diff --git a/main/document/document.php b/main/document/document.php index 2c78a0b303..3408f06662 100755 --- a/main/document/document.php +++ b/main/document/document.php @@ -211,9 +211,13 @@ if ($to_group_id != 0 && $curdirpath == '/') { $curdirpathurl = urlencode($group_properties['directory']); } + // Check visibility of the current dir path. Don't show anything if not allowed -if (!(DocumentManager::is_visible($curdirpath, $_course) || $is_allowed_to_edit)) { - api_not_allowed(); + +if (!$is_allowed_to_edit || api_is_coach()) { + if (!(DocumentManager::is_visible($curdirpath, $_course, api_get_session_id()))) { + api_not_allowed(); + } } /* Constants and variables */ @@ -317,7 +321,6 @@ if (isset($_GET['action']) && $_GET['action'] == 'downloadfolder' && (api_get_se } - // Slideshow inititalisation $_SESSION['image_files_only'] = ''; $image_files_only = ''; @@ -422,6 +425,13 @@ if ($is_allowed_to_edit || $group_member_with_upload_rights) { // TEACHER ONLY $my_get_move = Security::remove_XSS($_GET['move']); if (isset($_GET['move']) && $_GET['move'] != '') { + + if (api_is_coach()) { + if (!DocumentManager::is_visible_by_id($my_get_move, $_course,api_get_session_id())) { + api_not_allowed(); + } + } + if (!$is_allowed_to_edit) { if (DocumentManager::check_readonly($_course, $_user['user_id'], $my_get_move)) { api_not_allowed(); @@ -430,6 +440,8 @@ if ($is_allowed_to_edit || $group_member_with_upload_rights) { // TEACHER ONLY if (DocumentManager::get_document_id($_course, $my_get_move)) { $folders = DocumentManager::get_all_document_folders($_course, $to_group_id, $is_allowed_to_edit || $group_member_with_upload_rights); + + echo '
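Review bot: The new guard in the -211 hunk now hands `api_get_session_id()` to `DocumentManager::is_visible`, and the reworked `is_visible` (other file in this commit) builds `AND id_session = $session_id` from it, so inside a session only session-scoped item_property rows can mark the path invisible while course-level rows (`id_session = 0`) no longer hide anything — the old call had no session condition and hid the path on any invisible row. If that narrowing is intended, a one-line comment above the guard should say so, e.g. `// Visibility is evaluated for the current session only; course-level (id_session=0) hiding does not apply here`; if not, the session condition in `is_visible` should also admit `id_session = 0`. The outer structure is otherwise fine, but note that `$is_allowed_to_edit` teachers outside a session still bypass the check entirely, which matches the previous behaviour.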
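Review bot: The four new coach-only visibility guards in this file are not consistent: the -422 hunk (and the -441 one) pass `api_get_session_id()` to `is_visible_by_id`, while the -466 hunk calls `DocumentManager::is_visible($_GET['delete'], $_course)` and the -563 hunk calls `DocumentManager::is_visible_by_id($update_id, $_course)` with no session id, so those two default to session 0 and check course-level rows only — delete and set_visible/set_invisible enforce a different rule than move. Either pass the session everywhere (`if (!DocumentManager::is_visible($_GET['delete'], $_course, api_get_session_id())) {` and `if (!DocumentManager::is_visible_by_id($update_id, $_course, api_get_session_id())) {`) or factor the repeated block into one local helper so the rule exists in a single place. The enclosing `if ($is_allowed_to_edit || $group_member_with_upload_rights)` block begins and ends outside these hunks, and the `, $_course,api_get_session_id()` spacing should follow the surrounding style.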
'.get_lang('Move').'
'; echo build_move_to_selector($folders, Security::remove_XSS($_GET['curdirpath']), $my_get_move, $group_properties['directory']); } @@ -441,6 +453,13 @@ if ($is_allowed_to_edit || $group_member_with_upload_rights) { // TEACHER ONLY api_not_allowed(); } } + + if (api_is_coach()) { + if (!DocumentManager::is_visible_by_id($my_get_move, $_course,api_get_session_id())) { + api_not_allowed(); + } + } + require_once $lib_path.'fileManage.lib.php'; // This is needed for the update_db_info function @@ -466,12 +485,19 @@ if ($is_allowed_to_edit || $group_member_with_upload_rights) { // TEACHER ONLY /* DELETE FILE OR DIRECTORY */ if (isset($_GET['delete'])) { + + if (api_is_coach()) { + if (!DocumentManager::is_visible($_GET['delete'], $_course)) { + api_not_allowed(); + } + } + if (!$is_allowed_to_edit) { if (DocumentManager::check_readonly($_course, $_user['user_id'], $_GET['delete'], '', true)) { api_not_allowed(); } } - + require_once api_get_path(LIBRARY_PATH).'fileManage.lib.php'; if (DocumentManager::delete_document($_course, $_GET['delete'], $base_work_dir)) { @@ -563,7 +589,13 @@ if ($is_allowed_to_edit || $group_member_with_upload_rights) { // TEACHER ONLY $update_id = $_GET['set_invisible']; $visibility_command = 'invisible'; } - + + if (api_is_coach()) { + if (!DocumentManager::is_visible_by_id($update_id, $_course)) { + api_not_allowed(); + } + } + if (!$is_allowed_to_edit) { if(DocumentManager::check_readonly($_course, $_user['user_id'], '', $update_id)) { api_not_allowed(); 
@@ -682,9 +714,9 @@ if (isset($_GET['curdirpath']) && $_GET['curdirpath'] == '/certificates' && isse /* GET ALL DOCUMENT DATA FOR CURDIRPATH */ if(isset($_GET['keyword']) && !empty($_GET['keyword'])){ -$docs_and_folders = DocumentManager::get_all_document_data($_course, $curdirpath, $to_group_id, null, $is_allowed_to_edit || $group_member_with_upload_rights, $search=true); + $docs_and_folders = DocumentManager::get_all_document_data($_course, $curdirpath, $to_group_id, null, $is_allowed_to_edit || $group_member_with_upload_rights, $search=true); }else{ -$docs_and_folders = DocumentManager::get_all_document_data($_course, $curdirpath, $to_group_id, null, $is_allowed_to_edit || $group_member_with_upload_rights, $search=false); + $docs_and_folders = DocumentManager::get_all_document_data($_course, $curdirpath, $to_group_id, null, $is_allowed_to_edit || $group_member_with_upload_rights, $search=false); } $folders = DocumentManager::get_all_document_folders($_course, $to_group_id, $is_allowed_to_edit || $group_member_with_upload_rights); @@ -731,8 +763,9 @@ if (isset($docs_and_folders) && is_array($docs_and_folders)) { $use_document_title = api_get_setting('use_document_title'); // Create a sortable table with our data $sortable_data = array(); - - while (list($key, $id) = each($docs_and_folders)) { + + //while (list($key, $id) = each($docs_and_folders)) { + foreach($docs_and_folders as $key=>$id) { $row = array(); // If the item is invisible, wrap it in a span with class invisible diff --git a/main/inc/lib/document.lib.php b/main/inc/lib/document.lib.php index 2520b66053..aadaa72bfd 100755 --- a/main/inc/lib/document.lib.php +++ b/main/inc/lib/document.lib.php 
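Review bot: The -731 hunk keeps the replaced `//while (list($key, $id) = each($docs_and_folders)) {` as a comment directly above the new `foreach`; dead code like this should be deleted rather than left in the file. The new loop header should also follow the file's spacing convention, `foreach ($docs_and_folders as $key => $id) {`.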
@@ -473,9 +473,9 @@ class DocumentManager { //if they can't see invisible files, they can only see files with visibility 1 $visibility_bit = ' = 1'; //if they can see invisible files, only deleted files (visibility 2) are filtered out - if ($can_see_invisible) { + //if ($can_see_invisible) { $visibility_bit = ' <> 2'; - } + //} //the given path will not end with a slash, unless it's the root '/' //so no root -> add slash 
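Review bot: Commenting out `if ($can_see_invisible) {` leaves `$visibility_bit = ' <> 2'` unconditional, so the query now fetches visibility-0 rows for every caller and `$can_see_invisible` no longer influences the SQL; the same hunk series (-484) likewise comments out the session condition inside `if (!$can_see_invisible) {`, leaving an empty `if` body. Visibility enforcement for this function therefore rests entirely on the PHP post-filtering added further down (-507/-523), which is keyed on `api_is_coach()` and `api_is_allowed_to_edit()` rather than on the parameter callers pass. If that is the intended design, remove the commented-out lines and the empty `if`, and state it at the query, e.g. `// Visibility is no longer filtered in SQL; rows with visibility 0 are removed per role after fetching`; otherwise keep the `= 1` bit for callers with `$can_see_invisible` false. The function header is outside this hunk.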
@@ -484,21 +484,21 @@ class DocumentManager { //condition for the session $current_session_id = api_get_session_id(); $condition_session = " AND (id_session = '$current_session_id' OR id_session = '0')"; - - if( !$can_see_invisible) { - $condition_session = " AND (id_session = '$current_session_id' ) "; + + if (!$can_see_invisible) { + //$condition_session = " AND (id_session = '$current_session_id' ) "; } //condition for search (get ALL folders and documents) - if($search){ - $sql = "SELECT docs.id, docs.filetype, docs.path, docs.title, docs.comment, docs.size, docs.readonly, docs.session_id, last.lastedit_date, last.visibility + if ($search) { + $sql = "SELECT docs.id, docs.filetype, docs.path, docs.title, docs.comment, docs.size, docs.readonly, docs.session_id, last.id_session item_property_session_id, last.lastedit_date, last.visibility FROM ".$TABLE_ITEMPROPERTY." AS last, ".$TABLE_DOCUMENT." AS docs WHERE docs.id = last.ref AND last.tool = '".TOOL_DOCUMENT."' AND ".$to_field." = ".$to_value." AND last.visibility".$visibility_bit . $condition_session; - }else{ - $sql = "SELECT docs.id, docs.filetype, docs.path, docs.title, docs.comment, docs.size, docs.readonly, docs.session_id, last.lastedit_date, last.visibility + } else { + $sql = "SELECT docs.id, docs.filetype, docs.path, docs.title, docs.comment, docs.size, docs.readonly, docs.session_id, last.id_session item_property_session_id, last.lastedit_date, last.visibility FROM ".$TABLE_ITEMPROPERTY." AS last, ".$TABLE_DOCUMENT." AS docs WHERE docs.id = last.ref AND docs.path LIKE '".$path.$added_slash."%' 
@@ -507,10 +507,35 @@ class DocumentManager { AND ".$to_field." = ".$to_value." AND last.visibility".$visibility_bit . $condition_session; } + + $result = Database::query($sql); - + + $doc_list = array(); + $document_data = array(); + $is_allowed_to_edit = api_is_allowed_to_edit(null, true); + if ($result!==false && Database::num_rows($result) != 0) { while ($row = Database::fetch_array($result, 'ASSOC')) { + + if (api_is_coach()) { + //Looking for course items that are invisible to hide it in the session + if (in_array($row['id'], array_keys($doc_list))) { + if ($doc_list[$row['id']]['item_property_session_id'] == 0 && $doc_list[$row['id']]['session_id'] == 0) { + if ($doc_list[$row['id']]['visibility'] == 0) { + unset($document_data[$row['id']]); + continue; + } + } + } + $doc_list[$row['id']] = $row; + } + + if (!api_is_coach() && !$is_allowed_to_edit) { + $doc_list[] = $row; + } + + if ($row['filetype'] == 'file' && pathinfo($row['path'], PATHINFO_EXTENSION) == 'html') { //Templates management $table_template = Database::get_main_table(TABLE_MAIN_TEMPLATES); 
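Review bot: The coach branch inside the `while` loop decides whether to drop a repeated id by inspecting the row already stored in `$doc_list[$row['id']]`, so the outcome depends on which of the two item_property rows (course-level `id_session = 0` or session-level) the database returns first, and neither SELECT built above carries an `ORDER BY`; if the session row arrives first the course-level invisible row simply overwrites `$document_data[$row['id']]` at the end of the loop and the document stays visible. Add a deterministic order to both queries, e.g. `... $condition_session . " ORDER BY docs.id, last.id_session";`, or collect all rows per id and decide after the loop. Minor: `api_is_coach()` is evaluated on every row and can be hoisted into a local before the loop, and `in_array($row['id'], array_keys($doc_list))` is `isset($doc_list[$row['id']])`. The `while` body continues into the next hunk.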
@@ -523,6 +548,61 @@ class DocumentManager { } $document_data[$row['id']] = $row; } + + + //Only for the student we filter the results see BT#1652 + if (!api_is_coach() && !$is_allowed_to_edit) { + $ids_to_remove = array(); + $my_repeat_ids = $temp= array(); + + //Selecting repetead ids + foreach($doc_list as $row ) { + if (in_array($row['id'], array_keys($temp))) { + $my_repeat_ids[] = $row['id']; + } + $temp[$row['id']] = $row; + } + + //Checking disponibility in a session + //var_dump($my_repeat_ids); + foreach($my_repeat_ids as $id) { + foreach($doc_list as $row ) { + if ($id == $row['id']) { + //var_dump($row['visibility'].' - '.$row['session_id'].' - '.$row['item_property_session_id']); + if ($row['visibility'] == 0 && $row['item_property_session_id'] == 0) { + $delete_repeated[$id] = true; + } + if ($row['visibility'] == 0 && $row['item_property_session_id'] != 0) { + $delete_repeated[$id] = true; + } + } + } + } + + //var_dump($delete_repeated); + + foreach($doc_list as $key=>$row) { + //&& !in_array($row['id'],$my_repeat_ids) + //var_dump($row['id'].' - '.$row['visibility']); + if (in_array($row['visibility'], array('0','2')) && !in_array($row['id'],$my_repeat_ids) ) { + $ids_to_remove[] = $row['id']; + unset($doc_list[$key]); + } + } + //var_dump($ids_to_remove); + + foreach($document_data as $row) { + if (in_array($row['id'], $ids_to_remove)) { + unset($document_data[$row['id']]); + } + if (isset($delete_repeated[$row['id']]) && $delete_repeated[$row['id']]) { + unset($document_data[$row['id']]); + } + } + } + + + return $document_data; } else { //display_error("Error getting document info from database (".Database::error().")!"); 
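Review bot: In the new student filter, `$delete_repeated` is never initialised (`$my_repeat_ids = $temp= array();` covers only the other two), and the two conditions that set it — `visibility == 0 && item_property_session_id == 0` and `visibility == 0 && item_property_session_id != 0` — together reduce to `visibility == 0`, so a document that is hidden at course level but re-enabled in the session is removed whenever either row is invisible; confirm that is the intended precedence, since the comment says the block checks "disponibility in a session". Replace the pair with `if ($row['visibility'] == 0) { $delete_repeated[$id] = true; }` and add `$delete_repeated = array();` next to the other initialisations. The four `//var_dump(...)` lines are debugging leftovers and should go; `in_array($row['visibility'], array('0','2'))` is also redundant for `'2'` because the query already excludes `visibility <> 2`. A brief comment explaining that unique ids are dropped when invisible while duplicated ids are resolved against their session row would make the block readable without the BT reference.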
@@ -555,21 +635,19 @@ class DocumentManager { //condition for the session $session_id = api_get_session_id(); $condition_session = api_get_session_condition($session_id); - $sql = "SELECT path - FROM ".$TABLE_ITEMPROPERTY." AS last, ".$TABLE_DOCUMENT." AS docs + $sql = "SELECT path FROM ".$TABLE_ITEMPROPERTY." AS last, ".$TABLE_DOCUMENT." AS docs WHERE docs.id = last.ref AND docs.filetype = 'folder' AND last.tool = '".TOOL_DOCUMENT."' AND last.to_group_id = ".$to_group_id." AND last.visibility <> 2 $condition_session"; - + $result = Database::query($sql); if ($result && Database::num_rows($result) != 0) { while ($row = Database::fetch_array($result, 'ASSOC')) { $document_folders[] = $row['path']; } - //sort($document_folders); natsort($document_folders); @@ -578,9 +656,9 @@ class DocumentManager { } else { return false; } - } - //no invisible folders - else { + } else { + //no invisible folders + //condition for the session $session_id = api_get_session_id(); $condition_session = api_get_session_condition($session_id); 
@@ -963,26 +1041,54 @@ class DocumentManager { * @param string $document_path the relative complete path of the document * @param array $course the _course array info of the document's course */ - public static function is_visible($doc_path, $course) { + public static function is_visible($doc_path, $course, $session_id = 0) { $docTable = Database::get_course_table(TABLE_DOCUMENT, $course['dbName']); $propTable = Database::get_course_table(TABLE_ITEM_PROPERTY, $course['dbName']); //note the extra / at the end of doc_path to match every path in the // document table that is part of the document path $doc_path = Database::escape_string($doc_path); - - $sql = "SELECT path FROM $docTable d, $propTable ip " . - "where d.id=ip.ref AND ip.tool='".TOOL_DOCUMENT."' AND d.filetype='file' AND visibility=0 AND ". - "locate(concat(path,'/'),'".$doc_path."/')=1"; + + $session_id = intval($session_id); + $condition = "AND id_session = $session_id"; + + $sql = "SELECT path FROM $docTable d, $propTable ip " . + "WHERE d.id=ip.ref AND ip.tool='".TOOL_DOCUMENT."' AND visibility=0 $condition AND locate(concat(path,'/'),'".$doc_path."/')=1"; $result = Database::query($sql); if (Database::num_rows($result) > 0) { $row = Database::fetch_array($result); //echo "$row[0] not visible"; return false; } - //improved protection of documents viewable directly through the url: incorporates the same protections of the course at the url of documents: access allowed for the whole world Open, access allowed for users registered on the platform Private access, document accessible only to course members (see the Users list), Completely closed; the document is only accessible to the course admin and teaching assistants. 
return $_SESSION ['is_allowed_in_course'] || api_is_platform_admin(); } + + /** + * return true if the documentpath have visibility=1 as item_property + * + * @param string $document_path the relative complete path of the document + * @param array $course the _course array info of the document's course + */ + public static function is_visible_by_id($id, $course, $session_id = 0) { + $docTable = Database::get_course_table(TABLE_DOCUMENT, $course['dbName']); + $propTable = Database::get_course_table(TABLE_ITEM_PROPERTY, $course['dbName']); + $id = intval($id); + + $session_id = intval($session_id); + $condition = "AND id_session = $session_id"; + + echo $sql = "SELECT path FROM $docTable d, $propTable ip " . + "WHERE d.id=ip.ref AND ip.tool='".TOOL_DOCUMENT."' AND visibility=0 $condition AND d.id = $id"; + $result = Database::query($sql); + if (Database::num_rows($result) > 0) { + $row = Database::fetch_array($result); + //echo "$row[0] not visible"; + return false; + } + //improved protection of documents viewable directly through the url: incorporates the same protections of the course at the url of documents: access allowed for the whole world Open, access allowed for users registered on the platform Private access, document accessible only to course members (see the Users list), Completely closed; the document is only accessible to the course admin and teaching assistants. + return $_SESSION ['is_allowed_in_course'] || api_is_platform_admin(); + } + /** * Allow attach a certificate to a course
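Review bot: `echo $sql = "SELECT path FROM $docTable d, $propTable ip " .` in the new `is_visible_by_id` writes the full query, including table names and the id, into the HTTP response on every call — a debugging leftover that must be `$sql = "SELECT path FROM $docTable d, $propTable ip " .`. The docblock above it is copied from `is_visible` and documents `@param string $document_path`, but the method takes `$id` and an undocumented `$session_id`; it should read `@param int $id the document id`, `@param array $course the _course array info`, `@param int $session_id session whose item_property row is checked (0 = course level)`. Both methods now share the same body apart from the final predicate, so a private helper taking the predicate fragment would keep the session condition in one place. The unused `$row = Database::fetch_array($result);` is pre-existing but was copied into the new method as well.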