From 568d5fd2d505cefe23a50859b8bc4fb241e81f50 Mon Sep 17 00:00:00 2001 From: jmontoyaa Date: Wed, 18 Apr 2018 09:57:20 +0200 Subject: [PATCH] Fix PHP warnings, improve security access. --- main/announcements/announcements.php | 51 ++++++++++++++++++---------- main/inc/ajax/statistics.ajax.php | 8 +++++ main/inc/lib/AnnouncementEmail.php | 8 ++--- main/inc/lib/AnnouncementManager.php | 22 ++++++------ 4 files changed, 55 insertions(+), 34 deletions(-) diff --git a/main/announcements/announcements.php b/main/announcements/announcements.php index 74c45d94d0..f04483afad 100755 --- a/main/announcements/announcements.php +++ b/main/announcements/announcements.php @@ -97,6 +97,11 @@ $searchFormToString = ''; switch ($action) { case 'move': + + if (!$allowToEdit) { + api_not_allowed(true); + } + /* Move announcement up/down */ if (!empty($_GET['down'])) { $thisAnnouncementId = intval($_GET['down']); @@ -282,7 +287,7 @@ switch ($action) { if (empty($count)) { $html = ''; - if ($allowToEdit && (empty($_GET['origin']) or $_GET['origin'] !== 'learnpath')) { + if ($allowToEdit && (empty($_GET['origin']) || $_GET['origin'] !== 'learnpath')) { $html .= '
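Review bot: The `if (!$allowToEdit) { api_not_allowed(true); }` guard added at the top of `case 'move':` is repeated verbatim in the hunks at @@ -346 and @@ -368; `$allowToEdit` appears to be computed before the `switch`, so the check could be made once for the editing actions (e.g. an `in_array($action, [...], true)` test before the `switch`) instead of being copied into each case. Whether `api_not_allowed(true)` terminates the request is not visible here; if it only renders a message, the move driven by `$_GET['down']` on the following lines still executes, so an explicit `exit;` after it (or confirming the helper exits) would make the guard robust. The move is also a state-changing action driven entirely by GET parameters with no token check visible in this hunk, unlike the add path further down which sits under a token condition. The `switch` body continues outside the hunk.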
'; $html .= '

'.get_lang('Announcements').'

'; $html .= Display::return_icon('valves.png', '', [], 64); @@ -346,6 +351,10 @@ switch ($action) { api_not_allowed(); } + if (!$allowToEdit) { + api_not_allowed(true); + } + if (!api_is_session_general_coach() || api_is_element_in_the_session(TOOL_ANNOUNCEMENT, $_GET['id']) ) { @@ -368,6 +377,10 @@ switch ($action) { api_not_allowed(true); } + if (!$allowToEdit) { + api_not_allowed(true); + } + // DISPLAY ADD ANNOUNCEMENT COMMAND $id = isset($_GET['id']) ? intval($_GET['id']) : 0; $url = api_get_self().'?action='.$action.'&id='.$id.'&'.api_get_cidreq(); @@ -616,25 +629,27 @@ switch ($action) { $sendToUsersInSession ); } - - Display::addFlash( - Display::return_message( - get_lang('AnnouncementAdded'), - 'success' - ) - ); - - // Send mail - if (isset($data['email_ann']) && $data['email_ann']) { - AnnouncementManager::sendEmail( - api_get_course_info(), - api_get_session_id(), - $insert_id, - $sendToUsersInSession + if ($insert_id) { + Display::addFlash( + Display::return_message( + get_lang('AnnouncementAdded'), + 'success' + ) ); + + // Send mail + if (isset($data['email_ann']) && $data['email_ann']) { + AnnouncementManager::sendEmail( + api_get_course_info(), + api_get_session_id(), + $insert_id, + $sendToUsersInSession + ); + } + header('Location: '.$homeUrl); + exit; } - header('Location: '.$homeUrl); - exit; + api_not_allowed(true); } // end condition token } } diff --git a/main/inc/ajax/statistics.ajax.php b/main/inc/ajax/statistics.ajax.php index b373878702..62462e6bcb 100644 --- a/main/inc/ajax/statistics.ajax.php +++ b/main/inc/ajax/statistics.ajax.php @@ -12,6 +12,14 @@ $action = isset($_REQUEST['a']) ? $_REQUEST['a'] : null; $sessionDuration = isset($_GET['session_duration']) ? (int) $_GET['session_duration'] : 0; switch ($action) { + case 'get_user_session': + $list = []; + + $sql = ""; + + echo json_encode($list); + break; + break; case 'recentlogins': header('Content-type: application/json'); $list = []; 
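Review bot: The new `api_not_allowed(true)` fallback after the `if ($insert_id)` block conflates two different outcomes: a falsy `$insert_id` can also mean the insert itself failed, and that failure is now reported to the user as an access violation. Consider flashing an error message and redirecting to `$homeUrl` in that case, leaving `api_not_allowed()` to the permission check that precedes the insert. If `api_not_allowed(true)` does not exit, control falls out of the `switch` and the page keeps rendering, as in the other guards added by this commit. The enclosing `if` and the token condition it closes (`// end condition token`) begin outside the hunk.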
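Review bot: The new `case 'get_user_session':` is a non-functional stub: `$sql = "";` is never used, the second `break;` is unreachable, and unlike the `recentlogins` case below it echoes `json_encode($list)` without the `header('Content-type: application/json');` line. If the stub is meant to ship, reduce it to the header, `echo json_encode([]);` and a single `break;`; otherwise drop it from this commit. The top of the file, where any access check on this ajax endpoint would sit, is outside the hunk.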
diff --git a/main/inc/lib/AnnouncementEmail.php b/main/inc/lib/AnnouncementEmail.php index 3cc2cac85b..312099e6ff 100644 --- a/main/inc/lib/AnnouncementEmail.php +++ b/main/inc/lib/AnnouncementEmail.php @@ -30,9 +30,8 @@ class AnnouncementEmail $this->session_id = empty($sessionId) ? api_get_session_id() : (int) $sessionId; if (is_numeric($announcementId)) { - $announcementId = AnnouncementManager::get_by_id($courseInfo['real_id'], $announcementId); + $this->announcement = AnnouncementManager::get_by_id($courseInfo['real_id'], $announcementId); } - $this->announcement = $announcementId; $this->logger = $logger; } @@ -279,9 +278,8 @@ class AnnouncementEmail * Send emails to users. * * @param bool $sendToUsersInSession - * @param bool $sendToDrhUsers send a copy of the message to the DRH users - * @param int $senderId - * related to the main user + * @param bool $sendToDrhUsers send a copy of the message to the DRH users + * @param int $senderId related to the main user */ public function send($sendToUsersInSession = false, $sendToDrhUsers = false, $senderId = 0) { diff --git a/main/inc/lib/AnnouncementManager.php b/main/inc/lib/AnnouncementManager.php index 0431255ecf..b5eebeb09f 100755 --- a/main/inc/lib/AnnouncementManager.php +++ b/main/inc/lib/AnnouncementManager.php @@ -45,8 +45,8 @@ class AnnouncementManager $tags[] = "((extra_".$extra['variable']."))"; } } - - if (!empty(api_get_session_id())) { + $sessionId = api_get_session_id(); + if (!empty($sessionId)) { $tags[] = '((coaches))'; $tags[] = '((general_coach))'; $tags[] = '((general_coach_email))'; @@ -798,7 +798,7 @@ class AnnouncementManager $courseInfo = api_get_course_info(); $courseId = api_get_course_int_id(); $tbl_item_property = Database::get_course_table(TABLE_ITEM_PROPERTY); - $tbl_announcement = Database::get_course_table(TABLE_ANNOUNCEMENT); + $table = Database::get_course_table(TABLE_ANNOUNCEMENT); $id = intval($id); $params = [ 
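Review bot: After this change `$this->announcement` is only assigned inside the `is_numeric($announcementId)` branch; the removed unconditional `$this->announcement = $announcementId;` previously also accepted an already-loaded announcement array, and a caller passing one now leaves the property unset. If that input is still supported, keep the assignment in an `else` branch, `} else { $this->announcement = $announcementId; }`; if only ids are accepted from now on, reject non-numeric input explicitly (e.g. throw an `InvalidArgumentException`) rather than silently constructing an incomplete object. The constructor starts before the hunk.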
@@ -807,7 +807,7 @@ class AnnouncementManager ]; Database::update( - $tbl_announcement, + $table, $params, ['c_id = ? AND id = ?' => [$courseId, $id]] ); @@ -846,7 +846,7 @@ class AnnouncementManager } // store in item_property (first the groups, then the users - if (!is_null($to)) { + if (!empty($to)) { // !is_null($to): when no user is selected we send it to everyone $send_to = CourseManager::separateUsersGroups($to); @@ -954,14 +954,14 @@ class AnnouncementManager */ public static function update_mail_sent($insert_id) { - $tbl_announcement = Database::get_course_table(TABLE_ANNOUNCEMENT); + $table = Database::get_course_table(TABLE_ANNOUNCEMENT); if ($insert_id != strval(intval($insert_id))) { return false; } $insert_id = intval($insert_id); $courseId = api_get_course_int_id(); // store the modifications in the table tbl_annoucement - $sql = "UPDATE $tbl_announcement SET email_sent='1' + $sql = "UPDATE $table SET email_sent='1' WHERE c_id = $courseId AND id = $insert_id"; Database::query($sql); } @@ -1445,22 +1445,22 @@ class AnnouncementManager /** * @param array $courseInfo * @param int $sessionId - * @param int $id + * @param int $announcementId * @param bool $sendToUsersInSession * @param bool $sendToDrhUsers * @param Monolog\Handler\HandlerInterface logger - * @param int $senderId + * @param int $senderId */ public static function sendEmail( $courseInfo, $sessionId, - $id, + $announcementId, $sendToUsersInSession = false, $sendToDrhUsers = false, $logger = null, $senderId = 0 ) { - $email = new AnnouncementEmail($courseInfo, $sessionId, $id, $logger); + $email = new AnnouncementEmail($courseInfo, $sessionId, $announcementId, $logger); $email->send($sendToUsersInSession, $sendToDrhUsers, $senderId); }
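Review bot: Changing `!is_null($to)` to `!empty($to)` sends an empty selection (`[]`) down the other branch, and the comment on the next line, `// !is_null($to): when no user is selected we send it to everyone`, now describes the old condition. If that comment is accurate, an empty recipient list previously went through `CourseManager::separateUsersGroups([])` and now falls through to the send-to-everyone path; that is a visibility change worth confirming as intended, since the else branch lies outside the hunk. At minimum update the comment to `// empty($to): when no user is selected we send it to everyone`.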