From 6ab526dcf1045cba88875da08ca41cb60ab2ae91 Mon Sep 17 00:00:00 2001
From: jmontoyaa
Date: Wed, 18 Apr 2018 10:20:35 +0200
Subject: [PATCH] Block page for unauthorized users.
---
 main/admin/user_import.php | 2 +-
 main/admin/user_update_import.php | 2 +-
 main/course_info/maintenance.php | 9 +++++++--
 main/exercise/exercise_report.php | 10 ++++++++--
 main/exercise/question_create.php | 6 ++++++
 main/work/work.php | 5 +++++
 6 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/main/admin/user_import.php b/main/admin/user_import.php
index 971b7a2fbe..6a73897eb1 100644
--- a/main/admin/user_import.php
+++ b/main/admin/user_import.php
@@ -387,7 +387,7 @@ function parse_xml_data($file)
 }
 $this_section = SECTION_PLATFORM_ADMIN;
-api_protect_admin_script(true, null, 'login');
+api_protect_admin_script(true, null);
 api_protect_limit_for_session_admin();
 $defined_auth_sources[] = PLATFORM_AUTH_SOURCE;
diff --git a/main/admin/user_update_import.php b/main/admin/user_update_import.php
index eb11a8f94f..ae0728ddc9 100644
--- a/main/admin/user_update_import.php
+++ b/main/admin/user_update_import.php
@@ -337,7 +337,7 @@ function parse_xml_data($file)
 }
 $this_section = SECTION_PLATFORM_ADMIN;
-api_protect_admin_script(true, null, 'login');
+api_protect_admin_script(true, null);
 $defined_auth_sources[] = PLATFORM_AUTH_SOURCE;
diff --git a/main/course_info/maintenance.php b/main/course_info/maintenance.php
index aa31f1fbf0..359754a71d 100755
--- a/main/course_info/maintenance.php
+++ b/main/course_info/maintenance.php
@@ -13,7 +13,12 @@ $nameTools = get_lang('Maintenance');
 api_protect_course_script(true);
 api_block_anonymous_users();
-Display :: display_header($nameTools);
+// Check access rights (only teachers are allowed here)
+if (!api_is_allowed_to_edit()) {
+ api_not_allowed(true);
+}
+
+Display::display_header($nameTools);
 echo Display::page_header($nameTools);
 ?>
@@ -46,5 +51,5 @@ echo Display::page_header($nameTools);
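Review bot: In `api_protect_admin_script(true, null);` the second argument is passed as `null` while the first is a bool; if that parameter is a boolean flag like the first, `api_protect_admin_script(true, false);` states the intent instead of relying on null being treated as false. The same line appears in the main/admin/user_update_import.php hunk and should be changed together with this one. The hunk does not show what the dropped `'login'` argument controlled; if it selected a login redirect for unauthorized users, a one-line comment such as `// Unauthorized users get the not-allowed page rather than a login redirect` would record why it was removed.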
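Review bot: The added comment in main/course_info/maintenance.php says only teachers are allowed, but the condition is `api_is_allowed_to_edit()` with its default arguments, which in this codebase is also expected to pass for platform administrators and, if the default honours student view, to fail for a teacher currently in student view; a comment that describes the check rather than a role, e.g. `// Only users allowed to edit this course may reach the maintenance tools`, avoids misleading the next reader. Placing the guard before `Display::display_header` is right, and the code after it relies on `api_not_allowed(true)` ending the request, which is worth stating in the same comment since there is no else branch. If the remainder of this file (outside the hunk) only links to the actual maintenance operations, this guard protects the menu page and each target script still needs its own check.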
"exercise.php", "name" => get_lang('Exercises')]; diff --git a/main/work/work.php b/main/work/work.php index fba382fe22..09dde751db 100755 --- a/main/work/work.php +++ b/main/work/work.php @@ -157,6 +157,11 @@ switch ($action) { header('Location: '.$currentUrl); exit; } + + if (!$is_allowed_to_edit) { + api_not_allowed(true); + } + $studentDeleteOwnPublication = api_get_course_setting('student_delete_own_publication') == 1 ? 1 : 0; /* Display of tool options */ $content = settingsForm(