[svn r16327] Fix SQL error in course access check

16 years ago · 7a004a3316
parent 64d39bff5b
commit 7a004a3316
1 changed files with 31 additions and 37 deletions
--- a/main/inc/lib/main_api.lib.php
+++ b/main/inc/lib/main_api.lib.php
@ -2797,8 +2797,15 @@ function api_add_setting($val,$var,$sk=null,$type='textfield',$c=null,$title='',
 * @return  bool
 */
 function api_is_course_visible_for_user( $userid = null, $cid = null ) {
-    if ($userid == NULL)
+    if ( $userid == null ) {
        $userid = $_SESSION['_user']['user_id'];
+    }
+    if( empty ($userid) or strval(intval($userid)) != $userid )
+    {
+        return false;
+    }
+    $cid = Database::escape_string($cid);
+    global $is_platformAdmin;

    $course_table = Database::get_main_table(TABLE_MAIN_COURSE);
    $course_cat_table = Database::get_main_table(TABLE_MAIN_CATEGORY);
@ -2825,18 +2832,15 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {
    if (api_get_setting('use_session_mode') != 'true') {
        $course_user_table = Database::get_main_table(TABLE_MAIN_COURSE_USER);
        
-        $sql = "SELECT
-                    tutor_id, status 
+        $sql = "SELECT tutor_id, status 
                FROM $course_user_table
-                WHERE 
-                    user_id  = '$userid'
-                AND 
-                    course_code = '$cid'
+                WHERE user_id  = '$userid'
+                AND   course_code = '$cid'
                LIMIT 1";

        $result = api_sql_query($sql, __FILE__, __LINE__);

-        if (Database::num_rows($result) > 0) {
+        if ( Database::num_rows($result) > 0 ) {
            // this  user have a recorded state for this course
            $cuData = Database::fetch_array($result);

@ -2866,7 +2870,7 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {

        $result = api_sql_query($sql, __FILE__, __LINE__);

-        if (Database::num_rows($result) > 0) {
+        if ( Database::num_rows($result) > 0 ) {
            // this  user have a recorded state for this course
            $cuData = Database::fetch_array($result);

@ -2875,7 +2879,7 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {
            $is_courseTutor      = ($cuData['tutor_id' ] == 1);
            $is_courseAdmin      = ($cuData['status'] == 1);
        }
-        if (!$is_courseAdmin) {
+        if ( !$is_courseAdmin ) {
            // this user has no status related to this course
            // is it the session coach or the session admin ?
            $tbl_session = 
@ -2891,13 +2895,13 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {
                        $tbl_session as session
                    INNER JOIN $tbl_session_course
                        ON session_rel_course.id_session = session.id
-                        AND session_rel_course.course_code = $cid
+                        AND session_rel_course.course_code = '$cid'
                    LIMIT 1";

            $result = api_sql_query($sql, __FILE__, __LINE__);
            $row = api_store_result($result);
            
-            if($row[0]['id_coach']==$userid) {
+            if ( $row[0]['id_coach'] == $userid ) {
                $_courseUser['role'] = 'Professor';
                $is_courseMember = true;
                $is_courseTutor = true;
@ -2906,7 +2910,7 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {
                $is_sessionAdmin = false;

                api_session_register('_courseUser');
-            } else if($row[0]['session_admin_id']==$userid) {
+            } elseif ( $row[0]['session_admin_id'] == $userid ) {
                $_courseUser['role'] = 'Professor';
                $is_courseMember = false;
                $is_courseTutor = false;
@ -2915,13 +2919,10 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {
                $is_sessionAdmin = true;
            } else {
                // Check if the current user is the course coach
-                $sql = "SELECT 
-                            1
+                $sql = "SELECT 1
                        FROM $tbl_session_course
-                        WHERE 
-                            session_rel_course.course_code = $cid
-                        AND 
-                            session_rel_course.id_coach = '$userid'
+                        WHERE session_rel_course.course_code = '$cid'
+                        AND session_rel_course.id_coach = '$userid'
                        LIMIT 1";

                $result = api_sql_query($sql,__FILE__,__LINE__);
@ -2935,34 +2936,27 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {
                    
                    $tbl_user = Database :: get_main_table(TABLE_MAIN_USER);
                    
-                    $sql = "SELECT 
-                                status 
-                            FROM $tbl_user 
-                            WHERE 
-                                user_id = $userid
-                            LIMIT 1";
+                    $sql = "SELECT status FROM $tbl_user 
+                            WHERE  user_id = $userid  LIMIT 1";

                    $result = api_sql_query($sql);

-                    if (Database::result($result, 0, 0) == 1){
+                    if ( Database::result($result, 0, 0) == 1 ){
                        $is_courseAdmin = true;
                    } else {
                        $is_courseAdmin = false;
-                    }	           
+                    }              
                } else {
                    // Check if the user is a student is this session
-                    $sql = "SELECT 
-                                 id
-                            FROM $tbl_session_course_user
-                            WHERE 
-                                `id_user`  = '$userid'
-                            AND 
-                                `course_code` = '$cid'
+                    $sql = "SELECT  id
+                            FROM    $tbl_session_course_user
+                            WHERE   id_user  = '$userid'
+                            AND     course_code = '$cid'
                            LIMIT 1";

-                    if (Database::num_rows($result) > 0) {
+                    if ( Database::num_rows($result) > 0 ) {
                        // this  user have a recorded state for this course
-                        while ($row = Database::fetch_array($result)) {
+                        while ( $row = Database::fetch_array($result) ) {
                            $is_courseMember     = true;
                            $is_courseTutor      = false;
                            $is_courseAdmin      = false;
@ -2976,7 +2970,7 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {

    $is_allowed_in_course = false;

-    switch ($visibility) {
+    switch ( $visibility ) {
        case COURSE_VISIBILITY_OPEN_WORLD:
            $is_allowed_in_course = true;
        break;