merge

16 years ago · 4f3daa8205
parent d8000d79d2 bb145fd3de
commit 4f3daa8205
18 changed files with 57 additions and 52 deletions
--- a/main/admin/sub_language.class.php
+++ b/main/admin/sub_language.class.php
@ -213,7 +213,7 @@ class SubLanguageManager {
 	/**
 	 * Make available the language
 	 * @param Integer The language id
-	 * @return void()
+	 * @return void
 	 */
 	public static function make_available_language ($language_id) {
 	 	$tbl_admin_languages= Database :: get_main_table(TABLE_MAIN_LANGUAGE);
--- a/main/gradebook/gradebook_edit_all.php
+++ b/main/gradebook/gradebook_edit_all.php
@ -157,7 +157,7 @@ if ($my_api_cidreq=='') {
 }
 ?>
 <div class="actions">
-<a href="<?php echo $_SESSION['gradebook_dest'].'?id_session='.$_SESSION['id_session'].'&amp;'.$my_api_cidreq ?>&selectcat=<?php echo $category_id ?>"> <?php echo Display::return_icon('back.png',get_lang('FolderView')) . get_lang('FolderView') ?></a>
+<a href="<?php echo Security::remove_XSS($_SESSION['gradebook_dest']).'?id_session='.api_get_session_id().'&amp;'.$my_api_cidreq ?>&selectcat=<?php echo $category_id ?>"> <?php echo Display::return_icon('back.png',get_lang('FolderView')) . get_lang('FolderView') ?></a>
 </div>
 <form method="post" action="gradebook_edit_all.php?id_session=<?php echo $_SESSION['id_session'].'&amp;'.$my_api_cidreq ?>&selectcat=<?php echo $category_id?>">
 <table class="data_table">
--- a/main/gradebook/index.php
+++ b/main/gradebook/index.php
@ -714,7 +714,7 @@ if (isset ($_GET['studentoverview'])) {
 		$pdf->ezText($organization_name,22,array('justification'=>'left'));
 		$pdf->ezSetY(580);
 		$pdf->ezText($portal_name,22,array('justification'=>'right'));
-		$pdf->ezStream();
+		$pdf->ezStream();*/
 	}
 	exit;
 } else { //in any other case (no search, no pdf), print the available gradebooks
--- a/main/gradebook/lib/be/abstractlink.class.php
+++ b/main/gradebook/lib/be/abstractlink.class.php
@ -166,7 +166,7 @@ abstract class AbstractLink implements GradebookItem
 			$sql .= ' visible = '.intval($visible);
 			$paramcount ++;
 		}
-
+		
 		$result = Database::query($sql);
 		$links = AbstractLink::create_objects_from_sql_result($result);
 		return $links;
--- a/main/gradebook/lib/be/evaluation.class.php
+++ b/main/gradebook/lib/be/evaluation.class.php
@ -131,7 +131,7 @@ class Evaluation implements GradebookItem
 	public function load ($id = null, $user_id = null, $course_code = null, $category_id = null, $visible = null)
 	{
    	$tbl_grade_evaluations = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_EVALUATION);
-		$sql='SELECT id,name,description,user_id,course_code,category_id,date,weight,max,visible,type FROM '.$tbl_grade_evaluations;
+		$sql='SELECT id,name,description,user_id,course_code,category_id,created_at,weight,max,visible,type FROM '.$tbl_grade_evaluations;
 		$paramcount = 0;
 		if (isset ($id)) {
 			$sql.= ' WHERE id = '.intval($id);
@ -161,7 +161,7 @@ class Evaluation implements GradebookItem
 			$sql .= ' visible = '.intval($visible);
 			$paramcount ++;
 		}
-
+		
 		$result = Database::query($sql);
 		$alleval = Evaluation::create_evaluation_objects_from_sql_result($result);
 		return $alleval;
--- a/main/gradebook/lib/be/linkfactory.class.php
+++ b/main/gradebook/lib/be/linkfactory.class.php
@ -6,13 +6,14 @@
 // - add include
 // - change create() and get_all_types()
 // Please do not change existing values, they are used in the database !
-define('LINK_EXERCISE',		1);
-define('LINK_DROPBOX',2);
-define('LINK_STUDENTPUBLICATION',3);
-define('LINK_LEARNPATH',4);
-define('LINK_FORUM_THREAD',5);
+define('LINK_EXERCISE',				1);
+define('LINK_DROPBOX',				2);
+define('LINK_STUDENTPUBLICATION',	3);
+define('LINK_LEARNPATH',			4);
+define('LINK_FORUM_THREAD',			5);
 //define('LINK_WORK',6);
-define('LINK_ATTENDANCE',7);
+define('LINK_ATTENDANCE',			7);
+
 require_once 'gradebookitem.class.php';
 require_once 'abstractlink.class.php';
 require_once 'exerciselink.class.php';
@ -22,6 +23,7 @@ require_once 'studentpublicationlink.class.php';
 require_once 'learnpathlink.class.php';
 require_once 'forumthreadlink.class.php';
 require_once 'attendancelink.class.php';
+
 /**
 * Factory for link objects
 * @author Bert Steppé
--- a/main/gradebook/lib/gradebook_functions.inc.php
+++ b/main/gradebook/lib/gradebook_functions.inc.php
@ -1,14 +1,15 @@
 <?php
 /* For licensing terms, see /license.txt */
-/*
+
+/**
 * These are functions used in gradebook
 *
 * @author Stijn Konings <konings.stijn@skynet.be>, Hogeschool Ghent
+* @author Julio Montoya <gugli100@gmail.com> adding security functions
 * @version april 2007
 */
 require_once ('gradebook_functions_users.inc.php');

-
 /**
 * Adds a resource to the unique gradebook of a given course
 * @param   string  Course code
@ -118,7 +119,7 @@ function block_students() {
 */
 function get_course_name_from_code($code) {
 	$tbl_main_categories= Database :: get_main_table(TABLE_MAIN_COURSE);
-	$sql= 'SELECT title,code FROM ' . $tbl_main_categories . 'WHERE code = "' . $code . '"';
+	$sql= 'SELECT title, code FROM ' . $tbl_main_categories . 'WHERE code = "' . Database::escape_string($code) . '"';
 	$result= Database::query($sql);
 	if ($col= Database::fetch_array($result)) {
 		return $col['title'];
@ -235,17 +236,10 @@ function build_edit_icons_link($link, $selectcat) {
 * @return   int     false on error or link ID
 */
 function is_resource_in_course_gradebook($course_code, $resource_type, $resource_id, $session_id = 0) {
-    /* See defines in lib/be/linkfactory.class.php
-    define('LINK_EXERCISE',1);
-    define('LINK_DROPBOX',2);
-    define('LINK_STUDENTPUBLICATION',3);
-    define('LINK_LEARNPATH',4);
-    define('LINK_FORUM_THREAD',5),
-    define('LINK_WORK',6);
-    */
-    require_once(api_get_path(SYS_CODE_PATH).'gradebook/lib/be/linkfactory.class.php');
-    require_once (api_get_path(SYS_CODE_PATH).'gradebook/lib/be.inc.php');
-	require_once(api_get_path(SYS_CODE_PATH).'gradebook/lib/be/linkfactory.class.php');
+    require_once api_get_path(SYS_CODE_PATH).'gradebook/lib/be/linkfactory.class.php';
+    require_once api_get_path(SYS_CODE_PATH).'gradebook/lib/be.inc.php';
+	require_once api_get_path(SYS_CODE_PATH).'gradebook/lib/be/linkfactory.class.php';
+	
    // TODO find the corresponding category (the first one for this course, ordered by ID)
    $t = Database::get_main_table(TABLE_MAIN_GRADEBOOK_CATEGORY);
    $l = Database::get_main_table(TABLE_MAIN_GRADEBOOK_LINK);
@ -262,7 +256,7 @@ function is_resource_in_course_gradebook($course_code, $resource_type, $resource
    }
    $row = Database::fetch_array($res);
    $category = $row['id'];
-    $sql = "SELECT * FROM $l l WHERE l.category_id = $category AND type = ".(int) $resource_type." and ref_id = ".(int) $resource_id;
+    $sql = "SELECT id FROM $l l WHERE l.category_id = $category AND type = ".(int) $resource_type." and ref_id = ".(int) $resource_id;
    $res = Database::query($sql);
    if (Database::num_rows($res)<1) {
    	return false;
@ -285,15 +279,15 @@ function remove_resource_from_course_gradebook($link_id) {
    return true;
 }
 /**
- * return the database name
+ * Return the database name
 * @param    int
 * @return   String
 */
 function get_database_name_by_link_id($id_link) {
 	$course_table = Database::get_main_table(TABLE_MAIN_COURSE);
 	$tbl_grade_links = Database :: get_main_table(TABLE_MAIN_GRADEBOOK_LINK);
-	$res=Database::query('SELECT db_name from '.$course_table.' c inner join '.$tbl_grade_links.' l
-	on c.code=l.course_code WHERE l.id='.$id_link.' OR l.category_id='.$id_link);
+	$res=Database::query('SELECT db_name FROM '.$course_table.' c INNER JOIN '.$tbl_grade_links.' l
+			ON c.code=l.course_code WHERE l.id='.intval($id_link).' OR l.category_id='.intval($id_link));
 	$my_db_name=Database::fetch_array($res,'ASSOC');
 	return $my_db_name['db_name'];
 }
@ -402,8 +396,8 @@ function parse_xml_data($file) {
  function update_user_info_about_certificate ($cat_id,$user_id,$path_certificate) {
  	$table_certificate = Database::get_main_table(TABLE_MAIN_GRADEBOOK_CERTIFICATE);
  	if (!UserManager::is_user_certified($cat_id,$user_id)) {
-  		$sql='UPDATE '.$table_certificate.' SET path_certificate="'.$path_certificate.'"  
-		WHERE cat_id="'.$cat_id.'" AND user_id="'.$user_id.'" ';
+  		$sql='UPDATE '.$table_certificate.' SET path_certificate="'.Database::escape_string($path_certificate).'"  
+			 WHERE cat_id="'.intval($cat_id).'" AND user_id="'.intval($user_id).'" ';
 		$rs=Database::query($sql,__FILE__,__LINE__);
  	}
  }
@ -419,12 +413,12 @@ function parse_xml_data($file) {
  function register_user_info_about_certificate ($cat_id,$user_id,$score_certificate, $date_certificate) {
  	$table_certificate = Database::get_main_table(TABLE_MAIN_GRADEBOOK_CERTIFICATE);
  	$sql_exist='SELECT COUNT(*) as count FROM '.$table_certificate.' gc 
-				WHERE gc.cat_id="'.$cat_id.'" AND user_id="'.$user_id.'" ';
+				WHERE gc.cat_id="'.intval($cat_id).'" AND user_id="'.intval($user_id).'" ';
 	$rs_exist=Database::query($sql_exist,__FILE__,__LINE__);
 	$row=Database::fetch_array($rs_exist);
 	if ($row['count']==0) {
-		echo $sql='INSERT INTO '.$table_certificate.' (cat_id,user_id,score_certificate,date_certificate)
-			  VALUES("'.$cat_id.'","'.$user_id.'","'.$score_certificate.'","'.$date_certificate.'")';
+		$sql='INSERT INTO '.$table_certificate.' (cat_id,user_id,score_certificate,date_certificate)
+			  VALUES("'.intval($cat_id).'","'.intval($user_id).'","'.Database::escape_string($score_certificate).'","'.Database::escape_string($date_certificate).'")';
 		$rs=Database::query($sql,__FILE__,__LINE__);  
 	}
 	
@ -437,7 +431,7 @@ function parse_xml_data($file) {
  */  
  function get_certificate_date_by_user_id ($cat_id,$user_id) {
    	$table_certificate = Database::get_main_table(TABLE_MAIN_GRADEBOOK_CERTIFICATE);
-    	$sql_get_date='SELECT date_certificate FROM '.$table_certificate.' WHERE cat_id="'.$cat_id.'" AND user_id="'.$user_id.'"';
+    	$sql_get_date='SELECT date_certificate FROM '.$table_certificate.' WHERE cat_id="'.intval($cat_id).'" AND user_id="'.intval($user_id).'"';
    	$rs_get_date=Database::query($sql_get_date,__FILE__,__LINE__);
    	$row_get_date=Database::fetch_array($rs_get_date,'ASSOC');
    	return $row_get_date['date_certificate'];
--- a/main/img/attendance.gif
+++ b/main/img/attendance.gif
--- a/main/img/attendance_na.gif
+++ b/main/img/attendance_na.gif
--- a/main/img/view_choose_na.gif
+++ b/main/img/view_choose_na.gif
--- a/main/img/view_fullscreen_na.gif
+++ b/main/img/view_fullscreen_na.gif
--- a/main/inc/global.inc.php
+++ b/main/inc/global.inc.php
@ -446,7 +446,7 @@ if (!empty($valid_languages)) {
 // to use it within the function get_lang(...).
 $language_interface_initial_value = $language_interface;

-/*
+/**
 * Include all necessary language files
 * - trad4all
 * - notification
--- a/main/inc/introductionSection.inc.php
+++ b/main/inc/introductionSection.inc.php
@ -30,6 +30,8 @@ require_once api_get_path(LIBRARY_PATH).'course_description.lib.php';

 $TBL_INTRODUCTION = Database::get_course_table(TABLE_TOOL_INTRO);
 $intro_editAllowed = $is_allowed_to_edit;
+$session_id = api_get_session_id();
+

 global $charset;
 $intro_cmdEdit = empty($_GET['intro_cmdEdit']) ? '' : $_GET['intro_cmdEdit'];
@ -91,9 +93,9 @@ if ($intro_editAllowed) {

 			$form_values = $form->exportValues();
 			$intro_content = Security::remove_XSS(stripslashes(api_html_entity_decode($form_values['intro_content'])), COURSEMANAGERLOWSECURITY);
-
 			if (!empty($intro_content)) {
-				$sql = "REPLACE $TBL_INTRODUCTION SET id='$moduleId',intro_text='".Database::escape_string($intro_content)."'";
+				$sql = "REPLACE $TBL_INTRODUCTION SET id='$moduleId',intro_text='".Database::escape_string($intro_content)."', session_id='".$session_id."'";
+				
 				Database::query($sql);
 				Display::display_confirmation_message(get_lang('IntroductionTextUpdated'), false);
 			} else {
@ -107,7 +109,7 @@ if ($intro_editAllowed) {
 	/* Delete Command */

 	if ($intro_cmdDel) {
-		Database::query("DELETE FROM $TBL_INTRODUCTION WHERE id='".$moduleId."'");
+		Database::query("DELETE FROM $TBL_INTRODUCTION WHERE id='".$moduleId."' AND session_id='".$session_id."'");
 		Display::display_confirmation_message(get_lang('IntroductionTextDeleted'));
 	}
 }
@ -117,7 +119,7 @@ if ($intro_editAllowed) {

 /* Retrieves the module introduction text, if exist */

-$sql = "SELECT intro_text FROM $TBL_INTRODUCTION WHERE id='".$moduleId."'";
+$sql = "SELECT intro_text FROM $TBL_INTRODUCTION WHERE id='".$moduleId."' AND session_id='".$session_id."'";
 $intro_dbQuery = Database::query($sql);
 $intro_dbResult = Database::fetch_array($intro_dbQuery);
 $intro_content = $intro_dbResult['intro_text'];
--- a/main/inc/lib/add_course.lib.inc.php
+++ b/main/inc/lib/add_course.lib.inc.php
@ -1105,7 +1105,8 @@ function update_Db_course($courseDbName, $language = null)
 		CREATE TABLE `".$TABLEINTROS . "` (
 		id varchar(50) NOT NULL,
 		intro_text text NOT NULL,
-		PRIMARY KEY (id)
+		session_id INT  NOT NULL DEFAULT 0,
+		PRIMARY KEY (id, session_id)
 		)" . $charset_clause);

 	/*
@ -2324,12 +2325,12 @@ function fill_Db_course($courseDbName, $courseRepository, $language,$default_doc
 		*/

 		$intro_text='<table width="100%" border="0" cellpadding="0" cellspacing="0"><tr><td width="110" valign="middle" align="left"><img src="'.api_get_path(REL_CODE_PATH).'img/mr_dokeos.png" alt="mr. Dokeos" title="mr. Dokeos" /></td><td valign="middle" align="left">'.lang2db(get_lang('IntroductionText')).'</td></tr></table>';
-		Database::query("INSERT INTO `".$TABLEINTROS . "` VALUES ('" . TOOL_COURSE_HOMEPAGE . "','".$intro_text. "')");
-		Database::query("INSERT INTO `".$TABLEINTROS . "` VALUES ('" . TOOL_STUDENTPUBLICATION . "','".lang2db(get_lang('IntroductionTwo')) . "')");
+		Database::query("INSERT INTO `".$TABLEINTROS . "` VALUES ('" . TOOL_COURSE_HOMEPAGE . "','".$intro_text. "', 0)");
+		Database::query("INSERT INTO `".$TABLEINTROS . "` VALUES ('" . TOOL_STUDENTPUBLICATION . "','".lang2db(get_lang('IntroductionTwo')) . "', 0)");

 		//wiki intro
 		$intro_wiki='<table width="100%" border="0" cellpadding="0" cellspacing="0"><tr><td width="110" valign="top" align="left"></td><td valign="top" align="left">'.lang2db(get_lang('IntroductionWiki')).'</td></tr></table>';
-		Database::query("INSERT INTO `".$TABLEINTROS . "` VALUES ('" . TOOL_WIKI . "','".$intro_wiki. "')");
+		Database::query("INSERT INTO `".$TABLEINTROS . "` VALUES ('" . TOOL_WIKI . "','".$intro_wiki. "', 0)");

 		/*
 		-----------------------------------------------------------
--- a/main/inc/lib/mail.lib.inc.php
+++ b/main/inc/lib/mail.lib.inc.php
@ -140,6 +140,10 @@ function api_mail_html($recipient_name, $recipient_email, $subject, $message, $s
 	$mail->IsHTML(0);
 	$mail->SMTPKeepAlive = true;

+	if (($sender_email != "") && ($sender_name != "")) {
+		$mail->AddReplyTo ($sender_email,$sender_name);
+	}
+
 	// attachments
 	// $mail->AddAttachment($path);
 	// $mail->AddAttachment($path,$filename);
--- a/main/inc/lib/pear/HTML/QuickForm/date.php
+++ b/main/inc/lib/pear/HTML/QuickForm/date.php
@ -56,11 +56,7 @@ class HTML_QuickForm_date extends HTML_QuickForm_group
        'language'         => 'en',
        'format'           => 'dMY',
        'minYear'          => 2001,
-        // Modified by Chamilo team, 16-MAR-2010.
-        // TODO: This modification to be re-thought.
-        //'maxYear'          => 2090,
-        'maxYear'          => 2010,
-        //
+        'maxYear'          => 2090,
        'addEmptyOption'   => false,
        'emptyOptionValue' => '',
        'emptyOptionText'  => '&nbsp;',
@ -288,6 +284,11 @@ class HTML_QuickForm_date extends HTML_QuickForm_group
        $this->_persistantFreeze = true;
        $this->_appendName = true;
        $this->_type = 'date';
+        // Added by Ivan Tcholakov, 16-MAR-2010.
+        $current_year = intval(api_get_local_time());
+        $this->_options['minYear'] = $current_year - 9;
+        $this->_options['maxYear'] = $current_year + 1;
+        //
        // set the options, do not bother setting bogus ones
        if (is_array($options)) {
            foreach ($options as $name => $value) {
--- a/main/install/db_main.sql
+++ b/main/install/db_main.sql
@ -757,7 +757,7 @@ VALUES
 ('show_tabs', 'dashboard', 'checkbox', 'Platform', 'true', 'ShowTabsTitle', 'ShowTabsComment', NULL, 'TabsDashboard', 1),
 ('use_users_timezone', 'timezones', 'radio', 'Timezones', 'true', 'UseUsersTimezoneTitle','UseUsersTimezoneComment',NULL,'Timezones', 1),
 ('timezone_value', 'timezones', 'select', 'Timezones', '', 'TimezoneValueTitle','TimezoneValueComment',NULL,'Timezones', 1),
-('dokeos_database_version', NULL, 'textfield', NULL,'1.8.7.10879','DokeosDatabaseVersion','',NULL,NULL,0);
+('dokeos_database_version', NULL, 'textfield', NULL,'1.8.7.10983','DokeosDatabaseVersion','',NULL,NULL,0);


 UNLOCK TABLES;
--- a/main/install/migrate-db-1.8.6.2-1.8.7-pre.sql
+++ b/main/install/migrate-db-1.8.6.2-1.8.7-pre.sql
@ -68,7 +68,7 @@ INSERT INTO settings_current (variable, subkey, type, category, selected_value,
 ALTER TABLE user_field_values CHANGE id id BIGINT NOT NULL AUTO_INCREMENT;
 ALTER TABLE user_field_values ADD INDEX (user_id, field_id);

-UPDATE settings_current SET selected_value = '1.8.7.10741' WHERE variable = 'dokeos_database_version';
+UPDATE settings_current SET selected_value = '1.8.7.10983' WHERE variable = 'dokeos_database_version';

 ALTER TABLE course_rel_user DROP PRIMARY KEY, ADD PRIMARY KEY (course_code, user_id, relation_type);
 ALTER TABLE session_rel_user DROP PRIMARY KEY, ADD PRIMARY KEY (id_session, id_user, relation_type);
@ -117,3 +117,4 @@ ALTER TABLE attendance ADD INDEX(active);
 ALTER TABLE lp_view ADD session_id INT NOT NULL DEFAULT 0;
 ALTER TABLE lp_view ADD INDEX(session_id);
 INSERT INTO course_setting (variable,value,category) VALUES ('allow_user_view_user_list',1,'user');
+ALTER TABLE tool_intro ADD COLUMN session_id INT  NOT NULL DEFAULT 0 AFTER intro_text, DROP PRIMARY KEY, ADD PRIMARY KEY  USING BTREE(id, session_id);