Removing $is_allowed_in_course already checked in api_protect_course

12 years ago · 4523d7c6e5
parent 84c9a630f3
commit 4523d7c6e5
16 changed files with 22 additions and 79 deletions
--- a/main/blog/blog_admin.php
+++ b/main/blog/blog_admin.php
@ -23,7 +23,7 @@ $blog_table_attachment 	= Database::get_course_table(TABLE_BLOGS_ATTACHMENT);
 api_protect_course_script(true);

 //	 ONLY USERS REGISTERED IN THE COURSE
-if((!$is_allowed_in_course || !$is_courseMember) && !api_is_allowed_to_edit()) {
+if((!$is_courseMember) && !api_is_allowed_to_edit()) {
 	api_not_allowed(true);//print headers/footers
 }

--- a/main/document/create_audio.php
+++ b/main/document/create_audio.php
@ -27,6 +27,7 @@ $nameTools = get_lang('CreateAudio');

 api_protect_course_script();
 api_block_anonymous_users();
+
 if (api_get_setting('enabled_text2audio') == 'false') {
    api_not_allowed(true);
 }
@ -92,11 +93,6 @@ $interbreadcrumb[] = array(
    "name" => get_lang('Documents')
 );

-if (!$is_allowed_in_course) {
-    api_not_allowed(true);
-}
-
-
 if (!($is_allowed_to_edit || $_SESSION['group_member_with_upload_rights'] || is_my_shared_folder(
    api_get_user_id(),
    Security::remove_XSS($dir),
--- a/main/document/create_document.php
+++ b/main/document/create_document.php
@ -15,11 +15,12 @@ $language_file = array('document', 'gradebook');

 require_once '../inc/global.inc.php';

+api_protect_course_script();
+
 $_SESSION['whereami'] = 'document/create';
 $this_section = SECTION_COURSES;

-$htmlHeadXtra[] = '
-<script>
+$htmlHeadXtra[] = '<script>

 var hide_bar = function() {
    $("#template_col").hide();
@ -293,10 +294,6 @@ if (!$is_certificate_mode) {
 } else {
    $interbreadcrumb[] = array('url' => '../gradebook/'.$_SESSION['gradebook_dest'], 'name' => get_lang('Gradebook'));
 }
-
-if (!$is_allowed_in_course) {
-    api_not_allowed(true);
-}
 if (!($is_allowed_to_edit || $_SESSION['group_member_with_upload_rights'] || is_my_shared_folder(
    $_user['user_id'],
    Security::remove_XSS($dir),
@ -306,8 +303,6 @@ if (!($is_allowed_to_edit || $_SESSION['group_member_with_upload_rights'] || is_
    api_not_allowed(true);
 }

-/*	Header */
-
 event_access_tool(TOOL_DOCUMENT);

 $display_dir = $dir;
@ -691,6 +686,7 @@ if ($form->validate()) {
        Display :: display_footer();
    }
 } else {
+
    // Interbreadcrumb for the current directory root path
    // Copied from document.php
    $dir_array = explode('/', $dir);
@ -709,7 +705,7 @@ if ($form->validate()) {
    }

    Display :: display_header($nameTools, "Doc");
-    //api_display_tool_title($nameTools);
+
    // actions
    echo '<div class="actions">';

@ -757,4 +753,4 @@ if ($form->validate()) {
            </div>
          </div>';
    Display :: display_footer();
-}
+}
--- a/main/document/create_draw.php
+++ b/main/document/create_draw.php
@ -93,10 +93,6 @@ if (isset ($_SESSION['_gid']) && $_SESSION['_gid'] != 0) {

 $interbreadcrumb[] = array ("url" => "./document.php?id=".$parent_id.$req_gid, "name" => get_lang('Documents'));

-if (!$is_allowed_in_course) {
-	api_not_allowed(true);
-}
-
 if (!($is_allowed_to_edit || $_SESSION['group_member_with_upload_rights'] || is_my_shared_folder(api_get_user_id(), Security::remove_XSS($dir), api_get_session_id()))) {
 	api_not_allowed(true);
 }
--- a/main/document/create_paint.php
+++ b/main/document/create_paint.php
@ -33,7 +33,7 @@ if (api_get_setting('enabled_support_paint') == 'false') {
 $document_data = DocumentManager::get_document_data_by_id($_GET['id'], api_get_course_id(), true);
 if (empty($document_data)) {
    if (api_is_in_group()) {
-        $group_properties   = GroupManager::get_group_properties(api_get_group_id());        
+        $group_properties   = GroupManager::get_group_properties(api_get_group_id());
        $document_id        = DocumentManager::get_document_id(api_get_course_info(), $group_properties['directory']);
        $document_data      = DocumentManager::get_document_data_by_id($document_id, api_get_course_id());
    }
@ -92,10 +92,6 @@ if (isset ($_SESSION['_gid']) && $_SESSION['_gid'] != 0) {

 $interbreadcrumb[] = array ("url" => "./document.php?curdirpath=".urlencode($dir).$req_gid, "name" => get_lang('Documents'));

-if (!$is_allowed_in_course) {
-	api_not_allowed(true);
-}
-
 if (!($is_allowed_to_edit || $_SESSION['group_member_with_upload_rights'] || is_my_shared_folder($_user['user_id'], Security::remove_XSS($dir),api_get_session_id()))) {
 	api_not_allowed(true);
 }
--- a/main/document/document.php
+++ b/main/document/document.php
@ -32,6 +32,7 @@

 // Language files that need to be included
 $language_file = array('document', 'slideshow', 'gradebook', 'create_course');
+
 require_once '../inc/global.inc.php';

 $current_course_tool = TOOL_DOCUMENT;
--- a/main/document/download.php
+++ b/main/document/download.php
@ -37,7 +37,8 @@ if (strpos($doc_url,'../') OR strpos($doc_url,'/..')) {
 // survey while not being authenticated on the plateform.
 // The administrator should probably be able to disable this code through admin
 // inteface.
-$refer_script = strrchr($_SERVER["HTTP_REFERER"], '/');
+
+$refer_script = isset($_SERVER["HTTP_REFERER"]) ? strrchr($_SERVER["HTTP_REFERER"], '/') : null;

 $sys_course_path = api_get_path(SYS_COURSE_PATH).$_course['path'].'/document';

@ -62,11 +63,11 @@ if (substr($refer_script, 0, 15) == '/fillsurvey.php') {
 		$document_explorer = api_get_path(WEB_CODE_PATH).'document/document.php?curdirpath='.urlencode($doc_url).'&cidReq='.Security::remove_XSS($_GET['cidReq']).$gid_req;
 		// Redirect
 		header('Location: '.$document_explorer);
-	}	
+	}
 }

-        
-//Fixes swf upload problem in chamilo 1.8.x. When uploading a file with 
+
+//Fixes swf upload problem in chamilo 1.8.x. When uploading a file with
 //the character "-" the filename was changed from "-" to "_" in the DB for no reason
 $path_info = pathinfo($doc_url);

@ -79,22 +80,21 @@ if (isset($path_info['extension']) && $path_info['extension'] == 'swf') {
    }
 }

-
 if (Security::check_abs_path($sys_course_path.$doc_url, $sys_course_path.'/')) {
-    $full_file_name = $sys_course_path.$doc_url;    
+    $full_file_name = $sys_course_path.$doc_url;
    if ($fix_file_name) {
        $doc_url = $fixed_url;
    }
    // Check visibility of document and paths
    $is_visible = DocumentManager::is_visible($doc_url, $_course, api_get_session_id());
-    
+
 	//Documents' slideshow thumbnails
 	//correct $is_visible used in below and ??. Now the students can view the thumbnails too
-	if ( preg_match('/\.thumbs\/\./',  $doc_url)){ 
+	if ( preg_match('/\.thumbs\/\./',  $doc_url)){
 		$doc_url_thumbs = str_replace('.thumbs/.', '', $doc_url);
 		$is_visible = DocumentManager::is_visible($doc_url_thumbs, $_course, api_get_session_id());
 	}
-	
+
    if (!api_is_allowed_to_edit() && !$is_visible) {
    	Display::display_error_message(get_lang('ProtectedDocument'));//api_not_allowed backbutton won't work.
    	exit; // You shouldn't be here anyway.
--- a/main/document/record_audio.php
+++ b/main/document/record_audio.php
@ -84,10 +84,6 @@ if (isset ($_SESSION['_gid']) && $_SESSION['_gid'] != 0) {

 $interbreadcrumb[] = array ("url" => "./document.php?id=".$document_id.$req_gid, "name" => get_lang('Documents'));

-if (!$is_allowed_in_course) {
-	api_not_allowed(true);
-}
-
 if (!($is_allowed_to_edit || $_SESSION['group_member_with_upload_rights'] || is_my_shared_folder(api_get_user_id(), Security::remove_XSS($dir),api_get_session_id()))) {
 	api_not_allowed(true);
 }
--- a/main/document/record_audio_wami.php
+++ b/main/document/record_audio_wami.php
@ -92,10 +92,6 @@ if (isset ($_SESSION['_gid']) && $_SESSION['_gid'] != 0) {

 $interbreadcrumb[] = array ("url" => "./document.php?id=".$document_id.$req_gid, "name" => get_lang('Documents'));

-if (!$is_allowed_in_course) {
-	api_not_allowed(true);
-}
-
 if (!($is_allowed_to_edit || $_SESSION['group_member_with_upload_rights'] || is_my_shared_folder(api_get_user_id(), Security::remove_XSS($dir),api_get_session_id()))) {
 	api_not_allowed(true);
 }
--- a/main/document/show_content.php
+++ b/main/document/show_content.php
@ -58,14 +58,6 @@ if (is_dir($file_url_sys)) {
    api_not_allowed(true);
 }

-//fix the screen when you try to access a protected course through the url
-$is_allowed_in_course = $_SESSION ['is_allowed_in_course'];
-
-if ($is_allowed_in_course == false) {
-    api_not_allowed(true);
-}
-
-

 //Check user visibility
 //$is_visible = DocumentManager::is_visible_by_id($document_id, $course_info, api_get_session_id(), api_get_user_id());
--- a/main/document/showinframes.php
+++ b/main/document/showinframes.php
@ -73,13 +73,6 @@ if (is_dir($file_url_sys)) {
    api_not_allowed(true);
 }

-//fix the screen when you try to access a protected course through the url
-$is_allowed_in_course = $_SESSION ['is_allowed_in_course'];
-
-if ($is_allowed_in_course == false) {
-    api_not_allowed(true);
-}
-
 //Check user visibility
 //$is_visible = DocumentManager::is_visible_by_id($document_id, $course_info, api_get_session_id(), api_get_user_id());
 $is_visible = DocumentManager::check_visibility_tree($document_id, api_get_course_id(), api_get_session_id(), api_get_user_id());
--- a/main/document/showinframesmin.php
+++ b/main/document/showinframesmin.php
@ -57,14 +57,6 @@ if (!file_exists($file_url_sys)) {
 if (is_dir($file_url_sys)) {
    api_not_allowed(true);
 }
-
-//fix the screen when you try to access a protected course through the url
-$is_allowed_in_course = $_SESSION ['is_allowed_in_course'];
-
-if ($is_allowed_in_course == false) {
-    api_not_allowed(true);
-}
-
 //Check user visibility
 //$is_visible = DocumentManager::is_visible_by_id($document_id, $course_info, api_get_session_id(), api_get_user_id());
 $is_visible = DocumentManager::check_visibility_tree($document_id, api_get_course_id(), api_get_session_id(), api_get_user_id());
--- a/main/document/webcam_clip.php
+++ b/main/document/webcam_clip.php
@ -91,10 +91,6 @@ if (isset ($_SESSION['_gid']) && $_SESSION['_gid'] != 0) {

 $interbreadcrumb[] = array ("url" => "./document.php?id=".$document_id.$req_gid, "name" => get_lang('Documents'));

-if (!$is_allowed_in_course) {
-	api_not_allowed(true);
-}
-
 if (!($is_allowed_to_edit || $_SESSION['group_member_with_upload_rights'] || is_my_shared_folder(api_get_user_id(), Security::remove_XSS($dir),api_get_session_id()))) {
 	api_not_allowed(true);
 }
--- a/main/group/group.php
+++ b/main/group/group.php
@ -55,9 +55,6 @@ if (api_get_setting('allow_group_categories') == 'false') {
 if (!isset ($_GET['origin']) || $_GET['origin'] != 'learnpath') {
 	// So we are not in learnpath tool
 	event_access_tool(TOOL_GROUP);
-	if (!$is_allowed_in_course) {
-		api_not_allowed(true);
-	}
 }

 Display::display_header(get_lang('Groups'));
--- a/main/group/group_overview.php
+++ b/main/group/group_overview.php
@ -61,10 +61,6 @@ if (isset($_GET['action'])) {

 $interbreadcrumb[] = array('url' => 'group.php', 'name' => get_lang('Groups'));
 if (!isset ($_GET['origin']) || $_GET['origin'] != 'learnpath') {
-	// So we are not in learnpath tool
-	if (!$is_allowed_in_course) {
-		api_not_allowed(true);
-	}
 	if (!api_is_allowed_to_edit(false, true)) {
 		api_not_allowed(true);
 	} else {
--- a/main/metadata/phpdig/search.php
+++ b/main/metadata/phpdig/search.php
@ -1,4 +1,4 @@
-<?php 
+<?php
 /**
 * Chamilo phpdig/search.php
 * 2006/12/14
@ -26,8 +26,8 @@ If you modify code and redistribute, you may ADD your copyright to this notice.

 // name of the language file that needs to be included
 $language_file = "md_mix";
-include('../../../main/inc/global.inc.php');
-if (! $is_allowed_in_course) api_not_allowed();
+require_once '../../../main/inc/global.inc.php';
+api_protect_course_script();

 // start of part copied (with some changes) from standard PhpDig search.php
 $relative_script_path = '.';