[svn r16327] Fix SQL error in course access check

Yannick Warnier 16 years ago
parent 64d39bff5b
commit 7a004a3316
  1. 46
      main/inc/lib/main_api.lib.php

@ -2797,8 +2797,15 @@ function api_add_setting($val,$var,$sk=null,$type='textfield',$c=null,$title='',
* @return bool * @return bool
*/ */
function api_is_course_visible_for_user( $userid = null, $cid = null ) { function api_is_course_visible_for_user( $userid = null, $cid = null ) {
if ($userid == NULL) if ( $userid == null ) {
$userid = $_SESSION['_user']['user_id']; $userid = $_SESSION['_user']['user_id'];
}
if( empty ($userid) or strval(intval($userid)) != $userid )
{
return false;
}
$cid = Database::escape_string($cid);
global $is_platformAdmin;
$course_table = Database::get_main_table(TABLE_MAIN_COURSE); $course_table = Database::get_main_table(TABLE_MAIN_COURSE);
$course_cat_table = Database::get_main_table(TABLE_MAIN_CATEGORY); $course_cat_table = Database::get_main_table(TABLE_MAIN_CATEGORY);
@ -2825,13 +2832,10 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {
if (api_get_setting('use_session_mode') != 'true') { if (api_get_setting('use_session_mode') != 'true') {
$course_user_table = Database::get_main_table(TABLE_MAIN_COURSE_USER); $course_user_table = Database::get_main_table(TABLE_MAIN_COURSE_USER);
$sql = "SELECT $sql = "SELECT tutor_id, status
tutor_id, status
FROM $course_user_table FROM $course_user_table
WHERE WHERE user_id = '$userid'
user_id = '$userid' AND course_code = '$cid'
AND
course_code = '$cid'
LIMIT 1"; LIMIT 1";
$result = api_sql_query($sql, __FILE__, __LINE__); $result = api_sql_query($sql, __FILE__, __LINE__);
@ -2891,7 +2895,7 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {
$tbl_session as session $tbl_session as session
INNER JOIN $tbl_session_course INNER JOIN $tbl_session_course
ON session_rel_course.id_session = session.id ON session_rel_course.id_session = session.id
AND session_rel_course.course_code = $cid AND session_rel_course.course_code = '$cid'
LIMIT 1"; LIMIT 1";
$result = api_sql_query($sql, __FILE__, __LINE__); $result = api_sql_query($sql, __FILE__, __LINE__);
@ -2915,13 +2919,10 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {
$is_sessionAdmin = true; $is_sessionAdmin = true;
} else { } else {
// Check if the current user is the course coach // Check if the current user is the course coach
$sql = "SELECT $sql = "SELECT 1
1
FROM $tbl_session_course FROM $tbl_session_course
WHERE WHERE session_rel_course.course_code = '$cid'
session_rel_course.course_code = $cid AND session_rel_course.id_coach = '$userid'
AND
session_rel_course.id_coach = '$userid'
LIMIT 1"; LIMIT 1";
$result = api_sql_query($sql,__FILE__,__LINE__); $result = api_sql_query($sql,__FILE__,__LINE__);
@ -2935,12 +2936,8 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {
$tbl_user = Database :: get_main_table(TABLE_MAIN_USER); $tbl_user = Database :: get_main_table(TABLE_MAIN_USER);
$sql = "SELECT $sql = "SELECT status FROM $tbl_user
status WHERE user_id = $userid LIMIT 1";
FROM $tbl_user
WHERE
user_id = $userid
LIMIT 1";
$result = api_sql_query($sql); $result = api_sql_query($sql);
@ -2951,13 +2948,10 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {
} }
} else { } else {
// Check if the user is a student is this session // Check if the user is a student is this session
$sql = "SELECT $sql = "SELECT id
id
FROM $tbl_session_course_user FROM $tbl_session_course_user
WHERE WHERE id_user = '$userid'
`id_user` = '$userid' AND course_code = '$cid'
AND
`course_code` = '$cid'
LIMIT 1"; LIMIT 1";
if ( Database::num_rows($result) > 0 ) { if ( Database::num_rows($result) > 0 ) {
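Review bot: The loose `$userid == null` test in the first hunk is true for `0`, `''` and `false` as well as `null`, so a caller that passes a falsy id (for example the result of a failed lookup) silently gets the visibility answer for the session user instead of `false`; the replacement should be `if ($userid === null) {`. The unquoted interpolation `WHERE user_id = $userid` in the user-status query is safe only because of the `strval(intval($userid)) != $userid` guard, and that guard itself depends on PHP's loose string comparison rules; casting once after validation, `$userid = (int) $userid;`, makes the integer guarantee explicit for every query below it. `$cid` is escaped but, as the two added quote fixes show, each interpolation of it must also be quoted — any remaining bare `$cid` in the parts of this function outside these hunks would still be injectable, and the function body continues beyond the last hunk shown here.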