[svn r16327] Fix SQL error in course access check

skala
Yannick Warnier 16 years ago
parent 64d39bff5b
commit 7a004a3316
  1. 68
      main/inc/lib/main_api.lib.php

@ -2797,8 +2797,15 @@ function api_add_setting($val,$var,$sk=null,$type='textfield',$c=null,$title='',
* @return bool * @return bool
*/ */
function api_is_course_visible_for_user( $userid = null, $cid = null ) { function api_is_course_visible_for_user( $userid = null, $cid = null ) {
if ($userid == NULL) if ( $userid == null ) {
$userid = $_SESSION['_user']['user_id']; $userid = $_SESSION['_user']['user_id'];
}
if( empty ($userid) or strval(intval($userid)) != $userid )
{
return false;
}
$cid = Database::escape_string($cid);
global $is_platformAdmin;
$course_table = Database::get_main_table(TABLE_MAIN_COURSE); $course_table = Database::get_main_table(TABLE_MAIN_COURSE);
$course_cat_table = Database::get_main_table(TABLE_MAIN_CATEGORY); $course_cat_table = Database::get_main_table(TABLE_MAIN_CATEGORY);
@ -2825,18 +2832,15 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {
if (api_get_setting('use_session_mode') != 'true') { if (api_get_setting('use_session_mode') != 'true') {
$course_user_table = Database::get_main_table(TABLE_MAIN_COURSE_USER); $course_user_table = Database::get_main_table(TABLE_MAIN_COURSE_USER);
$sql = "SELECT $sql = "SELECT tutor_id, status
tutor_id, status
FROM $course_user_table FROM $course_user_table
WHERE WHERE user_id = '$userid'
user_id = '$userid' AND course_code = '$cid'
AND
course_code = '$cid'
LIMIT 1"; LIMIT 1";
$result = api_sql_query($sql, __FILE__, __LINE__); $result = api_sql_query($sql, __FILE__, __LINE__);
if (Database::num_rows($result) > 0) { if ( Database::num_rows($result) > 0 ) {
// this user have a recorded state for this course // this user have a recorded state for this course
$cuData = Database::fetch_array($result); $cuData = Database::fetch_array($result);
@ -2866,7 +2870,7 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {
$result = api_sql_query($sql, __FILE__, __LINE__); $result = api_sql_query($sql, __FILE__, __LINE__);
if (Database::num_rows($result) > 0) { if ( Database::num_rows($result) > 0 ) {
// this user have a recorded state for this course // this user have a recorded state for this course
$cuData = Database::fetch_array($result); $cuData = Database::fetch_array($result);
@ -2875,7 +2879,7 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {
$is_courseTutor = ($cuData['tutor_id' ] == 1); $is_courseTutor = ($cuData['tutor_id' ] == 1);
$is_courseAdmin = ($cuData['status'] == 1); $is_courseAdmin = ($cuData['status'] == 1);
} }
if (!$is_courseAdmin) { if ( !$is_courseAdmin ) {
// this user has no status related to this course // this user has no status related to this course
// is it the session coach or the session admin ? // is it the session coach or the session admin ?
$tbl_session = $tbl_session =
@ -2891,13 +2895,13 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {
$tbl_session as session $tbl_session as session
INNER JOIN $tbl_session_course INNER JOIN $tbl_session_course
ON session_rel_course.id_session = session.id ON session_rel_course.id_session = session.id
AND session_rel_course.course_code = $cid AND session_rel_course.course_code = '$cid'
LIMIT 1"; LIMIT 1";
$result = api_sql_query($sql, __FILE__, __LINE__); $result = api_sql_query($sql, __FILE__, __LINE__);
$row = api_store_result($result); $row = api_store_result($result);
if($row[0]['id_coach']==$userid) { if ( $row[0]['id_coach'] == $userid ) {
$_courseUser['role'] = 'Professor'; $_courseUser['role'] = 'Professor';
$is_courseMember = true; $is_courseMember = true;
$is_courseTutor = true; $is_courseTutor = true;
@ -2906,7 +2910,7 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {
$is_sessionAdmin = false; $is_sessionAdmin = false;
api_session_register('_courseUser'); api_session_register('_courseUser');
} else if($row[0]['session_admin_id']==$userid) { } elseif ( $row[0]['session_admin_id'] == $userid ) {
$_courseUser['role'] = 'Professor'; $_courseUser['role'] = 'Professor';
$is_courseMember = false; $is_courseMember = false;
$is_courseTutor = false; $is_courseTutor = false;
@ -2915,13 +2919,10 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {
$is_sessionAdmin = true; $is_sessionAdmin = true;
} else { } else {
// Check if the current user is the course coach // Check if the current user is the course coach
$sql = "SELECT $sql = "SELECT 1
1
FROM $tbl_session_course FROM $tbl_session_course
WHERE WHERE session_rel_course.course_code = '$cid'
session_rel_course.course_code = $cid AND session_rel_course.id_coach = '$userid'
AND
session_rel_course.id_coach = '$userid'
LIMIT 1"; LIMIT 1";
$result = api_sql_query($sql,__FILE__,__LINE__); $result = api_sql_query($sql,__FILE__,__LINE__);
@ -2935,34 +2936,27 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {
$tbl_user = Database :: get_main_table(TABLE_MAIN_USER); $tbl_user = Database :: get_main_table(TABLE_MAIN_USER);
$sql = "SELECT $sql = "SELECT status FROM $tbl_user
status WHERE user_id = $userid LIMIT 1";
FROM $tbl_user
WHERE
user_id = $userid
LIMIT 1";
$result = api_sql_query($sql); $result = api_sql_query($sql);
if (Database::result($result, 0, 0) == 1){ if ( Database::result($result, 0, 0) == 1 ){
$is_courseAdmin = true; $is_courseAdmin = true;
} else { } else {
$is_courseAdmin = false; $is_courseAdmin = false;
} }
} else { } else {
// Check if the user is a student is this session // Check if the user is a student is this session
$sql = "SELECT $sql = "SELECT id
id FROM $tbl_session_course_user
FROM $tbl_session_course_user WHERE id_user = '$userid'
WHERE AND course_code = '$cid'
`id_user` = '$userid'
AND
`course_code` = '$cid'
LIMIT 1"; LIMIT 1";
if (Database::num_rows($result) > 0) { if ( Database::num_rows($result) > 0 ) {
// this user have a recorded state for this course // this user have a recorded state for this course
while ($row = Database::fetch_array($result)) { while ( $row = Database::fetch_array($result) ) {
$is_courseMember = true; $is_courseMember = true;
$is_courseTutor = false; $is_courseTutor = false;
$is_courseAdmin = false; $is_courseAdmin = false;
@ -2976,7 +2970,7 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {
$is_allowed_in_course = false; $is_allowed_in_course = false;
switch ($visibility) { switch ( $visibility ) {
case COURSE_VISIBILITY_OPEN_WORLD: case COURSE_VISIBILITY_OPEN_WORLD:
$is_allowed_in_course = true; $is_allowed_in_course = true;
break; break;

Loading…
Cancel
Save