Fixed access to other sessions by session admins - refs #3823

main/admin/add_courses_to_session.php

@@ -48,14 +48,6 @@ if(isset($_GET['add_type']) && $_GET['add_type']!=''){
 	$add_type = Security::remove_XSS($_REQUEST['add_type']);
 }
 
-if (!api_is_platform_admin()) {
-	$sql = 'SELECT session_admin_id FROM '.Database :: get_main_table(TABLE_MAIN_SESSION).' WHERE id='.$id_session;
-	$rs = Database::query($sql);
-	if (Database::result($rs,0,0)!=$_user['user_id']) {
-		api_not_allowed(true);
-	}
-}
-
 $xajax -> processRequests();
 
 $htmlHeadXtra[] = $xajax->getJavascript('../inc/lib/xajax/');

main/admin/add_users_to_session.php

@@ -49,14 +49,6 @@ if(isset($_REQUEST['add_type']) && $_REQUEST['add_type']!=''){
 	$add_type = Security::remove_XSS($_REQUEST['add_type']);
 }
 
-if (!api_is_platform_admin()) {
-	$sql = 'SELECT session_admin_id FROM '.Database :: get_main_table(TABLE_MAIN_SESSION).' WHERE id='.$id_session;
-	$rs = Database::query($sql);
-	if(Database::result($rs,0,0)!=$_user['user_id']) {
-		api_not_allowed(true);
-	}
-}
-
 //checking for extra field with filter on
 
 $extra_field_list= UserManager::get_extra_fields();
@@ -685,4 +677,4 @@ function makepost(select){
 </script>
 <?php
 /*		FOOTER */
-Display::display_footer();
+Display::display_footer();

main/admin/resume_session.php

@@ -45,10 +45,6 @@ $rs      = Database::query($sql);
 $session = Database::store_result($rs);
 $session = $session[0];
 
-if(!api_is_platform_admin() && $session['session_admin_id'] != $_user['user_id']) {
-	api_not_allowed(true);
-}
-
 $sql = 'SELECT name FROM  '.$tbl_session_category.' WHERE id = "'.intval($session['session_category_id']).'"';
 $rs = Database::query($sql);
 $session_category = '';
@@ -342,4 +338,4 @@ if ($session['nbr_users']==0) {
 </table>
 <?php
 // footer
-Display :: display_footer();
+Display :: display_footer();