Search moodle.org's
Developer Documentation
Developer Documentation
- Bug fixes for general core bugs in 3.11.x will end 14 Nov 2022 (12 months plus 6 months extension).
- Bug fixes for security issues in 3.11.x will end 13 Nov 2023 (18 months plus 12 months extension).
- PHP version: minimum PHP 7.3.0 Note: minimum PHP version has increased since Moodle 3.10. PHP 7.4.x is supported too.
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Helper functions to implement the complex get_user_capability_course function.
*
* @package core
* @copyright 2017 The Open University
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\access;
defined('MOODLE_INTERNAL') || die();
/**
* Helper functions to implement the complex get_user_capability_course function.
*
* @package core
* @copyright 2017 The Open University
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class get_user_capability_course_helper {
/**
* Based on the given user's access data (roles) and system role definitions, works out
* an array of capability values at each relevant context for the given user and capability.
*
* This is organised by the effective context path (the one at which the capability takes
* effect) and then by role id. Note, however, that the resulting array only has
* the information that will be needed later. If there are Prohibits present in some
* roles, then they cannot be overridden by other roles or role overrides in lower contexts,
* therefore, such information, if any, is absent from the results.
*
* @param int $userid User id
* @param string $capability Capability e.g. 'moodle/course:view'
* @return array Array of capability constants, indexed by context path and role id
*/
protected static function get_capability_info_at_each_context($userid, $capability) {
// Get access data for user.
$accessdata = get_user_accessdata($userid);
// Get list of roles for user (any location) and information about these roles.
$roleids = [];
foreach ($accessdata['ra'] as $path => $roles) {
foreach ($roles as $roleid) {
$roleids[$roleid] = true;
}
}
$rdefs = get_role_definitions(array_keys($roleids));
// A prohibit in any relevant role prevents the capability
// in that context and all subcontexts. We need to track that.
// Here, the array keys are the paths where there is a prohibit the values are the role id.
$prohibitpaths = [];
// Get data for required capability at each context path where the user has a role that can
// affect it.
$pathroleperms = [];
foreach ($accessdata['ra'] as $rapath => $roles) {
foreach ($roles as $roleid) {
// Get role definition for that role.
foreach ($rdefs[$roleid] as $rdefpath => $caps) {
// Ignore if this override/definition doesn't refer to the relevant cap.
if (!array_key_exists($capability, $caps)) {
continue;
}
// Check a role definition or override above ra.
if (self::path_is_above($rdefpath, $rapath)) {
// Note that $rdefs is sorted by path, so if a more specific override
// exists, it will be processed later and override this one.
$effectivepath = $rapath;
} else if (self::path_is_above($rapath, $rdefpath)) {
$effectivepath = $rdefpath;
} else {
// Not inside an area where the user has the role, so ignore.
continue;
}
// Check for already seen prohibits in higher context. Overrides can't change that.
if (self::any_path_is_above($prohibitpaths, $effectivepath)) {
continue;
}
// This is a releavant role assignment / permission combination. Save it.
if (!array_key_exists($effectivepath, $pathroleperms)) {
$pathroleperms[$effectivepath] = [];
}
$pathroleperms[$effectivepath][$roleid] = $caps[$capability];
// Update $prohibitpaths if necessary.
if ($caps[$capability] == CAP_PROHIBIT) {
// First remove any lower-context prohibits that might have come from other roles.
foreach ($prohibitpaths as $otherprohibitpath => $notused) {
if (self::path_is_above($effectivepath, $otherprohibitpath)) {
unset($prohibitpaths[$otherprohibitpath]);
}
}
$prohibitpaths[$effectivepath] = $roleid;
}
}
}
}
// Finally, if a later role had a higher-level prohibit that an earlier role,
// there may be more bits we can prune - but don't prune the prohibits!
foreach ($pathroleperms as $effectivepath => $roleperms) {
if ($roleid = self::any_path_is_above($prohibitpaths, $effectivepath)) {
unset($pathroleperms[$effectivepath]);
$pathroleperms[$effectivepath][$roleid] = CAP_PROHIBIT;
}
}
return $pathroleperms;
}
/**
* Test if a context path $otherpath is the same as, or underneath, $parentpath.
*
* @param string $parentpath the path of the parent context.
* @param string $otherpath the path of another context.
* @return bool true if $otherpath is underneath (or equal to) $parentpath.
*/
protected static function path_is_above($parentpath, $otherpath) {
return preg_match('~^' . $parentpath . '($|/)~', $otherpath);
}
/**
* Test if a context path $otherpath is the same as, or underneath, any of $prohibitpaths.
*
* @param array $prohibitpaths array keys are context paths.
* @param string $otherpath the path of another context.
* @return int releavant $roleid if $otherpath is underneath (or equal to)
* any of the $prohibitpaths, 0 otherwise (so, can be used as a bool).
*/
protected static function any_path_is_above($prohibitpaths, $otherpath) {
foreach ($prohibitpaths as $prohibitpath => $roleid) {
if (self::path_is_above($prohibitpath, $otherpath)) {
return $roleid;
}
}
return 0;
}
/**
* Calculates a permission tree based on an array of information about role permissions.
*
* The input parameter must be in the format returned by get_capability_info_at_each_context.
*
* The output is the root of a tree of stdClass objects with the fields 'path' (a context path),
* 'allow' (true or false), and 'children' (an array of similar objects).
*
* @param array $pathroleperms Array of permissions
* @return \stdClass Root object of permission tree
*/
protected static function calculate_permission_tree(array $pathroleperms) {
// Considering each discovered context path as an inflection point, evaluate the user's
// permission (based on all roles) at each point.
$pathallows = [];
$mindepth = 1000;
$maxdepth = 0;
foreach ($pathroleperms as $path => $roles) {
$evaluatedroleperms = [];
// Walk up the tree starting from this path.
$innerpath = $path;
while ($innerpath !== '') {
$roles = $pathroleperms[$innerpath];
// Evaluate roles at this path level.
foreach ($roles as $roleid => $perm) {
if (!array_key_exists($roleid, $evaluatedroleperms)) {
$evaluatedroleperms[$roleid] = $perm;
} else {
// The existing one is at a more specific level so it takes precedence
// UNLESS this is a prohibit.
if ($perm == CAP_PROHIBIT) {
$evaluatedroleperms[$roleid] = $perm;
}
}
}
// Go up to next path level (if any).
do {
$innerpath = substr($innerpath, 0, strrpos($innerpath, '/'));
if ($innerpath === '') {
// No higher level data.
break;
}
} while (!array_key_exists($innerpath, $pathroleperms));
}
// If we have an allow from any role, and no prohibits, then user can access this path,
// else not.
$allow = false;
foreach ($evaluatedroleperms as $perm) {
if ($perm == CAP_ALLOW) {
$allow = true;
} else if ($perm == CAP_PROHIBIT) {
$allow = false;
break;
}
}
// Store the result based on path and depth so that we can process in depth order in
// the next step.
$depth = strlen(preg_replace('~[^/]~', '', $path));
$mindepth = min($depth, $mindepth);
$maxdepth = max($depth, $maxdepth);
$pathallows[$depth][$path] = $allow;
}
// Organise into a tree structure, processing in depth order so that we have ancestors
// set up before we encounter their children.
$root = (object)['allow' => false, 'path' => null, 'children' => []];
$nodesbypath = [];
for ($depth = $mindepth; $depth <= $maxdepth; $depth++) {
// Skip any missing depth levels.
if (!array_key_exists($depth, $pathallows)) {
continue;
}
foreach ($pathallows[$depth] as $path => $allow) {
// Value for new tree node.
$leaf = (object)['allow' => $allow, 'path' => $path, 'children' => []];
// Try to find a place to join it on if there is one.
$ancestorpath = $path;
$found = false;
while ($ancestorpath) {
$ancestorpath = substr($ancestorpath, 0, strrpos($ancestorpath, '/'));
if (array_key_exists($ancestorpath, $nodesbypath)) {
$found = true;
break;
}
}
if ($found) {
$nodesbypath[$ancestorpath]->children[] = $leaf;
} else {
$root->children[] = $leaf;
}
$nodesbypath[$path] = $leaf;
}
}
return $root;
}
/**
* Given a permission tree (in calculate_permission_tree format), removes any subtrees that
* are negative from the root. For example, if a top-level node of the permission tree has
* 'false' permission then it is meaningless because the default permission is already false;
* this function will remove it. However, if there is a child within that node that is positive,
* then that will need to be kept.
*
* @param \stdClass $root Root object
* @return \stdClass Filtered tree root
*/
protected static function remove_negative_subtrees($root) {
// If a node 'starts' negative, we don't need it (as negative is the default) - extract only
// subtrees that start with a positive value.
$positiveroot = (object)['allow' => false, 'path' => null, 'children' => []];
$consider = [$root];
while ($consider) {
$first = array_shift($consider);
foreach ($first->children as $node) {
if ($node->allow) {
// Add directly to new root.
$positiveroot->children[] = $node;
} else {
// Consider its children for adding to root (if there are any positive ones).
$consider[] = $node;
}
}
}
return $positiveroot;
}
/**
* Removes duplicate nodes of a tree - where a child node has the same permission as its
* parent.
*
* @param \stdClass $parent Tree root node
*/
protected static function remove_duplicate_nodes($parent) {
$length = count($parent->children);
$index = 0;
while ($index < $length) {
$child = $parent->children[$index];
if ($child->allow === $parent->allow) {
// Remove child node, but add its children to this node instead.
array_splice($parent->children, $index, 1);
$length--;
$index--;
foreach ($child->children as $grandchild) {
$parent->children[] = $grandchild;
$length++;
}
} else {
// Keep child node, but recurse to remove its unnecessary children.
self::remove_duplicate_nodes($child);
}
$index++;
}
}
/**
* Gets a permission tree for the given user and capability, representing the value of that
* capability at different contexts across the system. The tree will be simplified as far as
* possible.
*
* The output is the root of a tree of stdClass objects with the fields 'path' (a context path),
* 'allow' (true or false), and 'children' (an array of similar objects).
*
* @param int $userid User id
* @param string $capability Capability e.g. 'moodle/course:view'
* @return \stdClass Root node of tree
*/
protected static function get_tree($userid, $capability) {
// Extract raw capability data for this user and capability.
$pathroleperms = self::get_capability_info_at_each_context($userid, $capability);
// Convert the raw data into a permission tree based on context.
$root = self::calculate_permission_tree($pathroleperms);
unset($pathroleperms);
// Simplify the permission tree by removing unnecessary nodes.
$root = self::remove_negative_subtrees($root);
self::remove_duplicate_nodes($root);
// Return the tree.
return $root;
}
/**
* Creates SQL suitable for restricting by contexts listed in the given permission tree.
*
* This function relies on the permission tree being in the format created by get_tree.
* Specifically, all the children of the root element must be set to 'allow' permission,
* children of those children must be 'not allow', children of those grandchildren 'allow', etc.
*
* @param \stdClass $parent Root node of permission tree
* @return array Two-element array of SQL (containing ? placeholders) and then a params array
*/
protected static function create_sql($parent) {
global $DB;
$sql = '';
$params = [];
if ($parent->path !== null) {
// Except for the root element, create the condition that it applies to the context of
// this element (or anything within it).
$sql = ' (x.path = ? OR ' . $DB->sql_like('x.path', '?') .')';
$params[] = $parent->path;
$params[] = $parent->path . '/%';
if ($parent->children) {
// When there are children, these are assumed to have the opposite sign i.e. if we
// are allowing the parent, we are not allowing the children, and vice versa. So
// the 'OR' clause for children will be inside this 'AND NOT'.
$sql .= ' AND NOT (';
}
} else if (count($parent->children) > 1) {
// Place brackets in the query when it is going to be an OR of multiple conditions.
$sql .= ' (';
}
if ($parent->children) {
$first = true;
foreach ($parent->children as $child) {
if ($first) {
$first = false;
} else {
$sql .= ' OR';
}
// Recuse to get the child requirements - this will be the check that the context
// is within the child, plus possibly and 'AND NOT' for any different contexts
// within the child.
list ($childsql, $childparams) = self::create_sql($child);
$sql .= $childsql;
$params = array_merge($params, $childparams);
}
// Close brackets if opened above.
if ($parent->path !== null || count($parent->children) > 1) {
$sql .= ')';
}
}
return [$sql, $params];
}
/**
* Gets SQL to restrict a query to contexts in which the user has a capability.
*
* This returns an array with two elements (SQL containing ? placeholders, and a params array).
* The SQL is intended to be used as part of a WHERE clause. It relies on the prefix 'x' being
* used for the Moodle context table.
*
* If the user does not have the permission anywhere at all (so that there is no point doing
* the query) then the two returned values will both be false.
*
* @param int $userid User id
* @param string $capability Capability e.g. 'moodle/course:view'
* @return array Two-element array of SQL (containing ? placeholders) and then a params array
*/
public static function get_sql($userid, $capability) {
// Get a tree of capability permission at various contexts for current user.
$root = self::get_tree($userid, $capability);
// The root node always has permission false. If there are no child nodes then the user
// cannot access anything.
if (!$root->children) {
return [false, false];
}
// Get SQL to limit contexts based on the permission tree.
return self::create_sql($root);
}
>
}
> /**
> * Map fieldnames to get ready for the SQL query.
> *
> * @param string $fieldsexceptid A comma-separated list of the fields you require, not including id.
> * Add ctxid, ctxpath, ctxdepth etc to return course context information for preloading.
> * @return string Mapped field list for the SQL query.
> */
> public static function map_fieldnames(string $fieldsexceptid = ''): string {
> // Convert fields list and ordering.
> $fieldlist = '';
> if ($fieldsexceptid) {
> $fields = array_map('trim', explode(',', $fieldsexceptid));
> foreach ($fields as $field) {
> // Context fields have a different alias.
> if (strpos($field, 'ctx') === 0) {
> switch($field) {
> case 'ctxlevel' :
> $realfield = 'contextlevel';
> break;
> case 'ctxinstance' :
> $realfield = 'instanceid';
> break;
> default:
> $realfield = substr($field, 3);
> break;
> }
> $fieldlist .= ',x.' . $realfield . ' AS ' . $field;
> } else {
> $fieldlist .= ',c.'.$field;
> }
> }
> }
> return $fieldlist;
> }
