Avoid show link to survey when access is not allowed - refs BT#12554

8 years ago · 9d0e3b74ce
parent d4dc9751cf
commit 9d0e3b74ce
3 changed files with 30 additions and 14 deletions
--- a/main/survey/reporting.php
+++ b/main/survey/reporting.php
@ -88,13 +88,14 @@ $isDrhOfCourse = CourseManager::isUserSubscribedInCourseAsDrh(

 /** @todo this has to be moved to a more appropriate place (after the display_header of the code)*/
 if (!api_is_allowed_to_edit(false, true) || $isDrhOfCourse) {
-    Display :: display_header(get_lang('ToolSurvey'));
    // Show error message if the survey can be seen only by tutors
-    if ($survey_data['visible_results'] != SURVEY_VISIBLE_TUTOR) {
-        SurveyUtil::handle_reporting_actions($survey_data, $people_filled);
-    } else {
-        Display :: display_error_message(get_lang('NotAllowed'), false);
+    if ($survey_data['visible_results'] == SURVEY_VISIBLE_TUTOR) {
+        api_not_allowed(true);
+        exit;
    }
+
+    Display :: display_header(get_lang('ToolSurvey'));
+    SurveyUtil::handle_reporting_actions($survey_data, $people_filled);
    Display :: display_footer();
    exit;
 }
--- a/main/survey/surveyUtil.class.php
+++ b/main/survey/surveyUtil.class.php
@ -2956,10 +2956,13 @@ class SurveyUtil
        }

        echo '<table id="list-survey" class="table ">';
+        echo '<thead>';
        echo '<tr>';
        echo '	<th>'.get_lang('SurveyName').'</th>';
-        echo '	<th>'.get_lang('Anonymous').'</th>';
+        echo '	<th class="text-center">'.get_lang('Anonymous').'</th>';
        echo '</tr>';
+        echo '</thead>';
+        echo '<tbody>';

        $now = api_get_utc_datetime();

@ -2987,15 +2990,29 @@ class SurveyUtil
                echo Display::return_icon('statistics.png', get_lang('CreateNewSurvey'), array(),ICON_SIZE_TINY);
                echo '<a href="'.api_get_path(WEB_CODE_PATH).'survey/fillsurvey.php?course='.$_course['sysCode'].'&invitationcode='.$row['invitation_code'].'&cidReq='.$_course['sysCode'].'">'.$row['title'].'</a></td>';
            } else {
+                $isDrhOfCourse = CourseManager::isUserSubscribedInCourseAsDrh($user_id, $_course);
+                $icon = Display::return_icon('statistics_na.png', get_lang('Survey'), array(), ICON_SIZE_TINY);
+                $showLink = (!api_is_allowed_to_edit(false, true) || $isDrhOfCourse)
+                    && $row['visible_results'] != SURVEY_VISIBLE_TUTOR;
+
                echo '<td>';
-                echo Display::return_icon('statistics_na.png', get_lang('CreateNewSurvey'), array(),ICON_SIZE_TINY);
-                echo '<a href="'.api_get_path(WEB_CODE_PATH).'survey/reporting.php?action=questionreport&cidReq='.$_course['sysCode'].'&id_session='.$row['session_id'].'&gidReq=0&origin=&survey_id='.$row['survey_id'].'">'.$row['title'].'</a></td>';
+                echo $showLink
+                    ? Display::url(
+                        $icon.PHP_EOL.$row['title'],
+                        api_get_path(WEB_CODE_PATH).'survey/reporting.php?'.api_get_cidreq().'&'.http_build_query([
+                            'action' => 'questionreport',
+                            'survey_id' => $row['survey_id']
+                        ])
+                    )
+                    : $icon.PHP_EOL.$row['title'];
+                echo '</td>';
            }
-            echo '<td class="center">';
+            echo '<td class="text-center">';
            echo ($row['anonymous'] == 1) ? get_lang('Yes') : get_lang('No');
            echo '</td>';
            echo '</tr>';
        }
+        echo '</tbody>';
        echo '</table>';
    }

--- a/main/survey/survey_list.php
+++ b/main/survey/survey_list.php
@ -19,6 +19,7 @@ if (!isset($_GET['cidReq'])) {
 require_once __DIR__.'/../inc/global.inc.php';
 $this_section = SECTION_COURSES;
 $current_course_tool = TOOL_SURVEY;
+$currentUserId = api_get_user_id();

 api_protect_course_script(true);
 $action = isset($_GET['action']) ? Security::remove_XSS($_GET['action']) : null;
@ -32,10 +33,7 @@ Event::event_access_tool(TOOL_SURVEY);
 */

 $courseInfo = api_get_course_info();
-$isDrhOfCourse = CourseManager::isUserSubscribedInCourseAsDrh(
-    api_get_user_id(),
-    $courseInfo
-);
+$isDrhOfCourse = CourseManager::isUserSubscribedInCourseAsDrh($currentUserId, $courseInfo);

 if ($isDrhOfCourse) {
    Display::display_header(get_lang('SurveyList'));
@ -47,7 +45,7 @@ if ($isDrhOfCourse) {
 if (!api_is_allowed_to_edit(false, true)) {
    // Coach can see this
    Display::display_header(get_lang('SurveyList'));
-    SurveyUtil::getSurveyList(api_get_user_id());
+    SurveyUtil::getSurveyList($currentUserId);
    Display::display_footer();
    exit;
 }