Merge branch '1.11.x' of https://github.com/chamilo/chamilo-lms into 1.11.x

8 years ago · 8beaf3f235
parent 759dfcf866 76fbb2b879
commit 8beaf3f235
7 changed files with 52 additions and 26 deletions
--- a/main/inc/ajax/myspace.ajax.php
+++ b/main/inc/ajax/myspace.ajax.php
@ -7,6 +7,14 @@
 require_once __DIR__.'/../global.inc.php';
 $action = $_GET['a'];

+// Access restrictions.
+$is_allowedToTrack = api_is_platform_admin(true, true) ||
+    api_is_allowed_to_create_course() || api_is_course_tutor();
+
+if (!$is_allowedToTrack) {
+    exit;
+}
+
 switch ($action) {
    // At this date : 23/02/2017, a minor review can't determine where is used this case 'access_detail'
    case 'access_detail':
--- a/main/mySpace/access_details.php
+++ b/main/mySpace/access_details.php
@ -18,6 +18,17 @@ require_once __DIR__.'/../inc/global.inc.php';

 api_block_anonymous_users();

+
+// Access restrictions.
+$is_allowedToTrack = api_is_platform_admin(true, true) ||
+    api_is_allowed_to_create_course() || api_is_course_tutor();
+
+if (!$is_allowedToTrack) {
+    api_not_allowed(true);
+    exit;
+}
+
+
 // the section (for the tabs)
 $this_section = SECTION_TRACKING;

--- a/main/mySpace/myStudents.php
+++ b/main/mySpace/myStudents.php
@ -74,6 +74,10 @@ if (!$allowedToTrackUser) {
    api_not_allowed(true);
 }

+if (api_is_student()) {
+    api_not_allowed(true);
+}
+
 $htmlHeadXtra[] = '<script>
 function show_image(image,width,height) {
 	width = parseInt(width) + 20;
@ -236,23 +240,29 @@ switch ($action) {
        exit;
        break;
    case 'send_legal':
-        $subject = get_lang('SendLegalSubject');
-        $content = sprintf(
-            get_lang('SendTermsDescriptionToUrlX'),
-            api_get_path(WEB_PATH)
-        );
-        MessageManager::send_message_simple($student_id, $subject, $content);
-        Display::addFlash(Display::return_message(get_lang('Sent')));
+        $isBoss = UserManager::userIsBossOfStudent(api_get_user_id(), $student_id);
+        if ($isBoss || api_is_platform_admin()) {
+            $subject = get_lang('SendLegalSubject');
+            $content = sprintf(
+                get_lang('SendTermsDescriptionToUrlX'),
+                api_get_path(WEB_PATH)
+            );
+            MessageManager::send_message_simple($student_id, $subject, $content);
+            Display::addFlash(Display::return_message(get_lang('Sent')));
+        }
        break;
    case 'delete_legal':
-        $extraFieldValue = new ExtraFieldValue('user');
-        $value = $extraFieldValue->get_values_by_handler_and_field_variable(
-            $student_id,
-            'legal_accept'
-        );
-        $result = $extraFieldValue->delete($value['id']);
-        if ($result) {
-            Display::addFlash(Display::return_message(get_lang('Deleted')));
+        $isBoss = UserManager::userIsBossOfStudent(api_get_user_id(), $student_id);
+        if ($isBoss || api_is_platform_admin()) {
+            $extraFieldValue = new ExtraFieldValue('user');
+            $value = $extraFieldValue->get_values_by_handler_and_field_variable(
+                $student_id,
+                'legal_accept'
+            );
+            $result = $extraFieldValue->delete($value['id']);
+            if ($result) {
+                Display::addFlash(Display::return_message(get_lang('Deleted')));
+            }
        }
        break;
    case 'reset_lp':
--- a/main/mySpace/user_edit.php
+++ b/main/mySpace/user_edit.php
@ -17,11 +17,6 @@ if (!api_is_platform_admin()) {
    api_protect_admin_script();
 }

-// Database table definitions
-$table_admin = Database::get_main_table(TABLE_MAIN_ADMIN);
-$table_user = Database::get_main_table(TABLE_MAIN_USER);
-$database = Database::get_main_database();
-
 $userId = isset($_REQUEST['user_id']) ? intval($_REQUEST['user_id']) : '';

 $userInfo = api_get_user_info($userId);
@ -60,7 +55,7 @@ if (api_drh_can_access_all_session_content()) {
        api_not_allowed(true);
    }
 } else {
-    if (!$userIsFollowed) {
+    if (!api_is_platform_admin() && !$userIsFollowed) {
        api_not_allowed(true);
    }
 }
--- a/main/social/vcard_export.php
+++ b/main/social/vcard_export.php
@ -14,6 +14,8 @@ require_once __DIR__.'/../inc/global.inc.php';

 api_block_anonymous_users();

+api_protect_admin_script();
+
 if (isset($_REQUEST['userId'])) {
    $userId = intval($_REQUEST['userId']);
 } else {
--- a/main/tracking/courseLog.php
+++ b/main/tracking/courseLog.php
@ -380,7 +380,6 @@ if (count($a_students) > 0) {

    $all_datas = [];
    $course_code = $_course['id'];
-
    $user_ids = array_keys($a_students);

    $table = new SortableTable(
@ -390,7 +389,7 @@ if (count($a_students) > 0) {
        (api_is_western_name_order() xor api_sort_by_first_name()) ? 3 : 2
    );

-    $parameters['cidReq'] = Security::remove_XSS($_GET['cidReq']);
+    $parameters['cidReq'] = isset($_GET['cidReq']) ? Security::remove_XSS($_GET['cidReq']) : '';
    $parameters['id_session'] = $session_id;
    $parameters['from'] = isset($_GET['myspace']) ? Security::remove_XSS($_GET['myspace']) : null;

--- a/main/tracking/course_log_tools.php
+++ b/main/tracking/course_log_tools.php
@ -22,11 +22,12 @@ if ($from == 'myspace') {
 }

 // Access restrictions.
-$is_allowedToTrack = api_is_platform_admin() || api_is_allowed_to_create_course() ||
-    api_is_session_admin() || api_is_drh() || api_is_course_tutor();
+$is_allowedToTrack = api_is_platform_admin(true, true) ||
+    api_is_allowed_to_create_course() ||
+    api_is_course_tutor();

 if (!$is_allowedToTrack) {
-    api_not_allowed();
+    api_not_allowed(true);
    exit;
 }