Resolving bug that let students see assignments, adding a new rule in courses/.htaccess see BT#3081

Julio Montoya 14 years ago
parent 4a76aba5f8
commit c1414b0d53
  1. 1
      main/install/htaccess.dist
  2. 26
      main/work/download.php
  3. 38
      main/work/work.lib.php
  4. 24
      main/work/work.php

@ -18,4 +18,5 @@ RewriteCond %{REQUEST_URI} !^{CHAMILO_URL_APPEND_PATH}/main/
RewriteRule ([^/]+)/document/(.*)&(.*)$ $1/document/$2///$3 [N]
#rewrite everything in the document folder of a course to the download script
RewriteRule ([^/]+)/document/(.*)$ {CHAMILO_URL_APPEND_PATH}/main/document/download.php?doc_url=/$2&cDir=$1 [QSA,L]
RewriteRule ([^/]+)/work/(.*)$ {CHAMILO_URL_APPEND_PATH}/main/work/download.php?file=work/$2&cDir=$1 [QSA,L]
</IfModule>
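Review bot: The new work rule on L20 has no counterpart of the `&`-splitting rule that L17 applies to document paths, so a work file whose name contains `&` is cut at the first `&` and the remainder arrives in download.php as extra query parameters instead of as part of `file=`; if such names can exist, a `[N]` rule for `work/` mirroring L17 is needed, together with whatever decoding main/work/download.php does for the `///` form. The pattern is unanchored at the start and `(.*)` accepts `..` segments, so path containment and the ownership/visibility decision rest entirely on the download script rather than on the rewrite. A comment above the rule would make that dependency explicit: `# work files: containment and access checks are enforced by main/work/download.php, not here`.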

@ -36,21 +36,25 @@ if (!isset($_course)) {
api_not_allowed(true);
}
$full_file_name = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/'.$doc_url;
$full_file_name = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/'.$doc_url;
$tbl_student_publication = Database::get_course_table(TABLE_STUDENT_PUBLICATION);
// launch event
$doc_url = Database::escape_string($doc_url);
event_download($doc_url);
$doc_url = Database::escape_string($doc_url);
$sql = 'SELECT title FROM '.$tbl_student_publication.'WHERE url LIKE BINARY "'.$doc_url.'"';
$result = Database::query($sql);
if (Database::num_rows($result) > 0) {
$row = Database::fetch_array($result);
$title = str_replace(' ', '_', $row['title']);
if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH).api_get_course_path().'/')) {
DocumentManager::file_send_for_download($full_file_name, true, $title);
}
if (!empty($_course['real_id'])) {
$sql = 'SELECT * FROM '.$tbl_student_publication.'WHERE c_id = '.$_course['real_id'].' AND url LIKE BINARY "'.$doc_url.'"';
$result = Database::query($sql);
if ($result && Database::num_rows($result)) {
$row = Database::fetch_array($result, 'ASSOC');
$course_info = CourseManager::get_course_information(api_get_course_id());
if (($row['user_id'] == api_get_user_id() || api_is_allowed_to_edit()) || (!empty($course_info) && $course_info['show_score'] == 0) ) {
$title = str_replace(' ', '_', $row['title']);
if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH).api_get_course_path().'/')) {
DocumentManager::file_send_for_download($full_file_name, true, $title);
}
}
}
}
exit;
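Review bot: The row lookup on L42 keeps `LIKE BINARY` on a value that `Database::escape_string` does not protect against `%` and `_`, so a request path containing those characters can match a row other than the one for the file actually served (L26 builds the on-disk path from the unescaped `$doc_url`), and the ownership decision on L47 is then taken against an arbitrary matching row; an exact comparison is what is intended, `' AND url = "'.$doc_url.'"'`, and `$_course['real_id']` on the same line should be cast with `intval()` rather than interpolated raw. The ownership test on L47 is a loose `==`; if api_get_user_id() yields 0 for an anonymous visitor, a row with a zero or NULL `user_id` would satisfy it, so compare strictly and require a logged-in user: `((int) $row['user_id'] === (int) api_get_user_id() && api_get_user_id() > 0)`. The `show_score == 0` branch serves any student's file to whoever reaches this script; L24 only checks that `$_course` is set, and whether course membership is verified earlier is outside the hunk, so that should be confirmed before relying on it.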

@ -206,35 +206,6 @@ function display_studentsdelete_form() {
<?php
}
/**
* This function displays the firstname and lastname of the user as a link to the user tool.
*
* @see this is the same function as in the new forum, so this probably has to move to a user library.
*
* @todo move this function to the user library (remove duplicate in dropbox_functions.inc.php)
*
* @author Patrick Cool <patrick.cool@UGent.be>, Ghent University
* @version march 2006
*/
function display_user_link_work($user_id, $name = '', $gradebook='') {
global $_otherusers;
$user_id = intval($user_id);
if ($user_id != 0) {
$table_user = Database::get_main_table(TABLE_MAIN_USER);
$sql = "SELECT user_id, firstname, lastname FROM $table_user WHERE user_id='".Database::escape_string($user_id)."'";
$result = Database::query($sql);
$row = Database::fetch_array($result);
if ($name == '') {
return '<a href="../user/userInfo.php?cidReq='.api_get_course_id().'&amp;gradebook='.$gradebook.'&amp;origin=&amp;uInfo='.$row['user_id'].'">'.api_get_person_name($row['firstname'], $row['lastname']).'</a>';
} else {
return '<a href="../user/userInfo.php?cidReq='.api_get_course_id().'&amp;gradebook='.$gradebook.'&amp;origin=&amp;uInfo='.$user_id.'">'.$name.'</a>';
}
} else {
return $name.' ('.get_lang('Anonymous').')';
}
}
/**
* converts 2008-10-06 12:45:00 to timestamp
* @deprecated any calls found
@ -880,8 +851,7 @@ function display_student_publications_list($id, $link_target_parameter, $dateFor
if (!$is_allowed_to_edit && $item_property_data['insert_user_id'] == api_get_user_id()) {
$is_author = true;
}
}
$user_info = api_get_user_info($item_property_data['insert_user_id']);
//display info depending on the permissions
@ -919,6 +889,7 @@ function display_student_publications_list($id, $link_target_parameter, $dateFor
if ($qualification_exists) {
$row[] = $qualification_string;
}
$work_sent_date_local = api_get_local_time($work->sent_date);
$row[] = date_to_str_ago($work_sent_date_local).$add_string.'<br /><span class="dropbox_date">'.api_format_date($work_sent_date_local).'</span>';
@ -937,12 +908,11 @@ function display_student_publications_list($id, $link_target_parameter, $dateFor
$action .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&id='.$my_folder_data['id'].'&curdirpath='.urlencode($my_sub_dir).'&amp;origin='.$origin.'&gradebook='.$gradebook.'&amp;delete='.$work->id.'" onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang('ConfirmYourChoice'),ENT_QUOTES))."'".')) return false;" title="'.get_lang('WorkDelete').'" >'.Display::return_icon('delete.png', get_lang('WorkDelete'),'',22).'</a>';
$row[] = $action;
// the user that is not course admin can only edit/delete own document
} elseif ($is_author && empty($work->qualification)) {
} elseif ($is_author && empty($work->qualificator_id)) {
if (!$table_has_actions_column) {
$table_header[] = array(get_lang('Actions'), false, 'style="width:90px"');
$table_has_actions_column = true;
}
}
$action = '';
$action .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&id='.$my_folder_data['id'].'&curdirpath='.urlencode($my_sub_dir).'&gradebook='.Security::remove_XSS($_GET['gradebook']).'&amp;origin='.$origin.'&gradebook='.$gradebook.'&amp;edit='.$work->id.'" title="'.get_lang('Modify').'" >'.Display::return_icon('edit.png', get_lang('Modify'),array(), 22).'</a>';
if (api_get_course_setting('student_delete_own_publication') == 1) {
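Review bot: The edit link on L115 emits the `gradebook` parameter twice, once as `Security::remove_XSS($_GET['gradebook'])` and again as `$gradebook`, and mixes `&` with `&amp;`, whereas the delete link built on L104 in the same hunk uses only `$gradebook`; dropping the fragment `'&gradebook='.Security::remove_XSS($_GET['gradebook'])` makes the two links agree. `remove_XSS` is an HTML sanitizer rather than a URL encoder, so a raw request value should not be placed into an href with it even where it is kept; `urlencode()` is the right tool, as already done for `$my_sub_dir` on that line. The enclosing display_student_publications_list() starts and ends outside this hunk.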

@ -318,9 +318,9 @@ $is_allowed_to_edit = api_is_allowed_to_edit(); //has to come after display_tool
/* MAIN CODE */
if (!empty ($_POST['changeProperties'])) {
if (!empty($_POST['changeProperties'])) {
// changing the tool setting: default visibility of an uploaded document
$query = "UPDATE " . $main_course_table . " SET show_score='" . $uploadvisibledisabled . "' WHERE code='" . $_course['sysCode'] . "'";
$query = "UPDATE " . $main_course_table . " SET show_score='" . $uploadvisibledisabled . "' WHERE code='" . api_get_course_id() . "'";
Database::query($query);
// changing the tool setting: is a student allowed to delete his/her own document
@ -328,19 +328,19 @@ if (!empty ($_POST['changeProperties'])) {
$table_course_setting = Database :: get_course_table(TOOL_COURSE_SETTING);
// counting the number of occurrences of this setting (if 0 => add, if 1 => update)
$query = "SELECT * FROM " . $table_course_setting . " WHERE variable = 'student_delete_own_publication'";
$query = "SELECT * FROM " . $table_course_setting . " WHERE c_id = $course_id AND variable = 'student_delete_own_publication'";
$result = Database::query($query);
$number_of_setting = Database::num_rows($result);
if ($number_of_setting == 1) {
$query = "UPDATE " . $table_course_setting . " SET value='" . Database::escape_string($_POST['student_delete_own_publication']) . "' WHERE variable='student_delete_own_publication' and c_id = $course_id";
$query = "UPDATE " . $table_course_setting . " SET value='" . Database::escape_string($_POST['student_delete_own_publication']) . "'
WHERE variable='student_delete_own_publication' AND c_id = $course_id";
Database::query($query);
} else {
$query = "INSERT INTO " . $table_course_setting . " (c_id, variable, value, category) VALUES
($course_id, 'student_delete_own_publication','" . Database::escape_string($_POST['student_delete_own_publication']) . "','work')";
Database::query($query);
}
$_course['show_score'] = $uploadvisibledisabled;
} else {
$query = "SELECT * FROM " . $main_course_table . " WHERE code=\"" . $_course['sysCode'] . "\"";
@ -740,8 +740,7 @@ else {
$file_deleted = false;
//Get the author ID for that document from the item_property table
$author_sql = "SELECT * FROM $iprop_table WHERE c_id = $course_id AND tool = 'work' AND insert_user_id='$user_id' AND ref=" .Database::escape_string($delete);
$author_qry = Database::query($author_sql);
$author_qry = Database::query($author_sql);
if ((Database :: num_rows($author_qry) == 1 AND api_get_course_setting('student_delete_own_publication') == 1) || api_is_allowed_to_edit(null,true)) {
//we found the current user is the author
@ -1150,7 +1149,6 @@ if ($is_course_member) {
//require_once api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php';
require_once api_get_path(LIBRARY_PATH).'fileDisplay.lib.php';
$form = new FormValidator('form', 'POST', api_get_self() . "?id=".$work_id."curdirpath=" . rtrim(Security :: remove_XSS($curdirpath),'/') . "&gradebook=".Security::remove_XSS($_GET['gradebook'])."&origin=$origin", '', 'enctype="multipart/form-data"');
// form title
@ -1194,12 +1192,7 @@ if ($is_course_member) {
$titleWork = $form->addElement('text', 'title', get_lang('TitleWork'), 'id="file_upload" style="width: 350px;"');
$defaults['title'] = $edit ? stripslashes($workTitle) : stripslashes($title);
//Removed to avoid incoherences
//$titleAuthors = $form->addElement('text', 'authors', get_lang("Authors"), 'style="width: 350px;"');
//if (empty ($authors)) {
$authors = api_get_person_name($_user['firstName'], $_user['lastName']);
//}
//$defaults["authors"] = ($edit ? stripslashes($workAuthor) : stripslashes($authors));
$titleAuthors = $form->addElement('textarea', 'description', get_lang("Description"), 'style="width: 350px; height: 60px;"');
@ -1247,7 +1240,10 @@ if ($is_course_member) {
$form->add_real_progress_bar('uploadWork', 'file');
}
$form->setDefaults($defaults);
$form->display();
//fixes bug when showing modification form
if (empty($edit) || (!empty($edit) && ($is_allowed_to_edit or $is_author))) {
$form->display();
}
}
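Review bot: The author lookup on L150 interpolates `$delete` into an unquoted numeric comparison after `Database::escape_string`, which only escapes quote characters and so does nothing against a value such as `0 OR ref=5 LIMIT 1` that still yields exactly one row and satisfies the `num_rows == 1` gate on L153; the delete links in work.lib.php point back to this script with `delete=<id>`, so this presumably comes from the request and should be cast before use, `AND ref=" . intval($delete);`. The same treatment applies to `$user_id` on that line if it is not already an integer. What is actually deleted after the gate passes is outside the hunk, as is the start of the enclosing `else {` block, so the effect of a crafted value cannot be confirmed from here.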
