From bcc567bb260d0d3d78aec7868b8bbae7ba5b521d Mon Sep 17 00:00:00 2001
From: Julio Montoya
Date: Fri, 28 May 2021 10:43:16 +0200
Subject: [PATCH] Minor - update from 1.11.x

---
 public/main/admin/career_dashboard.php | 4 +---
 public/main/admin/career_diagram.php | 20 ++++++++++++++------
 public/main/inc/lib/database.lib.php | 4 ++--
 public/main/user/career_diagram.php | 19 ++++++++++++-------
 public/main/user/class.php | 16 ++--------------
 5 files changed, 31 insertions(+), 32 deletions(-)

diff --git a/public/main/admin/career_dashboard.php b/public/main/admin/career_dashboard.php
index 2cecefa27e..1e6cbc0125 100644
--- a/public/main/admin/career_dashboard.php
+++ b/public/main/admin/career_dashboard.php
@@ -120,9 +120,7 @@ if (!empty($careers)) {
 );
 $session_list = [];
 foreach ($sessions as $session_item) {
- $course_list = SessionManager::get_course_list_by_session_id(
- $session_item['id']
- );
+ $course_list = SessionManager::get_course_list_by_session_id($session_item['id']);
 $session_list[] = [
 'data' => $session_item,
 'courses' => $course_list,
diff --git a/public/main/admin/career_diagram.php b/public/main/admin/career_diagram.php
index 50368af65a..91a2db6f67 100644
--- a/public/main/admin/career_diagram.php
+++ b/public/main/admin/career_diagram.php
@@ -14,10 +14,23 @@ ALTER TABLE extra_field_values modify column value longtext null;
 $cidReset = true;
 require_once __DIR__.'/../inc/global.inc.php';

-if (false == api_get_configuration_value('allow_career_diagram')) {
+if (false === api_get_configuration_value('allow_career_diagram')) {
 api_not_allowed(true);
 }

+$careerId = isset($_GET['id']) ? (int) $_GET['id'] : 0;
+//$userId = isset($_GET['user_id']) ? $_GET['user_id'] : api_get_user_id();
+
+if (empty($careerId)) {
+ api_not_allowed(true);
+}
+
+// Redirect to user/career_diagram.php if not admin/drh BT#18720
+if (!(api_is_platform_admin() || api_is_drh())) {
+ $url = api_get_path(WEB_CODE_PATH).'user/career_diagram.php?career_id='.$careerId;
+ api_location($url);
+}
+
 $this_section = SECTION_PLATFORM_ADMIN;

 $allowCareer = api_get_configuration_value('allow_session_admin_read_careers');
@@ -25,11 +38,6 @@ api_protect_admin_script($allowCareer);

 $htmlHeadXtra[] = api_get_js('jsplumb2.js');

-$careerId = isset($_GET['id']) ? $_GET['id'] : 0;
-if (empty($careerId)) {
- api_not_allowed(true);
-}
-
 $career = new Career();
 $careerInfo = $career->get($careerId);
 if (empty($careerInfo)) {
diff --git a/public/main/inc/lib/database.lib.php b/public/main/inc/lib/database.lib.php
index 06a377bb8b..4c9984f6a3 100644
--- a/public/main/inc/lib/database.lib.php
+++ b/public/main/inc/lib/database.lib.php
@@ -752,8 +752,8 @@ class Database
 return self::getManager()->getConnection()->getSchemaManager()->listTableColumns($table);
 }

- public static function escapeField($field)
+ public static function escapeField($field): string
 {
- return self::escape_string(preg_replace("/[^a-zA-Z0-9_]/", '', $field));
+ return self::escape_string(preg_replace("/[^a-zA-Z0-9_.]/", '', $field));
 }
 }
diff --git a/public/main/user/career_diagram.php b/public/main/user/career_diagram.php
index a68ec3fb22..8c0c6ecf39 100644
--- a/public/main/user/career_diagram.php
+++ b/public/main/user/career_diagram.php
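Review bot: The new redirect at `if (!(api_is_platform_admin() || api_is_drh()))` runs before `api_protect_admin_script($allowCareer)` (the context of the next hunk), so a session admin that `allow_session_admin_read_careers` is meant to let through — assuming that helper honours the flag — is now bounced to the user page, whose visible check only admits platform admins, DRH and career members; if session admins should keep read access, the redirect condition must also exempt a session admin when `$allowCareer` is set (compute `$allowCareer` first), otherwise the flag is dead on this page. Casting `$_GET['id']` to int before it is concatenated into the Location URL is right. The commented-out `//$userId = …` line should be deleted rather than shipped, and the redirect deserves a one-line comment such as `// api_location() is expected to exit; nothing below may run for non-admin users` — worth confirming, since the admin-only code below otherwise continues for the redirected request.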
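Review bot: `escapeField` now lets `.` through, so malformed values such as `.`, `a..b` or `a.b.c` survive the filter and reach the SQL verbatim; the function strips rather than validates, and with the new `: string` return type callers may read it as a guarantee of a well-formed identifier, which it is not. Since nothing that survives the character class can terminate an unquoted identifier, this stays injection-safe as far as these lines show, and the outer `escape_string` call looks redundant unless it does more than quote-escaping. Add a docblock making the contract explicit: `/** Reduce $field to a bare SQL identifier (letters, digits, _ and . for table.column); every other character is dropped, not escaped, so the result is safe to interpolate unquoted but is not guaranteed to be a valid identifier. */`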
@@ -13,13 +13,15 @@ ALTER TABLE extra_field_values modify column value longtext null;

 require_once __DIR__.'/../inc/global.inc.php';

-if (false == api_get_configuration_value('allow_career_diagram')) {
+if (false === api_get_configuration_value('allow_career_diagram')) {
 api_not_allowed(true);
 }
+api_block_anonymous_users();

 $this_section = SECTION_COURSES;

 $careerId = isset($_GET['career_id']) ? $_GET['career_id'] : 0;
+$userId = isset($_GET['user_id']) ? $_GET['user_id'] : api_get_user_id();

 if (empty($careerId)) {
 api_not_allowed(true);
@@ -30,11 +32,9 @@ $careerInfo = $career->get($careerId);
 if (empty($careerInfo)) {
 api_not_allowed(true);
 }
+$allow = UserManager::userHasCareer($userId, $careerId) || api_is_platform_admin() || api_is_drh();

-$userId = api_get_user_id();
-$allow = UserManager::userHasCareer($userId, $careerId) || api_is_platform_admin();
-
-if (false === $allow) {
+if ($allow === false) {
 api_not_allowed(true);
 }

@@ -80,7 +80,8 @@ if (!empty($itemUrls) && !empty($itemUrls['value'])) {
 }
 }

-$tpl = new Template(get_lang('Diagram'));
+$showFullPage = isset($_REQUEST['iframe']) && 1 === (int) $_REQUEST['iframe'] ? false : true;
+$tpl = new Template(get_lang('Diagram'), $showFullPage, $showFullPage, !$showFullPage);

 $html = Display::page_subheader2($careerInfo['name'].$urlToString);
 $diagram = Career::renderDiagramByColumn($careerInfo, $tpl, $userId);
@@ -96,5 +97,9 @@ if (!empty($diagram)) {
 }

 $tpl->assign('content', $html);
-$layout = $tpl->get_template('career/diagram.tpl');
+if ($showFullPage) {
+ $layout = $tpl->get_template('career/diagram_full.tpl');
+} else {
+ $layout = $tpl->get_template('career/diagram_iframe.tpl');
+}
 $tpl->display($layout);
diff --git a/public/main/user/class.php b/public/main/user/class.php
index 11b01feee2..a00d2d5f13 100644
--- a/public/main/user/class.php
+++ b/public/main/user/class.php
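Review bot: `$userId` is taken raw from `$_GET['user_id']` while the sibling admin page casts its `$_GET['id']` to int; it flows into `UserManager::userHasCareer($userId, $careerId)` and `Career::renderDiagramByColumn(..., $userId)` later in this file, so normalise it at the boundary: `$userId = isset($_GET['user_id']) ? (int) $_GET['user_id'] : api_get_user_id();`. The unchanged `$careerId = isset($_GET['career_id']) ? $_GET['career_id'] : 0;` line just above deserves the same `(int)` cast. Whether the callees query safely on a string value cannot be seen from this hunk; an integer id is the cheapest guarantee either way.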
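Review bot: The new `$allow` line authorises the target user rather than the requester: `$userId` now comes from `$_GET['user_id']` (first hunk) and `UserManager::userHasCareer($userId, $careerId)` is true whenever that user belongs to the career, so any logged-in user can pass another user's id and have `Career::renderDiagramByColumn` draw that user's diagram — a horizontal authorisation bypass. Viewing someone else's diagram must require an elevated role; the rewrite below consults userHasCareer only for the requester's own id and lets platform admins and DRH view other users. Whether a DRH should additionally be limited to users they follow is not decidable from these lines and is worth a follow-up check. `$allow === false` versus the old `false === $allow` is a pure style flip; either is fine, but keep one form across the file.
```php
// … unchanged: $careerInfo lookup and its api_not_allowed() guard …
$currentUserId = (int) api_get_user_id();
$isManager = api_is_platform_admin() || api_is_drh();
// Only admins/DRH may look at a diagram that is not their own (BT#18720 redirect lands here).
if ((int) $userId !== $currentUserId && !$isManager) {
    api_not_allowed(true);
}
$allow = $isManager || UserManager::userHasCareer($userId, $careerId);

if ($allow === false) {
    api_not_allowed(true);
}
```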
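Review bot: `$showFullPage = isset($_REQUEST['iframe']) && 1 === (int) $_REQUEST['iframe'] ? false : true;` relies on `&&` binding tighter than `?:` and then maps a boolean onto its own inverse; `$showFullPage = !(isset($_REQUEST['iframe']) && 1 === (int) $_REQUEST['iframe']);` says the same thing without the precedence trap. `$_REQUEST` also merges POST and, depending on request_order, cookies, whereas `career_id` and `user_id` are read from `$_GET` in this file; reading `iframe` from `$_GET` too keeps the page's inputs in one place. The three positional booleans handed to `Template` would be clearer with a trailing comment naming what each position controls, since the constructor signature is not visible here.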
@@ -7,7 +7,7 @@ $this_section = SECTION_COURSES;

 api_protect_course_script(true, false, 'user');

-if ('false' == api_get_setting('allow_user_course_subscription_by_course_admin')) {
+if ('false' === api_get_setting('allow_user_course_subscription_by_course_admin')) {
 if (!api_is_platform_admin()) {
 api_not_allowed(true);
 }
@@ -17,7 +17,6 @@ $tool_name = get_lang('Classes');

 $htmlHeadXtra[] = api_get_jqgrid_js();

-// Extra entries in breadcrumb
 $interbreadcrumb[] = [
 'url' => 'user.php?'.api_get_cidreq(),
 'name' => get_lang('Users'),
@@ -105,20 +104,9 @@ if (api_is_allowed_to_edit()) {
 if (!empty($id)) {
 $usergroup->unsubscribe_courses_from_usergroup(
 $id,
- [api_get_course_int_id()],
- $sessionId
+ [api_get_course_int_id()]
 );
 Display::addFlash(Display::return_message(get_lang('Deleted')));
- $user_list = $usergroup->get_users_by_usergroup($id);
- if (!empty($user_list)) {
- foreach ($user_list as $user_id) {
- SessionManager::unsubscribe_user_from_session($id, $user_id);
- }
- }
- Database::delete(
- $usergroup->usergroup_rel_session_table,
- ['usergroup_id = ? AND session_id = ?' => [$id, $sessionId]]
- );
 }
 break;
 }
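Review bot: Dropping `$sessionId` from `unsubscribe_courses_from_usergroup` together with the session clean-up below it changes what the unsubscribe action does in a session context, and the commit message says nothing about it; if `$sessionId` is still computed earlier in this file it is now unused on this path, and any `usergroup_rel_session` rows for the class are left behind. If that is intentional — the removed `SessionManager::unsubscribe_user_from_session($id, $user_id)` call passed the usergroup id where a session id was expected, which looks like the defect being removed — record it in a comment, e.g. `// Session membership is deliberately left untouched; this action only detaches the class from the course.`. The enclosing switch and its `api_is_allowed_to_edit()` guard start outside the hunk.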