Fixes #1721 Don't show "switch to teacher view"

You cannot edit base LP from a session.
9 years ago · 65783465aa
parent 2252c440de
commit 65783465aa
2 changed files with 36 additions and 15 deletions
--- a/main/inc/lib/banner.lib.php
+++ b/main/inc/lib/banner.lib.php
@ -2,6 +2,7 @@
 /* For licensing terms, see /license.txt */

 use Chamilo\CoreBundle\Component\Utils\ChamiloApi;
+use ChamiloSession as Session;

 /**
 * Code
@ -675,6 +676,15 @@ function return_breadcrumb($interbreadcrumb, $language_file, $nameTools)
            api_get_setting('student_view_enabled') === 'true' && api_get_course_info()
        ) {
            $view_as_student_link = api_display_tool_view_option();
+
+            // Only show link if LP can be editable
+            /** @var learnpath $learnPath */
+            $learnPath = Session::read('oLP');
+            if (!empty($learnPath) && !empty($view_as_student_link)) {
+                if ((int)$learnPath->get_lp_session_id() != (int)api_get_session_id()) {
+                    $view_as_student_link = '';
+                }
+            }
        }
    }

--- a/main/lp/lp_add_item.php
+++ b/main/lp/lp_add_item.php
@ -19,9 +19,35 @@ $this_section = SECTION_COURSES;

 api_protect_course_script();

+$isStudentView = isset($_REQUEST['isStudentView']) ? $_REQUEST['isStudentView'] : null;
+$learnpath_id = isset($_REQUEST['lp_id']) ? intval($_REQUEST['lp_id']) : null;
+$submit = isset($_POST['submit_button']) ? $_POST['submit_button'] : null;
+$type = isset($_GET['type']) ? $_GET['type'] : null;
+$action = isset($_GET['action']) ? $_GET['action'] : null;
+
+$is_allowed_to_edit = api_is_allowed_to_edit(null, false);
+
+$listUrl = api_get_path(WEB_CODE_PATH).'lp/lp_controller.php?action=view&lp_id='.$learnpath_id.'&'.api_get_cidreq().'&isStudentView=true';
+if (!$is_allowed_to_edit) {
+    error_log('New LP - User not authorized in lp_add_item.php');
+    header("Location: $listUrl");
+    exit;
+}
+
 /** @var learnpath $learnPath */
 $learnPath = Session::read('oLP');

+if (empty($learnPath)) {
+    api_not_allowed();
+}
+
+if ((int)$learnPath->get_lp_session_id() != (int)api_get_session_id()) {
+    // You cannot edit an LP from a base course.
+    header("Location: $listUrl");
+
+    exit;
+}
+
 $htmlHeadXtra[] = '<script>'.
 $learnPath->get_js_dropdown_array()."
 function load_cbo(id) {
@ -62,22 +88,7 @@ $(function() {
 });
 </script>";

-/* Constants and variables */
-
-$isStudentView = isset($_REQUEST['isStudentView']) ? $_REQUEST['isStudentView'] : null;
-$learnpath_id = isset($_REQUEST['lp_id']) ? intval($_REQUEST['lp_id']) : null;
-$submit = isset($_POST['submit_button']) ? $_POST['submit_button'] : null;
-
-$type = isset($_GET['type']) ? $_GET['type'] : null;
-$action = isset($_GET['action']) ? $_GET['action'] : null;
-
-if (!$is_allowed_to_edit) {
-    error_log('New LP - User not authorized in lp_add_item.php');
-    header('location:lp_controller.php?action=view&lp_id='.$learnpath_id);
-    exit;
-}
 /* SHOWING THE ADMIN TOOLS */
-
 if (isset($_SESSION['gradebook'])) {
    $gradebook = $_SESSION['gradebook'];
 }