Block access if group was set to invisible see BT#9425

main/announcements/announcements.php

@@ -55,6 +55,8 @@ $tbl_item_property = Database::get_course_table(TABLE_ITEM_PROPERTY);
 $course_id = api_get_course_int_id();
 $_course = api_get_course_info();
 
+api_protect_course_group(GroupManager::GROUP_TOOL_ANNOUNCEMENT);
+
 /*	Tracking	*/
 Event::event_access_tool(TOOL_ANNOUNCEMENT);
 

main/calendar/agenda_js.php

@@ -48,6 +48,8 @@ if (isset($_REQUEST['cidReq']) && !empty($_REQUEST['cidReq'])) {
     }
 }
 
+api_protect_course_group(GroupManager::GROUP_TOOL_CALENDAR);
+
 $agenda = new Agenda();
 $agenda->type = $type;
 

main/chat/chat.php

@@ -23,8 +23,9 @@ if ($origin != 'whoisonline') {
     $_SESSION['target']= $target;
 }
 
-/*  TRACKING */
+api_protect_course_group(GroupManager::GROUP_TOOL_CHAT, false);
 
+/*  TRACKING */
 Event::event_access_tool(TOOL_CHAT);
 header('Content-Type: text/html; charset='.api_get_system_encoding());
 

main/document/document.php

@@ -40,6 +40,7 @@ $message = null;
 $lib_path = api_get_path(LIBRARY_PATH);
 
 api_protect_course_script(true);
+api_protect_course_group(GroupManager::GROUP_TOOL_DOCUMENTS);
 
 DocumentManager::removeGeneratedAudioTempFile();
 

main/forum/viewforum.php

@@ -79,7 +79,7 @@ if (!empty($groupId)) {
         (($current_forum_category && $current_forum_category['visibility'] == 0) OR
             $current_forum['visibility'] == 0 OR !$user_has_access_in_group)
     ) {
-        api_not_allowed();
+        api_not_allowed(true);
     }
 } else {
     //Course

main/group/group.php

@@ -74,12 +74,16 @@ $my_get_id  = isset($_GET['id']) ? Security::remove_XSS($_GET['id']) : null;
 if (isset($_GET['action']) && $is_allowed_in_course) {
     switch ($_GET['action']) {
         case 'set_visible':
-            GroupManager::setVisible($my_get_id);
-            Display :: display_confirmation_message(get_lang('ItemUpdated'));
+            if (api_is_allowed_to_edit()) {
+                GroupManager::setVisible($my_get_id);
+                Display:: display_confirmation_message(get_lang('ItemUpdated'));
+            }
             break;
         case 'set_invisible':
-            GroupManager::setInvisible($my_get_id);
-            Display :: display_confirmation_message(get_lang('ItemUpdated'));
+            if (api_is_allowed_to_edit()) {
+                GroupManager::setInvisible($my_get_id);
+                Display:: display_confirmation_message(get_lang('ItemUpdated'));
+            }
             break;
         case 'self_reg':
             if (GroupManager::is_self_registration_allowed($userId, $my_group_id)) {

main/group/group_space.php

@@ -26,7 +26,7 @@ require_once api_get_path(SYS_CODE_PATH).'forum/forumconfig.inc.php';
 
 $group_id = api_get_group_id();
 $user_id = api_get_user_id();
-$current_group = GroupManager :: get_group_properties($group_id);
+$current_group = GroupManager::get_group_properties($group_id);
 
 if (empty($current_group)) {
     api_not_allowed(true);
@@ -40,7 +40,7 @@ $interbreadcrumb[] = array('url' => 'group.php', 'name' => get_lang('Groups'));
 
 $forums_of_groups = get_forums_of_group($current_group['id']);
 
-$forum_state_public = 0;
+/*$forum_state_public = 0;
 if (is_array($forums_of_groups)) {
     foreach ($forums_of_groups as $key => $value) {
         if ($value['forum_group_public_private'] == 'public') {
@@ -57,18 +57,21 @@ if ($current_group['doc_state'] != 1 &&
     $current_group['chat_state'] != 1 &&
     $forum_state_public != 1
 ) {
-    if (!api_is_allowed_to_edit(null, true) &&
-        !GroupManager::is_user_in_group($user_id, $group_id)) {
-        api_not_allowed($print_headers);
-    }
+
+}*/
+
+if (!api_is_allowed_to_edit(null, true) &&
+    (!GroupManager::is_user_in_group($user_id, $group_id) ||
+        $current_group['status']  == 0
+    )
+) {
+    api_not_allowed(true);
 }
 
 /*	Header */
-
 Display::display_header($nameTools.' '.Security::remove_XSS($current_group['name']), 'Group');
 
 /*	Introduction section (editable by course admin) */
-
 Display::display_introduction_section(TOOL_GROUP);
 
 /*	Actions and Action links */
@@ -226,8 +229,11 @@ if (api_is_allowed_to_edit(false, true) OR
         // Link to the chat area of this group
         if (api_get_course_setting('allow_open_chat_window')) {
             $actions_array[] = array(
-                'url' => "javascript: void(0);\" onclick=\"window.open('../chat/chat.php?".api_get_cidreq()."&toolgroup=".$current_group['id']."','window_chat_group_".$_SESSION['_cid']."_".$_SESSION['_gid']."','height=380, width=625, left=2, top=2, toolbar=no, menubar=no, scrollbars=yes, resizable=yes, location=no, directories=no, status=no') \"",
-                'content' => Display::return_icon('chat.png', get_lang('Chat'), array(), 32)
+                'url' => "javascript: void(0);",
+                'content' => Display::return_icon('chat.png', get_lang('Chat'), array(), 32),
+                'url_attributes' => array(
+                    'onclick' => " window.open('../chat/chat.php?".api_get_cidreq()."&toolgroup=".$current_group['id']."','window_chat_group_".api_get_course_id()."_".api_get_group_id()."','height=380, width=625, left=2, top=2, toolbar=no, menubar=no, scrollbars=yes, resizable=yes, location=no, directories=no, status=no')"
+                )
             );
         } else {
             $actions_array[] = array(

main/inc/lib/api.lib.php

@@ -1230,7 +1230,6 @@ function api_block_anonymous_users($print_headers = true) {
 function api_get_navigator() {
     $navigator = 'Unknown';
     $version = 0;
-
     if (strpos($_SERVER['HTTP_USER_AGENT'], 'Opera') !== false) {
         $navigator = 'Opera';
         list (, $version) = explode('Opera', $_SERVER['HTTP_USER_AGENT']);
@@ -1240,7 +1239,6 @@ function api_get_navigator() {
     } elseif (strpos($_SERVER['HTTP_USER_AGENT'], 'Chrome') !== false) {
         $navigator = 'Chrome';
         list (, $version) = explode('Chrome', $_SERVER['HTTP_USER_AGENT']);
-
     } elseif (strpos($_SERVER['HTTP_USER_AGENT'], 'Gecko') !== false) {
         $navigator = 'Mozilla';
         list (, $version) = explode('; rv:', $_SERVER['HTTP_USER_AGENT']);
@@ -7986,3 +7984,26 @@ function api_mail_html(
     $mail->ClearAddresses();
     return 1;
 }
+
+/**
+ * @param string $tool Possible values:
+ * GroupManager::GROUP_TOOL_*
+ *
+ */
+function api_protect_course_group($tool, $showHeader = true)
+{
+    $userId = api_get_user_id();
+    $groupId = api_get_group_id();
+
+    if (!empty($groupId)) {
+        $allow = GroupManager::user_has_access(
+            $userId,
+            $groupId,
+            $tool
+        );
+
+        if (!$allow) {
+            api_not_allowed($showHeader);
+        }
+    }
+}

main/inc/lib/display.lib.php

@@ -832,41 +832,46 @@ class Display
 
     /**
      * Creates a URL anchor
+     * @param string $name
+     * @param string $url
+     * @param array $attributes
+     *
+     * @return string
      */
-    public static function url($name, $url, $extra_attributes = array())
+    public static function url($name, $url, $attributes = array())
     {
         if (!empty($url)) {
             $url = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
-            $extra_attributes['href'] = $url;
+            $attributes['href'] = $url;
         }
-        return self::tag('a', $name, $extra_attributes);
+        return self::tag('a', $name, $attributes);
     }
 
     /**
      * Creates a div tag
      *
-     * @param $content
+     * @param string $content
      * @param array $extra_attributes
      * @return string
      */
-    public static function div($content, $extra_attributes = array())
+    public static function div($content, $attributes = array())
     {
-        return self::tag('div', $content, $extra_attributes);
+        return self::tag('div', $content, $attributes);
     }
 
     /**
      * Creates a span tag
      */
-    public static function span($content, $extra_attributes = array())
+    public static function span($content, $attributes = array())
     {
-        return self::tag('span', $content, $extra_attributes);
+        return self::tag('span', $content, $attributes);
     }
 
     /**
      * Displays an HTML input tag
      *
      */
-    public static function input($type, $name, $value, $extra_attributes = array())
+    public static function input($type, $name, $value, $attributes = array())
     {
          if (isset($type)) {
             $extra_attributes['type']= $type;
@@ -877,7 +882,7 @@ class Display
          if (isset($value)) {
             $extra_attributes['value']= $value;
         }
-        return self::tag('input', '', $extra_attributes);
+        return self::tag('input', '', $attributes);
     }
 
     /**
@@ -1828,7 +1833,8 @@ class Display
                     $class = 'class ="active"';
                 }
                 $html .= "<li $class >";
-                $html .= self::url($value['content'], $value['url']);
+                $attributes = isset($value['url_attributes']) ? $value['url_attributes'] : array();
+                $html .= self::url($value['content'], $value['url'], $attributes);
                 $html .= '</li>';
             }
             $html .= '</ul></div>';

main/inc/lib/groupmanager.lib.php

@@ -1964,7 +1964,11 @@ class GroupManager
             return false;
         }
 
-        if (!$user_is_in_group && $groupInfo['status'] == 0) {
+        if (!$user_is_in_group) {
+            return false;
+        }
+
+        if ($groupInfo['status'] == 0) {
             return false;
         }
 

main/wiki/index.php

@@ -67,6 +67,7 @@ $tool_name = get_lang('ToolWiki');
 /* ACCESS */
 api_protect_course_script();
 api_block_anonymous_users();
+api_protect_course_group(GroupManager::GROUP_TOOL_WIKI);
 
 /* TRACKING */
 Event::event_access_tool(TOOL_WIKI);

main/work/work.php

@@ -76,23 +76,9 @@ if (!empty($gradebook) && $gradebook == 'view') {
 }
 
 if (!empty($group_id)) {
-    $group_properties  = GroupManager::get_group_properties($group_id);
-    $show_work = false;
-
-    if (api_is_allowed_to_edit(false, true)) {
-        $show_work = true;
-    } else {
-        // you are not a teacher
-        $show_work = GroupManager::user_has_access(
-            $user_id,
-            $group_id,
-            GroupManager::GROUP_TOOL_WORK
-        );
-    }
+    api_protect_course_group(GroupManager::GROUP_TOOL_WORK);
 
-    if (!$show_work) {
-        api_not_allowed();
-    }
+    $group_properties  = GroupManager::get_group_properties($group_id);
 
     $interbreadcrumb[] = array ('url' => '../group/group.php', 'name' => get_lang('Groups'));
     $interbreadcrumb[] = array ('url' => '../group/group_space.php?gidReq='.$group_id, 'name' => get_lang('GroupSpace').' '.$group_properties['name']);