSE->id) {
$course = $COURSE;
} else if (!$course = get_record('course', 'id', $context->instanceid)) {
//error?
return array();;
}
if (empty($course->category)) {
// this should not happen
return $courseparents[$context->instanceid] = array();
}
if (!$catcontext = get_context_instance(CONTEXT_COURSECAT, $course->category)) {
debugging('Incorect course category');
return array();;
}
return $courseparents[$context->instanceid] = array_merge(get_parent_cats($catcontext), array($catcontext->id)); //recursion :-)
break;
default:
// something is very wrong!
return array();
break;
}
}
function has_capability($capability, $context=NULL, $userid=NULL, $doanything=true) {
global $USER, $CONTEXT, $ACCESS, $CFG;
/// Make sure we know the current context
if (empty($context)) { // Use default CONTEXT if none specified
if (empty($CONTEXT)) {
return false;
} else {
$context = $CONTEXT;
}
}
if (empty($CONTEXT)) {
$CONTEXT = $context;
}
if (is_null($userid) || $userid===0) {
$userid = $USER->id;
}
//error_log(print_r($context,1));
$contexts = array();
if (empty($context->path)) {
$contexts[] = SYSCONTEXTID;
$context->path = '/' . SYSCONTEXTID;
if (isset($context->id) && $context->id ==! SYSCONTEXTID) {
$contexts[] = $context->id;
$context->path .= '/' . $context->id;
}
} else {
$contexts = explode('/', $context->path);
array_shift($contexts);
}
if ($USER->id === 0 && !isset($USER->access)) {
load_all_capabilities();
}
// divulge how many times we are called
//// error_log("has_capability: id:{$context->id} path:{$context->path} userid:$userid cap:$capability");
if ($USER->id === $userid) {
//
// For the logged in user, we have $USER->access
// which will have all RAs and caps preloaded for
// course and above contexts.
//
// Contexts below courses && contexts that do not
// hang from courses are loaded into $USER->access
// on demand, and listed in $USER->access[loaded]
//
if ($context->contextlevel <= CONTEXT_COURSE) {
// Course and above are always preloaded
return has_cap_fromsess($capability, $context, $USER->access, $doanything);
}
// Load it as needed
if (!access_insess($context->path,$USER->access)) {
error_log("loading access for context {$context->path} for $capability at {$context->contextlevel} {$context->id}");
// $bt = debug_backtrace();
// error_log("bt {$bt[0]['file']} {$bt[0]['line']}");
$USER->access = get_user_access_bycontext($USER->id, $context,
$USER->access);
}
return has_cap_fromsess($capability, $context,
$USER->access, $doanything);
}
if (!isset($ACCESS)) {
$ACCESS = array();
}
if (!isset($ACCESS[$userid])) {
load_user_accessdata($userid);
}
return has_cap_fromsess($capability, $context,
$ACCESS[$userid], $doanything);
}
function get_course_from_path ($path) {
// assume that nothing is more than 1 course deep
if (preg_match('!^(/.+)/\d+$!', $path, $matches)) {
return $matches[1];
}
return false;
}
function access_insess($path, $sess) {
// assume that contexts hang from sys or from a course
// this will only work well with stuff that hangs from a course
if (in_array($path, $sess['loaded'], true)) {
error_log("found it!");
return true;
}
$base = '/' . SYSCONTEXTID;
while (preg_match('!^(/.+)/\d+$!', $path, $matches)) {
$path = $matches[1];
if ($path === $base) {
return false;
}
if (in_array($path, $sess['loaded'], true)) {
return true;
}
}
return false;
}
/*
* Walk the accessinfo array and return true/false.
* Deals with prohibits, roleswitching, aggregating
* capabilities, etc.
*
* The main feature of here is being FAST and with no
* side effects.
*
* TODO:
*
* - Support for multi-enrol
* - Document how it works
* - Rewrite in ASM :-)
*
*/
function has_cap_fromsess($capability, $context, $sess, $doanything) {
$path = $context->path;
// build $contexts as a list of "paths" of the current
// contexts and parents with the order top-to-bottom
$contexts = array($path);
while (preg_match('!^(/.+)/\d+$!', $path, $matches)) {
$path = $matches[1];
array_unshift($contexts, $path);
}
// Add a "default" context for the "default role"
array_unshift($contexts,"$path:def");
$cc = count($contexts);
$can = false;
if (isset($sess['rsw'])) {
// check for isset() is fast
// empty() is slow...
if (empty($sess['rsw'])) {
unset($sess['rsw']); // keep things fast
break;
}
// From the bottom up...
for ($n=$cc-1;$n>=0;$n--) {
$ctxp = $contexts[$n];
if (isset($sess['rsw'][$ctxp])) {
// Found a switchrole assignment
$roleid = $sess['rsw'][$ctxp];
// Walk the path for capabilities
// from the bottom up...
for ($m=$cc-1;$m>=0;$m--) {
$capctxp = $contexts[$m];
if (isset($sess['rdef']["{$capctxp}:$roleid"][$capability])) {
$perm = $sess['rdef']["{$capctxp}:$roleid"][$capability];
if ($perm === CAP_PROHIBIT) {
return false;
} else {
$can += $perm;
}
}
}
// As we are dealing with a switchrole,
// we return _here_, do _not_ walk up
// the hierarchy any further
if ($can < 1) {
if ($doanything) {
// didn't find it as an explicit cap,
// but maybe the user candoanything in this context...
return has_cap_fromsess('moodle/site:doanything', $context,
$sess, false);
} else {
return false;
}
} else {
return true;
}
}
}
}
// From the bottom up... for non-switchers...
for ($n=$cc-1;$n>=0;$n--) {
$ctxp = $contexts[$n];
if (isset($sess['ra'][$ctxp])) {
// Found role assignments on this leaf
$ras = $sess['ra'][$ctxp];
$rc = count($ras);
for ($rn=0;$rn<$rc;$rn++) {
$roleid = $ras[$rn];
// Walk the path for capabilities
// from the bottom up...
for ($m=$cc-1;$m>=0;$m--) {
$capctxp = $contexts[$m];
if (isset($sess['rdef']["{$capctxp}:$roleid"][$capability])) {
$perm = $sess['rdef']["{$capctxp}:$roleid"][$capability];
if ($perm === CAP_PROHIBIT) {
return false;
} else {
$can += $perm;
}
}
}
}
}
}
if ($can < 1) {
if ($doanything) {
// didn't find it as an explicit cap,
// but maybe the user candoanything in this context...
return has_cap_fromsess('moodle/site:doanything', $context,
$sess, false);
} else {
return false;
}
} else {
return true;
}
}
function aggr_roles_fromsess($context, $sess) {
$path = $context->path;
// build $contexts as a list of "paths" of the current
// contexts and parents with the order top-to-bottom
$contexts = array($path);
while (preg_match('!^(/.+)/\d+$!', $path, $matches)) {
$path = $matches[1];
array_unshift($contexts, $path);
}
// Add a "default" context for the "default role"
array_unshift($contexts,"$path:def");
$cc = count($contexts);
$roles = array();
// From the bottom up...
for ($n=$cc-1;$n>=0;$n--) {
$ctxp = $contexts[$n];
if (isset($sess['ra'][$ctxp]) && count($sess['ra'][$ctxp])) {
// Found assignments on this leaf
$addroles = $sess['ra'][$ctxp];
$roles = array_merge($roles, $addroles);
}
}
return array_unique($roles);
}
/**
* This function checks for a capability assertion being true. If it isn't
* then the page is terminated neatly with a standard error message
* @param string $capability - name of the capability
* @param object $context - a context object (record from context table)
* @param integer $userid - a userid number
* @param bool $doanything - if false, ignore do anything
* @param string $errorstring - an errorstring
* @param string $stringfile - which stringfile to get it from
*/
function require_capability($capability, $context=NULL, $userid=NULL, $doanything=true,
$errormessage='nopermissions', $stringfile='') {
global $USER, $CFG;
/// If the current user is not logged in, then make sure they are (if needed)
if (empty($userid) and empty($USER->capabilities)) {
if ($context && ($context->contextlevel == CONTEXT_COURSE)) {
require_login($context->instanceid);
} else if ($context && ($context->contextlevel == CONTEXT_MODULE)) {
if ($cm = get_record('course_modules','id',$context->instanceid)) {
if (!$course = get_record('course', 'id', $cm->course)) {
error('Incorrect course.');
}
require_course_login($course, true, $cm);
} else {
require_login();
}
} else if ($context && ($context->contextlevel == CONTEXT_SYSTEM)) {
if (!empty($CFG->forcelogin)) {
require_login();
}
} else {
require_login();
}
}
/// OK, if they still don't have the capability then print a nice error message
if (!has_capability($capability, $context, $userid, $doanything)) {
$capabilityname = get_capability_string($capability);
print_error($errormessage, $stringfile, '', $capabilityname);
}
}
/**
* Cheks if current user has allowed permission for any of submitted capabilities
* in given or child contexts.
* @param object $context - a context object (record from context table)
* @param array $capabilitynames array of strings, capability names
* @return boolean
*/
function has_capability_including_child_contexts($context, $capabilitynames) {
global $USER;
foreach ($capabilitynames as $capname) {
if (has_capability($capname, $context)) {
return true;
}
}
if ($children = get_child_contexts($context)) {
foreach ($capabilitynames as $capname) {
foreach ($children as $child) {
if (isset($USER->capabilities[$child][$capname]) and $USER->capabilities[$child][$capname] > 0) {
// extra check for inherited prevent and prohibit
if (has_capability($capname, get_context_instance_by_id($child), $USER->id, false)) {
return true;
}
}
}
}
}
return false;
}
/*
* Get an array of courses (with magic extra bits)
* where the access sess data and in DB enrolments show
* that the cap requested is available.
*
* The main use is for get_my_courses().
*
* Notes
*
* - $fields is an array of fieldnames to ADD
* so name the fields you really need, which will
* be added and uniq'd
*
* - the course records have $c->context which is a fully
* valid context object. Saves you a query per course!
*
* - current implementation is split in -
*
* - if the user has the cap systemwide, stupidly
* grab *every* course for a capcheck. This eats
* a TON of bandwidth, specially on large sites
* with separate DBs...
*
* - otherwise, fetch "likely" courses with a wide net
* that should get us _cheaply_ at least the courses we need, and some
* we won't - we get courses that...
* - are in a category where user has the cap
* - or where use has a role-assignment (any kind)
* - or where the course has an override on for this cap
*
* - walk the courses recordset checking the caps oneach one
* the checks are all in memory and quite fast
* (though we could implement a specialised variant of the
* has_cap_fromsess() code to speed it up)
*
* @param string $capability - name of the capability
* @param array $sess - access session array
* @param bool $doanything - if false, ignore do anything
* @param string $sort - sorting fields - prefix each fieldname with "c."
* @param array $fields - additional fields you are interested in...
* @param int $limit - set if you want to limit the number of courses
* @return array $courses - ordered array of course objects - see notes above
*
*/
function get_user_courses_bycap($userid, $cap, $sess, $doanything, $sort='c.sortorder ASC', $fields=NULL, $limit=0) {
global $CFG;
// Slim base fields, let callers ask for what they need...
$basefields = array('id', 'sortorder', 'shortname', 'idnumber');
if (!is_null($fields)) {
$fields = array_merge($basefields, $fields);
$fields = array_unique($fields);
} else {
$fields = $basefields;
}
$coursefields = 'c.' .join(',c.', $fields);
$sysctx = get_context_instance(CONTEXT_SYSTEM);
if (has_cap_fromsess($cap, $sysctx, $sess, $doanything)) {
//
// Apparently the user has the cap sitewide, so walk *every* course
// (the cap checks are moderately fast, but this moves massive bandwidth w the db)
// Yuck.
//
$sql = "SELECT $coursefields,
ctx.id AS ctxid, ctx.path AS ctxpath, ctx.depth as ctxdepth
FROM {$CFG->prefix}course c
JOIN {$CFG->prefix}context ctx
ON (c.id=ctx.instanceid AND ctx.contextlevel=".CONTEXT_COURSE.")
ORDER BY $sort ";
$rs = get_recordset_sql($sql);
} else {
//
// narrow down where we have the caps to a few contexts
// this will be a combination of
// - categories where we have the rights
// - courses where we have an explicit enrolment OR that have an override
//
$sql = "SELECT ctx.*
FROM {$CFG->prefix}context ctx
WHERE ctx.contextlevel=".CONTEXT_COURSECAT."
ORDER BY ctx.depth";
$rs = get_recordset_sql($sql);
$catpaths = array();
if ($rs->RecordCount()) {
while ($catctx = rs_fetch_next_record($rs)) {
if ($catctx->path != ''
&& has_cap_fromsess($cap, $catctx, $sess, $doanything)) {
$catpaths[] = $catctx->path;
}
}
}
rs_close($rs);
$catclause = '';
if (count($catpaths)) {
$cc = count($catpaths);
for ($n=0;$n<$cc;$n++) {
$catpaths[$n] = "ctx.path LIKE '{$catpaths[$n]}/%'";
}
$catclause = 'OR (' . join(' OR ', $catpaths) .')';
}
unset($catpaths);
$capany = '';
if ($doanything) {
$capany = " OR rc.capability='moodle/site:doanything'";
}
//
// Note here that we *have* to have the compound clauses
// in the LEFT OUTER JOIN condition for them to return NULL
// appropriately and narrow things down...
//
$sql = "SELECT $coursefields,
ctx.id AS ctxid, ctx.path AS ctxpath, ctx.depth as ctxdepth
FROM {$CFG->prefix}course c
JOIN {$CFG->prefix}context ctx
ON (c.id=ctx.instanceid AND ctx.contextlevel=".CONTEXT_COURSE.")
LEFT OUTER JOIN {$CFG->prefix}role_assignments ra
ON (ra.contextid=ctx.id AND ra.userid=$userid)
LEFT OUTER JOIN {$CFG->prefix}role_capabilities rc
ON (rc.contextid=ctx.id AND (rc.capability='$cap' $capany))
WHERE ra.id IS NOT NULL
OR rc.id IS NOT NULL
$catclause
ORDER BY $sort ";
$rs = get_recordset_sql($sql);
}
$courses = array();
$cc = 0; // keep count
if ($rs->RecordCount()) {
while ($c = rs_fetch_next_record($rs)) {
// build the context obj
$c = make_context_subobj($c);
if (has_cap_fromsess($cap, $ctx, $sess, $doanything)) {
$courses[] = $c;
if ($limit > 0 && $cc++ > $limit) {
break;
}
}
}
}
rs_close($rs);
return $courses;
}
/*
* Draft - use for the course participants list page
*
* Uses 1 DB query (cheap too - 2~7ms).
*
* TODO:
* - implement additional where clauses
* - sorting
* - get course participants list to use it!
*
* returns a users array, both sorted _and_ keyed
* on id (as get_my_courses() does)
*
* as a bonus, every user record comes with its own
* personal context, as our callers need it straight away
* {save 1 dbquery per user! yay!}
*
*/
function get_context_users_byrole ($context, $roleid, $fields=NULL, $where=NULL, $sort=NULL, $limit=0) {
global $CFG;
// Slim base fields, let callers ask for what they need...
$basefields = array('id', 'username');
if (!is_null($fields)) {
$fields = array_merge($basefields, $fields);
$fields = array_unique($fields);
} else {
$fields = $basefields;
}
$userfields = 'u.' .join(',u.', $fields);
$contexts = substr($context->path, 1); // kill leading slash
$contexts = str_replace('/', ',', $contexts);
$sql = "SELECT $userfields,
ctx.id AS ctxid, ctx.path AS ctxpath, ctx.depth as ctxdepth
FROM {$CFG->prefix}user u
JOIN {$CFG->prefix}context ctx
ON (u.id=ctx.instanceid AND ctx.contextlevel=".CONTEXT_USER.")
JOIN {$CFG->prefix}role_assignments ra
ON u.id = ra.userid
WHERE ra.roleid = $roleid
AND ra.contextid IN ($contexts)";
$rs = get_recordset_sql($sql);
$users = array();
$cc = 0; // keep count
if ($rs->RecordCount()) {
while ($u = rs_fetch_next_record($rs)) {
// build the context obj
$u = make_context_subobj($u);
$users[] = $u;
if ($limit > 0 && $cc++ > $limit) {
break;
}
}
}
rs_close($rs);
return $users;
}
/*
* Draft - use for the course participants list page
*
* Uses 2 fast DB queries
*
* TODO:
* - automagically exclude roles that can-doanything sitewide (See callers)
* - perhaps also allow sitewide do-anything via flag
* - implement additional where clauses
* - sorting
* - get course participants list to use it!
*
* returns a users array, both sorted _and_ keyed
* on id (as get_my_courses() does)
*
* as a bonus, every user record comes with its own
* personal context, as our callers need it straight away
* {save 1 dbquery per user! yay!}
*
*/
function get_context_users_bycap ($context, $capability='moodle/course:view', $fields=NULL, $where=NULL, $sort=NULL, $limit=0) {
global $CFG;
// Plan
//
// - Get all the *interesting* roles -- those that
// have some rolecap entry in our ctx.path contexts
//
// - Get all RAs for any of those roles in any of our
// interesting contexts, with userid & perm data
// in a nice (per user?) order
//
// - Walk the resultset, computing the permissions
// - actually - this is all a SQL subselect
//
// - Fetch user records against the subselect
//
// Slim base fields, let callers ask for what they need...
$basefields = array('id', 'username');
if (!is_null($fields)) {
$fields = array_merge($basefields, $fields);
$fields = array_unique($fields);
} else {
$fields = $basefields;
}
$userfields = 'u.' .join(',u.', $fields);
$contexts = substr($context->path, 1); // kill leading slash
$contexts = str_replace('/', ',', $contexts);
$roles = array();
$sql = "SELECT DISTINCT rc.roleid
FROM {$CFG->prefix}role_capabilities rc
WHERE rc.capability = '$capability'
AND rc.contextid IN ($contexts)";
$rs = get_recordset_sql($sql);
if ($rs->RecordCount()) {
while ($u = rs_fetch_next_record($rs)) {
$roles[] = $u->roleid;
}
}
rs_close($rs);
$roles = join(',', $roles);
//
// User permissions subselect SQL
//
// - the open join condition to
// role_capabilities
//
// - because both rc and ra entries are
// _at or above_ our context, we don't care
// about their depth, we just need to sum them
//
$sql = "SELECT ra.userid, SUM(rc.permission) AS permission
FROM {$CFG->prefix}role_assignments ra
JOIN {$CFG->prefix}role_capabilities rc
ON (ra.roleid = rc.roleid AND rc.contextid IN ($contexts))
WHERE ra.contextid IN ($contexts)
AND ra.roleid IN ($roles)
GROUP BY ra.userid";
// Get users
$sql = "SELECT $userfields,
ctx.id AS ctxid, ctx.path AS ctxpath, ctx.depth as ctxdepth
FROM {$CFG->prefix}user u
JOIN {$CFG->prefix}context ctx
ON (u.id=ctx.instanceid AND ctx.contextlevel=".CONTEXT_USER.")
JOIN ($sql) up
ON u.id = up.userid
WHERE up.permission > 0 AND u.username != 'guest'";
$rs = get_recordset_sql($sql);
$users = array();
$cc = 0; // keep count
if ($rs->RecordCount()) {
while ($u = rs_fetch_next_record($rs)) {
// build the context obj
$u = make_context_subobj($u);
$users[] = $u;
if ($limit > 0 && $cc++ > $limit) {
break;
}
}
}
rs_close($rs);
return $users;
}
/**
* It will return a nested array showing role assignments
* all relevant role capabilities for the user at
* site/metacourse/course_category/course levels
*
* We do _not_ delve deeper than courses because the number of
* overrides at the module/block levels is HUGE.
*
* [ra] => [/path/] = array(roleid, roleid)
* [rdef] => [/path/:roleid][capability]=permission
* [loaded] => array('/path', '/path')
*
* @param $userid integer - the id of the user
*
*/
function get_user_access_sitewide($userid) {
global $CFG;
// this flag has not been set!
// (not clean install, or upgraded successfully to 1.7 and up)
if (empty($CFG->rolesactive)) {
return false;
}
/* Get in 3 cheap DB queries...
* - role assignments - with role_caps
* - relevant role caps
* - above this user's RAs
* - below this user's RAs - limited to course level
*/
$acc = array(); // named list
$acc['ra'] = array();
$acc['rdef'] = array();
$acc['loaded'] = array();
$sitectx = get_field('context', 'id','contextlevel', CONTEXT_SYSTEM);
$base = "/$sitectx";
//
// Role assignments - and any rolecaps directly linked
// because it's cheap to read rolecaps here over many
// RAs
//
$sql = "SELECT ctx.path, ra.roleid, rc.capability, rc.permission
FROM {$CFG->prefix}role_assignments ra
JOIN {$CFG->prefix}context ctx
ON ra.contextid=ctx.id
LEFT OUTER JOIN {$CFG->prefix}role_capabilities rc
ON (rc.roleid=ra.roleid AND rc.contextid=ra.contextid)
WHERE ra.userid = $userid AND ctx.contextlevel <= ".CONTEXT_COURSE."
ORDER BY ctx.depth, ctx.path";
$rs = get_recordset_sql($sql);
//
// raparents collects paths & roles we need to walk up
// the parenthood to build the rdef
//
// the array will bulk up a bit with dups
// which we'll later clear up
//
$raparents = array();
$lastseen = '';
if ($rs->RecordCount()) {
while ($ra = rs_fetch_next_record($rs)) {
// RAs leafs are arrays to support multi
// role assignments...
if (!isset($acc['ra'][$ra->path])) {
$acc['ra'][$ra->path] = array();
}
// only add if is not a repeat caused
// by capability join...
// (this check is cheaper than in_array())
if ($lastseen !== $ra->path.':'.$ra->roleid) {
$lastseen = $ra->path.':'.$ra->roleid;
array_push($acc['ra'][$ra->path], $ra->roleid);
$parentids = explode('/', $ra->path);
array_shift($parentids); // drop empty leading "context"
array_pop($parentids); // drop _this_ context
if (isset($raparents[$ra->roleid])) {
$raparents[$ra->roleid] = array_merge($raparents[$ra->roleid],
$parentids);
} else {
$raparents[$ra->roleid] = $parentids;
}
}
// Always add the roleded
if (!empty($ra->capability)) {
$k = "{$ra->path}:{$ra->roleid}";
$acc['rdef'][$k][$ra->capability] = $ra->permission;
}
}
unset($ra);
}
rs_close($rs);
// Walk up the tree to grab all the roledefs
// of interest to our user...
// NOTE: we use a series of IN clauses here - which
// might explode on huge sites with very convoluted nesting of
// categories... - extremely unlikely that the number of categories
// and roletypes is so large that we hit the limits of IN()
$clauses = array();
foreach ($raparents as $roleid=>$contexts) {
$contexts = sql_intarray_to_in(array_unique($contexts));
if ($contexts ==! '') {
$clauses[] = "(roleid=$roleid AND contextid IN ($contexts))";
}
}
$clauses = join(" OR ", $clauses);
$sql = "SELECT ctx.path, rc.roleid, rc.capability, rc.permission
FROM {$CFG->prefix}role_capabilities rc
JOIN {$CFG->prefix}context ctx
ON rc.contextid=ctx.id
WHERE $clauses
ORDER BY ctx.depth ASC, ctx.path DESC, rc.roleid ASC ";
$rs = get_recordset_sql($sql);
if ($rs->RecordCount()) {
while ($rd = rs_fetch_next_record($rs)) {
$k = "{$rd->path}:{$rd->roleid}";
$acc['rdef'][$k][$rd->capability] = $rd->permission;
}
unset($rd);
}
rs_close($rs);
//
// Overrides for the role assignments IN SUBCONTEXTS
// (though we still do _not_ go below the course level.
//
// NOTE that the JOIN w sctx is with 3-way triangulation to
// catch overrides to the applicable role in any subcontext, based
// on the path field of the parent.
//
$sql = "SELECT sctx.path, ra.roleid,
ctx.path AS parentpath,
rco.capability, rco.permission
FROM {$CFG->prefix}role_assignments ra
JOIN {$CFG->prefix}context ctx
ON ra.contextid=ctx.id
JOIN {$CFG->prefix}context sctx
ON (sctx.path LIKE ctx.path||'/%')
JOIN {$CFG->prefix}role_capabilities rco
ON (rco.roleid=ra.roleid AND rco.contextid=sctx.id)
WHERE ra.userid = $userid
AND sctx.contextlevel <= ".CONTEXT_COURSE."
ORDER BY sctx.depth, sctx.path, ra.roleid";
if ($rs->RecordCount()) {
while ($rd = rs_fetch_next_record($rs)) {
$k = "{$rd->path}:{$rd->roleid}";
$acc['rdef'][$k][$rd->capability] = $rd->permission;
}
unset($rd);
}
rs_close($rs);
return $acc;
}
/**
* It add to the access ctrl array the data
* needed by a user for a given context
*
* @param $userid integer - the id of the user
* @param $context context obj - needs path!
* @param $acc access array
*
*/
function get_user_access_bycontext($userid, $context, $acc=NULL) {
global $CFG;
/* Get the additional RAs and relevant rolecaps
* - role assignments - with role_caps
* - relevant role caps
* - above this user's RAs
* - below this user's RAs - limited to course level
*/
// Roles already in use in this context
$knownroles = array();
if (is_null($acc)) {
$acc = array(); // named list
$acc['ra'] = array();
$acc['rdef'] = array();
$acc['loaded'] = array();
} else {
$knownroles = aggr_roles_fromsess($context, $acc);
}
$base = "/" . SYSCONTEXTID;
// Determine the course context we'll go
// after, though we are usually called
// with a lower ctx. We have 3 easy cases
//
// - Course
// - BLOCK/PERSON/USER/COURSE(sitecourse) hanging from SYSTEM
// - BLOCK/MODULE/GROUP hanging from a course
//
// For course contexts, we _already_ have the RAs
// but the cost of re-fetching is minimal so we don't care.
// ... for now!
//
$targetpath;
$targetlevel;
if ($context->contextlevel === CONTEXT_COURSE) {
$targetpath = $context->path;
$targetlevel = $context->contextlevel;
} elseif ($context->path === "$base/{$context->id}") {
$targetpath = $context->path;
$targetlevel = $context->contextlevel;
} else {
// Assumption: the course _must_ be our parent
// If we ever see stuff nested further this needs to
// change to do 1 query over the exploded path to
// find out which one is the course
$targetpath = get_course_from_path($context->path);
$targetlevel = CONTEXT_COURSE;
}
//
// Role assignments in the context and below - and any rolecaps directly linked
// because it's cheap to read rolecaps here over many
// RAs
//
$sql = "SELECT ctx.path, ra.roleid, rc.capability, rc.permission
FROM {$CFG->prefix}role_assignments ra
JOIN {$CFG->prefix}context ctx
ON ra.contextid=ctx.id
LEFT OUTER JOIN {$CFG->prefix}role_capabilities rc
ON (rc.roleid=ra.roleid AND rc.contextid=ra.contextid)
WHERE ra.userid = $userid
AND (ctx.path = '$targetpath' OR ctx.path LIKE '{$targetpath}/%')
ORDER BY ctx.depth, ctx.path";
$rs = get_recordset_sql($sql);
//
// raparent collects paths & roles we need to walk up
//
// Here we only collect "different" role assignments
// that - if found - we have to walk up the parenthood
// to build the rdef.
//
// raparents array might have a few duplicates
// which we'll later clear up
//
$raparents = array();
$newroles = array();
$lastseen = '';
if ($rs->RecordCount()) {
while ($ra = rs_fetch_next_record($rs)) {
if ($lastseen !== $ra->path.':'.$ra->roleid) {
// only add if is not a repeat caused
// by capability join...
// (this check is cheaper than in_array())
$lastseen = $ra->path.':'.$ra->roleid;
if (!isset($acc['ra'][$ra->path])) {
$acc['ra'][$ra->path] = array();
}
array_push($acc['ra'][$ra->path], $ra->roleid);
if (!in_array($ra->roleid, $knownroles)) {
$newroles[] = $ra->roleid;
$parentids = explode('/', $ra->path);
array_pop($parentids); array_shift($parentids);
if (isset($raparents[$ra->roleid])) {
$raparents[$ra->roleid] = array_merge($raparents[$ra->roleid], $parentids);
} else {
$raparents[$ra->roleid] = $parentids;
}
}
}
if (!empty($ra->capability)) {
$k = "{$ra->path}:{$ra->roleid}";
$acc['rdef'][$k][$ra->capability] = $ra->permission;
}
}
$newroles = array_unique($newroles);
}
rs_close($rs);
//
// Walk up the tree to grab all the roledefs
// of interest to our user...
// NOTE: we use a series of IN clauses here - which
// might explode on huge sites with very convoluted nesting of
// categories... - extremely unlikely that the number of categories
// and roletypes is so large that we hit the limits of IN()
//
if (count($raparents)) {
$clauses = array();
foreach ($raparents as $roleid=>$contexts) {
$contexts = sql_intarray_to_in(array_unique($contexts));
if ($contexts ==! '') {
$clauses[] = "(roleid=$roleid AND contextid IN ($contexts))";
}
}
$clauses = join(" OR ", $clauses);
$sql = "SELECT ctx.path, rc.roleid, rc.capability, rc.permission
FROM {$CFG->prefix}role_capabilities rc
JOIN {$CFG->prefix}context ctx
ON rc.contextid=ctx.id
WHERE $clauses
ORDER BY ctx.depth ASC, ctx.path DESC, rc.roleid ASC ";
$rs = get_recordset_sql($sql);
if ($rs->RecordCount()) {
while ($rd = rs_fetch_next_record($rs)) {
$k = "{$rd->path}:{$rd->roleid}";
$acc['rdef'][$k][$rd->capability] = $rd->permission;
}
}
rs_close($rs);
}
//
// Overrides for the relevant roles IN SUBCONTEXTS
//
// NOTE that we use IN() but the number of roles is
// very limited.
//
$roleids = sql_intarray_to_in(array_merge($newroles, $knownroles));
$sql = "SELECT ctx.path, rc.roleid,
rc.capability, rc.permission
FROM {$CFG->prefix}context ctx
JOIN {$CFG->prefix}role_capabilities rc
ON rc.contextid=ctx.id
WHERE ctx.path LIKE '{$targetpath}/%'
AND rc.roleid IN ($roleids)
ORDER BY ctx.depth, ctx.path, rc.roleid";
$rs = get_recordset_sql($sql);
if ($rs->RecordCount()) {
while ($rd = rs_fetch_next_record($rs)) {
$k = "{$rd->path}:{$rd->roleid}";
$acc['rdef'][$k][$rd->capability] = $rd->permission;
}
}
rs_close($rs);
// TODO: compact capsets?
error_log("loaded $targetpath");
$acc['loaded'][] = $targetpath;
return $acc;
}
/**
* It add to the access ctrl array the data
* needed by a role for a given context.
*
* The data is added in the rdef key.
*
* This role-centric function is useful for role_switching
* and to get an overview of what a role gets under a
* given context and below...
*
* @param $roleid integer - the id of the user
* @param $context context obj - needs path!
* @param $acc access array
*
*/
function get_role_access_bycontext($roleid, $context, $acc=NULL) {
global $CFG;
/* Get the relevant rolecaps into rdef
* - relevant role caps
* - at ctx and above
* - below this ctx
*/
if (is_null($acc)) {
$acc = array(); // named list
$acc['ra'] = array();
$acc['rdef'] = array();
$acc['loaded'] = array();
}
$contexts = substr($context->path, 1); // kill leading slash
$contexts = str_replace('/', ',', $contexts);
//
// Walk up and down the tree to grab all the roledefs
// of interest to our role...
//
// NOTE: we use an IN clauses here - which
// might explode on huge sites with very convoluted nesting of
// categories... - extremely unlikely that the number of nested
// categories is so large that we hit the limits of IN()
//
$sql = "SELECT ctx.path, rc.capability, rc.permission
FROM {$CFG->prefix}role_capabilities rc
JOIN {$CFG->prefix}context ctx
ON rc.contextid=ctx.id
WHERE rc.roleid=$roleid AND
( ctx.id IN ($contexts) OR
ctx.path LIKE '{$context->path}/%' )
ORDER BY ctx.depth ASC, ctx.path DESC, rc.roleid ASC ";
$rs = get_recordset_sql($sql);
if ($rs->RecordCount()) {
while ($rd = rs_fetch_next_record($rs)) {
$k = "{$rd->path}:{$roleid}";
$acc['rdef'][$k][$rd->capability] = $rd->permission;
}
}
rs_close($rs);
return $acc;
}
/*
* Load accessdata for a user
* into the $ACCESS global
*
* Used by has_capability() - but feel free
* to call it if you are about to run a BIG
* cron run across a bazillion users.
*
* TODO: share rdef tree to save mem
*
*/
function load_user_accessdata($userid) {
global $ACCESS,$CFG;
if (!isset($ACCESS)) {
$ACCESS = array();
}
$access = get_user_access_sitewide($userid);
get_role_access($CFG->defaultuserroleid, $access);
// provide "default" enrolment
$base = '/'.SYSCONTEXTID;
$access['ra']["$base:def"] = array($CFG->defaultuserroleid);
// guest role mangling - TODO: fix!
if ($CFG->defaultuserroleid === $CFG->guestroleid ) {
if (isset($access['rdef']["$base:{$CFG->guestroleid}"]['moodle/legacy:guest'])) {
unset($access['rdef']["$base:{$CFG->guestroleid}"]['moodle/legacy:guest']);
}
if (isset($access['rdef']["$base:{$CFG->guestroleid}"]['moodle/course:view'])) {
unset($access['rdef']["$base:{$CFG->guestroleid}"]['moodle/course:view']);
}
}
$ACCESS[$userid] = $access;
return true;
}
/**
* A convenience function to completely load all the capabilities
* for the current user. This is what gets called from login, for example.
*/
function load_all_capabilities() {
global $USER,$CFG;
static $defcaps;
$base = '/'.SYSCONTEXTID;
if (isguestuser()) {
$guest = get_guest_role();
// Load the rdefs
$USER->access = get_role_access($guest->id);
// Put the ghost enrolment in place...
$USER->access['ra'][$base] = $guest->id;
} else if (isloggedin()) {
$USER->access = get_user_access_sitewide($USER->id);
$USER->access = get_role_access($CFG->defaultuserroleid, $USER->access);
// define a "default" enrolment
$USER->access['ra']["$base:def"] = array($CFG->defaultuserroleid);
if ($CFG->defaultuserroleid === $CFG->guestroleid ) {
if (isset($USER->access['rdef']["$base:{$CFG->guestroleid}"]['moodle/legacy:guest'])) {
unset($USER->access['rdef']["$base:{$CFG->guestroleid}"]['moodle/legacy:guest']);
}
if (isset($USER->access['rdef']["$base:{$CFG->guestroleid}"]['moodle/course:view'])) {
unset($USER->access['rdef']["$base:{$CFG->guestroleid}"]['moodle/course:view']);
}
}
// handle role switching in courses
if (!empty($USER->switchrole)) {
foreach ($USER->switchrole as $contextid => $roleid) {
$context = get_context_instance_by_id($contextid);
// first prune context and any child contexts
$children = array_keys(get_child_contexts($context));
foreach ($children as $childid) {
unset($USER->capabilities[$childid]);
}
unset($USER->capabilities[$contextid]);
// now merge all switched role caps in context and bellow
$swithccaps = get_role_context_caps($roleid, $context);
$USER->capabilities = merge_role_caps($USER->capabilities, $swithccaps);
}
}
if (isset($USER->capabilities)) {
$USER->capabilities = merge_role_caps($USER->capabilities, $defcaps);
} else {
$USER->capabilities = $defcaps;
}
} else {
if ($roleid = get_notloggedin_roleid()) {
$USER->access = get_role_access(get_notloggedin_roleid());
$USER->access['ra']["$base:def"] = array($roleid);
}
}
}
/**
* Check all the login enrolment information for the given user object
* by querying the enrolment plugins
*/
function check_enrolment_plugins(&$user) {
global $CFG;
static $inprogress; // To prevent this function being called more than once in an invocation
if (!empty($inprogress[$user->id])) {
return;
}
$inprogress[$user->id] = true; // Set the flag
require_once($CFG->dirroot .'/enrol/enrol.class.php');
if (!($plugins = explode(',', $CFG->enrol_plugins_enabled))) {
$plugins = array($CFG->enrol);
}
foreach ($plugins as $plugin) {
$enrol = enrolment_factory::factory($plugin);
if (method_exists($enrol, 'setup_enrolments')) { /// Plugin supports Roles (Moodle 1.7 and later)
$enrol->setup_enrolments($user);
} else { /// Run legacy enrolment methods
if (method_exists($enrol, 'get_student_courses')) {
$enrol->get_student_courses($user);
}
if (method_exists($enrol, 'get_teacher_courses')) {
$enrol->get_teacher_courses($user);
}
/// deal with $user->students and $user->teachers stuff
unset($user->student);
unset($user->teacher);
}
unset($enrol);
}
unset($inprogress[$user->id]); // Unset the flag
}
/**
* A print form function. This should either grab all the capabilities from
* files or a central table for that particular module instance, then present
* them in check boxes. Only relevant capabilities should print for known
* context.
* @param $mod - module id of the mod
*/
function print_capabilities($modid=0) {
global $CFG;
$capabilities = array();
if ($modid) {
// We are in a module specific context.
// Get the mod's name.
// Call the function that grabs the file and parse.
$cm = get_record('course_modules', 'id', $modid);
$module = get_record('modules', 'id', $cm->module);
} else {
// Print all capabilities.
foreach ($capabilities as $capability) {
// Prints the check box component.
}
}
}
/**
* Installs the roles system.
* This function runs on a fresh install as well as on an upgrade from the old
* hard-coded student/teacher/admin etc. roles to the new roles system.
*/
function moodle_install_roles() {
global $CFG, $db;
/// Create a system wide context for assignemnt.
$systemcontext = $context = get_context_instance(CONTEXT_SYSTEM);
/// Create default/legacy roles and capabilities.
/// (1 legacy capability per legacy role at system level).
$adminrole = create_role(addslashes(get_string('administrator')), 'admin',
addslashes(get_string('administratordescription')), 'moodle/legacy:admin');
$coursecreatorrole = create_role(addslashes(get_string('coursecreators')), 'coursecreator',
addslashes(get_string('coursecreatorsdescription')), 'moodle/legacy:coursecreator');
$editteacherrole = create_role(addslashes(get_string('defaultcourseteacher')), 'editingteacher',
addslashes(get_string('defaultcourseteacherdescription')), 'moodle/legacy:editingteacher');
$noneditteacherrole = create_role(addslashes(get_string('noneditingteacher')), 'teacher',
addslashes(get_string('noneditingteacherdescription')), 'moodle/legacy:teacher');
$studentrole = create_role(addslashes(get_string('defaultcoursestudent')), 'student',
addslashes(get_string('defaultcoursestudentdescription')), 'moodle/legacy:student');
$guestrole = create_role(addslashes(get_string('guest')), 'guest',
addslashes(get_string('guestdescription')), 'moodle/legacy:guest');
$userrole = create_role(addslashes(get_string('authenticateduser')), 'user',
addslashes(get_string('authenticateduserdescription')), 'moodle/legacy:user');
/// Now is the correct moment to install capabilities - after creation of legacy roles, but before assigning of roles
if (!assign_capability('moodle/site:doanything', CAP_ALLOW, $adminrole, $systemcontext->id)) {
error('Could not assign moodle/site:doanything to the admin role');
}
if (!update_capabilities()) {
error('Had trouble upgrading the core capabilities for the Roles System');
}
/// Look inside user_admin, user_creator, user_teachers, user_students and
/// assign above new roles. If a user has both teacher and student role,
/// only teacher role is assigned. The assignment should be system level.
$dbtables = $db->MetaTables('TABLES');
/// Set up the progress bar
$usertables = array('user_admins', 'user_coursecreators', 'user_teachers', 'user_students');
$totalcount = $progresscount = 0;
foreach ($usertables as $usertable) {
if (in_array($CFG->prefix.$usertable, $dbtables)) {
$totalcount += count_records($usertable);
}
}
print_progress(0, $totalcount, 5, 1, 'Processing role assignments');
/// Upgrade the admins.
/// Sort using id ASC, first one is primary admin.
if (in_array($CFG->prefix.'user_admins', $dbtables)) {
if ($rs = get_recordset_sql('SELECT * from '.$CFG->prefix.'user_admins ORDER BY ID ASC')) {
while ($admin = rs_fetch_next_record($rs)) {
role_assign($adminrole, $admin->userid, 0, $systemcontext->id);
$progresscount++;
print_progress($progresscount, $totalcount, 5, 1, 'Processing role assignments');
}
rs_close($rs);
}
} else {
// This is a fresh install.
}
/// Upgrade course creators.
if (in_array($CFG->prefix.'user_coursecreators', $dbtables)) {
if ($rs = get_recordset('user_coursecreators')) {
while ($coursecreator = rs_fetch_next_record($rs)) {
role_assign($coursecreatorrole, $coursecreator->userid, 0, $systemcontext->id);
$progresscount++;
print_progress($progresscount, $totalcount, 5, 1, 'Processing role assignments');
}
rs_close($rs);
}
}
/// Upgrade editting teachers and non-editting teachers.
if (in_array($CFG->prefix.'user_teachers', $dbtables)) {
if ($rs = get_recordset('user_teachers')) {
while ($teacher = rs_fetch_next_record($rs)) {
// removed code here to ignore site level assignments
// since the contexts are separated now
// populate the user_lastaccess table
$access = new object();
$access->timeaccess = $teacher->timeaccess;
$access->userid = $teacher->userid;
$access->courseid = $teacher->course;
insert_record('user_lastaccess', $access);
// assign the default student role
$coursecontext = get_context_instance(CONTEXT_COURSE, $teacher->course); // needs cache
// hidden teacher
if ($teacher->authority == 0) {
$hiddenteacher = 1;
} else {
$hiddenteacher = 0;
}
if ($teacher->editall) { // editting teacher
role_assign($editteacherrole, $teacher->userid, 0, $coursecontext->id, 0, 0, $hiddenteacher);
} else {
role_assign($noneditteacherrole, $teacher->userid, 0, $coursecontext->id, 0, 0, $hiddenteacher);
}
$progresscount++;
print_progress($progresscount, $totalcount, 5, 1, 'Processing role assignments');
}
rs_close($rs);
}
}
/// Upgrade students.
if (in_array($CFG->prefix.'user_students', $dbtables)) {
if ($rs = get_recordset('user_students')) {
while ($student = rs_fetch_next_record($rs)) {
// populate the user_lastaccess table
$access = new object;
$access->timeaccess = $student->timeaccess;
$access->userid = $student->userid;
$access->courseid = $student->course;
insert_record('user_lastaccess', $access);
// assign the default student role
$coursecontext = get_context_instance(CONTEXT_COURSE, $student->course);
role_assign($studentrole, $student->userid, 0, $coursecontext->id);
$progresscount++;
print_progress($progresscount, $totalcount, 5, 1, 'Processing role assignments');
}
rs_close($rs);
}
}
/// Upgrade guest (only 1 entry).
if ($guestuser = get_record('user', 'username', 'guest')) {
role_assign($guestrole, $guestuser->id, 0, $systemcontext->id);
}
print_progress($totalcount, $totalcount, 5, 1, 'Processing role assignments');
/// Insert the correct records for legacy roles
allow_assign($adminrole, $adminrole);
allow_assign($adminrole, $coursecreatorrole);
allow_assign($adminrole, $noneditteacherrole);
allow_assign($adminrole, $editteacherrole);
allow_assign($adminrole, $studentrole);
allow_assign($adminrole, $guestrole);
allow_assign($coursecreatorrole, $noneditteacherrole);
allow_assign($coursecreatorrole, $editteacherrole);
allow_assign($coursecreatorrole, $studentrole);
allow_assign($coursecreatorrole, $guestrole);
allow_assign($editteacherrole, $noneditteacherrole);
allow_assign($editteacherrole, $studentrole);
allow_assign($editteacherrole, $guestrole);
/// Set up default permissions for overrides
allow_override($adminrole, $adminrole);
allow_override($adminrole, $coursecreatorrole);
allow_override($adminrole, $noneditteacherrole);
allow_override($adminrole, $editteacherrole);
allow_override($adminrole, $studentrole);
allow_override($adminrole, $guestrole);
allow_override($adminrole, $userrole);
/// Delete the old user tables when we are done
drop_table(new XMLDBTable('user_students'));
drop_table(new XMLDBTable('user_teachers'));
drop_table(new XMLDBTable('user_coursecreators'));
drop_table(new XMLDBTable('user_admins'));
}
/**
* Returns array of all legacy roles.
*/
function get_legacy_roles() {
return array(
'admin' => 'moodle/legacy:admin',
'coursecreator' => 'moodle/legacy:coursecreator',
'editingteacher' => 'moodle/legacy:editingteacher',
'teacher' => 'moodle/legacy:teacher',
'student' => 'moodle/legacy:student',
'guest' => 'moodle/legacy:guest',
'user' => 'moodle/legacy:user'
);
}
function get_legacy_type($roleid) {
$sitecontext = get_context_instance(CONTEXT_SYSTEM);
$legacyroles = get_legacy_roles();
$result = '';
foreach($legacyroles as $ltype=>$lcap) {
$localoverride = get_local_override($roleid, $sitecontext->id, $lcap);
if (!empty($localoverride->permission) and $localoverride->permission == CAP_ALLOW) {
//choose first selected legacy capability - reset the rest
if (empty($result)) {
$result = $ltype;
} else {
unassign_capability($lcap, $roleid);
}
}
}
return $result;
}
/**
* Assign the defaults found in this capabality definition to roles that have
* the corresponding legacy capabilities assigned to them.
* @param $legacyperms - an array in the format (example):
* 'guest' => CAP_PREVENT,
* 'student' => CAP_ALLOW,
* 'teacher' => CAP_ALLOW,
* 'editingteacher' => CAP_ALLOW,
* 'coursecreator' => CAP_ALLOW,
* 'admin' => CAP_ALLOW
* @return boolean - success or failure.
*/
function assign_legacy_capabilities($capability, $legacyperms) {
$legacyroles = get_legacy_roles();
foreach ($legacyperms as $type => $perm) {
$systemcontext = get_context_instance(CONTEXT_SYSTEM);
if (!array_key_exists($type, $legacyroles)) {
error('Incorrect legacy role definition for type: '.$type);
}
if ($roles = get_roles_with_capability($legacyroles[$type], CAP_ALLOW)) {
foreach ($roles as $role) {
// Assign a site level capability.
if (!assign_capability($capability, $perm, $role->id, $systemcontext->id)) {
return false;
}
}
}
}
return true;
}
/**
* Checks to see if a capability is a legacy capability.
* @param $capabilityname
* @return boolean
*/
function islegacy($capabilityname) {
if (strpos($capabilityname, 'moodle/legacy') === 0) {
return true;
} else {
return false;
}
}
/**********************************
* Context Manipulation functions *
**********************************/
/**
* Create a new context record for use by all roles-related stuff
* @param $level
* @param $instanceid
*
* @return object newly created context (or existing one with a debug warning)
*/
function create_context($contextlevel, $instanceid) {
if (!$context = get_record('context','contextlevel',$contextlevel,'instanceid',$instanceid)) {
if (!validate_context($contextlevel, $instanceid)) {
debugging('Error: Invalid context creation request for level "'.s($contextlevel).'", instance "'.s($instanceid).'".');
return NULL;
}
if ($contextlevel == CONTEXT_SYSTEM) {
return create_system_context();
}
$context = new object();
$context->contextlevel = $contextlevel;
$context->instanceid = $instanceid;
if ($id = insert_record('context',$context)) {
$c = get_record('context','id',$id);
return $c;
} else {
debugging('Error: could not insert new context level "'.s($contextlevel).'", instance "'.s($instanceid).'".');
return NULL;
}
} else {
debugging('Warning: Context id "'.s($context->id).'" not created, because it already exists.');
return $context;
}
}
/**
* This hacky function is needed because we can not change system context instanceid using normal upgrade routine.
*/
function create_system_context() {
if ($context = get_record('context', 'contextlevel', CONTEXT_SYSTEM, 'instanceid', SITEID)) {
// we are going to change instanceid of system context to 0 now
$context->instanceid = 0;
update_record('context', $context);
//context rel not affected
return $context;
} else {
$context = new object();
$context->contextlevel = CONTEXT_SYSTEM;
$context->instanceid = 0;
if ($context->id = insert_record('context',$context)) {
// we need not to populate context_rel for system context
return $context;
} else {
debugging('Can not create system context');
return NULL;
}
}
}
/**
* Remove a context record and any dependent entries
* @param $level
* @param $instanceid
*
* @return bool properly deleted
*/
function delete_context($contextlevel, $instanceid) {
if ($context = get_context_instance($contextlevel, $instanceid)) {
delete_records('context_rel', 'c2', $context->id); // might not be a parent
return delete_records('context', 'id', $context->id) &&
delete_records('role_assignments', 'contextid', $context->id) &&
delete_records('role_capabilities', 'contextid', $context->id) &&
delete_records('context_rel', 'c1', $context->id);
}
return true;
}
/**
* Remove stale context records
*
* @return bool
*/
function cleanup_contexts() {
global $CFG;
$sql = " SELECT " . CONTEXT_COURSECAT . " AS level,
c.instanceid AS instanceid
FROM {$CFG->prefix}context c
LEFT OUTER JOIN {$CFG->prefix}course_categories AS t
ON c.instanceid = t.id
WHERE t.id IS NULL AND c.contextlevel = " . CONTEXT_COURSECAT . "
UNION
SELECT " . CONTEXT_COURSE . " AS level,
c.instanceid AS instanceid
FROM {$CFG->prefix}context c
LEFT OUTER JOIN {$CFG->prefix}course AS t
ON c.instanceid = t.id
WHERE t.id IS NULL AND c.contextlevel = " . CONTEXT_COURSE . "
UNION
SELECT " . CONTEXT_MODULE . " AS level,
c.instanceid AS instanceid
FROM {$CFG->prefix}context c
LEFT OUTER JOIN {$CFG->prefix}course_modules AS t
ON c.instanceid = t.id
WHERE t.id IS NULL AND c.contextlevel = " . CONTEXT_MODULE . "
UNION
SELECT " . CONTEXT_USER . " AS level,
c.instanceid AS instanceid
FROM {$CFG->prefix}context c
LEFT OUTER JOIN {$CFG->prefix}user AS t
ON c.instanceid = t.id
WHERE t.id IS NULL AND c.contextlevel = " . CONTEXT_USER . "
UNION
SELECT " . CONTEXT_BLOCK . " AS level,
c.instanceid AS instanceid
FROM {$CFG->prefix}context c
LEFT OUTER JOIN {$CFG->prefix}block_instance AS t
ON c.instanceid = t.id
WHERE t.id IS NULL AND c.contextlevel = " . CONTEXT_BLOCK . "
UNION
SELECT " . CONTEXT_GROUP . " AS level,
c.instanceid AS instanceid
FROM {$CFG->prefix}context c
LEFT OUTER JOIN {$CFG->prefix}groups AS t
ON c.instanceid = t.id
WHERE t.id IS NULL AND c.contextlevel = " . CONTEXT_GROUP . "
";
$rs = get_recordset_sql($sql);
if ($rs->RecordCount()) {
begin_sql();
$tx = true;
while ($tx && $ctx = rs_fetch_next_record($rs)) {
$tx = $tx && delete_context($ctx->level, $ctx->instanceid);
}
rs_close($rs);
if ($tx) {
commit_sql();
return true;
}
rollback_sql();
return false;
}
return true;
}
/**
* Validate that object with instanceid really exists in given context level.
*
* return if instanceid object exists
*/
function validate_context($contextlevel, $instanceid) {
switch ($contextlevel) {
case CONTEXT_SYSTEM:
return ($instanceid == 0);
case CONTEXT_PERSONAL:
return (boolean)count_records('user', 'id', $instanceid);
case CONTEXT_USER:
return (boolean)count_records('user', 'id', $instanceid);
case CONTEXT_COURSECAT:
if ($instanceid == 0) {
return true; // site course category
}
return (boolean)count_records('course_categories', 'id', $instanceid);
case CONTEXT_COURSE:
return (boolean)count_records('course', 'id', $instanceid);
case CONTEXT_GROUP:
return groups_group_exists($instanceid);
case CONTEXT_MODULE:
return (boolean)count_records('course_modules', 'id', $instanceid);
case CONTEXT_BLOCK:
return (boolean)count_records('block_instance', 'id', $instanceid);
default:
return false;
}
}
/**
* Get the context instance as an object. This function will create the
* context instance if it does not exist yet.
* @param integer $level The context level, for example CONTEXT_COURSE, or CONTEXT_MODULE.
* @param integer $instance The instance id. For $level = CONTEXT_COURSE, this would be $course->id,
* for $level = CONTEXT_MODULE, this would be $cm->id. And so on.
* @return object The context object.
*/
function get_context_instance($contextlevel=NULL, $instance=0) {
global $context_cache, $context_cache_id, $CONTEXT;
static $allowed_contexts = array(CONTEXT_SYSTEM, CONTEXT_PERSONAL, CONTEXT_USER, CONTEXT_COURSECAT, CONTEXT_COURSE, CONTEXT_GROUP, CONTEXT_MODULE, CONTEXT_BLOCK);
// Yu: Separating site and site course context - removed CONTEXT_COURSE override when SITEID
// fix for MDL-9016
if ($contextlevel == 'clearcache') {
// Clear ALL cache
$context_cache = array();
$context_cache_id = array();
$CONTEXT = '';
return false;
}
/// If no level is supplied then return the current global context if there is one
if (empty($contextlevel)) {
if (empty($CONTEXT)) {
//fatal error, code must be fixed
error("Error: get_context_instance() called without a context");
} else {
return $CONTEXT;
}
}
/// Backwards compatibility with obsoleted (CONTEXT_SYSTEM, SITEID)
if ($contextlevel == CONTEXT_SYSTEM) {
$instance = 0;
}
/// check allowed context levels
if (!in_array($contextlevel, $allowed_contexts)) {
// fatal error, code must be fixed - probably typo or switched parameters
error('Error: get_context_instance() called with incorrect context level "'.s($contextlevel).'"');
}
/// Check the cache
if (isset($context_cache[$contextlevel][$instance])) { // Already cached
return $context_cache[$contextlevel][$instance];
}
/// Get it from the database, or create it
if (!$context = get_record('context', 'contextlevel', $contextlevel, 'instanceid', $instance)) {
create_context($contextlevel, $instance);
$context = get_record('context', 'contextlevel', $contextlevel, 'instanceid', $instance);
}
/// Only add to cache if context isn't empty.
if (!empty($context)) {
$context_cache[$contextlevel][$instance] = $context; // Cache it for later
$context_cache_id[$context->id] = $context; // Cache it for later
}
return $context;
}
/**
* Get a context instance as an object, from a given context id.
* @param $id a context id.
* @return object The context object.
*/
function get_context_instance_by_id($id) {
global $context_cache, $context_cache_id;
if (isset($context_cache_id[$id])) { // Already cached
return $context_cache_id[$id];
}
if ($context = get_record('context', 'id', $id)) { // Update the cache and return
$context_cache[$context->contextlevel][$context->instanceid] = $context;
$context_cache_id[$context->id] = $context;
return $context;
}
return false;
}
/**
* Get the local override (if any) for a given capability in a role in a context
* @param $roleid
* @param $contextid
* @param $capability
*/
function get_local_override($roleid, $contextid, $capability) {
return get_record('role_capabilities', 'roleid', $roleid, 'capability', $capability, 'contextid', $contextid);
}
/************************************
* DB TABLE RELATED FUNCTIONS *
************************************/
/**
* function that creates a role
* @param name - role name
* @param shortname - role short name
* @param description - role description
* @param legacy - optional legacy capability
* @return id or false
*/
function create_role($name, $shortname, $description, $legacy='') {
// check for duplicate role name
if ($role = get_record('role','name', $name)) {
error('there is already a role with this name!');
}
if ($role = get_record('role','shortname', $shortname)) {
error('there is already a role with this shortname!');
}
$role = new object();
$role->name = $name;
$role->shortname = $shortname;
$role->description = $description;
//find free sortorder number
$role->sortorder = count_records('role');
while (get_record('role','sortorder', $role->sortorder)) {
$role->sortorder += 1;
}
if (!$context = get_context_instance(CONTEXT_SYSTEM)) {
return false;
}
if ($id = insert_record('role', $role)) {
if ($legacy) {
assign_capability($legacy, CAP_ALLOW, $id, $context->id);
}
/// By default, users with role:manage at site level
/// should be able to assign users to this new role, and override this new role's capabilities
// find all admin roles
if ($adminroles = get_roles_with_capability('moodle/role:manage', CAP_ALLOW, $context)) {
// foreach admin role
foreach ($adminroles as $arole) {
// write allow_assign and allow_overrid
allow_assign($arole->id, $id);
allow_override($arole->id, $id);
}
}
return $id;
} else {
return false;
}
}
/**
* function that deletes a role and cleanups up after it
* @param roleid - id of role to delete
* @return success
*/
function delete_role($roleid) {
global $CFG;
$success = true;
// mdl 10149, check if this is the last active admin role
// if we make the admin role not deletable then this part can go
$systemcontext = get_context_instance(CONTEXT_SYSTEM);
if ($role = get_record('role', 'id', $roleid)) {
if (record_exists('role_capabilities', 'contextid', $systemcontext->id, 'roleid', $roleid, 'capability', 'moodle/site:doanything')) {
// deleting an admin role
$status = false;
if ($adminroles = get_roles_with_capability('moodle/site:doanything', CAP_ALLOW, $systemcontext)) {
foreach ($adminroles as $adminrole) {
if ($adminrole->id != $roleid) {
// some other admin role
if (record_exists('role_assignments', 'roleid', $adminrole->id, 'contextid', $systemcontext->id)) {
// found another admin role with at least 1 user assigned
$status = true;
break;
}
}
}
}
if ($status !== true) {
error ('You can not delete this role because there is no other admin roles with users assigned');
}
}
}
// first unssign all users
if (!role_unassign($roleid)) {
debugging("Error while unassigning all users from role with ID $roleid!");
$success = false;
}
// cleanup all references to this role, ignore errors
if ($success) {
// MDL-10679 find all contexts where this role has an override
$contexts = get_records_sql("SELECT contextid, contextid
FROM {$CFG->prefix}role_capabilities
WHERE roleid = $roleid");
delete_records('role_capabilities', 'roleid', $roleid);
// MDL-10679, delete from context_rel if this role holds the last override in these contexts
if ($contexts) {
foreach ($contexts as $context) {
if (!record_exists('role_capabilities', 'contextid', $context->contextid)) {
delete_records('context_rel', 'c1', $context->contextid);
}
}
}
delete_records('role_allow_assign', 'roleid', $roleid);
delete_records('role_allow_assign', 'allowassign', $roleid);
delete_records('role_allow_override', 'roleid', $roleid);
delete_records('role_allow_override', 'allowoverride', $roleid);
delete_records('role_names', 'roleid', $roleid);
}
// finally delete the role itself
if ($success and !delete_records('role', 'id', $roleid)) {
debugging("Could not delete role record with ID $roleid!");
$success = false;
}
return $success;
}
/**
* Function to write context specific overrides, or default capabilities.
* @param module - string name
* @param capability - string name
* @param contextid - context id
* @param roleid - role id
* @param permission - int 1,-1 or -1000
* should not be writing if permission is 0
*/
function assign_capability($capability, $permission, $roleid, $contextid, $overwrite=false) {
global $USER;
if (empty($permission) || $permission == CAP_INHERIT) { // if permission is not set
unassign_capability($capability, $roleid, $contextid);
return true;
}
$existing = get_record('role_capabilities', 'contextid', $contextid, 'roleid', $roleid, 'capability', $capability);
if ($existing and !$overwrite) { // We want to keep whatever is there already
return true;
}
$cap = new object;
$cap->contextid = $contextid;
$cap->roleid = $roleid;
$cap->capability = $capability;
$cap->permission = $permission;
$cap->timemodified = time();
$cap->modifierid = empty($USER->id) ? 0 : $USER->id;
if ($existing) {
$cap->id = $existing->id;
return update_record('role_capabilities', $cap);
} else {
$c = get_record('context', 'id', $contextid);
/// MDL-10679 insert context rel here
insert_context_rel ($c);
return insert_record('role_capabilities', $cap);
}
}
/**
* Unassign a capability from a role.
* @param $roleid - the role id
* @param $capability - the name of the capability
* @return boolean - success or failure
*/
function unassign_capability($capability, $roleid, $contextid=NULL) {
if (isset($contextid)) {
// delete from context rel, if this is the last override in this context
$status = delete_records('role_capabilities', 'capability', $capability,
'roleid', $roleid, 'contextid', $contextid);
// MDL-10679, if this is no more overrides for this context
// delete entries from context where this context is a child
if (!record_exists('role_capabilities', 'contextid', $contextid)) {
delete_records('context_rel', 'c1', $contextid);
}
} else {
// There is no need to delete from context_rel here because
// this is only used for legacy, for now
$status = delete_records('role_capabilities', 'capability', $capability,
'roleid', $roleid);
}
return $status;
}
/**
* Get the roles that have a given capability assigned to it. This function
* does not resolve the actual permission of the capability. It just checks
* for assignment only.
* @param $capability - capability name (string)
* @param $permission - optional, the permission defined for this capability
* either CAP_ALLOW, CAP_PREVENT or CAP_PROHIBIT
* @return array or role objects
*/
function get_roles_with_capability($capability, $permission=NULL, $context='') {
global $CFG;
if ($context) {
if ($contexts = get_parent_contexts($context)) {
$listofcontexts = '('.implode(',', $contexts).')';
} else {
$sitecontext = get_context_instance(CONTEXT_SYSTEM);
$listofcontexts = '('.$sitecontext->id.')'; // must be site
}
$contextstr = "AND (rc.contextid = '$context->id' OR rc.contextid IN $listofcontexts)";
} else {
$contextstr = '';
}
$selectroles = "SELECT r.*
FROM {$CFG->prefix}role r,
{$CFG->prefix}role_capabilities rc
WHERE rc.capability = '$capability'
AND rc.roleid = r.id $contextstr";
if (isset($permission)) {
$selectroles .= " AND rc.permission = '$permission'";
}
return get_records_sql($selectroles);
}
/**
* This function makes a role-assignment (a role for a user or group in a particular context)
* @param $roleid - the role of the id
* @param $userid - userid
* @param $groupid - group id
* @param $contextid - id of the context
* @param $timestart - time this assignment becomes effective
* @param $timeend - time this assignemnt ceases to be effective
* @uses $USER
* @return id - new id of the assigment
*/
function role_assign($roleid, $userid, $groupid, $contextid, $timestart=0, $timeend=0, $hidden=0, $enrol='manual',$timemodified='') {
global $USER, $CFG;
debugging("Assign roleid $roleid userid $userid contextid $contextid", DEBUG_DEVELOPER);
/// Do some data validation
if (empty($roleid)) {
debugging('Role ID not provided');
return false;
}
if (empty($userid) && empty($groupid)) {
debugging('Either userid or groupid must be provided');
return false;
}
if ($userid && !record_exists('user', 'id', $userid)) {
debugging('User ID '.intval($userid).' does not exist!');
return false;
}
if ($groupid && !groups_group_exists($groupid)) {
debugging('Group ID '.intval($groupid).' does not exist!');
return false;
}
if (!$context = get_context_instance_by_id($contextid)) {
debugging('Context ID '.intval($contextid).' does not exist!');
return false;
}
if (($timestart and $timeend) and ($timestart > $timeend)) {
debugging('The end time can not be earlier than the start time');
return false;
}
if (!$timemodified) {
$timemodified = time();
}
/// Check for existing entry
if ($userid) {
$ra = get_record('role_assignments', 'roleid', $roleid, 'contextid', $context->id, 'userid', $userid);
} else {
$ra = get_record('role_assignments', 'roleid', $roleid, 'contextid', $context->id, 'groupid', $groupid);
}
$newra = new object;
if (empty($ra)) { // Create a new entry
$newra->roleid = $roleid;
$newra->contextid = $context->id;
$newra->userid = $userid;
$newra->hidden = $hidden;
$newra->enrol = $enrol;
/// Always round timestart downto 100 secs to help DBs to use their own caching algorithms
/// by repeating queries with the same exact parameters in a 100 secs time window
$newra->timestart = round($timestart, -2);
$newra->timeend = $timeend;
$newra->timemodified = $timemodified;
$newra->modifierid = empty($USER->id) ? 0 : $USER->id;
$success = insert_record('role_assignments', $newra);
} else { // We already have one, just update it
$newra->id = $ra->id;
$newra->hidden = $hidden;
$newra->enrol = $enrol;
/// Always round timestart downto 100 secs to help DBs to use their own caching algorithms
/// by repeating queries with the same exact parameters in a 100 secs time window
$newra->timestart = round($timestart, -2);
$newra->timeend = $timeend;
$newra->timemodified = $timemodified;
$newra->modifierid = empty($USER->id) ? 0 : $USER->id;
$success = update_record('role_assignments', $newra);
}
if ($success) { /// Role was assigned, so do some other things
/// If the user is the current user, then reload the capabilities too.
if (!empty($USER->id) && $USER->id == $userid) {
load_all_capabilities();
}
/// Ask all the modules if anything needs to be done for this user
if ($mods = get_list_of_plugins('mod')) {
foreach ($mods as $mod) {
include_once($CFG->dirroot.'/mod/'.$mod.'/lib.php');
$functionname = $mod.'_role_assign';
if (function_exists($functionname)) {
$functionname($userid, $context, $roleid);
}
}
}
/// Make sure they have an entry in user_lastaccess for courses they can access
// role_add_lastaccess_entries($userid, $context);
}
/// now handle metacourse role assignments if in course context
if ($success and $context->contextlevel == CONTEXT_COURSE) {
if ($parents = get_records('course_meta', 'child_course', $context->instanceid)) {
foreach ($parents as $parent) {
sync_metacourse($parent->parent_course);
}
}
}
return $success;
}
/**
* Deletes one or more role assignments. You must specify at least one parameter.
* @param $roleid
* @param $userid
* @param $groupid
* @param $contextid
* @param $enrol unassign only if enrolment type matches, NULL means anything
* @return boolean - success or failure
*/
function role_unassign($roleid=0, $userid=0, $groupid=0, $contextid=0, $enrol=NULL) {
global $USER, $CFG;
$success = true;
$args = array('roleid', 'userid', 'groupid', 'contextid');
$select = array();
foreach ($args as $arg) {
if ($$arg) {
$select[] = $arg.' = '.$$arg;
}
}
if (!empty($enrol)) {
$select[] = "enrol='$enrol'";
}
if ($select) {
if ($ras = get_records_select('role_assignments', implode(' AND ', $select))) {
$mods = get_list_of_plugins('mod');
foreach($ras as $ra) {
/// infinite loop protection when deleting recursively
if (!$ra = get_record('role_assignments', 'id', $ra->id)) {
continue;
}
$success = delete_records('role_assignments', 'id', $ra->id) and $success;
/// If the user is the current user, then reload the capabilities too.
if (!empty($USER->id) && $USER->id == $ra->userid) {
load_all_capabilities();
}
$context = get_record('context', 'id', $ra->contextid);
/// Ask all the modules if anything needs to be done for this user
foreach ($mods as $mod) {
include_once($CFG->dirroot.'/mod/'.$mod.'/lib.php');
$functionname = $mod.'_role_unassign';
if (function_exists($functionname)) {
$functionname($ra->userid, $context); // watch out, $context might be NULL if something goes wrong
}
}
/// now handle metacourse role unassigment and removing from goups if in course context
if (!empty($context) and $context->contextlevel == CONTEXT_COURSE) {
// cleanup leftover course groups/subscriptions etc when user has
// no capability to view course
// this may be slow, but this is the proper way of doing it
if (!has_capability('moodle/course:view', $context, $ra->userid)) {
// remove from groups
if ($groups = groups_get_all_groups($context->instanceid)) {
foreach ($groups as $group) {
delete_records('groups_members', 'groupid', $group->id, 'userid', $ra->userid);
}
}
// delete lastaccess records
delete_records('user_lastaccess', 'userid', $ra->userid, 'courseid', $context->instanceid);
}
//unassign roles in metacourses if needed
if ($parents = get_records('course_meta', 'child_course', $context->instanceid)) {
foreach ($parents as $parent) {
sync_metacourse($parent->parent_course);
}
}
}
}
}
}
return $success;
}
/**
* A convenience function to take care of the common case where you
* just want to enrol someone using the default role into a course
*
* @param object $course
* @param object $user
* @param string $enrol - the plugin used to do this enrolment
*/
function enrol_into_course($course, $user, $enrol) {
$timestart = time();
// remove time part from the timestamp and keep only the date part
$timestart = make_timestamp(date('Y', $timestart), date('m', $timestart), date('d', $timestart), 0, 0, 0);
if ($course->enrolperiod) {
$timeend = $timestart + $course->enrolperiod;
} else {
$timeend = 0;
}
if ($role = get_default_course_role($course)) {
$context = get_context_instance(CONTEXT_COURSE, $course->id);
if (!role_assign($role->id, $user->id, 0, $context->id, $timestart, $timeend, 0, $enrol)) {
return false;
}
email_welcome_message_to_user($course, $user);
add_to_log($course->id, 'course', 'enrol', 'view.php?id='.$course->id, $user->id);
return true;
}
return false;
}
/**
* Add last access times to user_lastaccess as required
* @param $userid
* @param $context
* @return boolean - success or failure
*/
function role_add_lastaccess_entries($userid, $context) {
global $USER, $CFG;
if (empty($context->contextlevel)) {
return false;
}
$lastaccess = new object; // Reusable object below
$lastaccess->userid = $userid;
$lastaccess->timeaccess = 0;
switch ($context->contextlevel) {
case CONTEXT_SYSTEM: // For the whole site
if ($courses = get_record('course')) {
foreach ($courses as $course) {
$lastaccess->courseid = $course->id;
role_set_lastaccess($lastaccess);
}
}
break;
case CONTEXT_CATEGORY: // For a whole category
if ($courses = get_record('course', 'category', $context->instanceid)) {
foreach ($courses as $course) {
$lastaccess->courseid = $course->id;
role_set_lastaccess($lastaccess);
}
}
if ($categories = get_record('course_categories', 'parent', $context->instanceid)) {
foreach ($categories as $category) {
$subcontext = get_context_instance(CONTEXT_CATEGORY, $category->id);
role_add_lastaccess_entries($userid, $subcontext);
}
}
break;
case CONTEXT_COURSE: // For a whole course
if ($course = get_record('course', 'id', $context->instanceid)) {
$lastaccess->courseid = $course->id;
role_set_lastaccess($lastaccess);
}
break;
}
}
/**
* Delete last access times from user_lastaccess as required
* @param $userid
* @param $context
* @return boolean - success or failure
*/
function role_remove_lastaccess_entries($userid, $context) {
global $USER, $CFG;
}
/**
* Loads the capability definitions for the component (from file). If no
* capabilities are defined for the component, we simply return an empty array.
* @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
* @return array of capabilities
*/
function load_capability_def($component) {
global $CFG;
if ($component == 'moodle') {
$defpath = $CFG->libdir.'/db/access.php';
$varprefix = 'moodle';
} else {
$compparts = explode('/', $component);
if ($compparts[0] == 'block') {
// Blocks are an exception. Blocks directory is 'blocks', and not
// 'block'. So we need to jump through hoops.
$defpath = $CFG->dirroot.'/'.$compparts[0].
's/'.$compparts[1].'/db/access.php';
$varprefix = $compparts[0].'_'.$compparts[1];
} else if ($compparts[0] == 'format') {
// Similar to the above, course formats are 'format' while they
// are stored in 'course/format'.
$defpath = $CFG->dirroot.'/course/'.$component.'/db/access.php';
$varprefix = $compparts[0].'_'.$compparts[1];
} else if ($compparts[0] == 'gradeimport') {
$defpath = $CFG->dirroot.'/grade/import/'.$compparts[1].'/db/access.php';
$varprefix = $compparts[0].'_'.$compparts[1];
} else if ($compparts[0] == 'gradeexport') {
$defpath = $CFG->dirroot.'/grade/export/'.$compparts[1].'/db/access.php';
$varprefix = $compparts[0].'_'.$compparts[1];
} else if ($compparts[0] == 'gradereport') {
$defpath = $CFG->dirroot.'/grade/report/'.$compparts[1].'/db/access.php';
$varprefix = $compparts[0].'_'.$compparts[1];
} else {
$defpath = $CFG->dirroot.'/'.$component.'/db/access.php';
$varprefix = str_replace('/', '_', $component);
}
}
$capabilities = array();
if (file_exists($defpath)) {
require($defpath);
$capabilities = ${$varprefix.'_capabilities'};
}
return $capabilities;
}
/**
* Gets the capabilities that have been cached in the database for this
* component.
* @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
* @return array of capabilities
*/
function get_cached_capabilities($component='moodle') {
if ($component == 'moodle') {
$storedcaps = get_records_select('capabilities',
"name LIKE 'moodle/%:%'");
} else {
$storedcaps = get_records_select('capabilities',
"name LIKE '$component:%'");
}
return $storedcaps;
}
/**
* Returns default capabilities for given legacy role type.
*
* @param string legacy role name
* @return array
*/
function get_default_capabilities($legacyrole) {
if (!$allcaps = get_records('capabilities')) {
error('Error: no capabilitites defined!');
}
$alldefs = array();
$defaults = array();
$components = array();
foreach ($allcaps as $cap) {
if (!in_array($cap->component, $components)) {
$components[] = $cap->component;
$alldefs = array_merge($alldefs, load_capability_def($cap->component));
}
}
foreach($alldefs as $name=>$def) {
if (isset($def['legacy'][$legacyrole])) {
$defaults[$name] = $def['legacy'][$legacyrole];
}
}
//some exceptions
$defaults['moodle/legacy:'.$legacyrole] = CAP_ALLOW;
if ($legacyrole == 'admin') {
$defaults['moodle/site:doanything'] = CAP_ALLOW;
}
return $defaults;
}
/**
* Reset role capabilitites to default according to selected legacy capability.
* If several legacy caps selected, use the first from get_default_capabilities.
* If no legacy selected, removes all capabilities.
*
* @param int @roleid
*/
function reset_role_capabilities($roleid) {
$sitecontext = get_context_instance(CONTEXT_SYSTEM);
$legacyroles = get_legacy_roles();
$defaultcaps = array();
foreach($legacyroles as $ltype=>$lcap) {
$localoverride = get_local_override($roleid, $sitecontext->id, $lcap);
if (!empty($localoverride->permission) and $localoverride->permission == CAP_ALLOW) {
//choose first selected legacy capability
$defaultcaps = get_default_capabilities($ltype);
break;
}
}
delete_records('role_capabilities', 'roleid', $roleid);
if (!empty($defaultcaps)) {
foreach($defaultcaps as $cap=>$permission) {
assign_capability($cap, $permission, $roleid, $sitecontext->id);
}
}
}
/**
* Updates the capabilities table with the component capability definitions.
* If no parameters are given, the function updates the core moodle
* capabilities.
*
* Note that the absence of the db/access.php capabilities definition file
* will cause any stored capabilities for the component to be removed from
* the database.
*
* @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
* @return boolean
*/
function update_capabilities($component='moodle') {
$storedcaps = array();
$filecaps = load_capability_def($component);
$cachedcaps = get_cached_capabilities($component);
if ($cachedcaps) {
foreach ($cachedcaps as $cachedcap) {
array_push($storedcaps, $cachedcap->name);
// update risk bitmasks and context levels in existing capabilities if needed
if (array_key_exists($cachedcap->name, $filecaps)) {
if (!array_key_exists('riskbitmask', $filecaps[$cachedcap->name])) {
$filecaps[$cachedcap->name]['riskbitmask'] = 0; // no risk if not specified
}
if ($cachedcap->riskbitmask != $filecaps[$cachedcap->name]['riskbitmask']) {
$updatecap = new object();
$updatecap->id = $cachedcap->id;
$updatecap->riskbitmask = $filecaps[$cachedcap->name]['riskbitmask'];
if (!update_record('capabilities', $updatecap)) {
return false;
}
}
if (!array_key_exists('contextlevel', $filecaps[$cachedcap->name])) {
$filecaps[$cachedcap->name]['contextlevel'] = 0; // no context level defined
}
if ($cachedcap->contextlevel != $filecaps[$cachedcap->name]['contextlevel']) {
$updatecap = new object();
$updatecap->id = $cachedcap->id;
$updatecap->contextlevel = $filecaps[$cachedcap->name]['contextlevel'];
if (!update_record('capabilities', $updatecap)) {
return false;
}
}
}
}
}
// Are there new capabilities in the file definition?
$newcaps = array();
foreach ($filecaps as $filecap => $def) {
if (!$storedcaps ||
($storedcaps && in_array($filecap, $storedcaps) === false)) {
if (!array_key_exists('riskbitmask', $def)) {
$def['riskbitmask'] = 0; // no risk if not specified
}
$newcaps[$filecap] = $def;
}
}
// Add new capabilities to the stored definition.
foreach ($newcaps as $capname => $capdef) {
$capability = new object;
$capability->name = $capname;
$capability->captype = $capdef['captype'];
$capability->contextlevel = $capdef['contextlevel'];
$capability->component = $component;
$capability->riskbitmask = $capdef['riskbitmask'];
if (!insert_record('capabilities', $capability, false, 'id')) {
return false;
}
if (isset($capdef['clonepermissionsfrom']) && in_array($capdef['clonepermissionsfrom'], $storedcaps)){
if ($rolecapabilities = get_records('role_capabilities', 'capability', $capdef['clonepermissionsfrom'])){
foreach ($rolecapabilities as $rolecapability){
//assign_capability will update rather than insert if capability exists
if (!assign_capability($capname, $rolecapability->permission,
$rolecapability->roleid, $rolecapability->contextid, true)){
notify('Could not clone capabilities for '.$capname);
}
}
}
// Do we need to assign the new capabilities to roles that have the
// legacy capabilities moodle/legacy:* as well?
// we ignore legacy key if we have cloned permissions
} else if (isset($capdef['legacy']) && is_array($capdef['legacy']) &&
!assign_legacy_capabilities($capname, $capdef['legacy'])) {
notify('Could not assign legacy capabilities for '.$capname);
}
}
// Are there any capabilities that have been removed from the file
// definition that we need to delete from the stored capabilities and
// role assignments?
capabilities_cleanup($component, $filecaps);
return true;
}
/**
* Deletes cached capabilities that are no longer needed by the component.
* Also unassigns these capabilities from any roles that have them.
* @param $component - examples: 'moodle', 'mod/forum', 'block/quiz_results'
* @param $newcapdef - array of the new capability definitions that will be
* compared with the cached capabilities
* @return int - number of deprecated capabilities that have been removed
*/
function capabilities_cleanup($component, $newcapdef=NULL) {
$removedcount = 0;
if ($cachedcaps = get_cached_capabilities($component)) {
foreach ($cachedcaps as $cachedcap) {
if (empty($newcapdef) ||
array_key_exists($cachedcap->name, $newcapdef) === false) {
// Remove from capabilities cache.
if (!delete_records('capabilities', 'name', $cachedcap->name)) {
error('Could not delete deprecated capability '.$cachedcap->name);
} else {
$removedcount++;
}
// Delete from roles.
if($roles = get_roles_with_capability($cachedcap->name)) {
foreach($roles as $role) {
if (!unassign_capability($cachedcap->name, $role->id)) {
error('Could not unassign deprecated capability '.
$cachedcap->name.' from role '.$role->name);
}
}
}
} // End if.
}
}
return $removedcount;
}
/****************
* UI FUNCTIONS *
****************/
/**
* prints human readable context identifier.
*/
function print_context_name($context, $withprefix = true, $short = false) {
$name = '';
switch ($context->contextlevel) {
case CONTEXT_SYSTEM: // by now it's a definite an inherit
$name = get_string('coresystem');
break;
case CONTEXT_PERSONAL:
$name = get_string('personal');
break;
case CONTEXT_USER:
if ($user = get_record('user', 'id', $context->instanceid)) {
if ($withprefix){
$name = get_string('user').': ';
}
$name .= fullname($user);
}
break;
case CONTEXT_COURSECAT: // Coursecat -> coursecat or site
if ($category = get_record('course_categories', 'id', $context->instanceid)) {
if ($withprefix){
$name = get_string('category').': ';
}
$name .=format_string($category->name);
}
break;
case CONTEXT_COURSE: // 1 to 1 to course cat
if ($course = get_record('course', 'id', $context->instanceid)) {
if ($withprefix){
if ($context->instanceid == SITEID) {
$name = get_string('site').': ';
} else {
$name = get_string('course').': ';
}
}
if ($short){
$name .=format_string($course->shortname);
} else {
$name .=format_string($course->fullname);
}
}
break;
case CONTEXT_GROUP: // 1 to 1 to course
if ($name = groups_get_group_name($context->instanceid)) {
if ($withprefix){
$name = get_string('group').': '. $name;
}
}
break;
case CONTEXT_MODULE: // 1 to 1 to course
if ($cm = get_record('course_modules','id',$context->instanceid)) {
if ($module = get_record('modules','id',$cm->module)) {
if ($mod = get_record($module->name, 'id', $cm->instance)) {
if ($withprefix){
$name = get_string('activitymodule').': ';
}
$name .= $mod->name;
}
}
}
break;
case CONTEXT_BLOCK: // not necessarily 1 to 1 to course
if ($blockinstance = get_record('block_instance','id',$context->instanceid)) {
if ($block = get_record('block','id',$blockinstance->blockid)) {
global $CFG;
require_once("$CFG->dirroot/blocks/moodleblock.class.php");
require_once("$CFG->dirroot/blocks/$block->name/block_$block->name.php");
$blockname = "block_$block->name";
if ($blockobject = new $blockname()) {
if ($withprefix){
$name = get_string('block').': ';
}
$name .= $blockobject->title;
}
}
}
break;
default:
error ('This is an unknown context (' . $context->contextlevel . ') in print_context_name!');
return false;
}
return $name;
}
/**
* Extracts the relevant capabilities given a contextid.
* All case based, example an instance of forum context.
* Will fetch all forum related capabilities, while course contexts
* Will fetch all capabilities
* @param object context
* @return array();
*
* capabilities
* `name` varchar(150) NOT NULL,
* `captype` varchar(50) NOT NULL,
* `contextlevel` int(10) NOT NULL,
* `component` varchar(100) NOT NULL,
*/
function fetch_context_capabilities($context) {
global $CFG;
$sort = 'ORDER BY contextlevel,component,id'; // To group them sensibly for display
switch ($context->contextlevel) {
case CONTEXT_SYSTEM: // all
$SQL = "select * from {$CFG->prefix}capabilities";
break;
case CONTEXT_PERSONAL:
$SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_PERSONAL;
break;
case CONTEXT_USER:
$SQL = "SELECT *
FROM {$CFG->prefix}capabilities
WHERE contextlevel = ".CONTEXT_USER;
break;
case CONTEXT_COURSECAT: // all
$SQL = "select * from {$CFG->prefix}capabilities";
break;
case CONTEXT_COURSE: // all
$SQL = "select * from {$CFG->prefix}capabilities";
break;
case CONTEXT_GROUP: // group caps
break;
case CONTEXT_MODULE: // mod caps
$cm = get_record('course_modules', 'id', $context->instanceid);
$module = get_record('modules', 'id', $cm->module);
$SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_MODULE."
and component = 'mod/$module->name'";
break;
case CONTEXT_BLOCK: // block caps
$cb = get_record('block_instance', 'id', $context->instanceid);
$block = get_record('block', 'id', $cb->blockid);
$SQL = "select * from {$CFG->prefix}capabilities where contextlevel = ".CONTEXT_BLOCK."
and ( component = 'block/$block->name' or component = 'moodle')";
break;
default:
return false;
}
if (!$records = get_records_sql($SQL.' '.$sort)) {
$records = array();
}
/// the rest of code is a bit hacky, think twice before modifying it :-(
// special sorting of core system capabiltites and enrollments
if (in_array($context->contextlevel, array(CONTEXT_SYSTEM, CONTEXT_COURSECAT, CONTEXT_COURSE))) {
$first = array();
foreach ($records as $key=>$record) {
if (preg_match('|^moodle/|', $record->name) and $record->contextlevel == CONTEXT_SYSTEM) {
$first[$key] = $record;
unset($records[$key]);
} else if (count($first)){
break;
}
}
if (count($first)) {
$records = $first + $records; // merge the two arrays keeping the keys
}
} else {
$contextindependentcaps = fetch_context_independent_capabilities();
$records = array_merge($contextindependentcaps, $records);
}
return $records;
}
/**
* Gets the context-independent capabilities that should be overrridable in
* any context.
* @return array of capability records from the capabilities table.
*/
function fetch_context_independent_capabilities() {
//only CONTEXT_SYSTEM capabilities here or it will break the hack in fetch_context_capabilities()
$contextindependentcaps = array(
'moodle/site:accessallgroups'
);
$records = array();
foreach ($contextindependentcaps as $capname) {
$record = get_record('capabilities', 'name', $capname);
array_push($records, $record);
}
return $records;
}
/**
* This function pulls out all the resolved capabilities (overrides and
* defaults) of a role used in capability overrides in contexts at a given
* context.
* @param obj $context
* @param int $roleid
* @param bool self - if set to true, resolve till this level, else stop at immediate parent level
* @return array
*/
function role_context_capabilities($roleid, $context, $cap='') {
global $CFG;
$contexts = get_parent_contexts($context);
$contexts[] = $context->id;
$contexts = '('.implode(',', $contexts).')';
if ($cap) {
$search = " AND rc.capability = '$cap' ";
} else {
$search = '';
}
$SQL = "SELECT rc.*
FROM {$CFG->prefix}role_capabilities rc,
{$CFG->prefix}context c
WHERE rc.contextid in $contexts
AND rc.roleid = $roleid
AND rc.contextid = c.id $search
ORDER BY c.contextlevel DESC,
rc.capability DESC";
$capabilities = array();
if ($records = get_records_sql($SQL)) {
// We are traversing via reverse order.
foreach ($records as $record) {
// If not set yet (i.e. inherit or not set at all), or currently we have a prohibit
if (!isset($capabilities[$record->capability]) || $record->permission<-500) {
$capabilities[$record->capability] = $record->permission;
}
}
}
return $capabilities;
}
/**
* Recursive function which, given a context, find all parent context ids,
* and return the array in reverse order, i.e. parent first, then grand
* parent, etc.
* @param object $context
* @return array()
*/
function get_parent_contexts($context) {
static $pcontexts; // cache
if (isset($pcontexts[$context->id])) {
return ($pcontexts[$context->id]);
}
switch ($context->contextlevel) {
case CONTEXT_SYSTEM: // no parent
return array();
break;
case CONTEXT_PERSONAL:
if (!$parent = get_context_instance(CONTEXT_SYSTEM)) {
return array();
} else {
$res = array($parent->id);
$pcontexts[$context->id] = $res;
return $res;
}
break;
case CONTEXT_USER:
if (!$parent = get_context_instance(CONTEXT_SYSTEM)) {
return array();
} else {
$res = array($parent->id);
$pcontexts[$context->id] = $res;
return $res;
}
break;
case CONTEXT_COURSECAT: // Coursecat -> coursecat or site
case CONTEXT_COURSE: // 1 to 1 to course cat
$parents = get_parent_cats($context);
$parents = array_reverse($parents);
$systemcontext = get_context_instance(CONTEXT_SYSTEM);
return $pcontexts[$context->id] = array_merge($parents, array($systemcontext->id));
break;
case CONTEXT_GROUP: // 1 to 1 to course
if (! $group = groups_get_group($context->instanceid)) {
return array();
}
if ($parent = get_context_instance(CONTEXT_COURSE, $group->courseid)) {
$res = array_merge(array($parent->id), get_parent_contexts($parent));
$pcontexts[$context->id] = $res;
return $res;
} else {
return array();
}
break;
case CONTEXT_MODULE: // 1 to 1 to course
if (!$cm = get_record('course_modules','id',$context->instanceid)) {
return array();
}
if ($parent = get_context_instance(CONTEXT_COURSE, $cm->course)) {
$res = array_merge(array($parent->id), get_parent_contexts($parent));
$pcontexts[$context->id] = $res;
return $res;
} else {
return array();
}
break;
case CONTEXT_BLOCK: // not necessarily 1 to 1 to course
if (!$block = get_record('block_instance','id',$context->instanceid)) {
return array();
}
// fix for MDL-9656, block parents are not necessarily courses
if ($block->pagetype == 'course-view') {
$parent = get_context_instance(CONTEXT_COURSE, $block->pageid);
} else {
$parent = get_context_instance(CONTEXT_SYSTEM);
}
if ($parent) {
$res = array_merge(array($parent->id), get_parent_contexts($parent));
$pcontexts[$context->id] = $res;
return $res;
} else {
return array();
}
break;
default:
error('This is an unknown context (' . $context->contextlevel . ') in get_parent_contexts!');
return false;
}
}
/**
* Recursive function which, given a context, find all its children context ids.
*
* When called for a course context, it will return the modules and blocks
* displayed in the course page.
*
* For course category contexts it will return categories and courses. It will
* NOT recurse into courses - if you want to do that, call it on the returned
* courses.
*
* Note: if a "deep" recurse is needed, it can be done very cheaply on the SQL
* side. Ask MartinL how ;-)
*
* @param object $context.
* @return array of child records
*/
function get_child_contexts($context) {
global $CFG, $context_cache;
// We *MUST* populate the context_cache as the callers
// will probably ask for the full record anyway soon after
// soon after calling us ;-)
switch ($context->contextlevel) {
case CONTEXT_BLOCK:
// No children.
return array();
break;
case CONTEXT_MODULE:
// No children.
return array();
break;
case CONTEXT_GROUP:
// No children.
return array();
break;
case CONTEXT_COURSE:
// Find
// - module instances - easy
// - groups
// - blocks assigned to the course-view page explicitly - easy
// - blocks pinned (note! we get all of them here, regardless of vis)
$sql = " SELECT ctx.*
FROM {$CFG->prefix}context ctx
WHERE ctx.path LIKE '{$context->path}/%'
AND ctx.contextlevel IN (".CONTEXT_MODULE.",".CONTEXT_BLOCK.")
UNION
SELECT ctx.*
FROM {$CFG->prefix}context ctx
JOIN {$CFG->prefix}groups g
ON (ctx.instanceid=g.id AND ctx.contextlevel=".CONTEXT_GROUP.")
WHERE g.courseid={$context->instanceid}
UNION
SELECT ctx.*
FROM {$CFG->prefix}context ctx
JOIN {$CFG->prefix}block_pinned b
ON (ctx.instanceid=b.blockid AND ctx.contextlevel=".CONTEXT_BLOCK.")
WHERE b.pagetype='course-view'
";
$rs = get_recordset_sql($sql);
$records = array();
if ($rs->RecordCount()) {
while ($rec = rs_fetch_next_record($rs)) {
$records[$rec->id] = $rec;
$context_cache[$rec->contextlevel][$rec->instanceid] = $rec;
}
}
rs_close($rs);
return $records;
break;
case CONTEXT_COURSECAT:
// Find
// - categories
// - courses
$sql = " SELECT ctx.*
FROM {$CFG->prefix}context ctx
WHERE ctx.path LIKE '{$context->path}/%'
AND ctx.contextlevel IN (".CONTEXT_COURSECAT.",".CONTEXT_COURSE.")
";
$rs = get_recordset_sql($sql);
$records = array();
if ($rs->RecordCount()) {
while ($rec = rs_fetch_next_record($rs)) {
$records[$rec->id] = $rec;
$context_cache[$rec->contextlevel][$rec->instanceid] = $rec;
}
}
rs_close($rs);
return $records;
break;
case CONTEXT_USER:
// No children.
return array();
break;
case CONTEXT_PERSONAL:
// No children.
return array();
break;
case CONTEXT_SYSTEM:
// Just get all the contexts except for CONTEXT_SYSTEM level
// and hope we don't OOM in the process - don't cache
$sql = 'SELECT c.*'.
'FROM '.$CFG->prefix.'context AS c '.
'WHERE contextlevel != '.CONTEXT_SYSTEM;
return get_records_sql($sql);
break;
default:
error('This is an unknown context (' . $context->contextlevel . ') in get_child_contexts!');
return false;
}
}
/**
* Gets a string for sql calls, searching for stuff in this context or above
* @param object $context
* @return string
*/
function get_related_contexts_string($context) {
if ($parents = get_parent_contexts($context)) {
return (' IN ('.$context->id.','.implode(',', $parents).')');
} else {
return (' ='.$context->id);
}
}
/**
* This function gets the capability of a role in a given context.
* It is needed when printing override forms.
* @param int $contextid
* @param string $capability
* @param array $capabilities - array loaded using role_context_capabilities
* @return int (allow, prevent, prohibit, inherit)
*/
function get_role_context_capability($contextid, $capability, $capabilities) {
if (isset($capabilities[$contextid][$capability])) {
return $capabilities[$contextid][$capability];
}
else {
return false;
}
}
/**
* Returns the human-readable, translated version of the capability.
* Basically a big switch statement.
* @param $capabilityname - e.g. mod/choice:readresponses
*/
function get_capability_string($capabilityname) {
// Typical capabilityname is mod/choice:readresponses
$names = split('/', $capabilityname);
$stringname = $names[1]; // choice:readresponses
$components = split(':', $stringname);
$componentname = $components[0]; // choice
switch ($names[0]) {
case 'mod':
$string = get_string($stringname, $componentname);
break;
case 'block':
$string = get_string($stringname, 'block_'.$componentname);
break;
case 'moodle':
$string = get_string($stringname, 'role');
break;
case 'enrol':
$string = get_string($stringname, 'enrol_'.$componentname);
break;
case 'format':
$string = get_string($stringname, 'format_'.$componentname);
break;
case 'gradeexport':
$string = get_string($stringname, 'gradeexport_'.$componentname);
break;
case 'gradeimport':
$string = get_string($stringname, 'gradeimport_'.$componentname);
break;
case 'gradereport':
$string = get_string($stringname, 'gradereport_'.$componentname);
break;
default:
$string = get_string($stringname);
break;
}
return $string;
}
/**
* This gets the mod/block/course/core etc strings.
* @param $component
* @param $contextlevel
*/
function get_component_string($component, $contextlevel) {
switch ($contextlevel) {
case CONTEXT_SYSTEM:
if (preg_match('|^enrol/|', $component)) {
$langname = str_replace('/', '_', $component);
$string = get_string('enrolname', $langname);
} else if (preg_match('|^block/|', $component)) {
$langname = str_replace('/', '_', $component);
$string = get_string('blockname', $langname);
} else {
$string = get_string('coresystem');
}
break;
case CONTEXT_PERSONAL:
$string = get_string('personal');
break;
case CONTEXT_USER:
$string = get_string('users');
break;
case CONTEXT_COURSECAT:
$string = get_string('categories');
break;
case CONTEXT_COURSE:
if (preg_match('|^gradeimport/|', $component)
|| preg_match('|^gradeexport/|', $component)
|| preg_match('|^gradereport/|', $component)) {
$string = get_string('gradebook', 'admin');
} else {
$string = get_string('course');
}
break;
case CONTEXT_GROUP:
$string = get_string('group');
break;
case CONTEXT_MODULE:
$string = get_string('modulename', basename($component));
break;
case CONTEXT_BLOCK:
if( $component == 'moodle' ){
$string = get_string('block');
}else{
$string = get_string('blockname', 'block_'.basename($component));
}
break;
default:
error ('This is an unknown context $contextlevel (' . $contextlevel . ') in get_component_string!');
return false;
}
return $string;
}
/**
* Gets the list of roles assigned to this context and up (parents)
* @param object $context
* @param view - set to true when roles are pulled for display only
* this is so that we can filter roles with no visible
* assignment, for example, you might want to "hide" all
* course creators when browsing the course participants
* list.
* @return array
*/
function get_roles_used_in_context($context, $view = false) {
global $CFG;
// filter for roles with all hidden assignments
// no need to return when only pulling roles for reviewing
// e.g. participants page.
$hiddensql = ($view && !has_capability('moodle/role:viewhiddenassigns', $context))? ' AND ra.hidden = 0 ':'';
$contextlist = get_related_contexts_string($context);
$sql = "SELECT DISTINCT r.id,
r.name,
r.shortname,
r.sortorder
FROM {$CFG->prefix}role_assignments ra,
{$CFG->prefix}role r
WHERE r.id = ra.roleid
AND ra.contextid $contextlist
$hiddensql
ORDER BY r.sortorder ASC";
return get_records_sql($sql);
}
/** this function is used to print roles column in user profile page.
* @param int userid
* @param int contextid
* @return string
*/
function get_user_roles_in_context($userid, $contextid){
global $CFG;
$rolestring = '';
$SQL = 'select * from '.$CFG->prefix.'role_assignments ra, '.$CFG->prefix.'role r where ra.userid='.$userid.' and ra.contextid='.$contextid.' and ra.roleid = r.id';
if ($roles = get_records_sql($SQL)) {
foreach ($roles as $userrole) {
$rolestring .= '<a href="'.$CFG->wwwroot.'/user/index.php?contextid='.$userrole->contextid.'&amp;roleid='.$userrole->roleid.'">'.$userrole->name.'</a>, ';
}
}
return rtrim($rolestring, ', ');
}
/**
* Checks if a user can override capabilities of a particular role in this context
* @param object $context
* @param int targetroleid - the id of the role you want to override
* @return boolean
*/
function user_can_override($context, $targetroleid) {
// first check if user has override capability
// if not return false;
if (!has_capability('moodle/role:override', $context)) {
return false;
}
// pull out all active roles of this user from this context(or above)
if ($userroles = get_user_roles($context)) {
foreach ($userroles as $userrole) {
// if any in the role_allow_override table, then it's ok
if (get_record('role_allow_override', 'roleid', $userrole->roleid, 'allowoverride', $targetroleid)) {
return true;
}
}
}
return false;
}
/**
* Checks if a user can assign users to a particular role in this context
* @param object $context
* @param int targetroleid - the id of the role you want to assign users to
* @return boolean
*/
function user_can_assign($context, $targetroleid) {
// first check if user has override capability
// if not return false;
if (!has_capability('moodle/role:assign', $context)) {
return false;
}
// pull out all active roles of this user from this context(or above)
if ($userroles = get_user_roles($context)) {
foreach ($userroles as $userrole) {
// if any in the role_allow_override table, then it's ok
if (get_record('role_allow_assign', 'roleid', $userrole->roleid, 'allowassign', $targetroleid)) {
return true;
}
}
}
return false;
}
/** Returns all site roles in correct sort order.
*
*/
function get_all_roles() {
return get_records('role', '', '', 'sortorder ASC');
}
/**
* gets all the user roles assigned in this context, or higher contexts
* this is mainly used when checking if a user can assign a role, or overriding a role
* i.e. we need to know what this user holds, in order to verify against allow_assign and
* allow_override tables
* @param object $context
* @param int $userid
* @param view - set to true when roles are pulled for display only
* this is so that we can filter roles with no visible
* assignment, for example, you might want to "hide" all
* course creators when browsing the course participants
* list.
* @return array
*/
function get_user_roles($context, $userid=0, $checkparentcontexts=true, $order='c.contextlevel DESC, r.sortorder ASC', $view=false) {
global $USER, $CFG, $db;
if (empty($userid)) {
if (empty($USER->id)) {
return array();
}
$userid = $USER->id;
}
// set up hidden sql
$hiddensql = ($view && !has_capability('moodle/role:viewhiddenassigns', $context))? ' AND ra.hidden = 0 ':'';
if ($checkparentcontexts && ($parents = get_parent_contexts($context))) {
$contexts = ' ra.contextid IN ('.implode(',' , $parents).','.$context->id.')';
} else {
$contexts = ' ra.contextid = \''.$context->id.'\'';
}
return get_records_sql('SELECT ra.*, r.name, r.shortname
FROM '.$CFG->prefix.'role_assignments ra,
'.$CFG->prefix.'role r,
'.$CFG->prefix.'context c
WHERE ra.userid = '.$userid.
' AND ra.roleid = r.id
AND ra.contextid = c.id
AND '.$contexts . $hiddensql .
' ORDER BY '.$order);
}
/**
* Creates a record in the allow_override table
* @param int sroleid - source roleid
* @param int troleid - target roleid
* @return int - id or false
*/
function allow_override($sroleid, $troleid) {
$record = new object();
$record->roleid = $sroleid;
$record->allowoverride = $troleid;
return insert_record('role_allow_override', $record);
}
/**
* Creates a record in the allow_assign table
* @param int sroleid - source roleid
* @param int troleid - target roleid
* @return int - id or false
*/
function allow_assign($sroleid, $troleid) {
$record = new object;
$record->roleid = $sroleid;
$record->allowassign = $troleid;
return insert_record('role_allow_assign', $record);
}
/**
* Gets a list of roles that this user can assign in this context
* @param object $context
* @return array
*/
function get_assignable_roles ($context, $field="name") {
$options = array();
if ($roles = get_all_roles()) {
foreach ($roles as $role) {
if (user_can_assign($context, $role->id)) {
$options[$role->id] = strip_tags(format_string($role->{$field}, true));
}
}
}
return $options;
}
/**
* Gets a list of roles that this user can override in this context
* @param object $context
* @return array
*/
function get_overridable_roles($context) {
$options = array();
if ($roles = get_all_roles()) {
foreach ($roles as $role) {
if (user_can_override($context, $role->id)) {
$options[$role->id] = strip_tags(format_string($role->name, true));
}
}
}
return $options;
}
/**
* Returns a role object that is the default role for new enrolments
* in a given course
*
* @param object $course
* @return object $role
*/
function get_default_course_role($course) {
global $CFG;
/// First let's take the default role the course may have
if (!empty($course->defaultrole)) {
if ($role = get_record('role', 'id', $course->defaultrole)) {
return $role;
}
}
/// Otherwise the site setting should tell us
if ($CFG->defaultcourseroleid) {
if ($role = get_record('role', 'id', $CFG->defaultcourseroleid)) {
return $role;
}
}
/// It's unlikely we'll get here, but just in case, try and find a student role
if ($studentroles = get_roles_with_capability('moodle/legacy:student', CAP_ALLOW)) {
return array_shift($studentroles); /// Take the first one
}
return NULL;
}
/**
* who has this capability in this context
* does not handling user level resolving!!!
* (!)pleaes note if $fields is empty this function attempts to get u.*
* which can get rather large.
* i.e 1 person has 2 roles 1 allow, 1 prevent, this will not work properly
* @param $context - object
* @param $capability - string capability
* @param $fields - fields to be pulled
* @param $sort - the sort order
* @param $limitfrom - number of records to skip (offset)
* @param $limitnum - number of records to fetch
* @param $groups - single group or array of groups - only return
* users who are in one of these group(s).
* @param $exceptions - list of users to exclude
* @param view - set to true when roles are pulled for display only
* this is so that we can filter roles with no visible
* assignment, for example, you might want to "hide" all
* course creators when browsing the course participants
* list.
* @param boolean $useviewallgroups if $groups is set the return users who
* have capability both $capability and moodle/site:accessallgroups
* in this context, as well as users who have $capability and who are
* in $groups.
*/
function get_users_by_capability($context, $capability, $fields='', $sort='',
$limitfrom='', $limitnum='', $groups='', $exceptions='', $doanything=true,
$view=false, $useviewallgroups=false) {
global $CFG;
/// Sorting out groups
if ($groups) {
if (is_array($groups)) {
$grouptest = 'gm.groupid IN (' . implode(',', $groups) . ')';
} else {
$grouptest = 'gm.groupid = ' . $groups;
}
$grouptest = 'ra.userid IN (SELECT userid FROM ' .
$CFG->prefix . 'groups_members gm WHERE ' . $grouptest . ')';
if ($useviewallgroups) {
$viewallgroupsusers = get_users_by_capability($context,
'moodle/site:accessallgroups', 'u.id, u.id', '', '', '', '', $exceptions);
$groupsql = ' AND (' . $grouptest . ' OR ra.userid IN (' .
implode(',', array_keys($viewallgroupsusers)) . '))';
} else {
$groupsql = ' AND ' . $grouptest;
}
} else {
$groupsql = '';
}
/// Sorting out exceptions
$exceptionsql = $exceptions ? "AND u.id NOT IN ($exceptions)" : '';
/// Set up default fields
if (empty($fields)) {
$fields = 'u.*, ul.timeaccess as lastaccess, ra.hidden';
}
/// Set up default sort
if (empty($sort)) {
$sort = 'ul.timeaccess';
}
$sortby = $sort ? " ORDER BY $sort " : '';
/// Set up hidden sql
$hiddensql = ($view && !has_capability('moodle/role:viewhiddenassigns', $context))? ' AND ra.hidden = 0 ':'';
/// If context is a course, then construct sql for ul
if ($context->contextlevel == CONTEXT_COURSE) {
$courseid = $context->instanceid;
$coursesql1 = "AND ul.courseid = $courseid";
} else {
$coursesql1 = '';
}
/// Sorting out roles with this capability set
if ($possibleroles = get_roles_with_capability($capability, CAP_ALLOW, $context)) {
if (!$doanything) {
if (!$sitecontext = get_context_instance(CONTEXT_SYSTEM)) {
return false; // Something is seriously wrong
}
$doanythingroles = get_roles_with_capability('moodle/site:doanything', CAP_ALLOW, $sitecontext);
}
$validroleids = array();
foreach ($possibleroles as $possiblerole) {
if (!$doanything) {
if (isset($doanythingroles[$possiblerole->id])) { // We don't want these included
continue;
}
}
if ($caps = role_context_capabilities($possiblerole->id, $context, $capability)) { // resolved list
if (isset($caps[$capability]) && $caps[$capability] > 0) { // resolved capability > 0
$validroleids[] = $possiblerole->id;
}
}
}
if (empty($validroleids)) {
return false;
}
$roleids = '('.implode(',', $validroleids).')';
} else {
return false; // No need to continue, since no roles have this capability set
}
/// Construct the main SQL
$select = " SELECT $fields";
$from = " FROM {$CFG->prefix}user u
INNER JOIN {$CFG->prefix}role_assignments ra ON ra.userid = u.id
INNER JOIN {$CFG->prefix}role r ON r.id = ra.roleid
LEFT OUTER JOIN {$CFG->prefix}user_lastaccess ul ON (ul.userid = u.id $coursesql1)";
$where = " WHERE ra.contextid ".get_related_contexts_string($context)."
AND u.deleted = 0
AND ra.roleid in $roleids
$exceptionsql
$groupsql
$hiddensql";
return get_records_sql($select.$from.$where.$sortby, $limitfrom, $limitnum);
}
/**
* gets all the users assigned this role in this context or higher
* @param int roleid (can also be an array of ints!)
* @param int contextid
* @param bool parent if true, get list of users assigned in higher context too
* @param string fields - fields from user (u.) , role assignment (ra) or role (r.)
* @param string sort - sort from user (u.) , role assignment (ra) or role (r.)
* @param bool gethidden - whether to fetch hidden enrolments too
* @return array()
*/
function get_role_users($roleid, $context, $parent=false, $fields='', $sort='u.lastname ASC', $gethidden=true) {
global $CFG;
if (empty($fields)) {
$fields = 'u.id, u.confirmed, u.username, u.firstname, u.lastname, '.
'u.maildisplay, u.mailformat, u.maildigest, u.email, u.city, '.
'u.country, u.picture, u.idnumber, u.department, u.institution, '.
'u.emailstop, u.lang, u.timezone, r.name as rolename';
}
// whether this assignment is hidden
$hiddensql = $gethidden ? '': ' AND ra.hidden = 0 ';
$parentcontexts = '';
if ($parent) {
$parentcontexts = substr($context->path, 1); // kill leading slash
$parentcontexts = str_replace('/', ',', $parentcontexts);
if ($parentcontexts !== '') {
$parentcontexts = ' OR ra.contextid IN ('.$parentcontexts.' )';
}
}
if (is_array($roleid)) {
$roleselect = ' AND ra.roleid IN (' . join(',',$roleid) .')';
} elseif (is_int($roleid)) {
$roleselect = "AND ra.roleid = $roleid";
} else {
$roleselect = '';
}
if ($group) {
$groupjoin = "JOIN {$CFG->prefix}groups_members gm
ON gm.userid = u.id";
$groupselect = " AND gm.groupid = $group ";
} else {
$groupjoin = '';
$groupselect = '';
}
$SQL = "SELECT $fields, ra.roleid
FROM {$CFG->prefix}role_assignments ra
JOIN {$CFG->prefix}user u
ON u.id = ra.userid
JOIN {$CFG->prefix}role r
ON ra.roleid = r.id
$groupjoin
WHERE (ra.contextid = $context->id $parentcontexts)
$roleselect
$groupselect
$hiddensql
ORDER BY $sort
"; // join now so that we can just use fullname() later
return get_records_sql($SQL);
}
/**
* Counts all the users assigned this role in this context or higher
* @param int roleid
* @param int contextid
* @param bool parent if true, get list of users assigned in higher context too
* @return array()
*/
function count_role_users($roleid, $context, $parent=false) {
global $CFG;
if ($parent) {
if ($contexts = get_parent_contexts($context)) {
$parentcontexts = ' OR r.contextid IN ('.implode(',', $contexts).')';
} else {
$parentcontexts = '';
}
} else {
$parentcontexts = '';
}
$SQL = "SELECT count(*)
FROM {$CFG->prefix}role_assignments r
WHERE (r.contextid = $context->id $parentcontexts)
AND r.roleid = $roleid";
return count_records_sql($SQL);
}
/**
* This function gets the list of courses that this user has a particular capability in.
* It is still not very efficient.
* @param string $capability Capability in question
* @param int $userid User ID or null for current user
* @param bool $doanything True if 'doanything' is permitted (default)
* @param string $fieldsexceptid Leave blank if you only need 'id' in the course records;
* otherwise use a comma-separated list of the fields you require, not including id
* @param string $orderby If set, use a comma-separated list of fields from course
* table with sql modifiers (DESC) if needed
* @return array Array of courses, may have zero entries. Or false if query failed.
*/
function get_user_capability_course($capability, $userid=NULL,$doanything=true,$fieldsexceptid='',$orderby='') {
// Convert fields list and ordering
$fieldlist='';
if($fieldsexceptid) {
$fields=explode(',',$fieldsexceptid);
foreach($fields as $field) {
$fieldlist.=',c.'.$field;
}
}
if($orderby) {
$fields=explode(',',$orderby);
$orderby='';
foreach($fields as $field) {
if($orderby) {
$orderby.=',';
}
$orderby.='c.'.$field;
}
$orderby='ORDER BY '.$orderby;
}
// Obtain a list of everything relevant about all courses including context.
// Note the result can be used directly as a context (we are going to), the course
// fields are just appended.
global $CFG;
$rs=get_recordset_sql("
SELECT
x.*,c.id AS courseid$fieldlist
FROM
{$CFG->prefix}course c
INNER JOIN {$CFG->prefix}context x ON c.id=x.instanceid AND x.contextlevel=".CONTEXT_COURSE."
$orderby
");
if(!$rs) {
return false;
}
// Check capability for each course in turn
$courses=array();
while($coursecontext=rs_fetch_next_record($rs)) {
if(has_capability($capability,$coursecontext,$userid,$doanything)) {
// We've got the capability. Make the record look like a course record
// and store it
$coursecontext->id=$coursecontext->courseid;
unset($coursecontext->courseid);
unset($coursecontext->contextlevel);
unset($coursecontext->instanceid);
$courses[]=$coursecontext;
}
}
return $courses;
}
/** This function finds the roles assigned directly to this context only
* i.e. no parents role
* @param object $context
* @return array
*/
function get_roles_on_exact_context($context) {
global $CFG;
return get_records_sql("SELECT r.*
FROM {$CFG->prefix}role_assignments ra,
{$CFG->prefix}role r
WHERE ra.roleid = r.id
AND ra.contextid = $context->id");
}
/**
* Switches the current user to another role for the current session and only
* in the given context.
*
* The caller *must* check
* - that this op is allowed
* - that the requested role can be assigned in this ctx
* (hint, use get_assignable_roles())
* - that the requested role is NOT $CFG->defaultuserroleid
*
* To "unswitch" pass 0 as the roleid.
*
* This function *will* modify $USER->access - beware
*
* @param integer $roleid
* @param object $context
* @return bool
*/
function role_switch($roleid, $context) {
global $USER, $CFG;
//
// Plan of action
//
// - Add the ghost RA to $USER->access
// as $USER->access['rsw'][$path] = $roleid
//
// - Make sure $USER->access['rdef'] has the roledefs
// it needs to honour the switcheroo
//
// Roledefs will get loaded "deep" here - down to the last child
// context. Note that
//
// - When visiting subcontexts, our selective accessinfo loading
// will still work fine - though those ra/rdefs will be ignored
// appropriately while the switch is in place
//
// - If a switcheroo happens at a category with tons of courses
// (that have many overrides for switched-to role), the session
// will get... quite large. Sometimes you just can't win.
//
// To un-switch just unset($USER->access['rsw'][$path])
//
if ($roleid == 0) {
unset($USER->access['rsw'][$context->path]);
if (empty($USER->access['rsw'])) {
unset($USER->access['rsw']);
}
return true;
}
// Add the switch RA
if (!isset($USER->access['rsw'])) {
$USER->access['rsw'] = array();
}
$USER->access['rsw'][$context->path]=$roleid;
// Load roledefs
$USER->access = get_role_access_bycontext($roleid, $context,
$USER->access);
/* DO WE NEED THIS AT ALL???
// Add some permissions we are really going
// to always need, even if the role doesn't have them!
$USER->capabilities[$context->id]['moodle/course:view'] = CAP_ALLOW;
*/
return true;
}
// get any role that has an override on exact context
function get_roles_with_override_on_context($context) {
global $CFG;
return get_records_sql("SELECT r.*
FROM {$CFG->prefix}role_capabilities rc,
{$CFG->prefix}role r
WHERE rc.roleid = r.id
AND rc.contextid = $context->id");
}
// get all capabilities for this role on this context (overrids)
function get_capabilities_from_role_on_context($role, $context) {
global $CFG;
return get_records_sql("SELECT *
FROM {$CFG->prefix}role_capabilities
WHERE contextid = $context->id
AND roleid = $role->id");
}
// find out which roles has assignment on this context
function get_roles_with_assignment_on_context($context) {
global $CFG;
return get_records_sql("SELECT r.*
FROM {$CFG->prefix}role_assignments ra,
{$CFG->prefix}role r
WHERE ra.roleid = r.id
AND ra.contextid = $context->id");
}
/**
* Find all user assignemnt of users for this role, on this context
*/
function get_users_from_role_on_context($role, $context) {
global $CFG;
return get_records_sql("SELECT *
FROM {$CFG->prefix}role_assignments
WHERE contextid = $context->id
AND roleid = $role->id");
}
/**
* Simple function returning a boolean true if roles exist, otherwise false
*/
function user_has_role_assignment($userid, $roleid, $contextid=0) {
if ($contextid) {
return record_exists('role_assignments', 'userid', $userid, 'roleid', $roleid, 'contextid', $contextid);
} else {
return record_exists('role_assignments', 'userid', $userid, 'roleid', $roleid);
}
}
/**
* Inserts all parental context and self into context_rel table
*
* @param object $context-context to be deleted
* @param bool deletechild - deltes child contexts dependencies
*/
function insert_context_rel($context, $deletechild=true, $deleteparent=true) {
// first check validity
// MDL-9057
if (!validate_context($context->contextlevel, $context->instanceid)) {
debugging('Error: Invalid context creation request for level "' .
s($context->contextlevel) . '", instance "' . s($context->instanceid) . '".');
return NULL;
}
// removes all parents
if ($deletechild) {
delete_records('context_rel', 'c2', $context->id);
}
if ($deleteparent) {
delete_records('context_rel', 'c1', $context->id);
}
// insert all parents
if ($parents = get_parent_contexts($context)) {
$parents[] = $context->id;
foreach ($parents as $parent) {
$rec = new object;
$rec ->c1 = $context->id;
$rec ->c2 = $parent;
insert_record('context_rel', $rec);
}
}
}
/**
* rebuild context_rel table without deleting
*/
function build_context_rel() {
global $CFG, $db;
$savedb = $db->debug;
// MDL-10679, only identify contexts with overrides in them
$contexts = get_records_sql("SELECT c.* FROM {$CFG->prefix}context c,
{$CFG->prefix}role_capabilities rc
WHERE c.id = rc.contextid");
// total number of records
// subtract one because the site context should not be calculated, will not be processed
$total = count($contexts) - 1;
// processed records
$done = 0;
print_progress($done, $total, 10, 0, 'Processing context relations');
$db->debug = false;
//if ($contexts = get_records('context')) {
foreach ($contexts as $context) {
// no need to delete because it's all empty
insert_context_rel($context, false, false);
$db->debug = true;
print_progress(++$done, $total, 10, 0, 'Processing context relations');
$db->debug = false;
}
$db->debug = $savedb;
}
// gets the custom name of the role in course
// TODO: proper documentation
function role_get_name($role, $context) {
if ($r = get_record('role_names','roleid', $role->id,'contextid', $context->id)) {
return format_string($r->text);
} else {
return format_string($role->name);
}
}
/*
* @param int object - context object (node), from which we find all it's children
* and rebuild all associated context_rel info
* this is needed when a course or course category is moved
* as the children's relationship to grandparents needs to be fixed
* @return int number of contexts rebuilt
*/
function rebuild_context_rel($context) {
$contextlist = array();
if (record_exists('role_capabilities', 'contextid', $context->id)) {
$contextlist[] = $context;
}
// find all children used in context_rel
if ($childcontexts = get_records('context_rel', 'c2', $context->id)) {
foreach ($childcontexts as $childcontext) {
$contextlist[$childcontext->c1] = get_record('context', 'id', $childcontext->c1);
}
}
$i = 0;
// rebuild all the contexts of this list
foreach ($contextlist as $c) {
insert_context_rel($c);
$i++;
}
return $i;
}
/**
* This function helps admin/roles/manage.php etc to detect if a new line should be printed
* when we read in a new capability
* most of the time, if the 2 components are different we should print a new line, (e.g. course system->rss client)
* but when we are in grade, all reports/import/export capabilites should be together
* @param string a - component string a
* @param string b - component string b
* @return bool - whether 2 component are in different "sections"
*/
function component_level_changed($cap, $comp, $contextlevel) {
if ($cap->component == 'enrol/authorize' && $comp =='enrol/authorize') {
return false;
}
if (strstr($cap->component, '/') && strstr($comp, '/')) {
$compsa = explode('/', $cap->component);
$compsb = explode('/', $comp);
// we are in gradebook, still
if (($compsa[0] == 'gradeexport' || $compsa[0] == 'gradeimport' || $compsa[0] == 'gradereport') &&
($compsb[0] == 'gradeexport' || $compsb[0] == 'gradeimport' || $compsb[0] == 'gradereport')) {
return false;
}
}
return ($cap->component != $comp || $cap->contextlevel != $contextlevel);
}
/**
* Populate context.path and context.depth
*/
function build_context_path() {
global $CFG;
// Site
$sitectx = get_field('context', 'id','contextlevel', CONTEXT_SYSTEM);
$base = "/$sitectx";
set_field('context', 'path', $base, 'id', $sitectx);
set_field('context', 'depth', 1, 'id', $sitectx);
// Sitecourse
$ctxid = get_field('context', 'id','contextlevel', CONTEXT_COURSE,
'instanceid', SITEID);
set_field('context', 'path', "$base/$ctxid", 'id', $ctxid);
set_field('context', 'depth', 2, 'id', $ctxid);
// Top level categories
$sql = "UPDATE {$CFG->prefix}context
SET depth=2, path='$base/' || id
WHERE contextlevel=".CONTEXT_COURSECAT."
AND instanceid IN
(SELECT id
FROM {$CFG->prefix}course_categories
WHERE depth=1)";
execute_sql($sql, false);
// Deeper categories - one query per depthlevel
$maxdepth = get_field_sql("SELECT MAX(depth)
FROM {$CFG->prefix}course_categories");
for ($n=2;$n<=$maxdepth;$n++) {
$sql = "UPDATE {$CFG->prefix}context
SET depth=$n+1, path=it.ppath || '/' || id
FROM (SELECT c.id AS instanceid, pctx.path AS ppath
FROM {$CFG->prefix}course_categories c
JOIN {$CFG->prefix}context pctx
ON (c.parent=pctx.instanceid
AND pctx.contextlevel=".CONTEXT_COURSECAT.")
WHERE c.depth=$n) it
WHERE contextlevel=".CONTEXT_COURSECAT."
AND {$CFG->prefix}context.instanceid=it.instanceid";
execute_sql($sql, false);
}
// Courses -- except sitecourse
$sql = "UPDATE {$CFG->prefix}context
SET depth=it.pdepth+1, path=it.ppath || '/' || id
FROM (SELECT c.id AS instanceid, pctx.path AS ppath,
pctx.depth as pdepth
FROM {$CFG->prefix}course c
JOIN {$CFG->prefix}context pctx
ON (c.category=pctx.instanceid
AND pctx.contextlevel=".CONTEXT_COURSECAT.")
WHERE c.id != ".SITEID.") it
WHERE contextlevel=".CONTEXT_COURSE."
AND {$CFG->prefix}context.instanceid=it.instanceid";
execute_sql($sql, false);
// Module instances
$sql = "UPDATE {$CFG->prefix}context
SET depth=it.pdepth+1, path=it.ppath || '/' || id
FROM (SELECT cm.id AS instanceid, pctx.path AS ppath,
pctx.depth as pdepth
FROM {$CFG->prefix}course_modules cm
JOIN {$CFG->prefix}context pctx
ON (cm.course=pctx.instanceid
AND pctx.contextlevel=".CONTEXT_COURSE.")
) it
WHERE contextlevel=".CONTEXT_MODULE."
AND {$CFG->prefix}context.instanceid=it.instanceid";
execute_sql($sql, false);
// Blocks - non-pinned only
$sql = "UPDATE {$CFG->prefix}context
SET depth=it.pdepth+1, path=it.ppath || '/' || id
FROM (SELECT bi.id AS instanceid, pctx.path AS ppath,
pctx.depth as pdepth
FROM {$CFG->prefix}block_instance bi
JOIN {$CFG->prefix}context pctx
ON (bi.pageid=pctx.instanceid
AND bi.pagetype='course-view'
AND pctx.contextlevel=".CONTEXT_COURSE.")
) it
WHERE contextlevel=".CONTEXT_BLOCK."
AND {$CFG->prefix}context.instanceid=it.instanceid";
execute_sql($sql, false);
// User
$sql = "UPDATE {$CFG->prefix}context
SET depth=2, path='$base/' || id
WHERE contextlevel=".CONTEXT_USER."
AND instanceid IN
(SELECT id
FROM {$CFG->prefix}user)";
execute_sql($sql, false);
// Personal TODO
}
/**
* Turn the ctx* fields in an objectlike record
* into a context subobject. This allows
* us to SELECT from major tables JOINing with
* context at no cost, saving a ton of context
* lookups...
*/
function make_context_subobj($rec) {
$ctx = new StdClass;
$ctx->id = $rec->ctxid; unset($rec->ctxid);
$ctx->path = $rec->ctxpath; unset($rec->ctxpath);
$ctx->depth = $rec->ctxdepth; unset($rec->ctxdepth);
$ctx->instanceid = $rec->id;
$ctx->contextlevel = CONTEXT_COURSE;
$rec->context = $ctx;
return $rec;
}
/*
* Fetch recent dirty contexts to know cheaply whether our $USER->access
* is stale and needs to be reloaded.
*
* Uses config_plugins.
*
*/
function get_dirty_contexts($time=NULL) {
global $CFG;
$timecond = '';
if (!is_null($time)) {
$timecond = " AND CAST(value to integer) > $time";
}
$sql = "SELECT name, value
FROM {$CFG->prefix}config_plugins
WHERE plugin='accesslib/dirtycontexts'
$timecond";
if ($ctx = get_records_sql($sql)) {
return $ctx;
}
return array();
}
/*
* Mark a context as dirty (with timestamp)
* so as to force reloading of the context.
*
*/
function mark_context_dirty($path) {
// Trivial (for now?)
set_config($path, time(), 'accesslib/dirtycontexts');
}
/*
* Cleanup all the old/stale dirty contexts.
* Any context exceeding our session
* timeout is stale. We only keep these for ongoing
* sessions.
*
*/
function cleanup_dirty_contexts() {
global $CFG;
$sql = "plugin='accesslib/dirtycontexts' AND
CAST(value to integer) < " . time() - $CFG->sessiontimeout;
delete_records_select('config_plugins', $sql);
}
?>
Reference in New Issue View Git Blame Copy Permalink