Adding setting to allow session admins to control of all sessions see #3823

main/admin/add_courses_to_session.php

@@ -19,6 +19,8 @@ require_once api_get_path(LIBRARY_PATH).'add_courses_to_session_functions.lib.ph
 
 $id_session = intval($_GET['id_session']);
 
+SessionManager::protect_session_edit($id_session);
+
 $xajax = new xajax();
 //$xajax->debugOn();
 $xajax -> registerFunction (array('search_courses', 'AddCourseToSession', 'search_courses'));
@@ -26,9 +28,6 @@ $xajax -> registerFunction (array('search_courses', 'AddCourseToSession', 'searc
 // Setting the section (for the tabs)
 $this_section = SECTION_PLATFORM_ADMIN;
 
-// Access restrictions
-api_protect_admin_script(true);
-
 // setting breadcrumbs
 $interbreadcrumb[] = array('url' => 'index.php', 'name' => get_lang('PlatformAdmin'));
 $interbreadcrumb[] = array('url' => 'session_list.php','name' => get_lang('SessionList'));

main/admin/add_users_to_session.php

@@ -15,17 +15,15 @@ require_once '../inc/global.inc.php';
 require_once '../inc/lib/xajax/xajax.inc.php';
 $xajax = new xajax();
 
-//$xajax->debugOn();
 $xajax -> registerFunction ('search_users');
 
 // setting the section (for the tabs)
 $this_section = SECTION_PLATFORM_ADMIN;
 
-// Access restrictions
-api_protect_admin_script(true);
-
 $id_session = intval($_GET['id_session']);
 
+SessionManager::protect_session_edit($id_session);
+
 // setting breadcrumbs
 $interbreadcrumb[] = array('url' => 'index.php','name' => get_lang('PlatformAdmin'));
 $interbreadcrumb[] = array('url' => 'session_list.php','name' => get_lang('SessionList'));

main/admin/resume_session.php

@@ -14,7 +14,9 @@ require_once '../inc/global.inc.php';
 // setting the section (for the tabs)
 $this_section = SECTION_PLATFORM_ADMIN;
 
-api_protect_admin_script(true);
+$id_session = (int)$_GET['id_session'];
+
+SessionManager::protect_session_edit($id_session);
 
 $tool_name = get_lang('SessionOverview');
 
@@ -33,7 +35,7 @@ $tbl_session_category				= Database::get_main_table(TABLE_MAIN_SESSION_CATEGORY)
 
 $table_access_url_user              = Database::get_main_table(TABLE_MAIN_ACCESS_URL_REL_USER);
 
-$id_session = (int)$_GET['id_session'];
+
 
 $sql = 'SELECT name, nbr_courses, nbr_users, nbr_classes, DATE_FORMAT(date_start,"%d-%m-%Y") as date_start, DATE_FORMAT(date_end,"%d-%m-%Y") as date_end, lastname, firstname, username, session_admin_id, nb_days_access_before_beginning, nb_days_access_after_end, session_category_id, visibility
 		FROM '.$tbl_session.' LEFT JOIN '.$tbl_user.' ON id_coach = user_id

main/admin/session_course_edit.php

@@ -9,13 +9,10 @@ $language_file='admin';
 $cidReset=true;
 
 require_once '../inc/global.inc.php';
-require_once '../inc/lib/sessionmanager.lib.php';
-// setting the section (for the tabs)
-/*$this_section=SECTION_PLATFORM_ADMIN;
-
-api_protect_admin_script();*/
 
 $id_session = intval($_GET['id_session']);
+SessionManager::protect_session_edit($id_session);
+
 $course_code=trim(stripslashes($_GET['course_code']));
 
 $formSent=0;

main/admin/session_course_list.php

@@ -14,7 +14,8 @@ require_once '../inc/global.inc.php';
 // setting the section (for the tabs)
 $this_section=SECTION_PLATFORM_ADMIN;
 
-api_protect_admin_script(true);
+$id_session = intval($_GET['id_session']);
+SessionManager::protect_session_edit($id_session);
 
 // Database Table Definitions
 $tbl_course							= Database::get_main_table(TABLE_MAIN_COURSE);
@@ -22,8 +23,6 @@ $tbl_session						= Database::get_main_table(TABLE_MAIN_SESSION);
 $tbl_session_rel_course				= Database::get_main_table(TABLE_MAIN_SESSION_COURSE);
 $tbl_session_rel_course_rel_user	= Database::get_main_table(TABLE_MAIN_SESSION_COURSE_USER);
 
-$id_session = intval($_GET['id_session']);
-
 if (empty($id_session)) {
     api_not_allowed();
 }

main/admin/session_course_user.php

@@ -16,8 +16,8 @@ require_once '../inc/global.inc.php';
 // setting the section (for the tabs)
 $this_section = SECTION_PLATFORM_ADMIN;
 
-// Access restrictions
-api_protect_admin_script(true);
+$id_session = intval($_GET['id_session']);
+SessionManager::protect_session_edit($id_session);
 
 // setting breadcrumbs
 $interbreadcrumb[] = array('url' => 'index.php', 'name' => get_lang('PlatformAdmin'));
@@ -33,7 +33,7 @@ $tbl_course							= Database::get_main_table(TABLE_MAIN_COURSE);
 
 // setting the name of the tool
 $tool_name = get_lang('EditSessionCoursesByUser');
-$id_session=intval($_GET['id_session']);
+
 $id_user = intval($_GET['id_user']);
 
 if (empty($id_user) || empty($id_session)) {
@@ -125,9 +125,9 @@ echo '<legend>'.$tool_name.': '.$session_info['name'].' - '.$user_info['complete
 
 $nosessionCourses = $sessionCourses = array();
 // actual user
-$sql="SELECT code, title, visual_code, srcru.id_session " .
-			"FROM $tbl_course course inner JOIN $tbl_session_rel_course_rel_user   as srcru  " .
-			"ON course.code = srcru.course_code  WHERE srcru.id_user = $id_user AND id_session = $id_session";
+$sql = "SELECT code, title, visual_code, srcru.id_session
+        FROM $tbl_course course inner JOIN $tbl_session_rel_course_rel_user   as srcru
+        ON course.code = srcru.course_code  WHERE srcru.id_user = $id_user AND id_session = $id_session";
 
 //all
 $sql_all="SELECT code, title, visual_code, src.id_session " .

main/admin/session_course_user_list.php

@@ -8,9 +8,8 @@
  */
 $language_file = array('admin', 'registration');
 $cidReset = true;
-require_once '../inc/global.inc.php';
 
-api_protect_admin_script(true);
+require_once '../inc/global.inc.php';
 
 $tbl_user                           = Database::get_main_table(TABLE_MAIN_USER);
 $tbl_course                         = Database::get_main_table(TABLE_MAIN_COURSE);
@@ -20,6 +19,8 @@ $tbl_session_rel_user               = Database::get_main_table(TABLE_MAIN_SESSIO
 $tbl_session_rel_course_rel_user    = Database::get_main_table(TABLE_MAIN_SESSION_COURSE_USER);
 
 $id_session = intval($_GET['id_session']);
+SessionManager::protect_session_edit($id_session);
+
 if (empty($id_session )) {
     api_not_allowed();
 }

main/admin/session_edit.php

@@ -9,16 +9,18 @@ require_once '../inc/global.inc.php';
 // setting the section (for the tabs)
 $this_section = SECTION_PLATFORM_ADMIN;
 
-api_protect_admin_script(true);
 
-$id = intval($_GET['id']);
 
 $formSent = 0;
 
 // Database Table Definitions
 $tbl_user		= Database::get_main_table(TABLE_MAIN_USER);
 $tbl_session	= Database::get_main_table(TABLE_MAIN_SESSION);
-$tbl_session_rel_course = Database::get_main_table(TABLE_MAIN_SESSION_COURSE);
+
+$id = intval($_GET['id']);
+
+SessionManager::protect_session_edit($id);
+
 $sql = "SELECT name,date_start,date_end,id_coach, session_admin_id, nb_days_access_before_beginning, nb_days_access_after_end, session_category_id, visibility
         FROM $tbl_session WHERE id = $id";
 $result = Database::query($sql);
@@ -30,9 +32,7 @@ if (!$infos = Database::fetch_array($result)) {
 
 $id_coach   = $infos['id_coach'];
 
-if (!api_is_platform_admin() && $infos['session_admin_id'] != api_get_user_id()) {
-    api_not_allowed(true);
-}
+
 
 $tool_name = get_lang('EditSession');
 

main/inc/lib/sessionmanager.lib.php

@@ -184,15 +184,13 @@ class SessionManager {
         $where = 'WHERE 1=1 ';
         $user_id = api_get_user_id();
 
-        if (api_is_session_admin() && api_get_setting('allow_session_admins_to_see_all_sessions') == 'false') {
-            $where.=" WHERE s.session_admin_id = $user_id ";
+        if (api_is_session_admin() && api_get_setting('allow_session_admins_to_manage_all_sessions') == 'false') {
+            $where.=" AND s.session_admin_id = $user_id ";
         }
 
-        $query_rows = "SELECT count(*) as total_rows
-         FROM $tbl_session s
+        $query_rows = "SELECT count(*) as total_rows FROM $tbl_session s
                         LEFT JOIN  $tbl_session_category sc ON s.session_category_id = sc.id
-            INNER JOIN $tbl_user u ON s.id_coach = u.user_id
-        $where ";
+                        INNER JOIN $tbl_user u ON s.id_coach = u.user_id $where ";
         $result_rows = Database::query($query_rows);
         $recorset = Database::fetch_array($result_rows);
         $num = $recorset['total_rows'];
@@ -211,7 +209,7 @@ class SessionManager {
 		$where = 'WHERE 1=1 ';
 		$user_id = api_get_user_id();
 
-		if (api_is_session_admin() && api_get_setting('allow_session_admins_to_see_all_sessions') == 'false') {
+		if (api_is_session_admin() && api_get_setting('allow_session_admins_to_manage_all_sessions') == 'false') {
 			$where.=" AND s.session_admin_id = $user_id ";
 		}
 
@@ -1728,6 +1726,7 @@ class SessionManager {
     	}
     	return false;
     }
+
     /**
      * Get the number of sessions
      * @param  int ID of the URL we want to filter on (optional)
@@ -1740,4 +1739,16 @@ class SessionManager {
         $row = Database::fetch_row($res);
         return $row[0];
     }
+
+    function protect_session_edit($id) {
+        api_protect_admin_script(true);
+
+        $session_info = self::fetch($id);
+
+        if (api_get_setting('allow_session_admins_to_manage_all_sessions') != 'true') {
+            if ($session_info['session_admin_id'] != api_get_user_id()) {
+                api_not_allowed(true);
+            }
+        }
+    }
 }

main/install/db_main.sql

@@ -862,7 +862,7 @@ VALUES
 ('facebook_description', NULL, 'radio', 'Facebook', 'false', 'FacebookMainActivateTitle', 'FacebookMainActivateComment', NULL, NULL, 0),
 ('gradebook_locking_enabled', NULL, 'radio', 'Gradebook', 'false', 'GradebookEnableLockingTitle', 'GradebookEnableLockingComment', NULL, NULL, 0),
 ('gradebook_default_grade_model_id', NULL, 'select', 'Gradebook', '', 'GradebookDefaultGradeModelTitle', 'GradebookDefaultGradeModelComment', NULL, NULL, 1),
-('allow_session_admins_to_see_all_sessions', NULL, 'radio', 'Session', 'false', 'AllowSessionAdminsToSeeAllSessionsTitle', 'AllowSessionAdminsToSeeAllSessionsComment', NULL, NULL, 1),
+('allow_session_admins_to_manage_all_sessions', NULL, 'radio', 'Session', 'false', 'AllowSessionAdminsToSeeAllSessionsTitle', 'AllowSessionAdminsToSeeAllSessionsComment', NULL, NULL, 1),
 ('allow_skills_tool', NULL, 'radio', 'Platform', 'false', 'AllowSkillsToolTitle', 'AllowSkillsToolComment', NULL, NULL, 1),
 ('allow_public_certificates', NULL, 'radio', 'Course', 'false', 'AllowPublicCertificatesTitle', 'AllowPublicCertificatesComment', NULL, NULL, 1),
 ('platform_unsubscribe_allowed', NULL, 'radio', 'Platform', 'false', 'PlatformUnsubscribeTitle', 'PlatformUnsubscribeComment', NULL, NULL, 1),
@@ -870,7 +870,7 @@ VALUES
 ('enable_iframe_inclusion', NULL, 'radio', 'Editor', 'false', 'EnableIframeInclusionTitle', 'EnableIframeInclusionComment', NULL, NULL, 1),
 ('show_hot_courses', NULL, 'radio', 'Platform', 'true', 'ShowHotCoursesTitle', 'ShowHotCoursesComment', NULL, NULL, 1),
 ('enable_webcam_clip',NULL,'radio','Tools','false','EnableWebCamClipTitle','EnableWebCamClipComment',NULL,NULL, 0),
-('chamilo_database_version', NULL, 'textfield',NULL, '1.9.0.18190','DatabaseVersion','', NULL, NULL, 0);
+('chamilo_database_version', NULL, 'textfield',NULL, '1.9.0.18219','DatabaseVersion','', NULL, NULL, 0);
 UNLOCK TABLES;
 /*!40000 ALTER TABLE settings_current ENABLE KEYS */;
 
@@ -1198,8 +1198,8 @@ VALUES
 ('gradebook_locking_enabled', 'false', 'No'),
 ('gradebook_enable_grade_model', 'true', 'Yes'),
 ('gradebook_enable_grade_model', 'false', 'No'),
-('allow_session_admins_to_see_all_sessions', 'true', 'Yes'),
-('allow_session_admins_to_see_all_sessions', 'false', 'No'),
+('allow_session_admins_to_manage_all_sessions', 'true', 'Yes'),
+('allow_session_admins_to_manage_all_sessions', 'false', 'No'),
 ('allow_skills_tool', 'true', 'Yes'),
 ('allow_skills_tool', 'false', 'No'),
 ('allow_public_certificates', 'true', 'Yes'),

main/install/migrate-db-1.8.8-1.9.0-pre.sql

@@ -106,9 +106,9 @@ INSERT INTO settings_current (variable, subkey, type, category, selected_value,
 INSERT INTO settings_options (variable, value, display_text) VALUES ('allow_users_to_change_email_with_no_password', 'true', 'Yes');
 INSERT INTO settings_options (variable, value, display_text) VALUES ('allow_users_to_change_email_with_no_password', 'false', 'No');
 
-INSERT INTO settings_current (variable, subkey, type, category, selected_value, title, comment, scope, subkeytext, access_url_changeable) VALUES ('allow_session_admins_to_see_all_sessions', NULL, 'radio', 'Session', 'false', 'AllowSessionAdminsToSeeAllSessionsTitle', 'AllowSessionAdminsToSeeAllSessionsComment', NULL, NULL, 1);
-INSERT INTO settings_options (variable, value, display_text) VALUES ('allow_session_admins_to_see_all_sessions', 'true', 'Yes');
-INSERT INTO settings_options (variable, value, display_text) VALUES ('allow_session_admins_to_see_all_sessions', 'false', 'No');
+INSERT INTO settings_current (variable, subkey, type, category, selected_value, title, comment, scope, subkeytext, access_url_changeable) VALUES ('allow_session_admins_to_manage_all_sessions', NULL, 'radio', 'Session', 'false', 'AllowSessionAdminsToSeeAllSessionsTitle', 'AllowSessionAdminsToSeeAllSessionsComment', NULL, NULL, 1);
+INSERT INTO settings_options (variable, value, display_text) VALUES ('allow_session_admins_to_manage_all_sessions', 'true', 'Yes');
+INSERT INTO settings_options (variable, value, display_text) VALUES ('allow_session_admins_to_manage_all_sessions', 'false', 'No');
 
 -- Shibboleth and Facebook auth and ldap
 INSERT INTO settings_current (variable, subkey, type, category, selected_value, title, comment, scope, subkeytext, access_url_changeable) VALUES ('shibboleth_description', NULL, 'radio', 'Shibboleth', 'false', 'ShibbolethMainActivateTitle', 'ShibbolethMainActivateComment', NULL, NULL, 0);
@@ -273,7 +273,7 @@ DELETE FROM settings_current WHERE variable = "user_order_by";
 DELETE FROM settings_options WHERE variable = "user_order_by";
 
 -- Do not move this query
-UPDATE settings_current SET selected_value = '1.9.0.18189' WHERE variable = 'chamilo_database_version';
+UPDATE settings_current SET selected_value = '1.9.0.18219' WHERE variable = 'chamilo_database_version';
 
 -- xxSTATSxx
 ALTER TABLE track_e_exercices ADD COLUMN questions_to_check TEXT NOT NULL DEFAULT '';