Block access for unauthorised users

8 years ago · cdaf3abee9
parent 0dfbbb90d2
commit cdaf3abee9
6 changed files with 48 additions and 19 deletions
--- a/main/gradebook/certificate_report.php
+++ b/main/gradebook/certificate_report.php
@ -14,10 +14,17 @@ $cidReset = true;

 require_once __DIR__.'/../inc/global.inc.php';

-$this_section = SECTION_TRACKING;
-
 api_block_anonymous_users();

+$is_allowedToTrack = api_is_platform_admin(true) || api_is_student_boss();
+
+if (!$is_allowedToTrack) {
+    api_not_allowed(true);
+}
+
+
+$this_section = SECTION_TRACKING;
+
 $interbreadcrumb[] = [
    "url" => api_is_student_boss() ? "#" : api_get_path(WEB_CODE_PATH)."mySpace/index.php?".api_get_cidreq(),
    "name" => get_lang("MySpace"),
--- a/main/mySpace/course.php
+++ b/main/mySpace/course.php
@ -15,6 +15,13 @@ $this_section = SECTION_TRACKING;
 $sessionId = isset($_GET['session_id']) ? intval($_GET['session_id']) : null;

 api_block_anonymous_users();
+
+$allowToTrack = api_is_platform_admin(true, true) || api_is_teacher();
+
+if (!$allowToTrack) {
+    api_not_allowed(true);
+}
+
 $interbreadcrumb[] = ["url" => "index.php", "name" => get_lang('MySpace')];

 if (isset($_GET["id_session"]) && $_GET["id_session"] != "") {
@ -58,7 +65,7 @@ Display :: display_header(get_lang('Courses'));
 $user_id = 0;
 $a_courses = [];
 $menu_items = [];
-if (api_is_drh() || api_is_session_admin() || api_is_platform_admin()) {
+if (api_is_platform_admin(true, true)) {
    $title = '';
    if (empty($sessionId)) {
        if (isset($_GET['user_id'])) {
--- a/main/mySpace/index.php
+++ b/main/mySpace/index.php
@ -36,12 +36,16 @@ $is_session_admin = api_is_session_admin();
 $title = '';
 $skipData = api_get_configuration_value('tracking_skip_generic_data');

+
 // Access control
 api_block_anonymous_users();
-/*
-if (!$export_csv) {
-     Display :: display_header($nameTools);
-} */
+
+$allowToTrack = api_is_platform_admin(true, true) ||
+    api_is_allowed_to_create_course();
+
+if (!$allowToTrack) {
+    api_not_allowed(true);
+}

 if ($is_session_admin) {
    header('location:session.php');
--- a/main/mySpace/session.php
+++ b/main/mySpace/session.php
@ -15,9 +15,6 @@ api_block_anonymous_users();
 $this_section = SECTION_TRACKING;

 api_block_anonymous_users();
-$htmlHeadXtra[] = api_get_jqgrid_js();
-$interbreadcrumb[] = ["url" => "index.php", "name" => get_lang('MySpace')];
-Display::display_header(get_lang('Sessions'));

 $export_csv = false;

@ -25,15 +22,23 @@ if (isset($_GET['export']) && $_GET['export'] == 'csv') {
    $export_csv = true;
 }

-/*	MAIN CODE */
-
 if (isset($_GET['id_coach']) && $_GET['id_coach'] != '') {
    $id_coach = intval($_GET['id_coach']);
 } else {
    $id_coach = api_get_user_id();
 }

-if (api_is_drh() || api_is_session_admin() || api_is_platform_admin()) {
+$allowToTrack = api_is_platform_admin(true, true) || api_is_teacher();
+
+if (!$allowToTrack) {
+    api_not_allowed(true);
+}
+
+$htmlHeadXtra[] = api_get_jqgrid_js();
+$interbreadcrumb[] = ["url" => "index.php", "name" => get_lang('MySpace')];
+Display::display_header(get_lang('Sessions'));
+
+if (api_is_platform_admin(true, true)) {
    $a_sessions = SessionManager::get_sessions_followed_by_drh(api_get_user_id());

    if (!api_is_session_admin()) {
--- a/main/mySpace/teachers.php
+++ b/main/mySpace/teachers.php
@ -9,15 +9,21 @@ $cidReset = true;

 require_once __DIR__.'/../inc/global.inc.php';

+api_block_anonymous_users();
+
+$allowToTrack = api_is_platform_admin(true, true) ||
+    api_is_allowed_to_create_course();
+
+if (!$allowToTrack) {
+    api_not_allowed(true);
+}
+
+
 $export_csv = isset($_GET['export']) && $_GET['export'] == 'csv' ? true : false;
 $keyword = isset($_GET['keyword']) ? Security::remove_XSS($_GET['keyword']) : null;
 $active = isset($_GET['active']) ? intval($_GET['active']) : 1;
 $sleepingDays = isset($_GET['sleeping_days']) ? intval($_GET['sleeping_days']) : null;
-
 $nameTools = get_lang('Teachers');
-
-api_block_anonymous_users();
-
 $this_section = SECTION_TRACKING;

 $interbreadcrumb[] = ["url" => "index.php", "name" => get_lang('MySpace')];
--- a/main/tracking/exams.php
+++ b/main/tracking/exams.php
@ -12,10 +12,10 @@ $toolTable = Database::get_course_table(TABLE_TOOL_LIST);
 $quizTable = Database::get_course_table(TABLE_QUIZ_TEST);

 $this_section = SECTION_TRACKING;
-$is_allowedToTrack = $is_courseAdmin || $is_platformAdmin || $is_session_general_coach || $is_sessionAdmin;
+$is_allowedToTrack = $is_courseAdmin || api_is_platform_admin(true) || $is_session_general_coach;

 if (!$is_allowedToTrack) {
-    api_not_allowed();
+    api_not_allowed(true);
 }

 $exportToXLS = false;