Internal: Add cidReq to validate course access in Lp - refs BT#21540

1 year ago · 0e26fd9a63
parent d36d2d7fab
commit 0e26fd9a63
5 changed files with 30 additions and 25 deletions
--- a/public/main/exercise/exercise.class.php
+++ b/public/main/exercise/exercise.class.php
@ -9784,7 +9784,7 @@ class Exercise
        ];
    }

-    public static function saveExerciseInLp($safe_item_id, $safe_exe_id)
+    public static function saveExerciseInLp($safe_item_id, $safe_exe_id, $course_id = null)
    {
        $lp = Session::read('oLP');

@ -9796,7 +9796,9 @@ class Exercise
        }

        $viewId = $lp->get_view_id();
-        $course_id = api_get_course_int_id();
+        if (!isset($course_id)) {
+            $course_id = api_get_course_int_id();
+        }
        $userId = (int) api_get_user_id();
        $viewId = (int) $viewId;

--- a/public/main/inc/lib/api.lib.php
+++ b/public/main/inc/lib/api.lib.php
@ -888,6 +888,9 @@ function api_valid_email($address)
 function api_protect_course_script($print_headers = false, $allow_session_admins = false, string $checkTool = '', $cid = null): bool
 {
    $course_info = api_get_course_info();
+    if (empty($course_info) && isset($_REQUEST['cid'])) {
+        $course_info = api_get_course_info_by_id((int) $_REQUEST['cid']);
+    }

    if (isset($cid)) {
        $course_info = api_get_course_info_by_id($cid);
--- a/public/main/inc/lib/usermanager.lib.php
+++ b/public/main/inc/lib/usermanager.lib.php
@ -4559,11 +4559,11 @@ class UserManager
            if (1 == $num_rows) {
                $row = Database::fetch_array($rs);

-                return $row['uid'];
+                return (int) $row['uid'];
            } else {
                $my_num_rows = $num_rows;

-                return Database::result($rs, $my_num_rows - 1, 'uid');
+                return (int) Database::result($rs, $my_num_rows - 1, 'uid');
            }
        } elseif ($session > 0) {
            $sql = 'SELECT u.id as uid FROM '.$table_user.' u
@ -4576,7 +4576,7 @@ class UserManager
            if (Database::num_rows($rs) > 0) {
                $row = Database::fetch_assoc($rs);

-                return $row['uid'];
+                return (int) $row['uid'];
            }
        }

--- a/public/main/lp/lp_controller.php
+++ b/public/main/lp/lp_controller.php
@ -27,12 +27,12 @@ $debug = false;
 $current_course_tool = TOOL_LEARNPATH;
 $lpItemId = isset($_REQUEST['id']) ? (int) $_REQUEST['id'] : 0;
 $lpId = isset($_REQUEST['lp_id']) ? (int) $_REQUEST['lp_id'] : 0;
-$course_id = api_get_course_int_id();
-$session_id = api_get_session_id();
+$courseId = isset($_REQUEST['cid']) ? (int) $_REQUEST['cid'] : api_get_course_int_id();
+$sessionId = isset($_REQUEST['sid']) ? (int) $_REQUEST['sid'] : api_get_session_id();
 $lpRepo = Container::getLpRepository();
 $lpItemRepo = Container::getLpItemRepository();
-$courseInfo = api_get_course_info();
-$course = api_get_course_entity();
+$courseInfo = api_get_course_info_by_id($courseId);
+$course = api_get_course_entity($courseId);
 $userId = api_get_user_id();
 $glossaryExtraTools = api_get_setting('show_glossary_in_extra_tools');
 $showGlossary = in_array($glossaryExtraTools, ['true', 'lp', 'exercise_and_lp']);
@ -71,15 +71,15 @@ if (!empty($lpObject)) {
    if (isset($oLP) && is_object($oLP)) {
        if (1 == $myrefresh ||
            empty($oLP->cc) ||
-            $oLP->cc != api_get_course_id() ||
-            $oLP->lp_view_session_id != $session_id
+            $oLP->cc != $course->getCode() ||
+            $oLP->lp_view_session_id != $sessionId
        ) {
            if ($debug) {
                error_log('Course has changed, discard lp object');
                error_log('$oLP->lp_view_session_id: '.$oLP->lp_view_session_id);
-                error_log('api_get_session_id(): '.$session_id);
+                error_log('api_get_session_id(): '.$sessionId);
                error_log('$oLP->cc: '.$oLP->cc);
-                error_log('api_get_course_id(): '.api_get_course_id());
+                error_log('api_get_course_id(): '.$course->getCode());
            }

            if (1 === $myrefresh) {
@ -237,11 +237,8 @@ switch ($action) {
    case 'send_notify_teacher':
        // Send notification to the teacher
        $studentInfo = api_get_user_info();
-        $course_info = api_get_course_info();
-        $sessionId = api_get_session_id();
-
-        $courseName = $course_info['title'];
-        $courseUrl = $course_info['course_public_url'];
+        $courseName = $courseInfo['title'];
+        $courseUrl = $courseInfo['course_public_url'];
        if (!empty($sessionId)) {
            $sessionInfo = api_get_session_info($sessionId);
            $courseName = $sessionInfo['name'];
@ -249,7 +246,7 @@ switch ($action) {
        }

        $url = Display::url($courseName, $courseUrl, ['title' => get_lang('Go to the course')]);
-        $coachList = CourseManager::get_coachs_from_course($sessionId, api_get_course_int_id());
+        $coachList = CourseManager::get_coachs_from_course($sessionId, $courseId);
        foreach ($coachList as $coach_course) {
            $recipientName = $coach_course['full_name'];
            $coachInfo = api_get_user_info($coach_course['user_id']);
@ -693,7 +690,7 @@ switch ($action) {
        if (!$lp_found) {
            require 'lp_list.php';
        } else {
-            $result = ScormExport::exportToPdf($lpId, api_get_course_info());
+            $result = ScormExport::exportToPdf($lpId, $courseInfo);
            if (!$result) {
                require 'lp_list.php';
            }
@ -1005,7 +1002,7 @@ switch ($action) {
            $redirectTo = isset($_GET['redirectTo']) ? $_GET['redirectTo'] : '';
            switch ($redirectTo) {
                case 'course_home':
-                    $url = api_get_path(WEB_PATH).'course/'.api_get_course_int_id().'/home?'.api_get_cidreq();
+                    $url = api_get_path(WEB_PATH).'course/'.$courseId.'/home?'.api_get_cidreq();
                    break;
                case 'lp_list':
                    $url = 'lp_controller.php?'.api_get_cidreq();
--- a/public/main/lp/lp_view.php
+++ b/public/main/lp/lp_view.php
@ -28,9 +28,12 @@ $lp_id = !empty($_GET['lp_id']) ? (int) $_GET['lp_id'] : 0;
 if (empty($lp_id)) {
    api_not_allowed();
 }
-$sessionId = api_get_session_id();
-$course_code = api_get_course_id();
-$course_id = api_get_course_int_id();
+
+$course_id = isset($_REQUEST['cid']) ? (int) $_REQUEST['cid'] : api_get_course_int_id();
+$sessionId = isset($_REQUEST['sid']) ? (int) $_REQUEST['sid'] : api_get_session_id();
+
+$courseInfo = api_get_course_info_by_id($course_id);
+$course_code = $courseInfo['code'];
 $user_id = api_get_user_id();
 $course = api_get_course_entity($course_id);
 $session = api_get_session_entity($sessionId);
@ -282,7 +285,7 @@ if (!empty($_REQUEST['exeId']) &&
    $safe_exe_id = (int) $_REQUEST['exeId'];

    if (!empty($safe_id) && !empty($safe_item_id)) {
-        Exercise::saveExerciseInLp($safe_item_id, $safe_exe_id);
+        Exercise::saveExerciseInLp($safe_item_id, $safe_exe_id, $course_id);
    }
    if (EXERCISE_FEEDBACK_TYPE_END != intval($_GET['fb_type'])) {
        $src = 'blank.php?msg=exerciseFinished&'.api_get_cidreq(true, true, 'learnpath');