From c1414b0d53ccf6ce7ed20db17c0b75e29e6a3b88 Mon Sep 17 00:00:00 2001 From: Julio Montoya Date: Wed, 12 Oct 2011 17:51:26 +0200 Subject: [PATCH] Resolving bug that let students see assignments, adding a new rule in courses/.htaccess see BT#3081 --- main/install/htaccess.dist | 1 + main/work/download.php | 26 +++++++++++++++----------- main/work/work.lib.php | 38 ++++---------------------------------- main/work/work.php | 24 ++++++++++-------------- 4 files changed, 30 insertions(+), 59 deletions(-) mode change 100755 => 100644 main/install/htaccess.dist mode change 100755 => 100644 main/work/download.php diff --git a/main/install/htaccess.dist b/main/install/htaccess.dist old mode 100755 new mode 100644 index a1365a34d8..cfc23e572d --- a/main/install/htaccess.dist +++ b/main/install/htaccess.dist @@ -18,4 +18,5 @@ RewriteCond %{REQUEST_URI} !^{CHAMILO_URL_APPEND_PATH}/main/ RewriteRule ([^/]+)/document/(.*)&(.*)$ $1/document/$2///$3 [N] #rewrite everything in the document folder of a course to the download script RewriteRule ([^/]+)/document/(.*)$ {CHAMILO_URL_APPEND_PATH}/main/document/download.php?doc_url=/$2&cDir=$1 [QSA,L] +RewriteRule ([^/]+)/work/(.*)$ {CHAMILO_URL_APPEND_PATH}/main/work/download.php?file=work/$2&cDir=$1 [QSA,L] \ No newline at end of file diff --git a/main/work/download.php b/main/work/download.php old mode 100755 new mode 100644 index 68ae97012d..b0785902e4 --- a/main/work/download.php +++ b/main/work/download.php 
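Review bot: The new `work/` rewrite has no explanatory comment, although the document rule directly above it has one and this rule is what enforces the BT#3081 access check; add `#route every file under a course's work folder through the download script so permissions are checked (BT#3081)` above it. The rule passes the path as `file=work/$2`, while the download.php hunk in this patch operates on `$doc_url` and the code that populates `$doc_url` is outside that hunk, so confirm the script actually reads the `file` parameter. If courses/.htaccess is generated from this template only at install time, existing deployments will not pick the rule up on upgrade and the commit message should say so. The added line also leaves the file without a trailing newline, as the `\ No newline at end of file` marker shows.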
@@ -36,21 +36,25 @@ if (!isset($_course)) { api_not_allowed(true); } -$full_file_name = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/'.$doc_url; +$full_file_name = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/'.$doc_url; $tbl_student_publication = Database::get_course_table(TABLE_STUDENT_PUBLICATION); // launch event +$doc_url = Database::escape_string($doc_url); event_download($doc_url); -$doc_url = Database::escape_string($doc_url); -$sql = 'SELECT title FROM '.$tbl_student_publication.'WHERE url LIKE BINARY "'.$doc_url.'"'; - -$result = Database::query($sql); -if (Database::num_rows($result) > 0) { - $row = Database::fetch_array($result); - $title = str_replace(' ', '_', $row['title']); - if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH).api_get_course_path().'/')) { - DocumentManager::file_send_for_download($full_file_name, true, $title); - } +if (!empty($_course['real_id'])) { + $sql = 'SELECT * FROM '.$tbl_student_publication.'WHERE c_id = '.$_course['real_id'].' AND url LIKE BINARY "'.$doc_url.'"'; + $result = Database::query($sql); + if ($result && Database::num_rows($result)) { + $row = Database::fetch_array($result, 'ASSOC'); + $course_info = CourseManager::get_course_information(api_get_course_id()); + if (($row['user_id'] == api_get_user_id() || api_is_allowed_to_edit()) || (!empty($course_info) && $course_info['show_score'] == 0) ) { + $title = str_replace(' ', '_', $row['title']); + if (Security::check_abs_path($full_file_name, api_get_path(SYS_COURSE_PATH).api_get_course_path().'/')) { + DocumentManager::file_send_for_download($full_file_name, true, $title); + } + } + } } exit; \ No newline at end of file diff --git a/main/work/work.lib.php b/main/work/work.lib.php index b5ebe49234..44553e80f6 100644 --- a/main/work/work.lib.php +++ b/main/work/work.lib.php 
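Review bot: A request that fails the new ownership check falls through silently to `exit` with an empty response, and `event_download($doc_url)` has already been recorded by then, so denied and successful requests are indistinguishable in the event log; add an explicit branch such as `} else { api_not_allowed(true); }` after the permission `if`, and consider logging the download only where the file is actually sent. The `$course_info['show_score'] == 0` guard is a loose comparison: `!empty($course_info)` does not guarantee the key exists and `null == 0` is true, so a missing value would open the file to every course member — prefer `isset($course_info['show_score']) && (int) $course_info['show_score'] === 0`, and likewise `(int) $row['user_id'] === (int) api_get_user_id()`. `$_course['real_id']` is concatenated into the SQL unescaped; an `(int)` cast costs nothing. The query also relies on the table-name helper supplying the space before `WHERE` (`$tbl_student_publication.'WHERE c_id`), a fragile idiom that predates this hunk but is worth an explicit space.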
@@ -206,35 +206,6 @@ function display_studentsdelete_form() { , Ghent University - * @version march 2006 - */ -function display_user_link_work($user_id, $name = '', $gradebook='') { - global $_otherusers; - $user_id = intval($user_id); - - if ($user_id != 0) { - $table_user = Database::get_main_table(TABLE_MAIN_USER); - $sql = "SELECT user_id, firstname, lastname FROM $table_user WHERE user_id='".Database::escape_string($user_id)."'"; - $result = Database::query($sql); - $row = Database::fetch_array($result); - if ($name == '') { - return ''.api_get_person_name($row['firstname'], $row['lastname']).''; - } else { - return ''.$name.''; - } - } else { - return $name.' ('.get_lang('Anonymous').')'; - } -} - /** * converts 2008-10-06 12:45:00 to timestamp * @deprecated any calls found @@ -880,8 +851,7 @@ function display_student_publications_list($id, $link_target_parameter, $dateFor if (!$is_allowed_to_edit && $item_property_data['insert_user_id'] == api_get_user_id()) { $is_author = true; - } - + } $user_info = api_get_user_info($item_property_data['insert_user_id']); //display info depending on the permissions @@ -919,6 +889,7 @@ function display_student_publications_list($id, $link_target_parameter, $dateFor if ($qualification_exists) { $row[] = $qualification_string; } + $work_sent_date_local = api_get_local_time($work->sent_date); $row[] = date_to_str_ago($work_sent_date_local).$add_string.'
'.api_format_date($work_sent_date_local).''; @@ -937,12 +908,11 @@ function display_student_publications_list($id, $link_target_parameter, $dateFor $action .= ''.Display::return_icon('delete.png', get_lang('WorkDelete'),'',22).''; $row[] = $action; // the user that is not course admin can only edit/delete own document - } elseif ($is_author && empty($work->qualification)) { + } elseif ($is_author && empty($work->qualificator_id)) { if (!$table_has_actions_column) { $table_header[] = array(get_lang('Actions'), false, 'style="width:90px"'); $table_has_actions_column = true; - } - + } $action = ''; $action .= ''.Display::return_icon('edit.png', get_lang('Modify'),array(), 22).''; if (api_get_course_setting('student_delete_own_publication') == 1) { diff --git a/main/work/work.php b/main/work/work.php index 422dc16588..c71cbef40d 100644 --- a/main/work/work.php +++ b/main/work/work.php @@ -318,9 +318,9 @@ $is_allowed_to_edit = api_is_allowed_to_edit(); //has to come after display_tool /* MAIN CODE */ -if (!empty ($_POST['changeProperties'])) { +if (!empty($_POST['changeProperties'])) { // changing the tool setting: default visibility of an uploaded document - $query = "UPDATE " . $main_course_table . " SET show_score='" . $uploadvisibledisabled . "' WHERE code='" . $_course['sysCode'] . "'"; + $query = "UPDATE " . $main_course_table . " SET show_score='" . $uploadvisibledisabled . "' WHERE code='" . api_get_course_id() . "'"; Database::query($query); // changing the tool setting: is a student allowed to delete his/her own document 
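Review bot: The new `elseif ($is_author && empty($work->qualificator_id))` condition encodes a rule — an author loses edit/delete rights once a grader has been assigned — that nothing in the code states, and a future reader seeing a work with score 0 still editable may revert it to `empty($work->qualification)`. Add a comment above it, e.g. `// authors may only modify ungraded work; test qualificator_id rather than qualification because a legitimate score of 0 is 'empty'` (that reading is inferred from the two field names and should be confirmed). `empty()` also treats the string `'0'` as unset, which is presumably the intended meaning for an unassigned grader but depends on how `qualificator_id` is stored. The enclosing `display_student_publications_list()` starts and ends outside this hunk.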
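Review bot: `api_get_course_id()` is concatenated straight into the `UPDATE ... WHERE code='...'` string, exactly as `$_course['sysCode']` was before, and the same statement builds on `$uploadvisibledisabled`, which is assigned outside this hunk, so neither operand is visibly validated here. Course codes are normally system-controlled, but wrapping it as `Database::escape_string(api_get_course_id())` and casting the flag with `(int)` where it is assigned would match the `escape_string` discipline the next hunk applies to the `student_delete_own_publication` value. The `if (!empty($_POST['changeProperties']))` block continues past the end of this hunk.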
@@ -328,19 +328,19 @@ if (!empty ($_POST['changeProperties'])) { $table_course_setting = Database :: get_course_table(TOOL_COURSE_SETTING); // counting the number of occurrences of this setting (if 0 => add, if 1 => update) - $query = "SELECT * FROM " . $table_course_setting . " WHERE variable = 'student_delete_own_publication'"; + $query = "SELECT * FROM " . $table_course_setting . " WHERE c_id = $course_id AND variable = 'student_delete_own_publication'"; $result = Database::query($query); $number_of_setting = Database::num_rows($result); if ($number_of_setting == 1) { - $query = "UPDATE " . $table_course_setting . " SET value='" . Database::escape_string($_POST['student_delete_own_publication']) . "' WHERE variable='student_delete_own_publication' and c_id = $course_id"; + $query = "UPDATE " . $table_course_setting . " SET value='" . Database::escape_string($_POST['student_delete_own_publication']) . "' + WHERE variable='student_delete_own_publication' AND c_id = $course_id"; Database::query($query); } else { $query = "INSERT INTO " . $table_course_setting . " (c_id, variable, value, category) VALUES ($course_id, 'student_delete_own_publication','" . Database::escape_string($_POST['student_delete_own_publication']) . "','work')"; Database::query($query); } - $_course['show_score'] = $uploadvisibledisabled; } else { $query = "SELECT * FROM " . $main_course_table . " WHERE code=\"" . $_course['sysCode'] . "\""; @@ -740,8 +740,7 @@ else { $file_deleted = false; //Get the author ID for that document from the item_property table $author_sql = "SELECT * FROM $iprop_table WHERE c_id = $course_id AND tool = 'work' AND insert_user_id='$user_id' AND ref=" .Database::escape_string($delete); - $author_qry = Database::query($author_sql); - + $author_qry = Database::query($author_sql); if ((Database :: num_rows($author_qry) == 1 AND api_get_course_setting('student_delete_own_publication') == 1) || api_is_allowed_to_edit(null,true)) { //we found the current user is the author 
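Review bot: `$_POST['student_delete_own_publication']` is persisted after `Database::escape_string()` only, which prevents injection but not an arbitrary value, while the consumer elsewhere compares `api_get_course_setting('student_delete_own_publication') == 1`; normalise it once, e.g. `$student_delete = isset($_POST['student_delete_own_publication']) ? intval($_POST['student_delete_own_publication']) : 0;`, and use that variable in both the UPDATE and the INSERT. Dropping `$_course['show_score'] = $uploadvisibledisabled;` means the in-memory course array is no longer refreshed after the UPDATE; if anything later in work.php still reads `$_course['show_score']` during the same request it now sees the stale value, which is worth checking because only the `else` branch re-queries the course table. `$course_id` is interpolated into all three queries and is defined outside the hunk, so confirm it is an integer. The enclosing `if (!empty($_POST['changeProperties']))` block begins before this hunk.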
@@ -1150,7 +1149,6 @@ if ($is_course_member) { //require_once api_get_path(LIBRARY_PATH).'formvalidator/FormValidator.class.php'; require_once api_get_path(LIBRARY_PATH).'fileDisplay.lib.php'; - $form = new FormValidator('form', 'POST', api_get_self() . "?id=".$work_id."curdirpath=" . rtrim(Security :: remove_XSS($curdirpath),'/') . "&gradebook=".Security::remove_XSS($_GET['gradebook'])."&origin=$origin", '', 'enctype="multipart/form-data"'); // form title @@ -1194,12 +1192,7 @@ if ($is_course_member) { $titleWork = $form->addElement('text', 'title', get_lang('TitleWork'), 'id="file_upload" style="width: 350px;"'); $defaults['title'] = $edit ? stripslashes($workTitle) : stripslashes($title); - //Removed to avoid incoherences - //$titleAuthors = $form->addElement('text', 'authors', get_lang("Authors"), 'style="width: 350px;"'); - - //if (empty ($authors)) { $authors = api_get_person_name($_user['firstName'], $_user['lastName']); - //} //$defaults["authors"] = ($edit ? stripslashes($workAuthor) : stripslashes($authors)); $titleAuthors = $form->addElement('textarea', 'description', get_lang("Description"), 'style="width: 350px; height: 60px;"'); @@ -1247,7 +1240,10 @@ if ($is_course_member) { $form->add_real_progress_bar('uploadWork', 'file'); } $form->setDefaults($defaults); - $form->display(); + //fixes bug when showing modification form + if (empty($edit) || (!empty($edit) && ($is_allowed_to_edit or $is_author))) { + $form->display(); + } }
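Review bot: The new guard around `$form->display()` only hides the edit form; whether the POST handler that processes the submitted edit applies the same `$is_allowed_to_edit || $is_author` test is not visible in this hunk, and hiding a form is not an authorisation check, so that handler should be verified or the check duplicated there. The condition simplifies, since `!empty($edit)` is implied once `empty($edit)` is false, to `if (empty($edit) || $is_allowed_to_edit || $is_author) {`, and `||` instead of `or` keeps precedence unsurprising. `$is_author` is not assigned anywhere in this hunk; if it is only set inside `display_student_publications_list()` in work.lib.php, it is undefined here and the guard degrades to `$is_allowed_to_edit` alone with a notice — confirm it is set in work.php's scope. The comment `//fixes bug when showing modification form` records history rather than the rule; `// only the author or a course editor may see the modification form for an existing work` says what the condition enforces. The enclosing `if ($is_course_member)` block opens before this hunk.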