Tuning coach and student permissions in a session, see BT#1652

skala
Julio Montoya 15 years ago
parent 26f4bd1652
commit 52156772c7
  1. 51
      main/document/document.php
  2. 152
      main/inc/lib/document.lib.php

@ -211,9 +211,13 @@ if ($to_group_id != 0 && $curdirpath == '/') {
$curdirpathurl = urlencode($group_properties['directory']);
}
// Check visibility of the current dir path. Don't show anything if not allowed
if (!(DocumentManager::is_visible($curdirpath, $_course) || $is_allowed_to_edit)) {
api_not_allowed();
if (!$is_allowed_to_edit || api_is_coach()) {
if (!(DocumentManager::is_visible($curdirpath, $_course, api_get_session_id()))) {
api_not_allowed();
}
}
/* Constants and variables */
@ -317,7 +321,6 @@ if (isset($_GET['action']) && $_GET['action'] == 'downloadfolder' && (api_get_se
}
// Slideshow inititalisation
$_SESSION['image_files_only'] = '';
$image_files_only = '';
@ -422,6 +425,13 @@ if ($is_allowed_to_edit || $group_member_with_upload_rights) { // TEACHER ONLY
$my_get_move = Security::remove_XSS($_GET['move']);
if (isset($_GET['move']) && $_GET['move'] != '') {
if (api_is_coach()) {
if (!DocumentManager::is_visible_by_id($my_get_move, $_course,api_get_session_id())) {
api_not_allowed();
}
}
if (!$is_allowed_to_edit) {
if (DocumentManager::check_readonly($_course, $_user['user_id'], $my_get_move)) {
api_not_allowed();
@ -430,6 +440,8 @@ if ($is_allowed_to_edit || $group_member_with_upload_rights) { // TEACHER ONLY
if (DocumentManager::get_document_id($_course, $my_get_move)) {
$folders = DocumentManager::get_all_document_folders($_course, $to_group_id, $is_allowed_to_edit || $group_member_with_upload_rights);
echo '<div class="row"><div class="form_header">'.get_lang('Move').'</div></div>';
echo build_move_to_selector($folders, Security::remove_XSS($_GET['curdirpath']), $my_get_move, $group_properties['directory']);
}
@ -441,6 +453,13 @@ if ($is_allowed_to_edit || $group_member_with_upload_rights) { // TEACHER ONLY
api_not_allowed();
}
}
if (api_is_coach()) {
if (!DocumentManager::is_visible_by_id($my_get_move, $_course,api_get_session_id())) {
api_not_allowed();
}
}
require_once $lib_path.'fileManage.lib.php';
// This is needed for the update_db_info function
@ -466,12 +485,19 @@ if ($is_allowed_to_edit || $group_member_with_upload_rights) { // TEACHER ONLY
/* DELETE FILE OR DIRECTORY */
if (isset($_GET['delete'])) {
if (api_is_coach()) {
if (!DocumentManager::is_visible($_GET['delete'], $_course)) {
api_not_allowed();
}
}
if (!$is_allowed_to_edit) {
if (DocumentManager::check_readonly($_course, $_user['user_id'], $_GET['delete'], '', true)) {
api_not_allowed();
}
}
require_once api_get_path(LIBRARY_PATH).'fileManage.lib.php';
if (DocumentManager::delete_document($_course, $_GET['delete'], $base_work_dir)) {
@ -563,7 +589,13 @@ if ($is_allowed_to_edit || $group_member_with_upload_rights) { // TEACHER ONLY
$update_id = $_GET['set_invisible'];
$visibility_command = 'invisible';
}
if (api_is_coach()) {
if (!DocumentManager::is_visible_by_id($update_id, $_course)) {
api_not_allowed();
}
}
if (!$is_allowed_to_edit) {
if(DocumentManager::check_readonly($_course, $_user['user_id'], '', $update_id)) {
api_not_allowed();
@ -682,9 +714,9 @@ if (isset($_GET['curdirpath']) && $_GET['curdirpath'] == '/certificates' && isse
/* GET ALL DOCUMENT DATA FOR CURDIRPATH */
if(isset($_GET['keyword']) && !empty($_GET['keyword'])){
$docs_and_folders = DocumentManager::get_all_document_data($_course, $curdirpath, $to_group_id, null, $is_allowed_to_edit || $group_member_with_upload_rights, $search=true);
$docs_and_folders = DocumentManager::get_all_document_data($_course, $curdirpath, $to_group_id, null, $is_allowed_to_edit || $group_member_with_upload_rights, $search=true);
}else{
$docs_and_folders = DocumentManager::get_all_document_data($_course, $curdirpath, $to_group_id, null, $is_allowed_to_edit || $group_member_with_upload_rights, $search=false);
$docs_and_folders = DocumentManager::get_all_document_data($_course, $curdirpath, $to_group_id, null, $is_allowed_to_edit || $group_member_with_upload_rights, $search=false);
}
$folders = DocumentManager::get_all_document_folders($_course, $to_group_id, $is_allowed_to_edit || $group_member_with_upload_rights);
@ -731,8 +763,9 @@ if (isset($docs_and_folders) && is_array($docs_and_folders)) {
$use_document_title = api_get_setting('use_document_title');
// Create a sortable table with our data
$sortable_data = array();
while (list($key, $id) = each($docs_and_folders)) {
//while (list($key, $id) = each($docs_and_folders)) {
foreach($docs_and_folders as $key=>$id) {
$row = array();
// If the item is invisible, wrap it in a span with class invisible
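Review bot: The coach guards on the delete path, `is_visible($_GET['delete'], $_course)`, and on the set_visible/set_invisible path, `is_visible_by_id($update_id, $_course)`, omit the `api_get_session_id()` argument that the directory check and both move guards pass, so with the new default `$session_id = 0` those two look only at the course-level item_property row while the other three look only at the session row. Whichever row is meant, five guards now enforce two different rules; pass the same third argument everywhere, e.g. `if (!DocumentManager::is_visible($_GET['delete'], $_course, api_get_session_id())) {`, or move the test into one helper so it cannot drift. The coach list filter in document.lib.php hides items whose `item_property_session_id == 0` row is invisible, so the guards that check the session row may not match what the listing hides — worth confirming against BT#1652. The second `is_visible_by_id($my_get_move, …)` block is a verbatim copy of the first and can be removed. The enclosing `if ($is_allowed_to_edit || $group_member_with_upload_rights)` block starts and ends outside the hunks shown.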

@ -473,9 +473,9 @@ class DocumentManager {
//if they can't see invisible files, they can only see files with visibility 1
$visibility_bit = ' = 1';
//if they can see invisible files, only deleted files (visibility 2) are filtered out
if ($can_see_invisible) {
//if ($can_see_invisible) {
$visibility_bit = ' <> 2';
}
//}
//the given path will not end with a slash, unless it's the root '/'
//so no root -> add slash
@ -484,21 +484,21 @@ class DocumentManager {
//condition for the session
$current_session_id = api_get_session_id();
$condition_session = " AND (id_session = '$current_session_id' OR id_session = '0')";
if( !$can_see_invisible) {
$condition_session = " AND (id_session = '$current_session_id' ) ";
if (!$can_see_invisible) {
//$condition_session = " AND (id_session = '$current_session_id' ) ";
}
//condition for search (get ALL folders and documents)
if($search){
$sql = "SELECT docs.id, docs.filetype, docs.path, docs.title, docs.comment, docs.size, docs.readonly, docs.session_id, last.lastedit_date, last.visibility
if ($search) {
$sql = "SELECT docs.id, docs.filetype, docs.path, docs.title, docs.comment, docs.size, docs.readonly, docs.session_id, last.id_session item_property_session_id, last.lastedit_date, last.visibility
FROM ".$TABLE_ITEMPROPERTY." AS last, ".$TABLE_DOCUMENT." AS docs
WHERE docs.id = last.ref
AND last.tool = '".TOOL_DOCUMENT."'
AND ".$to_field." = ".$to_value."
AND last.visibility".$visibility_bit . $condition_session;
}else{
$sql = "SELECT docs.id, docs.filetype, docs.path, docs.title, docs.comment, docs.size, docs.readonly, docs.session_id, last.lastedit_date, last.visibility
} else {
$sql = "SELECT docs.id, docs.filetype, docs.path, docs.title, docs.comment, docs.size, docs.readonly, docs.session_id, last.id_session item_property_session_id, last.lastedit_date, last.visibility
FROM ".$TABLE_ITEMPROPERTY." AS last, ".$TABLE_DOCUMENT." AS docs
WHERE docs.id = last.ref
AND docs.path LIKE '".$path.$added_slash."%'
@ -507,10 +507,35 @@ class DocumentManager {
AND ".$to_field." = ".$to_value."
AND last.visibility".$visibility_bit . $condition_session;
}
$result = Database::query($sql);
$doc_list = array();
$document_data = array();
$is_allowed_to_edit = api_is_allowed_to_edit(null, true);
if ($result!==false && Database::num_rows($result) != 0) {
while ($row = Database::fetch_array($result, 'ASSOC')) {
if (api_is_coach()) {
//Looking for course items that are invisible to hide it in the session
if (in_array($row['id'], array_keys($doc_list))) {
if ($doc_list[$row['id']]['item_property_session_id'] == 0 && $doc_list[$row['id']]['session_id'] == 0) {
if ($doc_list[$row['id']]['visibility'] == 0) {
unset($document_data[$row['id']]);
continue;
}
}
}
$doc_list[$row['id']] = $row;
}
if (!api_is_coach() && !$is_allowed_to_edit) {
$doc_list[] = $row;
}
if ($row['filetype'] == 'file' && pathinfo($row['path'], PATHINFO_EXTENSION) == 'html') {
//Templates management
$table_template = Database::get_main_table(TABLE_MAIN_TEMPLATES);
@ -523,6 +548,61 @@ class DocumentManager {
}
$document_data[$row['id']] = $row;
}
//Only for the student we filter the results see BT#1652
if (!api_is_coach() && !$is_allowed_to_edit) {
$ids_to_remove = array();
$my_repeat_ids = $temp= array();
//Selecting repetead ids
foreach($doc_list as $row ) {
if (in_array($row['id'], array_keys($temp))) {
$my_repeat_ids[] = $row['id'];
}
$temp[$row['id']] = $row;
}
//Checking disponibility in a session
//var_dump($my_repeat_ids);
foreach($my_repeat_ids as $id) {
foreach($doc_list as $row ) {
if ($id == $row['id']) {
//var_dump($row['visibility'].' - '.$row['session_id'].' - '.$row['item_property_session_id']);
if ($row['visibility'] == 0 && $row['item_property_session_id'] == 0) {
$delete_repeated[$id] = true;
}
if ($row['visibility'] == 0 && $row['item_property_session_id'] != 0) {
$delete_repeated[$id] = true;
}
}
}
}
//var_dump($delete_repeated);
foreach($doc_list as $key=>$row) {
//&& !in_array($row['id'],$my_repeat_ids)
//var_dump($row['id'].' - '.$row['visibility']);
if (in_array($row['visibility'], array('0','2')) && !in_array($row['id'],$my_repeat_ids) ) {
$ids_to_remove[] = $row['id'];
unset($doc_list[$key]);
}
}
//var_dump($ids_to_remove);
foreach($document_data as $row) {
if (in_array($row['id'], $ids_to_remove)) {
unset($document_data[$row['id']]);
}
if (isset($delete_repeated[$row['id']]) && $delete_repeated[$row['id']]) {
unset($document_data[$row['id']]);
}
}
}
return $document_data;
} else {
//display_error("Error getting document info from database (".Database::error().")!");
@ -555,21 +635,19 @@ class DocumentManager {
//condition for the session
$session_id = api_get_session_id();
$condition_session = api_get_session_condition($session_id);
$sql = "SELECT path
FROM ".$TABLE_ITEMPROPERTY." AS last, ".$TABLE_DOCUMENT." AS docs
$sql = "SELECT path FROM ".$TABLE_ITEMPROPERTY." AS last, ".$TABLE_DOCUMENT." AS docs
WHERE docs.id = last.ref
AND docs.filetype = 'folder'
AND last.tool = '".TOOL_DOCUMENT."'
AND last.to_group_id = ".$to_group_id."
AND last.visibility <> 2 $condition_session";
$result = Database::query($sql);
if ($result && Database::num_rows($result) != 0) {
while ($row = Database::fetch_array($result, 'ASSOC')) {
$document_folders[] = $row['path'];
}
//sort($document_folders);
natsort($document_folders);
@ -578,9 +656,9 @@ class DocumentManager {
} else {
return false;
}
}
//no invisible folders
else {
} else {
//no invisible folders
//condition for the session
$session_id = api_get_session_id();
$condition_session = api_get_session_condition($session_id);
@ -963,26 +1041,54 @@ class DocumentManager {
* @param string $document_path the relative complete path of the document
* @param array $course the _course array info of the document's course
*/
public static function is_visible($doc_path, $course) {
public static function is_visible($doc_path, $course, $session_id = 0) {
$docTable = Database::get_course_table(TABLE_DOCUMENT, $course['dbName']);
$propTable = Database::get_course_table(TABLE_ITEM_PROPERTY, $course['dbName']);
//note the extra / at the end of doc_path to match every path in the
// document table that is part of the document path
$doc_path = Database::escape_string($doc_path);
$sql = "SELECT path FROM $docTable d, $propTable ip " .
"where d.id=ip.ref AND ip.tool='".TOOL_DOCUMENT."' AND d.filetype='file' AND visibility=0 AND ".
"locate(concat(path,'/'),'".$doc_path."/')=1";
$session_id = intval($session_id);
$condition = "AND id_session = $session_id";
$sql = "SELECT path FROM $docTable d, $propTable ip " .
"WHERE d.id=ip.ref AND ip.tool='".TOOL_DOCUMENT."' AND visibility=0 $condition AND locate(concat(path,'/'),'".$doc_path."/')=1";
$result = Database::query($sql);
if (Database::num_rows($result) > 0) {
$row = Database::fetch_array($result);
//echo "$row[0] not visible";
return false;
}
//improved protection of documents viewable directly through the url: incorporates the same protections of the course at the url of documents: access allowed for the whole world Open, access allowed for users registered on the platform Private access, document accessible only to course members (see the Users list), Completely closed; the document is only accessible to the course admin and teaching assistants.
return $_SESSION ['is_allowed_in_course'] || api_is_platform_admin();
}
/**
* return true if the documentpath have visibility=1 as item_property
*
* @param string $document_path the relative complete path of the document
* @param array $course the _course array info of the document's course
*/
public static function is_visible_by_id($id, $course, $session_id = 0) {
$docTable = Database::get_course_table(TABLE_DOCUMENT, $course['dbName']);
$propTable = Database::get_course_table(TABLE_ITEM_PROPERTY, $course['dbName']);
$id = intval($id);
$session_id = intval($session_id);
$condition = "AND id_session = $session_id";
echo $sql = "SELECT path FROM $docTable d, $propTable ip " .
"WHERE d.id=ip.ref AND ip.tool='".TOOL_DOCUMENT."' AND visibility=0 $condition AND d.id = $id";
$result = Database::query($sql);
if (Database::num_rows($result) > 0) {
$row = Database::fetch_array($result);
//echo "$row[0] not visible";
return false;
}
//improved protection of documents viewable directly through the url: incorporates the same protections of the course at the url of documents: access allowed for the whole world Open, access allowed for users registered on the platform Private access, document accessible only to course members (see the Users list), Completely closed; the document is only accessible to the course admin and teaching assistants.
return $_SESSION ['is_allowed_in_course'] || api_is_platform_admin();
}
/**
* Allow attach a certificate to a course
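Review bot: `is_visible_by_id` still carries the debug statement `echo $sql = "SELECT path FROM $docTable d, $propTable ip " .`, so every coach move or set_visible/set_invisible request prints the raw query — course table names and all — into the response; it should read `$sql = "SELECT path FROM $docTable d, $propTable ip " .`. The docblock above it was copied from `is_visible` and documents a `$document_path` parameter that does not exist; replace it with `@param int $id the document id`, `@param array $course the _course array info of the document's course` and `@param int $session_id the item_property session row to test (default 0, the course-level row)`. In `get_all_document_data`, the coach loop tests membership with `in_array($row['id'], array_keys($doc_list))` on every row, which is quadratic and reads oddly; `isset($doc_list[$row['id']])` is the idiomatic form and is what the later student loop effectively does via `$temp`. The `is_visible` rewrite also drops the `d.filetype='file'` restriction, so it now matches invisible folders along the path too — presumably deliberate for the directory check, but the method's docblock (which begins outside the hunk) still describes only a document path and could say so.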
