Student publications: Allow teacher to access work in session BT#18352

If config: assignment_base_course_teacher_access_to_all_session
5 years ago · 0adabeb947
parent d81494bfeb
commit 0adabeb947
3 changed files with 65 additions and 42 deletions
--- a/main/work/download_comment_file.php
+++ b/main/work/download_comment_file.php
@ -1,4 +1,5 @@
 <?php
+
 /* For licensing terms, see /license.txt */

 /**
@ -6,55 +7,60 @@
 *  Html files are parsed to fix a few problems with URLs,
 *  but this code will hopefully be replaced soon by an Apache URL
 *  rewrite mechanism.
- *
- * @package chamilo.work
 */
 require_once __DIR__.'/../inc/global.inc.php';
 require_once 'work.lib.php';

-// Course protection
 api_protect_course_script(true);

-$commentId = isset($_GET['comment_id']) ? intval($_GET['comment_id']) : null;
+$commentId = isset($_GET['comment_id']) ? (int) $_GET['comment_id'] : null;
 if (empty($commentId)) {
    api_not_allowed(true);
 }
 $workData = getWorkComment($commentId);
 $courseInfo = api_get_course_info();

-if (!empty($workData)) {
-    if (empty($workData['file_path']) ||
-        (isset($workData['file_path']) && !file_exists($workData['file_path']))
-    ) {
-        api_not_allowed(true);
-    }
+if (empty($workData)) {
+    api_not_allowed(true);
+}

-    $work = get_work_data_by_id($workData['work_id']);
+if (empty($workData['file_path']) ||
+    (isset($workData['file_path']) && !file_exists($workData['file_path']))
+) {
+    api_not_allowed(true);
+}
+
+$work = get_work_data_by_id($workData['work_id']);
+
+protectWork($courseInfo, $work['parent_id']);

-    protectWork($courseInfo, $work['parent_id']);
+$userHasAccess = api_is_coach() ||
+    api_is_allowed_to_edit(false, false, true) ||
+    user_is_author($workData['work_id']);

-    $userHasAccess = api_is_coach() ||
-        api_is_allowed_to_edit(false, false, true) ||
-        user_is_author($workData['work_id']);
+$allowBaseCourseTeacher = api_get_configuration_value('assignment_base_course_teacher_access_to_all_session');
+if (false === $userHasAccess && $allowBaseCourseTeacher) {
+    // Check if user is base course teacher.
+    if (CourseManager::is_course_teacher(api_get_user_id(), $courseInfo['code'])) {
+        $userHasAccess = true;
+    }
+}

-    if ($userHasAccess ||
-        $courseInfo['show_score'] == 0 &&
-        $work['active'] == 1 &&
-        $work['accepted'] == 1
+if ($userHasAccess ||
+    $courseInfo['show_score'] == 0 &&
+    $work['active'] == 1 &&
+    $work['accepted'] == 1
+) {
+    if (Security::check_abs_path(
+        $workData['file_path'],
+        api_get_path(SYS_COURSE_PATH).api_get_course_path().'/'
+    )
    ) {
-        if (Security::check_abs_path(
+        DocumentManager::file_send_for_download(
            $workData['file_path'],
-            api_get_path(SYS_COURSE_PATH).api_get_course_path().'/'
-        )
-        ) {
-            DocumentManager::file_send_for_download(
-                $workData['file_path'],
-                true,
-                $workData['file_name_to_show']
-            );
-        }
-    } else {
-        api_not_allowed(true);
+            true,
+            $workData['file_name_to_show']
+        );
    }
 } else {
    api_not_allowed(true);
--- a/main/work/edit.php
+++ b/main/work/edit.php
@ -1,4 +1,5 @@
 <?php
+
 /* For licensing terms, see /license.txt */

 require_once __DIR__.'/../inc/global.inc.php';
@ -24,8 +25,7 @@ $is_allowed_to_edit = api_is_allowed_to_edit();
 $course_id = api_get_course_int_id();
 $user_id = api_get_user_id();
 $session_id = api_get_session_id();
-$course_code = api_get_course_id();
-$course_info = api_get_course_info();
+$courseInfo = api_get_course_info();

 if (empty($work_id) || empty($item_id)) {
    api_not_allowed(true);
@ -45,6 +45,16 @@ $is_course_member = CourseManager::is_user_subscribed_in_real_or_linked_course(

 $is_course_member = $is_course_member || api_is_platform_admin();

+$allowBaseCourseTeacher = api_get_configuration_value('assignment_base_course_teacher_access_to_all_session');
+$isCourseTeacher = false;
+if (false === $is_course_member && $allowBaseCourseTeacher) {
+    // Check if user is base course teacher.
+    if (CourseManager::is_course_teacher(api_get_user_id(), $courseInfo['code'])) {
+        $is_course_member = true;
+        $isCourseTeacher = true;
+    }
+}
+
 if (false == $is_course_member) {
    api_not_allowed(true);
 }
@ -54,11 +64,10 @@ $token = Security::get_token();

 $student_can_edit_in_session = api_is_allowed_to_session_edit(false, true);
 $has_ended = false;
-$is_author = false;
 $work_item = get_work_data_by_id($item_id);

 // Get the author ID for that document from the item_property table
-$is_author = user_is_author($item_id);
+$is_author = user_is_author($item_id) || $isCourseTeacher;

 if (!$is_author) {
    api_not_allowed(true);
--- a/main/work/view.php
+++ b/main/work/view.php
@ -14,7 +14,8 @@ if (empty($work)) {
    api_not_allowed(true);
 }

-protectWork(api_get_course_info(), $work['parent_id']);
+$courseInfo = api_get_course_info();
+protectWork($courseInfo, $work['parent_id']);

 $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : null;
 $page = isset($_REQUEST['page']) ? $_REQUEST['page'] : null;
@ -29,10 +30,17 @@ $interbreadcrumb[] = [
 ];

 $folderData = get_work_data_by_id($work['parent_id']);
-$courseInfo = api_get_course_info();
-
+$currentUserId = api_get_user_id();
 $isCourseManager = api_is_platform_admin() || api_is_coach() || api_is_allowed_to_edit(false, false, true);

+$allowBaseCourseTeacher = api_get_configuration_value('assignment_base_course_teacher_access_to_all_session');
+if (false === $isCourseManager && $allowBaseCourseTeacher) {
+    // Check if user is base course teacher.
+    if (CourseManager::is_course_teacher($currentUserId, $courseInfo['code'])) {
+        $isCourseManager = true;
+    }
+}
+
 $allowEdition = false;
 if ($isCourseManager) {
    $allowEdition = true;
@ -46,13 +54,13 @@ if (api_is_platform_admin()) {
 }

 $isDrhOfCourse = CourseManager::isUserSubscribedInCourseAsDrh(
-    api_get_user_id(),
+    $currentUserId,
    $courseInfo
 );

-$isDrhOfSession = !empty(SessionManager::getSessionFollowedByDrh(api_get_user_id(), $work['session_id']));
+$isDrhOfSession = !empty(SessionManager::getSessionFollowedByDrh($currentUserId, $work['session_id']));

-if ((user_is_author($id) || $isDrhOfCourse || $allowEdition || $isDrhOfSession) ||
+if (($isDrhOfCourse || $allowEdition || $isDrhOfSession  || user_is_author($id)) ||
    (
        0 == $courseInfo['show_score'] &&
        1 == $work['active'] &&
@ -75,7 +83,7 @@ if ((user_is_author($id) || $isDrhOfCourse || $allowEdition || $isDrhOfSession)
        1 == $work['active'] &&
        1 == $work['accepted']
        ) ||
-        $isCourseManager || user_is_author($id) || $isDrhOfCourse || $isDrhOfSession
+        $isCourseManager || $isDrhOfCourse || $isDrhOfSession || user_is_author($id)
    ) {
        if ($page === 'edit') {
            $url = api_get_path(WEB_CODE_PATH).'work/edit.php?id='.$folderData['id'].'&item_id='.$work['id'].'&'.api_get_cidreq();