chamilo
/
chamilo-lms
mirror of https://github.com/chamilo/chamilo-lms/tree/1.11.x
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

[svn r17491] logic changes - Fixed Validation of Qualification, Added get_token to prevent cross-site request forgeries by checking that the user is really

Browse Source 
the one that sent this form in knowingly, added message about icons, and ordered date when you edit a work see FS#3370
skala
Cristian Fasanando 17 years ago
parent 87c6fe3f3d
commit 7fb85ff909
2 changed files with 295 additions and 279 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 34
      main/work/work.lib.php
  2. 540
      main/work/work.php

34
main/work/work.lib.php
Unescape View File

@ -57,7 +57,7 @@ function display_action_links($cur_dir_path, $always_show_tool_options, $always_
if (! $always_show_tool_options && api_is_allowed_to_edit()) {
// Create dir
$display_output .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&amp;curdirpath='.$cur_dir_path.'&amp;createdir=1&origin='.$origin.'"><img src="../img/folder_new.gif" border="0"alt ="'.get_lang('CreateDir').'" /> '.get_lang('CreateDir').' </a>&nbsp&nbsp';
$display_output .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&amp;curdirpath='.$cur_dir_path.'&amp;createdir=1&origin='.$origin.'"><img src="../img/folder_new.gif" border="0" title ="'.get_lang('CreateDir').'" /> '.get_lang('CreateDir').' </a>&nbsp&nbsp';
// Options
$display_output .= "<a href=\"".api_get_self()."?".api_get_cidreq()."&curdirpath=".$cur_dir_path."&amp;origin=".$origin."&amp;display_tool_options=true&amp;origin=".$origin."\">".Display::return_icon('acces_tool.gif').' ' . get_lang("EditToolOptions") . "</a>&nbsp&nbsp";
}
@ -95,7 +95,7 @@ function display_tool_options($uploadvisibledisabled, $origin,$base_work_dir,$cu
get_lang('AllFiles')." : </td>",
"<td ><a href=\"".api_get_self()."?".api_get_cidreq()."&amp;curdirpath=".$cur_dir_path."&amp;origin=$origin&amp;delete=all&amp;display_tool_options=true\" ",
"onclick=\"javascript:if(!confirm('".addslashes(htmlentities(get_lang('ConfirmYourChoice'),ENT_QUOTES,$charset))."')) return false;\">",
"<img src=\"../img/delete.gif\" border=\"0\" alt=\"".get_lang('Delete')."\" />",
"<img src=\"../img/delete.gif\" border=\"0\" title=\"".get_lang('Delete')."\" />",
"</a>",
"&nbsp;";
@ -107,11 +107,11 @@ function display_tool_options($uploadvisibledisabled, $origin,$base_work_dir,$cu
if ($columnStatus['Default'] == 1) {
echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&curdirpath=".$cur_dir_path."&amp;origin=$origin&make_invisible=all&display_tool_options=true\">",
"<img src=\"../img/visible.gif\" border=\"0\" alt=\"".get_lang('Invisible')."\" />",
"<img src=\"../img/visible.gif\" border=\"0\" title=\"".get_lang('Invisible')."\" />",
"</a>\n";
} else {
echo "<a href=\"".api_get_self()."?".api_get_cidreq()."&amp;curdirpath=".$cur_dir_path."&amp;origin=$origin&amp;make_visible=all&amp;display_tool_options=true\">",
"<img src=\"../img/invisible.gif\" border=\"0\" alt=\"".get_lang('Visible')."\">",
"<img src=\"../img/invisible.gif\" border=\"0\" title=\"".get_lang('Visible')."\">",
"</a>\n";
}
}
@ -221,9 +221,9 @@ function create_group_date_select($prefix='')
$minute = range(10,59);
$d_year=date('Y');
array_unshift($minute,'00','01','02','03','04','05','06','07','08','09');
$group_name[] = FormValidator :: createElement('select',$prefix.'year','',array($d_year=>$d_year,$d_year+1=>$d_year+1));
$group_name[] = FormValidator :: createElement('select',$prefix.'month','',array_combine(range(1,12),array('Enero','Febrero','Marzo','Abril','Mayo','Junio','Julio','Agosto','Septiembre','Octubre','Noviembre','Diciembre')));
$group_name[] = FormValidator :: createElement('select',$prefix.'day','',array_combine(range(1,31),range(1,31)));
$group_name[] = FormValidator :: createElement('select',$prefix.'month','',array_combine(range(1,12),array('Enero','Febrero','Marzo','Abril','Mayo','Junio','Julio','Agosto','Septiembre','Octubre','Noviembre','Diciembre')));
$group_name[] = FormValidator :: createElement('select',$prefix.'year','',array($d_year=>$d_year,$d_year+1=>$d_year+1));
$group_name[] = FormValidator :: createElement('select',$prefix.'hour','',array_combine(range(1,24),range(1,24)));
$group_name[] = FormValidator :: createElement('select',$prefix.'minute','',$minute);
return $group_name;
@ -524,7 +524,7 @@ function display_student_publications_list($work_dir,$sub_course_dir,$currentCou
$action = '';
$row = array();
$class = '';
$row[] = '<img src="../img/folder_document.gif" border="0" hspace="5" align="middle" alt="'.get_lang('Folder').'" />'; //image
$row[] = '<img src="../img/folder_document.gif" border="0" hspace="5" align="middle" title="'.get_lang('Folder').'" />'; //image
$a_count_directory=count_dir($work_dir.'/'.$dir,false);
$cant_files=$a_count_directory[0];
$cant_dir=$a_count_directory[1];
@ -562,7 +562,7 @@ function display_student_publications_list($work_dir,$sub_course_dir,$currentCou
$show_as_icon = get_work_id($mydir); //true or false
if ($show_as_icon && api_is_allowed_to_edit()) {
$row[] = '<a href="'.api_get_self().'?cidReq='.api_get_course_id().'&action=downloadfolder&path=/'.$mydir.'"><img src="../img/zip_save.gif" style="float:right;" alt="'.get_lang('Save').'" width="17" height="17"/></a><a href="'.api_get_self().'?'.api_get_cidreq().'&origin='.$origin.'&curdirpath='.$mydir.'"'.$class.'>'.$dir.'</a>'.$add_to_name.'<br>'.$cant_files.' '.$text_file.$dirtext;
$row[] = '<a href="'.api_get_self().'?cidReq='.api_get_course_id().'&action=downloadfolder&path=/'.$mydir.'"><img src="../img/zip_save.gif" style="float:right;" title="'.get_lang('Save').'" width="17" height="17"/></a><a href="'.api_get_self().'?'.api_get_cidreq().'&origin='.$origin.'&curdirpath='.$mydir.'"'.$class.'>'.$dir.'</a>'.$add_to_name.'<br>'.$cant_files.' '.$text_file.$dirtext;
} else {
$row[] = '<a href="'.api_get_self().'?'.api_get_cidreq().'&origin='.$origin.'&curdirpath='.$mydir.'"'.$class.'>'.$dir.'</a>'.$add_to_name.'<br>'.$cant_files.' '.$text_file.$dirtext;
}
@ -580,8 +580,8 @@ function display_student_publications_list($work_dir,$sub_course_dir,$currentCou
if( $is_allowed_to_edit) {
$action .= '<a href="'.api_get_self().'?cidReq='.api_get_course_id().
'&curdirpath='.$my_sub_dir.'&origin='.$origin.'&edit_dir='.$mydir.'"><img src="../img/edit.gif" alt="'.get_lang('Modify').'"></a>';
$action .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&origin='.$origin.'&delete_dir='.$mydir.'&delete2='.$id2.'" onclick="javascript:if(!confirm('."'".addslashes(htmlentities(get_lang('ConfirmYourChoice'),ENT_QUOTES,$charset))."'".')) return false;" title="'.get_lang('DirDelete').'" ><img src="'.api_get_path(WEB_IMG_PATH).'delete.gif" alt="'.get_lang('DirDelete').'"></a>';
'&curdirpath='.$my_sub_dir.'&origin='.$origin.'&edit_dir='.$mydir.'"><img src="../img/edit.gif" title="'.get_lang('Modify').'"></a>';
$action .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&origin='.$origin.'&delete_dir='.$mydir.'&delete2='.$id2.'" onclick="javascript:if(!confirm('."'".addslashes(htmlentities(get_lang('ConfirmYourChoice'),ENT_QUOTES,$charset))."'".')) return false;" title="'.get_lang('DirDelete').'" ><img src="'.api_get_path(WEB_IMG_PATH).'delete.gif" title="'.get_lang('DirDelete').'"></a>';
$row[] = $action;
} else {
$row[] = "";
@ -628,27 +628,27 @@ function display_student_publications_list($work_dir,$sub_course_dir,$currentCou
//$full_file_name = 'download.php?file='.$realname;
$row[]= build_document_icon_tag('file',$work->url);
$row[]= '<a href="download.php?file='.$url.'"'.$class.'><img src="../img/filesave.gif" style="float:right;" alt="'.get_lang('Save').'" />'.$work->title.'</a><br />'.$work->description;
$row[]= '<a href="download.php?file='.$url.'"'.$class.'><img src="../img/filesave.gif" style="float:right;" title="'.get_lang('Save').'" />'.$work->title.'</a><br />'.$work->description;
$row[]= display_user_link($row2['insert_user_id'],$work->author).$qualification_string;// $work->author;
$row[]= date_to_str_ago($work->sent_date).$add_string.'<br><span class="dropbox_date">'.$work->sent_date.'</span>';
if( $is_allowed_to_edit) {
$action = '';
$action .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&curdirpath='.urlencode($my_sub_dir).'&amp;origin='.$origin.'&amp;edit='.$work->id.'" title="'.get_lang('Modify').'" ><img src="../img/edit.gif" alt="'.get_lang('Modify').'"></a>';
$action .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&curdirpath='.urlencode($my_sub_dir).'&amp;origin='.$origin.'&amp;delete='.$work->id.'" onclick="javascript:if(!confirm('."'".addslashes(htmlentities(get_lang('ConfirmYourChoice'),ENT_QUOTES,$charset))."'".')) return false;" title="'.get_lang('WorkDelete').'" ><img src="../img/delete.gif" alt="'.get_lang('WorkDelete').'"></a>';
$action .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&curdirpath='.urlencode($my_sub_dir).'&amp;origin='.$origin.'&amp;edit='.$work->id.'&amp;parent_id='.$work->parent_id.'" title="'.get_lang('Modify').'" ><img src="../img/edit.gif" title="'.get_lang('Modify').'"></a>';
$action .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&curdirpath='.urlencode($my_sub_dir).'&amp;origin='.$origin.'&amp;delete='.$work->id.'" onclick="javascript:if(!confirm('."'".addslashes(htmlentities(get_lang('ConfirmYourChoice'),ENT_QUOTES,$charset))."'".')) return false;" title="'.get_lang('WorkDelete').'" ><img src="../img/delete.gif" title="'.get_lang('WorkDelete').'"></a>';
$action .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&curdirpath='.urlencode($my_sub_dir).'&amp;origin='.$origin.'&amp;move='.$work->id.'" title="'.get_lang('Move').'"><img src="../img/deplacer_fichier.gif" border="0" title="'.get_lang('Move').'" alt="" /></a>';
if($work->accepted == '1') {
$action .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&curdirpath='.urlencode($my_sub_dir).'&amp;origin='.$origin.'&amp;make_invisible='.$work->id.'&amp;'.$sort_params.'" title="'.get_lang('Invisible').'" ><img src="../img/visible.gif" alt="'.get_lang('Invisible').'"></a>';
$action .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&curdirpath='.urlencode($my_sub_dir).'&amp;origin='.$origin.'&amp;make_invisible='.$work->id.'&amp;'.$sort_params.'" title="'.get_lang('Invisible').'" ><img src="../img/visible.gif" title="'.get_lang('Invisible').'"></a>';
} else {
$action .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&curdirpath='.urlencode($my_sub_dir).'&amp;origin='.$origin.'&amp;make_visible='.$work->id.'&amp;'.$sort_params.'" title="'.get_lang('Visible').'" ><img src="../img/invisible.gif" alt="'.get_lang('Visible').'"></a>';
$action .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&curdirpath='.urlencode($my_sub_dir).'&amp;origin='.$origin.'&amp;make_visible='.$work->id.'&amp;'.$sort_params.'" title="'.get_lang('Visible').'" ><img src="../img/invisible.gif" title="'.get_lang('Visible').'"></a>';
}
$row[] = $action;
} elseif($is_author) {
$action = '';
$action .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&curdirpath='.urlencode($my_sub_dir).'&amp;origin='.$origin.'&amp;edit='.$work->id.'" title="'.get_lang('Modify').'" ><img src="../img/edit.gif" alt="'.get_lang('Modify').'"></a>';
$action .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&curdirpath='.urlencode($my_sub_dir).'&amp;origin='.$origin.'&amp;delete='.$work->id.'" onclick="javascript:if(!confirm('."'".addslashes(htmlentities(get_lang('ConfirmYourChoice'),ENT_QUOTES,$charset))."'".')) return false;" title="'.get_lang('WorkDelete').'" ><img src="../img/delete.gif" alt="'.get_lang('WorkDelete').'"></a>';
$action .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&curdirpath='.urlencode($my_sub_dir).'&amp;origin='.$origin.'&amp;edit='.$work->id.'" title="'.get_lang('Modify').'" ><img src="../img/edit.gif" title="'.get_lang('Modify').'"></a>';
$action .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&curdirpath='.urlencode($my_sub_dir).'&amp;origin='.$origin.'&amp;delete='.$work->id.'" onclick="javascript:if(!confirm('."'".addslashes(htmlentities(get_lang('ConfirmYourChoice'),ENT_QUOTES,$charset))."'".')) return false;" title="'.get_lang('WorkDelete').'" ><img src="../img/delete.gif" title="'.get_lang('WorkDelete').'"></a>';
$row[] = $action;
} else {

540
main/work/work.php
Unescape View File

@ -27,7 +27,7 @@
* @author Patrick Cool <patrick.cool@UGent.be>, Ghent University - ability for course admins to specify wether uploaded documents are visible or invisible by default.
* @author Roan Embrechts, code refactoring and virtual course support
* @author Frederic Vauthier, directories management
* @version $Id: work.php 17438 2008-12-23 19:12:48Z iflorespaz $
* @version $Id: work.php 17491 2008-12-31 17:45:51Z cfasanando $
*
* @todo refactor more code into functions, use quickforms, coding standards, ...
*/
@ -110,7 +110,8 @@ require_once (api_get_path(LIBRARY_PATH) . 'formvalidator/FormValidator.class.ph
require_once(api_get_path(LIBRARY_PATH) . 'document.lib.php');
// Section (for the tabs)
$this_section = SECTION_COURSES;
$ctok = $_SESSION['sec_token'];
$stok = Security::get_token();
$htmlHeadXtra[] = to_javascript_work();
/*
@ -142,6 +143,7 @@ isset($_REQUEST['description'])?$description = Database :: escape_string($_REQUE
isset($_REQUEST['display_tool_options'])?$display_tool_options = $_REQUEST['display_tool_options']:$display_tool_options='';
isset($_REQUEST['display_upload_form'])?$display_upload_form = $_REQUEST['display_upload_form']:$display_upload_form='';
isset($_REQUEST['edit'])?$edit = Database :: escape_string($_REQUEST['edit']):$edit='';
isset($_REQUEST['parent_id'])?$parent_id = Database :: escape_string($_REQUEST['parent_id']):$parent_id='';
isset($_REQUEST['make_invisible'])?$make_invisible = Database :: escape_string($_REQUEST['make_invisible']):$make_invisible='';
isset($_REQUEST['make_visible'])?$make_visible = Database :: escape_string($_REQUEST['make_visible']):$make_visible='';
isset($_REQUEST['origin'])?$origin = Security :: remove_XSS($_REQUEST['origin']):$origin='';
@ -446,116 +448,119 @@ if (api_is_allowed_to_edit(false,true)) {
// we insert here the directory in the table $work_table
$dir_name_sql='';
if (!empty($created_dir)) {
if ($cur_dir_path=='/') {
$dir_name_sql = $created_dir;
} else {
$dir_name_sql = '/'.$created_dir;
}
$sql_add_publication = "INSERT INTO " . $work_table . " SET " .
"url = '" . $dir_name_sql . "',
title = '',
description = '".Database::escape_string($_POST['description'])."',
author = '',
active = '0',
accepted = '1',
filetype = 'folder',
post_group_id = '0',
sent_date = NOW(),
qualification = '".(($_POST['qualification_value']!='') ? Database::escape_string($_POST['qualification_value']) : '') ."',
parent_id = '',
qualificator_id = '',
date_of_qualification = '0000-00-00 00:00:00',
session_id = ".intval($id_session);
api_sql_query($sql_add_publication, __FILE__, __LINE__);
// add the directory
$id = mysql_insert_id();
//Folder created
api_item_property_update($_course, 'work', $id, 'DirectoryCreated', $user_id);
Display :: display_normal_message('<span title="' . $created_dir . '">' . get_lang('DirectoryCreated') . '</span>', false);
//Database :: escape_string($_REQUEST['make_visible']);
//if($_POST['type1']==1)
//$insert_limite
//----------------inser into student_publication_assignment-------------------//
//return something like this: 2008-02-45 00:00:00
if(!empty($_POST['type1']) || !empty($_POST['type2'])) {
$TSTDPUBASG=Database :: get_course_table(TABLE_STUDENT_PUBLICATION_ASSIGNMENT);
isset($_POST['enable_calification'])?$enable_calification = (int)$_POST['enable_calification']:$enable_calification=null;
$sql_add_homework = "INSERT INTO ".$TSTDPUBASG." SET " .
"expires_on = '".((isset($_POST['type1']) && $_POST['type1']==1) ? get_date_from_select('expires') : '0000-00-00 00:00:00'). "',
ends_on = '".((isset($_POST['type2']) && $_POST['type2']==1) ? get_date_from_select('ends') : '0000-00-00 00:00:00')."',
add_to_calendar = '".(isset($_POST['add_to_calendar'])?(int)$_POST['add_to_calendar']:'')."',
enable_qualification = '".$enable_calification."',
publication_id = '".$id."'";
api_sql_query($sql_add_homework, __FILE__, __LINE__);
//api_sql_query($sql_add_publication, __FILE__, __LINE__);
if ($ctok==$_POST['sec_token']) {
if (!empty($created_dir)) {
if ($cur_dir_path=='/') {
$dir_name_sql = $created_dir;
} else {
$dir_name_sql = '/'.$created_dir;
}
$sql_add_publication = "INSERT INTO " . $work_table . " SET " .
"url = '" . $dir_name_sql . "',
title = '',
description = '".Database::escape_string($_POST['description'])."',
author = '',
active = '0',
accepted = '1',
filetype = 'folder',
post_group_id = '0',
sent_date = NOW(),
qualification = '".(($_POST['qualification_value']!='') ? Database::escape_string($_POST['qualification_value']) : '') ."',
parent_id = '',
qualificator_id = '',
date_of_qualification = '0000-00-00 00:00:00',
session_id = ".intval($id_session);
api_sql_query($sql_add_publication, __FILE__, __LINE__);
// add the directory
$id = mysql_insert_id();
//Folder created
api_item_property_update($_course, 'work', $id, 'DirectoryCreated', $user_id);
Display :: display_normal_message('<span title="' . $created_dir . '">' . get_lang('DirectoryCreated') . '</span>', false);
//Database :: escape_string($_REQUEST['make_visible']);
//if($_POST['type1']==1)
//$insert_limite
//----------------inser into student_publication_assignment-------------------//
//return something like this: 2008-02-45 00:00:00
if(!empty($_POST['type1']) || !empty($_POST['type2'])) {
$sql_add_publication = "UPDATE ".$work_table." SET "."has_properties = ".mysql_insert_id().", view_properties = 1 ".' where id = '.$id;
api_sql_query($sql_add_publication, __FILE__, __LINE__);
} else {
$TSTDPUBASG=Database :: get_course_table(TABLE_STUDENT_PUBLICATION_ASSIGNMENT);
$TSTDPUBASG=Database :: get_course_table(TABLE_STUDENT_PUBLICATION_ASSIGNMENT);
$sql_add_homework = "INSERT INTO ".$TSTDPUBASG." SET " .
"expires_on = '0000-00-00 00:00:00',
ends_on = '0000-00-00 00:00:00',
add_to_calendar = '".(isset($_POST['add_to_calendar'])?(int)$_POST['add_to_calendar']:'')."',
enable_qualification = '".(isset($_POST['enable_calification'])?(int)$_POST['enable_calification']:'')."',
publication_id = '".$id."'";
api_sql_query($sql_add_homework, __FILE__, __LINE__);
//api_sql_query($sql_add_publication, __FILE__, __LINE__);
isset($_POST['enable_calification'])?$enable_calification = (int)$_POST['enable_calification']:$enable_calification=null;
$sql_add_homework = "INSERT INTO ".$TSTDPUBASG." SET " .
"expires_on = '".((isset($_POST['type1']) && $_POST['type1']==1) ? get_date_from_select('expires') : '0000-00-00 00:00:00'). "',
ends_on = '".((isset($_POST['type2']) && $_POST['type2']==1) ? get_date_from_select('ends') : '0000-00-00 00:00:00')."',
add_to_calendar = '".(isset($_POST['add_to_calendar'])?(int)$_POST['add_to_calendar']:'')."',
enable_qualification = '".$enable_calification."',
publication_id = '".$id."'";
api_sql_query($sql_add_homework, __FILE__, __LINE__);
//api_sql_query($sql_add_publication, __FILE__, __LINE__);
$sql_add_publication = "UPDATE ".$work_table." SET "."has_properties = ".mysql_insert_id().", view_properties = 1 ".' where id = '.$id;
api_sql_query($sql_add_publication, __FILE__, __LINE__);
} else {
$TSTDPUBASG=Database :: get_course_table(TABLE_STUDENT_PUBLICATION_ASSIGNMENT);
$sql_add_publication = "UPDATE ".$work_table." SET "."has_properties = ".mysql_insert_id().", view_properties = 0 ".' where id = '.$id;
api_sql_query($sql_add_publication, __FILE__, __LINE__);
}
if(isset($_POST['make_calification']) && $_POST['make_calification']==1) {
require_once('../gradebook/lib/be/gradebookitem.class.php');
require_once('../gradebook/lib/be/evaluation.class.php');
require_once('../gradebook/lib/be/abstractlink.class.php');
require_once('../gradebook/lib/gradebook_functions.inc.php');
$resource_name = (empty($_POST['qualification_name'])) ? $_POST['new_dir'] : $_POST['qualification_name'];
add_resource_to_course_gradebook(api_get_course_id(), 3, $id, Database::escape_string($resource_name),$_POST['weight'], $_POST['qualification_value'], Database::escape_string($_POST['description']),time(), 1,api_get_session_id());
}
//----------------inser into agenda----------------------//
if(!empty($_POST['type1']) && isset($_POST['add_to_calendar']) && $_POST['add_to_calendar']==1):
include_once('../calendar/agenda.inc.php');
include_once('../resourcelinker/resourcelinker.inc.php');
isset($course_info)?$course=$course_info:$course=null;
agenda_add_item($course,$_POST['new_dir'],$_POST['new_dir'],date('Y-m-d H:i:s'),get_date_from_select('expires'),0,$user_id);
endif;
//-----------------end features---------------------------//
// update all the parents in the table item propery
$list_id=get_parent_directories($my_cur_dir_path);
for ($i = 0; $i < count($list_id); $i++) {
api_item_property_update($_course, 'work', $list_id[$i], 'FolderUpdated', $user_id);
}
//-------------------------------------------------------------------------------
$sql_add_homework = "INSERT INTO ".$TSTDPUBASG." SET " .
"expires_on = '0000-00-00 00:00:00',
ends_on = '0000-00-00 00:00:00',
add_to_calendar = '".(isset($_POST['add_to_calendar'])?(int)$_POST['add_to_calendar']:'')."',
enable_qualification = '".(isset($_POST['enable_calification'])?(int)$_POST['enable_calification']:'')."',
publication_id = '".$id."'";
api_sql_query($sql_add_homework, __FILE__, __LINE__);
//api_sql_query($sql_add_publication, __FILE__, __LINE__);
$sql_add_publication = "UPDATE ".$work_table." SET "."has_properties = ".mysql_insert_id().", view_properties = 0 ".' where id = '.$id;
api_sql_query($sql_add_publication, __FILE__, __LINE__);
}
if(isset($_POST['make_calification']) && $_POST['make_calification']==1) {
//uncomment if you want to enter the created dir
//$curdirpath = $created_dir;
//$curdirpathurl = urlencode($curdirpath);
} else {
Display :: display_error_message(get_lang('CannotCreateDir'));
}
require_once('../gradebook/lib/be/gradebookitem.class.php');
require_once('../gradebook/lib/be/evaluation.class.php');
require_once('../gradebook/lib/be/abstractlink.class.php');
require_once('../gradebook/lib/gradebook_functions.inc.php');
$resource_name = (empty($_POST['qualification_name'])) ? $_POST['new_dir'] : $_POST['qualification_name'];
add_resource_to_course_gradebook(api_get_course_id(), 3, $id, Database::escape_string($resource_name),$_POST['weight'], $_POST['qualification_value'], Database::escape_string($_POST['description']),time(), 1,api_get_session_id());
}
//----------------inser into agenda----------------------//
if(!empty($_POST['type1']) && isset($_POST['add_to_calendar']) && $_POST['add_to_calendar']==1):
include_once('../calendar/agenda.inc.php');
include_once('../resourcelinker/resourcelinker.inc.php');
isset($course_info)?$course=$course_info:$course=null;
agenda_add_item($course,$_POST['new_dir'],$_POST['new_dir'],date('Y-m-d H:i:s'),get_date_from_select('expires'),0,$user_id);
endif;
//-----------------end features---------------------------//
// update all the parents in the table item propery
$list_id=get_parent_directories($my_cur_dir_path);
for ($i = 0; $i < count($list_id); $i++) {
api_item_property_update($_course, 'work', $list_id[$i], 'FolderUpdated', $user_id);
}
//-------------------------------------------------------------------------------
//uncomment if you want to enter the created dir
//$curdirpath = $created_dir;
//$curdirpathurl = urlencode($curdirpath);
} else {
Display :: display_error_message(get_lang('CannotCreateDir'));
}
}
}
/* -------------------
@ -693,79 +698,116 @@ else {
$error_message = "";
$check = Security :: check_token('post'); //check the token inserted into the form
if (!empty($_POST['submitWork']) && !empty($is_course_member) && !empty($check)) {
if (!empty($_FILES['file']['size'])) {
$updir = $currentCourseRepositorySys . 'work/'; //directory path to upload
// Try to add an extension to the file if it has'nt one
$new_file_name = add_ext_on_mime(stripslashes($_FILES['file']['name']), $_FILES['file']['type']);
// Replace dangerous characters
$new_file_name = replace_dangerous_char($new_file_name, 'strict');
// Transform any .php file in .phps fo security
$new_file_name = php2phps($new_file_name);
//filter extension
if (!filter_extension($new_file_name)) {
Display :: display_error_message(get_lang('UplUnableToSaveFileFilteredExtension'));
$succeed = false;
} else {
if (!$title) {
$title = $_FILES['file']['name'];
}
//if (!$authors) {
$authors = $currentUserFirstName . " " . $currentUserLastName;
//}
// compose a unique file name to avoid any conflict
$new_file_name = uniqid('') . $new_file_name;
if (isset ($_SESSION['toolgroup'])) {
$post_group_id = $_SESSION['toolgroup'];
if ($ctok==$_POST['sec_token']) { //check the token inserted into the form
if (!empty($_POST['submitWork']) && !empty($is_course_member)) {
if (!empty($_FILES['file']['size'])) {
$updir = $currentCourseRepositorySys . 'work/'; //directory path to upload
// Try to add an extension to the file if it has'nt one
$new_file_name = add_ext_on_mime(stripslashes($_FILES['file']['name']), $_FILES['file']['type']);
// Replace dangerous characters
$new_file_name = replace_dangerous_char($new_file_name, 'strict');
// Transform any .php file in .phps fo security
$new_file_name = php2phps($new_file_name);
//filter extension
if (!filter_extension($new_file_name)) {
Display :: display_error_message(get_lang('UplUnableToSaveFileFilteredExtension'));
$succeed = false;
} else {
$post_group_id = '0';
if (!$title) {
$title = $_FILES['file']['name'];
}
//if (!$authors) {
$authors = $currentUserFirstName . " " . $currentUserLastName;
//}
// compose a unique file name to avoid any conflict
$new_file_name = uniqid('') . $new_file_name;
if (isset ($_SESSION['toolgroup'])) {
$post_group_id = $_SESSION['toolgroup'];
} else {
$post_group_id = '0';
}
//if we come from the group tools the groupid will be saved in $work_table
@move_uploaded_file($_FILES['file']['tmp_name'], $updir . $my_cur_dir_path . $new_file_name);
$url = "work/" . $my_cur_dir_path . $new_file_name;
$result = api_sql_query("SHOW FIELDS FROM " . $work_table . " LIKE 'sent_date'", __FILE__, __LINE__);
if (!Database::num_rows($result)) {
api_sql_query("ALTER TABLE " . $work_table . " ADD sent_date DATETIME NOT NULL");
}
$current_date = date('Y-m-d H:i:s');
$parent_id = '';
$active = '';
$sql = api_sql_query('SELECT id FROM '.Database::get_course_table(TABLE_STUDENT_PUBLICATION).' WHERE url = '."'/".Database::escape_string($_GET['curdirpath'])."' AND filetype='folder' LIMIT 1");
if(Database::num_rows($sql) > 0 ) {
$dir_row = Database::fetch_array($sql);
$parent_id = $dir_row['id'];
}
$sql_add_publication = "INSERT INTO " . $work_table . " SET " .
"url = '" . $url . "',
title = '" . $title . "',
description = '" . $description . "',
author = '" . $authors . "',
active = '" . $active . "',
accepted = '" . (!$uploadvisibledisabled) . "',
post_group_id = '" . $post_group_id . "',
sent_date = '".$current_date ."',
parent_id = '".$parent_id ."' ,
session_id = ".intval($id_session);
api_sql_query($sql_add_publication, __FILE__, __LINE__);
$Id = mysql_insert_id();
api_item_property_update($_course, 'work', $Id, 'DocumentAdded', $user_id);
$succeed = true;
// update all the parents in the table item propery
$list_id=get_parent_directories($my_cur_dir_path);
for ($i = 0; $i < count($list_id); $i++) {
api_item_property_update($_course, 'work', $list_id[$i], 'FolderUpdated', $user_id);
}
}
//if we come from the group tools the groupid will be saved in $work_table
@move_uploaded_file($_FILES['file']['tmp_name'], $updir . $my_cur_dir_path . $new_file_name);
$url = "work/" . $my_cur_dir_path . $new_file_name;
} elseif ($newWorkUrl) {
/*
* SPECIAL CASE ! For a work coming from another area (i.e. groups)
*/
$url = str_replace('../../' . $_course['path'] . '/', '', $newWorkUrl);
if (!$title) {
$title = basename($workUrl);
}
$result = api_sql_query("SHOW FIELDS FROM " . $work_table . " LIKE 'sent_date'", __FILE__, __LINE__);
if (!Database::num_rows($result)) {
api_sql_query("ALTER TABLE " . $work_table . " ADD sent_date DATETIME NOT NULL");
}
$current_date = date('Y-m-d H:i:s');
$parent_id = '';
$active = '';
$sql = api_sql_query('SELECT id FROM '.Database::get_course_table(TABLE_STUDENT_PUBLICATION).' WHERE url = '."'/".Database::escape_string($_GET['curdirpath'])."' AND filetype='folder' LIMIT 1");
if(Database::num_rows($sql) > 0 ) {
$dir_row = Database::fetch_array($sql);
$parent_id = $dir_row['id'];
}
$sql_add_publication = "INSERT INTO " . $work_table . " SET " .
"url = '" . $url . "',
title = '" . $title . "',
description = '" . $description . "',
author = '" . $authors . "',
active = '" . $active . "',
accepted = '" . (!$uploadvisibledisabled) . "',
post_group_id = '" . $post_group_id . "',
sent_date = '".$current_date ."',
parent_id = '".$parent_id ."' ,
session_id = ".intval($id_session);
api_sql_query($sql_add_publication, __FILE__, __LINE__);
$Id = mysql_insert_id();
api_item_property_update($_course, 'work', $Id, 'DocumentAdded', $user_id);
$sql = "INSERT INTO " . $work_table . "
SET url = '" . $url . "',
title = '" . $title . "',
description = '" . $description . "',
author = '" . $authors . "',
sent_date = NOW(),
session_id = ".intval($id_session);
api_sql_query($sql, __FILE__, __LINE__);
$insertId = Database::insert_id();
api_item_property_update($_course, 'work', $insertId, 'DocumentAdded', $user_id);
$succeed = true;
// update all the parents in the table item propery
@ -775,90 +817,58 @@ if (!empty($_POST['submitWork']) && !empty($is_course_member) && !empty($check))
}
}
} elseif ($newWorkUrl) {
/*
* SPECIAL CASE ! For a work coming from another area (i.e. groups)
*/
$url = str_replace('../../' . $_course['path'] . '/', '', $newWorkUrl);
if (!$title) {
$title = basename($workUrl);
}
$result = api_sql_query("SHOW FIELDS FROM " . $work_table . " LIKE 'sent_date'", __FILE__, __LINE__);
if (!Database::num_rows($result)) {
api_sql_query("ALTER TABLE " . $work_table . " ADD sent_date DATETIME NOT NULL");
}
$sql = "INSERT INTO " . $work_table . "
SET url = '" . $url . "',
title = '" . $title . "',
description = '" . $description . "',
author = '" . $authors . "',
sent_date = NOW(),
session_id = ".intval($id_session);
api_sql_query($sql, __FILE__, __LINE__);
$insertId = Database::insert_id();
api_item_property_update($_course, 'work', $insertId, 'DocumentAdded', $user_id);
$succeed = true;
* SPECIAL CASE ! For a work edited
*/
else {
//Get the author ID for that document from the item_property table
$is_author = false;
if ($id<>'') {
$author_sql = "SELECT * FROM $iprop_table WHERE tool = 'work' AND insert_user_id='$user_id' AND ref=" . mysql_real_escape_string($id);
// update all the parents in the table item propery
$list_id=get_parent_directories($my_cur_dir_path);
for ($i = 0; $i < count($list_id); $i++) {
api_item_property_update($_course, 'work', $list_id[$i], 'FolderUpdated', $user_id);
}
}
/*
* SPECIAL CASE ! For a work edited
*/
else {
//Get the author ID for that document from the item_property table
$is_author = false;
if ($id<>'') {
$author_sql = "SELECT * FROM $iprop_table WHERE tool = 'work' AND insert_user_id='$user_id' AND ref=" . mysql_real_escape_string($id);
$author_qry = api_sql_query($author_sql, __FILE__, __LINE__);
if (Database :: num_rows($author_qry) == 1) {
$is_author = true;
$author_qry = api_sql_query($author_sql, __FILE__, __LINE__);
if (Database :: num_rows($author_qry) == 1) {
$is_author = true;
}
} else {
Display::display_error_message(get_lang('IsNotPosibleSaveTheDocument'));
}
} else {
Display::display_error_message(get_lang('IsNotPosibleSaveTheDocument'));
}
if ($id && ($is_allowed_to_edit or $is_author)) {
if (!$title) {
$title = basename($newWorkUrl);
if ($id && ($is_allowed_to_edit or $is_author)) {
if (!$title) {
$title = basename($newWorkUrl);
}
if($is_allowed_to_edit && ($_POST['qualification']!='')) {
$add_to_update = ',qualificator_id ='."'".api_get_user_id()."',";
$add_to_update .= 'qualification ='."'".Database::escape_string($_POST['qualification'])."',";
$add_to_update .= 'date_of_qualification ='."'".date('Y-m-d H:i:s')."'";
}
if ((int)$_POST['qualification'] > (int)$_POST['qualification_over']) {
Display::display_error_message(get_lang('QualificationMustNotBeMoreThanQualificationOver'));
} else {
$sql = "UPDATE " . $work_table . "
SET title = '" . $title . "',
description = '" . $description . "'
".$add_to_update."
WHERE id = '$id'";
api_sql_query($sql, __FILE__, __LINE__);
}
$t_gradebook_link = Database::get_main_table(TABLE_MAIN_GRADEBOOK_LINK);
//api_sql_query($sql2, __FILE__, __LINE__);
$insertId = $id;
api_item_property_update($_course, 'work', $insertId, 'DocumentUpdated', $user_id);
$succeed = true;
} else {
$error_message = get_lang('TooBig');
}
if($is_allowed_to_edit && ($_POST['qualification']!='')) {
$add_to_update = ',qualificator_id ='."'".api_get_user_id()."',";
$add_to_update .= 'qualification ='."'".Database::escape_string($_POST['qualification'])."',";
$add_to_update .= 'date_of_qualification ='."'".date('Y-m-d H:i:s')."'";
}
$sql = "UPDATE " . $work_table . "
SET title = '" . $title . "',
description = '" . $description . "'
".$add_to_update."
WHERE id = '$id'";
api_sql_query($sql, __FILE__, __LINE__);
$t_gradebook_link = Database::get_main_table(TABLE_MAIN_GRADEBOOK_LINK);
//api_sql_query($sql2, __FILE__, __LINE__);
$insertId = $id;
api_item_property_update($_course, 'work', $insertId, 'DocumentUpdated', $user_id);
$succeed = true;
} else {
$error_message = get_lang('TooBig');
}
}
Security :: clear_token(); //clear the token to prevent re-executing the request with back button
}
}
if (!empty($_POST['submitWork']) && !empty($succeed) && !$id) {
@ -998,7 +1008,6 @@ endif;
if ($is_course_member) {
if (($display_upload_form || $edit)&&!$has_ended) {
$token = Security :: get_token(); //generate token to be used to check validity of request
if ($edit) {
//Get the author ID for that document from the item_property table
$is_author = false;
@ -1009,7 +1018,7 @@ if ($is_course_member) {
}
}
require_once (api_get_path(LIBRARY_PATH) . 'formvalidator/FormValidator.class.php');
//require_once (api_get_path(LIBRARY_PATH) . 'formvalidator/FormValidator.class.php');
require_once (api_get_path(LIBRARY_PATH) . 'fileDisplay.lib.php');
$form = new FormValidator('form', 'POST', api_get_self() . "?curdirpath=" . rtrim(Security :: remove_XSS($cur_dir_path),'/') . "&origin=$origin", '', 'enctype="multipart/form-data"');
@ -1054,16 +1063,22 @@ if ($is_course_member) {
//$defaults["authors"] = ($edit ? stripslashes($workAuthor) : stripslashes($authors));
$titleAuthors = $form->addElement('textarea', 'description', get_lang("Description"), 'style="width: 350px; height: 60px;"');
$defaults["description"] = ($edit ? stripslashes($workDescription) : stripslashes($description));
if($is_allowed_to_edit && $edit ) {
if($is_allowed_to_edit && !empty($edit) && !empty($parent_id)) {
// Get qualification from parent_id that'll allow the validation qualification over
$sql = "SELECT qualification FROM $work_table WHERE id='$parent_id'";
$result = api_sql_query($sql,__FILE__,__LINE__);
$row = Database::fetch_array($result);
$qualification_over = $row['qualification'];
$form->addElement('text', 'qualification', get_lang('Qualification'),'size="10"');
}
$form->addElement('html','<div style="margin-left:20%">'.get_lang('QualificationOver').'&nbsp;:&nbsp;'.$qualification_over.'</div>');
$form->addElement('hidden', 'qualification_over', $qualification_over);
}
$defaults['qualification'] = $qualification_number;//($edit ? stripslashes($qualification_number) : stripslashes($qualification_number));
$defaults['qualification'] = $qualification_number;//($edit ? stripslashes($qualification_number) : stripslashes($qualification_number));
$form->addElement('hidden', 'active', 1);
$form->addElement('hidden', 'accepted', 1);
$form->addElement('hidden', 'sec_token', $token);
$form->addElement('hidden', 'sec_token', $stok);
// fix the Ok button when we see the tool in the learn path
if ($origin== 'learnpath') {
@ -1140,6 +1155,7 @@ function draw_date_picker($prefix,$default='') {
//create the form that asks for the directory name
$new_folder_text = '<br /><br /><form name="form1" method="POST">';
$new_folder_text .= '<input type="hidden" name="curdirpath" value="' . Security :: remove_XSS($cur_dir_path) . '"/>';
$new_folder_text .= '<input type="hidden" name="sec_token" value="'.$stok.'" />';
$new_folder_text .= '<div id="msg_error1" style="display:none;color:red"></div>';
$new_folder_text .= get_lang('NewDir') . ' ';
$new_folder_text .= '<input type="text" name="new_dir"/>';
@ -1221,7 +1237,7 @@ if (!$display_upload_form && !$display_tool_options) {
}
if($is_allowed_to_edit && $is_special==true) {
if (isset($_REQUEST['filter'])) {
if (!empty($_REQUEST['filter'])) {
switch($_REQUEST['filter']) {
case 1:
$add_query = ' AND qualification = '."''";

Write Preview
Loading…
Cancel
Save