Fixing session access permissions + fixing some typos in session_manager.lib.php

skala
Julio Montoya 13 years ago
parent 61ca6c16bf
commit cdc3e051b1
  1. 89
      main/inc/lib/main_api.lib.php
  2. 3
      main/inc/lib/sessionmanager.lib.php
  3. 29
      main/inc/lib/usermanager.lib.php
  4. 16
      main/inc/local.inc.php
  5. 36
      main/session/index.php

@ -28,8 +28,6 @@ define('ANONYMOUS', 6);
* the teacher through HTMLPurifier */
define('COURSEMANAGERLOWSECURITY', 10);
// Table of status
$_status_list[COURSEMANAGER] = 'teacher'; // 1
$_status_list[SESSIONADMIN] = 'session_admin'; // 3
@ -52,7 +50,9 @@ define('COURSE_VISIBILITY_OPEN_WORLD', 3);
// SESSION VISIBILITY CONSTANTS
define('SESSION_VISIBLE_READ_ONLY', 1);
define('SESSION_VISIBLE', 2);
define('SESSION_INVISIBLE', 3);
define('SESSION_INVISIBLE', 3); // not available
define('SESSION_AVAILABLE', 4);
define('SUBSCRIBE_ALLOWED', 1);
define('SUBSCRIBE_NOT_ALLOWED', 0);
@ -1685,13 +1685,13 @@ function api_get_session_name($session_id) {
function api_get_session_info($session_id) {
$data = array();
if (!empty($session_id)) {
$sesion_id = intval(Database::escape_string($session_id));
$session_id = intval($session_id);
$tbl_session = Database::get_main_table(TABLE_MAIN_SESSION);
$sql = "SELECT * FROM $tbl_session WHERE id = $session_id";
$result = Database::query($sql);
if (Database::num_rows($result)>0) {
$data = Database::fetch_array($result, 'ASSOC');
if (Database::num_rows($result)>0) {
$data = Database::fetch_array($result, 'ASSOC');
}
}
return $data;
@ -1705,28 +1705,60 @@ function api_get_session_info($session_id) {
function api_get_session_visibility($session_id) {
$visibility = 0; //means that the session is still available
if (!empty($session_id)) {
$sesion_id = intval(Database::escape_string($session_id));
$session_id = intval($session_id);
$tbl_session = Database::get_main_table(TABLE_MAIN_SESSION);
$is_coach = api_is_coach();
$condition_date_end = "";
if ($is_coach) {
//@todo use api_get_utc_datetime()
$condition_date_end = " AND (CURDATE() > (SELECT adddate(date_end,nb_days_access_after_end) FROM $tbl_session WHERE id = $session_id) AND date_end != '0000-00-00') ";
} else {
$condition_date_end = " AND (date_end < CURDATE() AND date_end != '0000-00-00') ";
$condition_date_end = " ";
}
$sql = "SELECT visibility FROM $tbl_session
WHERE id = $session_id $condition_date_end "; // session is old and is not unlimited
$sql = "SELECT visibility, date_start, date_end FROM $tbl_session
WHERE id = $session_id $condition_date_end ";
$result = Database::query($sql);
if (Database::num_rows($result)>0) {
if (Database::num_rows($result) > 0 ) {
$row = Database::fetch_array($result, 'ASSOC');
$visibility = $row['visibility'];
//I don't care the field visibility
if ($row['date_start'] == '0000-00-00' && $row['date_end'] == '0000-00-00') {
$visibility = SESSION_AVAILABLE;
} else {
$time = time();
//If datestart is set
if (!empty($row['date_start']) && $row['date_start'] != '0000-00-00') {
$row['date_start'] = $row['date_start'].' 00:00:00';
if ($time > api_strtotime($row['date_start'])) {
$visibility = SESSION_AVAILABLE;
} else {
$visibility = SESSION_INVISIBLE;
}
}
//if date_end is set
if (!empty($row['date_end']) && $row['date_end'] != '0000-00-00') {
$row['date_end'] = $row['date_end'].' 00:00:00';
//only if date_start said that it was ok
if ($visibility == SESSION_AVAILABLE) {
$visibility = $row['visibility'];
/*
if ($time < api_strtotime($row['date_end'])) {
$visibility = $row['visibility'];
} else {
$visibility = $row['visibility'];
}*/
}
}
}
} else {
$visibility = 0;
$visibility = SESSION_INVISIBLE;
}
}
return $visibility;
@ -1738,11 +1770,12 @@ function api_get_session_visibility($session_id) {
* @param string Chamilo course code
* @param int user id
* @return int 0= Session available (in date), SESSION_VISIBLE_READ_ONLY = 1, SESSION_VISIBLE = 2, SESSION_INVISIBLE = 3
* @deprecated
*/
function api_get_session_visibility_by_user($session_id, $course_code, $user_id) {
$visibility = 0; // Means that the session is still available.
if (!empty($session_id) && !empty($user_id)){
$sesion_id = intval(Database::escape_string($session_id));
$session_id = intval($session_id);
$user_id = intval(Database::escape_string($user_id));
$course_code = Database::escape_string($course_code);
$tbl_session = Database::get_main_table(TABLE_MAIN_SESSION_REL_COURSE_REL_USER);
@ -1795,7 +1828,6 @@ function api_get_session_condition($session_id, $and = true, $with_base_content
} else {
$condition_session = $condition_add." session_id = $session_id ";
}
return $condition_session;
}
@ -2368,23 +2400,24 @@ function api_is_allowed_to_session_edit($tutor = false, $coach = false) {
// I'm in a session and I'm a student
$session_id = api_get_session_id();
// Get the session visibility
$session_visibility = api_get_session_visibility($session_id); // if 0 the session is still available.
if ($session_visibility != 0) {
$session_visibility = api_get_session_visibility($session_id); // if 5 the session is still available.
//@todo We could load the session_rel_course_rel_user permission to increase the level of detail.
//echo api_get_user_id();
//echo api_get_course_id();
switch ($session_visibility) {
case SESSION_VISIBLE_READ_ONLY: // 1
return false;
case SESSION_VISIBLE: // 2
return true;
case SESSION_INVISIBLE: // 3
return false;
}
} else {
return true;
switch ($session_visibility) {
case SESSION_VISIBLE_READ_ONLY: // 1
return false;
case SESSION_VISIBLE: // 2
return true;
case SESSION_INVISIBLE: // 3
return false;
case SESSION_AVAILABLE: //5
return true;
}
}
}
}
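Review bot: In api_get_session_visibility the coach path now appears to report an active session as SESSION_INVISIBLE: `$condition_date_end` for a coach only matches rows whose date_end plus nb_days_access_after_end has already passed, so a running session yields no row, and the rewritten empty-result branch maps that to SESSION_INVISIBLE where it previously returned 0 (available). The non-coach path has the opposite gap: with the WHERE condition reduced to `" "` and the `$time < api_strtotime($row['date_end'])` comparison left commented out, the stored visibility is returned as soon as date_start has passed, whether or not date_end has elapsed, so a session marked SESSION_VISIBLE keeps returning true from api_is_allowed_to_session_edit after it ends. Restoring the comparison as `$visibility = $time < api_strtotime($row['date_end']) ? SESSION_AVAILABLE : $row['visibility'];` and letting the empty-result branch distinguish "no such session" from "still running for this coach" would close both. In api_is_allowed_to_session_edit the `// if 5` and `//5` comments disagree with `define('SESSION_AVAILABLE', 4)` earlier in this file, and a `default: return false;` in that switch would keep an unexpected value from falling through to a null return.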

@ -287,8 +287,7 @@ class SessionManager {
if ($session['date_end'] == '0000-00-00') {
$session['date_end'] = '';
}
switch ($session['visibility']) {
case SESSION_VISIBLE_READ_ONLY: //1
$session['visibility'] = get_lang('ReadOnly');

@ -1867,17 +1867,9 @@ class UserManager {
$personal_course_list_sql = '';
//Courses in which we suscribed out of any session
/*$personal_course_list_sql = "SELECT course.code k, course.directory d, course.visual_code c, course.db_name db, course.title i,
course.tutor_name t, course.course_language l, course_rel_user.status s, course_rel_user.sort sort,
course_rel_user.user_course_cat user_course_cat
FROM ".$tbl_course." course,".$main_course_user_table." course_rel_user
WHERE course.code = course_rel_user.course_code"."
AND course_rel_user.user_id = '".$user_id."'
ORDER BY course_rel_user.user_course_cat, course_rel_user.sort ASC,i";*/
$tbl_user_course_category = Database :: get_user_personal_table(TABLE_USER_COURSE_CATEGORY);
$personal_course_list_sql = "SELECT course.code k, course.directory d, course.visual_code c, course.db_name db, course.title i, course.tutor_name t,
$personal_course_list_sql = "SELECT course.code, course.code k, course.directory d, course.visual_code c, course.db_name db, course.title i, course.tutor_name t,
course.course_language l, course_rel_user.status s, course_rel_user.sort sort, course_rel_user.user_course_cat user_course_cat,
course.id as course_id
FROM ".$tbl_course_user." course_rel_user
@ -1905,9 +1897,9 @@ class UserManager {
WHERE id_session=id AND id_user=$user_id AND relation_type<>".SESSION_RELATION_TYPE_RRHH."
AND (date_start <= CURDATE() AND date_end >= CURDATE() OR date_start='0000-00-00')
ORDER BY date_start, date_end, name";
$result = Database::query($sessions_sql);
$sessions=Database::store_result($result);
$sessions = array_merge($sessions , Database::store_result($result));
$result = Database::query($sessions_sql);
$sessions = Database::store_result($result);
$sessions = array_merge($sessions , Database::store_result($result));
// get the list of sessions where the user is subscribed as student where visibility = SESSION_VISIBLE_READ_ONLY = 1 SESSION_VISIBLE = 2
@ -1918,9 +1910,10 @@ class UserManager {
relation_type<>".SESSION_RELATION_TYPE_RRHH." AND
(date_end <= CURDATE() AND date_end<>'0000-00-00') AND (visibility = ".SESSION_VISIBLE_READ_ONLY." || visibility = ".SESSION_VISIBLE.")
ORDER BY date_start, date_end, name";
$result_out_date = Database::query($sessions_out_date_sql);
$sessions_out_date=Database::store_result($result_out_date);
$sessions = array_merge($sessions , $sessions_out_date);
$result_out_date = Database::query($sessions_out_date_sql);
$sessions_out_date = Database::store_result($result_out_date);
$sessions = array_merge($sessions , $sessions_out_date);
// get the list of sessions where the user is subscribed as coach in a course
$sessions_sql = "SELECT DISTINCT id, name, date_start, date_end, DATE_SUB(date_start, INTERVAL nb_days_access_before_beginning DAY), ADDDATE(date_end, INTERVAL nb_days_access_after_end DAY)
@ -1936,9 +1929,7 @@ class UserManager {
ORDER BY date_start, date_end, name";
$result = Database::query($sessions_sql);
$session_is_coach = Database::store_result($result);
$sessions = array_merge($sessions, $session_is_coach);
// get the list of sessions where the user is subscribed as coach
@ -1956,7 +1947,7 @@ class UserManager {
if (api_is_allowed_to_create_course()) {
foreach($sessions as $enreg) {
$id_session = $enreg['id'];
$personal_course_list_sql = "SELECT DISTINCT course.code k, course.directory d, course.visual_code c, course.db_name db, course.title i,
$personal_course_list_sql = "SELECT DISTINCT course.code, course.code k, course.directory d, course.visual_code c, course.db_name db, course.title i,
".(api_is_western_name_order() ? "CONCAT(user.firstname,' ',user.lastname)" : "CONCAT(user.lastname,' ',user.firstname)")." t, email, course.course_language l, 1 sort,
category_code user_course_cat, date_start, date_end, session.id as id_session, session.name as session_name, course.id as course_id
FROM $tbl_session_course_user as session_course_user
@ -1982,7 +1973,7 @@ class UserManager {
foreach ($sessions as $enreg) {
$id_session = $enreg['id'];
// this query is very similar to the above query, but it will check the session_rel_course_user table if there are courses registered to our user or not
$personal_course_list_sql = "SELECT DISTINCT course.id as course_id, course.code k, course.directory d, course.visual_code c, course.db_name db, course.title i, CONCAT(user.lastname,' ',user.firstname) t, email,
$personal_course_list_sql = "SELECT DISTINCT course.code, course.id as course_id, course.code k, course.directory d, course.visual_code c, course.db_name db, course.title i, CONCAT(user.lastname,' ',user.firstname) t, email,
course.course_language l, 1 sort, category_code user_course_cat, date_start, date_end, session.id as id_session, session.name as session_name, " .
"IF((session_course_user.id_user = 3 AND session_course_user.status=2),'2', '5')
FROM $tbl_session_course_user as session_course_user
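Review bot: The rewritten select lists now read `course.code, course.code k`, returning the same column twice in three queries; if the unaliased `code` was added for callers that read `$row['code']`, a comment such as `// 'code' kept unaliased for callers indexing by column name; 'k' retained for existing consumers` would stop the next reader from removing one of them. In the last hunk the status expression `IF((session_course_user.id_user = 3 AND session_course_user.status=2),'2', '5')` compares against the literal user id 3 rather than `$user_id`; it reads like a leftover test value and it determines the status this query reports for the coach branch, so it should be confirmed or replaced. The enclosing method starts and ends outside these hunks.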

@ -1028,20 +1028,26 @@ if ((isset($uidReset) && $uidReset) || (isset($cidReset) && $cidReset)) { // ses
else $is_allowed_in_course = false;
}
// requires testing!!!
// check the session visibility
if (!empty($is_allowed_in_course)) {
$my_session_id = api_get_session_id();
//if I'm in a session
//var_dump($is_platformAdmin, $is_courseTutor,api_is_coach());
if ($my_session_id!=0)
if ($my_session_id != 0) {
if (!$is_platformAdmin) {
// admin and session coach are *not* affected to the invisible session mode
// the coach is not affected because he can log in some days after the end date of a session
$session_visibility = api_get_session_visibility($my_session_id);
if ($session_visibility==SESSION_INVISIBLE)
$is_allowed_in_course =false;
$session_visibility = api_get_session_visibility($my_session_id);
switch ($session_visibility) {
case SESSION_INVISIBLE:
$is_allowed_in_course =false;
break;
}
//checking date
}
}
}
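Review bot: The comment at the top of the new block says admin and session coach are not affected by the invisible-session mode, but the guard only tests `$is_platformAdmin`, so a coach's entry is still decided by api_get_session_visibility like any other user; either the comment or the condition should change, e.g. `if (!$is_platformAdmin && !api_is_coach()) {` (api_is_coach() is the helper referenced in the commented-out var_dump line above). The one-case switch is behaviourally identical to the `if` it replaces; if further states are meant to be handled later, the `//checking date` placeholder should say what is pending, otherwise the plain `if` is clearer. The `// requires testing!!!` marker above this hunk suggests the path has no test coverage yet, and the enclosing `if ((isset($uidReset) ...` block continues outside the hunk.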

@ -34,12 +34,16 @@ $session_info = SessionManager::fetch($session_id);
$session_list = SessionManager::get_sessions_by_coach(api_get_user_id());
$course_list = SessionManager::get_course_list_by_session_id($session_id);
//Getting all sessions where I'm subscribed
$new_session_list = UserManager::get_personal_session_course_list(api_get_user_id());
$user_course_list = array();
foreach($new_session_list as $session_item) {
$user_course_list[] = $session_item['k'];
}
$my_session_list = array();
$final_array = array();
$final_array = array();
if (!empty($new_session_list)) {
foreach($new_session_list as $item) {
@ -48,7 +52,7 @@ if (!empty($new_session_list)) {
$final_array[$my_session_id]['name'] = $item['session_name'];
//Get all courses by session where I'm subscribed
$my_course_list = UserManager::get_courses_list_by_session(api_get_user_id(), $my_session_id);
$my_course_list = UserManager::get_courses_list_by_session(api_get_user_id(), $my_session_id);
foreach ($my_course_list as $my_course) {
$course = array();
@ -100,7 +104,6 @@ if (!api_is_allowed_to_session_edit()) {
Display::display_header(get_lang('Session'));
$session_select = array();
foreach ($session_list as $item) {
$session_select[$item['id']] = $item['name'];
@ -116,24 +119,10 @@ if (count($session_select) > 1) {
$form->display();
}
//Listing LPs from all courses
/*
$lps = array();
if (!empty($course_list)) {
foreach ($course_list as $item) {
$list = new LearnpathList(api_get_user_id(),$item['code']);
$flat_list = $list->get_flat_list();
$lps[$item['code']] = $flat_list;
foreach ($flat_list as $item) {
//var_dump(get_week_from_day($item['publicated_on']));
}
}
}*/
if (empty($session_id)) {
$user_list = UserManager::get_user_list();
} else {
$user_list = SessionManager::get_users_by_session($session_id);
$user_list = SessionManager::get_users_by_session($session_id);
}
//Final data to be show
@ -217,7 +206,8 @@ foreach($final_array as $session_data) {
}
}
}
}
}
$my_real_array = msort($my_real_array, 'date','asc');
if (!empty($new_exercises)) {
@ -252,8 +242,10 @@ echo $dates.'<br />';
$new_course_list = array();
if (!empty($course_list)) {
foreach($course_list as $course_data) {
$course_data['title'] = Display::url($course_data['title'], api_get_course_url($course_data['code'], $session_id));
$new_course_list[] = array('title'=>$course_data['title']);
if (in_array($course_data['code'], $user_course_list)) {
$course_data['title'] = Display::url($course_data['title'], api_get_course_url($course_data['code'], $session_id));
$new_course_list[] = array('title'=> $course_data['title']);
}
}
}
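Review bot: The new `$user_course_list` filter in the last hunk only decides which course links are rendered; it is not an access check, so the URLs it hides stay reachable by anyone who knows them and the real gate must remain in the course-entry code rather than on this page. `in_array($course_data['code'], $user_course_list)` should pass `true` as the third argument so the comparison is by identity. The loop that builds the list relies on the `k` alias from get_personal_session_course_list; a comment above it, `// course codes the current user is subscribed to ('k' alias from get_personal_session_course_list)`, would record that coupling.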
