From cdaf3abee94ca5f78c45640fbbbfd0371192a7d2 Mon Sep 17 00:00:00 2001
From: jmontoyaa
Date: Wed, 18 Apr 2018 08:43:46 +0200
Subject: [PATCH] Block access for unauthorised users
---
 main/gradebook/certificate_report.php | 11 +++++++++--
 main/mySpace/course.php | 9 ++++++++-
 main/mySpace/index.php | 12 ++++++++----
 main/mySpace/session.php | 17 +++++++++++------
 main/mySpace/teachers.php | 14 ++++++++++----
 main/tracking/exams.php | 4 ++--
 6 files changed, 48 insertions(+), 19 deletions(-)
diff --git a/main/gradebook/certificate_report.php b/main/gradebook/certificate_report.php
index 9ab239adfc..0c961bc6a3 100644
--- a/main/gradebook/certificate_report.php
+++ b/main/gradebook/certificate_report.php
@@ -14,10 +14,17 @@ $cidReset = true;
 require_once __DIR__.'/../inc/global.inc.php';
-$this_section = SECTION_TRACKING;
-
 api_block_anonymous_users();
+$is_allowedToTrack = api_is_platform_admin(true) || api_is_student_boss();
+
+if (!$is_allowedToTrack) {
+ api_not_allowed(true);
+}
+
+
+$this_section = SECTION_TRACKING;
+
 $interbreadcrumb[] = [
 "url" => api_is_student_boss() ? "#" : api_get_path(WEB_CODE_PATH)."mySpace/index.php?".api_get_cidreq(),
 "name" => get_lang("MySpace"),
diff --git a/main/mySpace/course.php b/main/mySpace/course.php
index a53a2bb256..b545f2bec5 100755
--- a/main/mySpace/course.php
+++ b/main/mySpace/course.php
@@ -15,6 +15,13 @@ $this_section = SECTION_TRACKING;
 $sessionId = isset($_GET['session_id']) ? intval($_GET['session_id']) : null;
 api_block_anonymous_users();
+
+$allowToTrack = api_is_platform_admin(true, true) || api_is_teacher();
+
+if (!$allowToTrack) {
+ api_not_allowed(true);
+}
+
 $interbreadcrumb[] = ["url" => "index.php", "name" => get_lang('MySpace')];
 if (isset($_GET["id_session"]) && $_GET["id_session"] != "") {
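Review bot: The gate `api_is_platform_admin(true) || api_is_student_boss()` passes only one argument to `api_is_platform_admin`, while course.php, index.php, session.php and teachers.php in this same commit pass `(true, true)`; if the second argument is the DRH flag, as the replacement of `api_is_drh()` in course.php suggests, a DRH admitted to the mySpace pages is rejected on the certificate report. If that is intended, a comment on the line, `// DRH are deliberately not admitted here`, would stop a later maintainer from aligning it by mistake; otherwise align the call. The same four-line block (compute a flag, `if (!$flag) { api_not_allowed(true); }`) is copied into all five files under two names, `$is_allowedToTrack` and `$allowToTrack`, so a single helper in the API layer that takes the extra role checks as a parameter would keep the rule consistent and auditable in one place. The two consecutive blank lines after the closing brace are one more than PSR-12 allows.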
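Review bot: The new gate is a role check only: `api_is_teacher()` admits any account with teacher status, and `$sessionId` is taken straight from the query string on the line above it, so the gate by itself does not stop a teacher from requesting a session they do not coach. Whether the rest of course.php restricts non-admin callers to their own courses and sessions is outside this hunk; if it does not, the teacher path should derive the permitted sessions from `api_get_user_id()` rather than trust `$_GET['session_id']`. A comment on the gate line, `// role gate only; per-course/session authorisation happens below`, would make that division of responsibility explicit.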
@@ -58,7 +65,7 @@ Display :: display_header(get_lang('Courses'));
 $user_id = 0;
 $a_courses = [];
 $menu_items = [];
-if (api_is_drh() || api_is_session_admin() || api_is_platform_admin()) {
+if (api_is_platform_admin(true, true)) {
 $title = '';
 if (empty($sessionId)) {
 if (isset($_GET['user_id'])) {
diff --git a/main/mySpace/index.php b/main/mySpace/index.php
index ebb147e8f3..6e88e7a331 100755
--- a/main/mySpace/index.php
+++ b/main/mySpace/index.php
@@ -36,12 +36,16 @@ $is_session_admin = api_is_session_admin();
 $title = '';
 $skipData = api_get_configuration_value('tracking_skip_generic_data');
+
 // Access control
 api_block_anonymous_users();
-/*
-if (!$export_csv) {
- Display :: display_header($nameTools);
-} */
+
+$allowToTrack = api_is_platform_admin(true, true) ||
+ api_is_allowed_to_create_course();
+
+if (!$allowToTrack) {
+ api_not_allowed(true);
+}
 if ($is_session_admin) {
 header('location:session.php');
diff --git a/main/mySpace/session.php b/main/mySpace/session.php
index cf25b42ffe..65021523bd 100755
--- a/main/mySpace/session.php
+++ b/main/mySpace/session.php
@@ -15,9 +15,6 @@ api_block_anonymous_users();
 $this_section = SECTION_TRACKING;
 api_block_anonymous_users();
-$htmlHeadXtra[] = api_get_jqgrid_js();
-$interbreadcrumb[] = ["url" => "index.php", "name" => get_lang('MySpace')];
-Display::display_header(get_lang('Sessions'));
 $export_csv = false;
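Review bot: `api_is_platform_admin(true, true)` replaces `api_is_drh() || api_is_session_admin() || api_is_platform_admin()`, which is equivalent only if the two boolean arguments admit session admins and DRH respectively; the call site no longer says so, and a reader now sees what looks like an admin-only branch guarding the `$_GET['user_id']` lookup. The same substitution appears in session.php, so consider naming the intent once, e.g. `$isTrackingAdmin = api_is_platform_admin(true, true); // also admits session admins and DRH, as the former condition did`, and testing that variable in both places. The body of this branch continues outside the hunk.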
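Review bot: `api_is_allowed_to_create_course()` is a capability rather than a role: it holds for teachers, but if the platform setting that lets ordinary users create courses is enabled it presumably holds for those users too, who would then reach the tracking index; teachers.php uses the same gate. If only staff should see this page, gate on `api_is_teacher()` as course.php and session.php do in this commit, or record why course creators are the intended audience in a comment on the `$allowToTrack` line. The gate also depends on `api_not_allowed()` never returning; extending the existing comment to `// Access control: api_not_allowed() ends the request` states that dependency where the next reader will look. Minor: the continuation line of the condition is indented by a single space in the patch as shown here, which PSR-12 would have at one indent level.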
@@ -25,15 +22,23 @@ if (isset($_GET['export']) && $_GET['export'] == 'csv') {
 $export_csv = true;
 }
-/* MAIN CODE */
-
 if (isset($_GET['id_coach']) && $_GET['id_coach'] != '') {
 $id_coach = intval($_GET['id_coach']);
 } else {
 $id_coach = api_get_user_id();
 }
-if (api_is_drh() || api_is_session_admin() || api_is_platform_admin()) {
+$allowToTrack = api_is_platform_admin(true, true) || api_is_teacher();
+
+if (!$allowToTrack) {
+ api_not_allowed(true);
+}
+
+$htmlHeadXtra[] = api_get_jqgrid_js();
+$interbreadcrumb[] = ["url" => "index.php", "name" => get_lang('MySpace')];
+Display::display_header(get_lang('Sessions'));
+
+if (api_is_platform_admin(true, true)) {
 $a_sessions = SessionManager::get_sessions_followed_by_drh(api_get_user_id());
 if (!api_is_session_admin()) {
diff --git a/main/mySpace/teachers.php b/main/mySpace/teachers.php
index 6506fa6228..044e721da4 100755
--- a/main/mySpace/teachers.php
+++ b/main/mySpace/teachers.php
@@ -9,15 +9,21 @@ $cidReset = true;
 require_once __DIR__.'/../inc/global.inc.php';
+api_block_anonymous_users();
+
+$allowToTrack = api_is_platform_admin(true, true) ||
+ api_is_allowed_to_create_course();
+
+if (!$allowToTrack) {
+ api_not_allowed(true);
+}
+
+
 $export_csv = isset($_GET['export']) && $_GET['export'] == 'csv' ? true : false;
 $keyword = isset($_GET['keyword']) ? Security::remove_XSS($_GET['keyword']) : null;
 $active = isset($_GET['active']) ? intval($_GET['active']) : 1;
 $sleepingDays = isset($_GET['sleeping_days']) ? intval($_GET['sleeping_days']) : null;
-
 $nameTools = get_lang('Teachers');
-
-api_block_anonymous_users();
-
 $this_section = SECTION_TRACKING;
 $interbreadcrumb[] = ["url" => "index.php", "name" => get_lang('MySpace')];
diff --git a/main/tracking/exams.php b/main/tracking/exams.php
index 2aca96026f..614a289117 100755
--- a/main/tracking/exams.php
+++ b/main/tracking/exams.php
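Review bot: `$id_coach` is read from `$_GET['id_coach']` just above the new gate, and the gate only establishes that the caller is a teacher or an admin, so a teacher can still name any coach id; the non-admin branch that presumably consumes `$id_coach` lies outside this hunk and should force `$id_coach = api_get_user_id()` unless `api_is_platform_admin(true, true)` holds. Moving `Display::display_header()` and the breadcrumb below the gate is the right order, since `api_not_allowed(true)` produces its own page. A comment above the `if (isset($_GET['id_coach'])` block, `// id_coach is honoured only for admins; non-admins are pinned to their own id below`, would tie the parameter to its check once that check is in place.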
@@ -12,10 +12,10 @@ $toolTable = Database::get_course_table(TABLE_TOOL_LIST);
 $quizTable = Database::get_course_table(TABLE_QUIZ_TEST);
 $this_section = SECTION_TRACKING;
-$is_allowedToTrack = $is_courseAdmin || $is_platformAdmin || $is_session_general_coach || $is_sessionAdmin;
+$is_allowedToTrack = $is_courseAdmin || api_is_platform_admin(true) || $is_session_general_coach;
 if (!$is_allowedToTrack) {
- api_not_allowed();
+ api_not_allowed(true);
 }
 $exportToXLS = false;
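Review bot: The new condition mixes the legacy globals `$is_courseAdmin` and `$is_session_general_coach`, set by the bootstrap outside this hunk, with a direct `api_is_platform_admin(true)` call, and it passes one argument where the mySpace pages in this commit pass `(true, true)`; if DRH are meant to stay out of the exam report, which is plausible for a course-scoped page, say so in a comment on that line, otherwise align the call. Dropping `$is_sessionAdmin` from the expression is safe only if the first argument of `api_is_platform_admin` covers session admins, as the replacement of `api_is_session_admin()` in course.php suggests; worth confirming against the API. Passing `true` to `api_not_allowed()` apparently switches to the header-rendering variant of the denial page, which the commit message does not mention even though every file in the patch makes the same change.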