Avoid show link to survey when access is not allowed - refs BT#12554

remotes/angel/1.11.x
Angel Fernando Quiroz Campos 8 years ago
parent d4dc9751cf
commit 9d0e3b74ce
  1. 11
      main/survey/reporting.php
  2. 25
      main/survey/surveyUtil.class.php
  3. 8
      main/survey/survey_list.php

@ -88,13 +88,14 @@ $isDrhOfCourse = CourseManager::isUserSubscribedInCourseAsDrh(
/** @todo this has to be moved to a more appropriate place (after the display_header of the code)*/ /** @todo this has to be moved to a more appropriate place (after the display_header of the code)*/
if (!api_is_allowed_to_edit(false, true) || $isDrhOfCourse) { if (!api_is_allowed_to_edit(false, true) || $isDrhOfCourse) {
Display :: display_header(get_lang('ToolSurvey'));
// Show error message if the survey can be seen only by tutors // Show error message if the survey can be seen only by tutors
if ($survey_data['visible_results'] != SURVEY_VISIBLE_TUTOR) { if ($survey_data['visible_results'] == SURVEY_VISIBLE_TUTOR) {
SurveyUtil::handle_reporting_actions($survey_data, $people_filled); api_not_allowed(true);
} else { exit;
Display :: display_error_message(get_lang('NotAllowed'), false);
} }
Display :: display_header(get_lang('ToolSurvey'));
SurveyUtil::handle_reporting_actions($survey_data, $people_filled);
Display :: display_footer(); Display :: display_footer();
exit; exit;
} }
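Review bot: The comment `// Show error message if the survey can be seen only by tutors` is stale after this change: the branch no longer renders an inline error but calls `api_not_allowed(true)` and exits, so it should read `// Results are visible to tutors only: deny access instead of rendering the report`. The comparison `$survey_data['visible_results'] == SURVEY_VISIBLE_TUTOR` is loose, which is probably deliberate because the value comes from a database row, but a one-line comment saying so would stop a later cleanup from turning it into `===` and silently breaking the gate. The `exit;` after `api_not_allowed(true)` is redundant if that helper terminates the request itself, as it appears to elsewhere in this codebase; keeping it is a safe default. This gate only covers users who cannot edit or who are DRH, and editors reach the report code outside the hunk without it, which matches the stated intent of the commit.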

@ -2956,10 +2956,13 @@ class SurveyUtil
} }
echo '<table id="list-survey" class="table ">'; echo '<table id="list-survey" class="table ">';
echo '<thead>';
echo '<tr>'; echo '<tr>';
echo ' <th>'.get_lang('SurveyName').'</th>'; echo ' <th>'.get_lang('SurveyName').'</th>';
echo ' <th>'.get_lang('Anonymous').'</th>'; echo ' <th class="text-center">'.get_lang('Anonymous').'</th>';
echo '</tr>'; echo '</tr>';
echo '</thead>';
echo '<tbody>';
$now = api_get_utc_datetime(); $now = api_get_utc_datetime();
@ -2987,15 +2990,29 @@ class SurveyUtil
echo Display::return_icon('statistics.png', get_lang('CreateNewSurvey'), array(),ICON_SIZE_TINY); echo Display::return_icon('statistics.png', get_lang('CreateNewSurvey'), array(),ICON_SIZE_TINY);
echo '<a href="'.api_get_path(WEB_CODE_PATH).'survey/fillsurvey.php?course='.$_course['sysCode'].'&invitationcode='.$row['invitation_code'].'&cidReq='.$_course['sysCode'].'">'.$row['title'].'</a></td>'; echo '<a href="'.api_get_path(WEB_CODE_PATH).'survey/fillsurvey.php?course='.$_course['sysCode'].'&invitationcode='.$row['invitation_code'].'&cidReq='.$_course['sysCode'].'">'.$row['title'].'</a></td>';
} else { } else {
$isDrhOfCourse = CourseManager::isUserSubscribedInCourseAsDrh($user_id, $_course);
$icon = Display::return_icon('statistics_na.png', get_lang('Survey'), array(), ICON_SIZE_TINY);
$showLink = (!api_is_allowed_to_edit(false, true) || $isDrhOfCourse)
&& $row['visible_results'] != SURVEY_VISIBLE_TUTOR;
echo '<td>'; echo '<td>';
echo Display::return_icon('statistics_na.png', get_lang('CreateNewSurvey'), array(),ICON_SIZE_TINY); echo $showLink
echo '<a href="'.api_get_path(WEB_CODE_PATH).'survey/reporting.php?action=questionreport&cidReq='.$_course['sysCode'].'&id_session='.$row['session_id'].'&gidReq=0&origin=&survey_id='.$row['survey_id'].'">'.$row['title'].'</a></td>'; ? Display::url(
$icon.PHP_EOL.$row['title'],
api_get_path(WEB_CODE_PATH).'survey/reporting.php?'.api_get_cidreq().'&'.http_build_query([
'action' => 'questionreport',
'survey_id' => $row['survey_id']
])
)
: $icon.PHP_EOL.$row['title'];
echo '</td>';
} }
echo '<td class="center">'; echo '<td class="text-center">';
echo ($row['anonymous'] == 1) ? get_lang('Yes') : get_lang('No'); echo ($row['anonymous'] == 1) ? get_lang('Yes') : get_lang('No');
echo '</td>'; echo '</td>';
echo '</tr>'; echo '</tr>';
} }
echo '</tbody>';
echo '</table>'; echo '</table>';
} }
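Review bot: `CourseManager::isUserSubscribedInCourseAsDrh($user_id, $_course)` and `api_is_allowed_to_edit(false, true)` are evaluated once per row (these lines sit inside the `$row` loop, whose header starts outside the hunk), so the DRH lookup, presumably a database query, is repeated for every survey listed; compute both once before the loop as `$isDrhOfCourse = CourseManager::isUserSubscribedInCourseAsDrh($user_id, $_course);` and `$canEdit = api_is_allowed_to_edit(false, true);`, then use `$showLink = (!$canEdit || $isDrhOfCourse) && $row['visible_results'] != SURVEY_VISIBLE_TUTOR;` in the row. The first clause of `$showLink` also removes the link for users who can edit and are not DRH; that is harmless if, as survey_list.php suggests, getSurveyList is only reached for non-editors and DRH, but it deserves a comment so the condition is not read as a general rule. Hiding the link is a usability measure, not an access control; the `api_not_allowed` check this commit adds to reporting.php is the authoritative gate and must remain even if the list logic changes. `$row['title']` is inserted into the anchor text unescaped, as it was before the change, and Display::url does not obviously escape its label, so wrapping it as `Security::remove_XSS($row['title'])` would keep a crafted survey title from injecting markup into the list.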

@ -19,6 +19,7 @@ if (!isset($_GET['cidReq'])) {
require_once __DIR__.'/../inc/global.inc.php'; require_once __DIR__.'/../inc/global.inc.php';
$this_section = SECTION_COURSES; $this_section = SECTION_COURSES;
$current_course_tool = TOOL_SURVEY; $current_course_tool = TOOL_SURVEY;
$currentUserId = api_get_user_id();
api_protect_course_script(true); api_protect_course_script(true);
$action = isset($_GET['action']) ? Security::remove_XSS($_GET['action']) : null; $action = isset($_GET['action']) ? Security::remove_XSS($_GET['action']) : null;
@ -32,10 +33,7 @@ Event::event_access_tool(TOOL_SURVEY);
*/ */
$courseInfo = api_get_course_info(); $courseInfo = api_get_course_info();
$isDrhOfCourse = CourseManager::isUserSubscribedInCourseAsDrh( $isDrhOfCourse = CourseManager::isUserSubscribedInCourseAsDrh($currentUserId, $courseInfo);
api_get_user_id(),
$courseInfo
);
if ($isDrhOfCourse) { if ($isDrhOfCourse) {
Display::display_header(get_lang('SurveyList')); Display::display_header(get_lang('SurveyList'));
@ -47,7 +45,7 @@ if ($isDrhOfCourse) {
if (!api_is_allowed_to_edit(false, true)) { if (!api_is_allowed_to_edit(false, true)) {
// Coach can see this // Coach can see this
Display::display_header(get_lang('SurveyList')); Display::display_header(get_lang('SurveyList'));
SurveyUtil::getSurveyList(api_get_user_id()); SurveyUtil::getSurveyList($currentUserId);
Display::display_footer(); Display::display_footer();
exit; exit;
} }
