From acd19ea3615c20a00b9bbd6a421b54e48ecfae38 Mon Sep 17 00:00:00 2001
From: Julio Montoya
Date: Fri, 3 Apr 2015 09:10:31 +0200
Subject: [PATCH] Fix permissions for DRH see BT#9609

---
 main/announcements/announcements.inc.php | 7 +++----
 main/announcements/announcements.php | 24 ++++++++----------------
 2 files changed, 11 insertions(+), 20 deletions(-)

diff --git a/main/announcements/announcements.inc.php b/main/announcements/announcements.inc.php
index d20f58851e..bdd0ab91f8 100755
--- a/main/announcements/announcements.inc.php
+++ b/main/announcements/announcements.inc.php
@@ -152,7 +152,7 @@ class AnnouncementManager
 * Displays one specific announcement
 * @param int $announcement_id, the id of the announcement you want to display
 */
- public static function display_announcement($announcement_id)
+ public static function display_announcement($announcement_id, $allowToEdit)
 {
 if ($announcement_id != strval(intval($announcement_id))) {
 return false;
@@ -164,7 +164,7 @@ class AnnouncementManager
 
 $course_id = api_get_course_int_id();
 
- if (api_is_allowed_to_edit(false, true) || (api_get_course_setting('allow_user_edit_announcement') && !api_is_anonymous())) {
+ if ($allowToEdit) {
 $sql_query = " SELECT announcement.*, toolitemproperties.*
 FROM $tbl_announcement announcement, $tbl_item_property toolitemproperties
 WHERE announcement.id = toolitemproperties.ref
@@ -174,7 +174,6 @@ class AnnouncementManager
 toolitemproperties.c_id = $course_id
 ORDER BY display_order DESC";
 } else {
-
 $group_list = GroupManager::get_group_ids($course_id, api_get_user_id());
 if (empty($group_list)) {
 $group_list[] = 0;
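Review bot: The new `$allowToEdit` parameter on `display_announcement` (hunk @@ -152) has no default and the docblock still documents only `$announcement_id`, so any caller not updated in this commit either gets a warning with `null` (older PHP) or an `ArgumentCountError` (PHP 7.1+). Since the flag unlocks the unrestricted query in hunk @@ -164 and the edit/visibility icons later in the same file, it should fail closed: `public static function display_announcement($announcement_id, $allowToEdit = false)`. Please also add `* @param bool $allowToEdit true only when the caller has already established edit rights (session/DRH checks included); selects the unrestricted query and shows the edit icons`. The function body continues past the end of these hunks.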
@@ -212,7 +211,7 @@ class AnnouncementManager
 echo "";
 echo "";
- if (api_is_allowed_to_edit(false, true) || (api_get_course_setting('allow_user_edit_announcement') && !api_is_anonymous())) {
+ if ($allowToEdit) {
 $modify_icons = "" . Display::return_icon('edit.png', get_lang('Edit'), '', ICON_SIZE_SMALL) . "";
 if ($result['visibility'] == 1) {
 $image_visibility = "visible";
diff --git a/main/announcements/announcements.php b/main/announcements/announcements.php
index 7d9598feda..b1ef9fefa3 100755
--- a/main/announcements/announcements.php
+++ b/main/announcements/announcements.php
@@ -40,6 +40,11 @@ $allowToEdit = (
 $sessionId = api_get_session_id();
 $drhHasAccessToSessionContent = api_get_configuration_value('drh_can_access_all_session_content');
 
+
+if (!empty($sessionId)) {
+ $allowToEdit = $allowToEdit && api_is_allowed_to_session_edit(false, true);
+ }
+
 if (!empty($sessionId) && $drhHasAccessToSessionContent) {
 $allowToEdit = $allowToEdit || api_is_drh();
 }
@@ -87,9 +92,7 @@ $safe_newContent = isset($_POST['newContent']) ? $_POST['newContent'] : null;
 $content_to_modify = $title_to_modify = '';
 
 if (!empty($_POST['To'])) {
- if (api_get_session_id() != 0 &&
- api_is_allowed_to_session_edit(false, true) == false
- ) {
+ if (!$allowToEdit) {
 api_not_allowed(true);
 }
 $display_form = true;
@@ -132,7 +135,7 @@ $origin = isset($_GET['origin']) ? Security::remove_XSS($_GET['origin']) : null;
 if (((!empty($_GET['action']) && $_GET['action'] == 'add') && $_GET['origin'] == "") ||
 (!empty($_GET['action']) && $_GET['action'] == 'edit') || !empty($_POST['To'])
 ) {
- if (api_get_session_id()!=0 && api_is_allowed_to_session_edit(false,true) == false) {
+ if (api_get_session_id() != 0 && !$allowToEdit) {
 api_not_allowed(true);
 }
 $display_form = true;
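Review bot: The two rewritten guards in announcements.php disagree: hunk @@ -87 blocks the `$_POST['To']` path with `if (!$allowToEdit)`, but hunk @@ -132 keeps `if (api_get_session_id() != 0 && !$allowToEdit)`, so outside a session the add/edit form path is not gated on `$allowToEdit` at all while the POST path a few lines earlier is. Because hunk @@ -40 now folds `api_is_allowed_to_session_edit()` into `$allowToEdit` for sessions, the `api_get_session_id() != 0 &&` prefix no longer adds anything inside a session; unless non-session users without edit rights are meant to reach the form (the base computation of `$allowToEdit` at line 40 is outside the hunk), `if (!$allowToEdit) {` would make the two checks consistent. In hunk @@ -40 the DRH override deliberately runs after the session-edit restriction, which is the behavior the commit title describes but is easy to misread as a precedence mistake; a one-line comment such as `// DRH override: with drh_can_access_all_session_content, a DRH keeps edit rights even when session edit is denied` would document it. The same hunk also stacks an added blank line on the existing blank context line.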
@@ -206,9 +209,6 @@ if ($allowToEdit) {
 // change visibility -> studentview -> course manager view
 if (!isset($_GET['isStudentView']) || $_GET['isStudentView']!='false') {
 if (isset($_GET['id']) AND $_GET['id'] AND isset($_GET['action']) AND $_GET['action']=="showhide") {
- if (api_get_session_id()!=0 && api_is_allowed_to_session_edit(false,true)==false) {
- api_not_allowed();
- }
 if (!api_is_course_coach() || api_is_element_in_the_session(TOOL_ANNOUNCEMENT, $_GET['id'])) {
 if ($ctok == $_GET['sec_token']) {
 AnnouncementManager::change_visibility_announcement($_course, $_GET['id']);
@@ -221,9 +221,6 @@ if ($allowToEdit) {
 /* Delete announcement */
 if (!empty($_GET['action']) && $_GET['action']=='delete' && isset($_GET['id'])) {
 $id = intval($_GET['id']);
- if (api_get_session_id()!=0 && api_is_allowed_to_session_edit(false, true) == false) {
- api_not_allowed();
- }
 if (!api_is_course_coach() || api_is_element_in_the_session(TOOL_ANNOUNCEMENT, $id)) {
 
 // tooledit : visibility = 2 : only visible for platform administrator
@@ -262,10 +259,6 @@ if ($allowToEdit) {
 
 /* Modify announcement */
 if (!empty($_GET['action']) and $_GET['action']=='modify' AND isset($_GET['id'])) {
- if (api_get_session_id()!=0 && api_is_allowed_to_session_edit(false,true)==false) {
- api_not_allowed();
- }
-
 $display_form = true;
 
 // RETRIEVE THE CONTENT OF THE ANNOUNCEMENT TO MODIFY
@@ -981,7 +974,6 @@ if ($display_announcement_list) {
 } else {
 Display::display_warning_message(get_lang('NoAnnouncements'));
 }
-
 } else {
 $iterator = 1;
 $bottomAnnouncement = $announcement_number;
@@ -1087,7 +1079,7 @@ if ($display_announcement_list) {
 } // end: if ($displayAnnoucementList)
 
 if (isset($_GET['action']) && $_GET['action'] == 'view') {
- AnnouncementManager::display_announcement($announcement_id);
+ AnnouncementManager::display_announcement($announcement_id, $allowToEdit);
 }
 
 /* FOOTER */
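Review bot: After hunks @@ -206, @@ -221 and @@ -262 drop their per-action session guards, the showhide, delete and modify branches are protected only by the enclosing `if ($allowToEdit) {`, whose opening line is outside every hunk shown, and that is sound only because hunk @@ -40 in the same file now folds `api_is_allowed_to_session_edit()` into `$allowToEdit`; that dependency should be stated where the block opens, e.g. `// $allowToEdit already includes the session-edit and DRH checks computed at the top of this file; no per-action session guard is needed`. With the guards gone, the asymmetry between the branches stands out: showhide and delete still run `!api_is_course_coach() || api_is_element_in_the_session(...)` before acting, while the modify branch in hunk @@ -262 has no equivalent check, so a comment saying whether that is intentional would help the next reader. The showhide branch also compares the token with `$ctok == $_GET['sec_token']` (unchanged context); since this block is being touched, `hash_equals((string) $ctok, (string) $_GET['sec_token'])` would avoid loose comparison.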

" . $title . "