Fixed access to other sessions by session admins - refs #3823

13 years ago · 40c6dd9de1
parent 8bb583cbae
commit 40c6dd9de1
3 changed files with 2 additions and 22 deletions
--- a/main/admin/add_courses_to_session.php
+++ b/main/admin/add_courses_to_session.php
@ -48,14 +48,6 @@ if(isset($_GET['add_type']) && $_GET['add_type']!=''){
 	$add_type = Security::remove_XSS($_REQUEST['add_type']);
 }
 if (!api_is_platform_admin()) {
 	$sql = 'SELECT session_admin_id FROM '.Database :: get_main_table(TABLE_MAIN_SESSION).' WHERE id='.$id_session;
 	$rs = Database::query($sql);
 	if (Database::result($rs,0,0)!=$_user['user_id']) {
 		api_not_allowed(true);
 	}
 }
 $xajax -> processRequests();
 $htmlHeadXtra[] = $xajax->getJavascript('../inc/lib/xajax/');
--- a/main/admin/add_users_to_session.php
+++ b/main/admin/add_users_to_session.php
@ -49,14 +49,6 @@ if(isset($_REQUEST['add_type']) && $_REQUEST['add_type']!=''){
 	$add_type = Security::remove_XSS($_REQUEST['add_type']);
 }
 if (!api_is_platform_admin()) {
 	$sql = 'SELECT session_admin_id FROM '.Database :: get_main_table(TABLE_MAIN_SESSION).' WHERE id='.$id_session;
 	$rs = Database::query($sql);
 	if(Database::result($rs,0,0)!=$_user['user_id']) {
 		api_not_allowed(true);
 	}
 }
 //checking for extra field with filter on
 $extra_field_list= UserManager::get_extra_fields();
--- a/main/admin/resume_session.php
+++ b/main/admin/resume_session.php
@ -45,10 +45,6 @@ $rs      = Database::query($sql);
 $session = Database::store_result($rs);
 $session = $session[0];
 if(!api_is_platform_admin() && $session['session_admin_id'] != $_user['user_id']) {
 	api_not_allowed(true);
 }
 $sql = 'SELECT name FROM  '.$tbl_session_category.' WHERE id = "'.intval($session['session_category_id']).'"';
 $rs = Database::query($sql);
 $session_category = '';