Fixing group category and group visibility permissions when using the forum; requires validation, see BT#3491

skala
Julio Montoya 14 years ago
parent fc6a02c010
commit e3adc4c2a1
  1. 20
      main/forum/forumfunction.inc.php
  2. 15
      main/forum/index.php
  3. 73
      main/forum/newthread.php
  4. 55
      main/forum/reply.php
  5. 59
      main/forum/viewforum.php
  6. 100
      main/inc/lib/groupmanager.lib.php

@ -1103,7 +1103,7 @@ function get_forum_categories($id = '') {
$condition_session .= "AND forum_categories.c_id = $course_id ";
if ($id == '') {
$sql = "SELECT * FROM".$table_categories." forum_categories, ".$table_item_property." item_properties
$sql = "SELECT * FROM".$table_categories." forum_categories, ".$table_item_property." item_properties
WHERE forum_categories.cat_id=item_properties.ref
AND item_properties.visibility=1
AND item_properties.tool='".TOOL_FORUM_CATEGORY."' $condition_session
@ -1193,8 +1193,7 @@ function get_forums($id='', $course_code = '') {
$table_posts = Database :: get_course_table(TABLE_FORUM_POST);
$table_item_property = Database :: get_course_table(TABLE_ITEM_PROPERTY);
// GETTING ALL THE FORUMS //
// GETTING ALL THE FORUMS
// Condition for the session
$session_id = api_get_session_id();
@ -1713,11 +1712,11 @@ function get_thread_users_qualify($thread_id, $course_id = null) {
* @version octubre 2008, dokeos 1.8
*/
function get_thread_users_not_qualify($thread_id, $course_id = null) {
$t_posts = Database :: get_course_table(TABLE_FORUM_POST);
$t_qualify = Database :: get_course_table(TABLE_FORUM_THREAD_QUALIFY);
$t_users = Database :: get_main_table(TABLE_MAIN_USER);
$t_course_user = Database :: get_main_table(TABLE_MAIN_COURSE_USER);
$t_session_rel_user = Database :: get_main_table(TABLE_MAIN_SESSION_COURSE_USER);
$t_posts = Database :: get_course_table(TABLE_FORUM_POST);
$t_qualify = Database :: get_course_table(TABLE_FORUM_THREAD_QUALIFY);
$t_users = Database :: get_main_table(TABLE_MAIN_USER);
$t_course_user = Database :: get_main_table(TABLE_MAIN_COURSE_USER);
$t_session_rel_user = Database :: get_main_table(TABLE_MAIN_SESSION_COURSE_USER);
$is_western_name_order = api_is_western_name_order();
if ($is_western_name_order) {
@ -1730,9 +1729,7 @@ function get_thread_users_not_qualify($thread_id, $course_id = null) {
$course_id = api_get_course_int_id();
} else {
$course_id = intval($course_id);
}
}
$sql1 = "select user_id FROM $t_qualify WHERE thread_id = '".$thread_id."'";
$result1 = Database::query($sql1);
@ -1796,7 +1793,6 @@ function get_forum_information($forum_id) {
item_properties.ref = '".Database::escape_string($forum_id)."' AND
forums.forum_id = '".Database::escape_string($forum_id)."' AND
forums.c_id = ".api_get_course_int_id()."
";
$result = Database::query($sql);

@ -148,11 +148,13 @@ $forum_categories_list = get_forum_categories();
$forum_list = array();
$forum_list = get_forums();
$user_id = api_get_user_id();
/* RETRIEVING ALL GROUPS AND THOSE OF THE USER */
// The groups of the user.
$groups_of_user = array();
$groups_of_user = GroupManager::get_group_ids($_course['real_id'], $_user['user_id']);
$groups_of_user = GroupManager::get_group_ids($_course['real_id'], $user_id);
// All groups in the course (and sorting them as the id of the group = the key of the array).
if (!api_is_anonymous()) {
$all_groups = GroupManager::get_group_list();
@ -200,7 +202,7 @@ if (is_array($forum_categories_list)) {
// The forums in this category.
$forums_in_category = get_forums_in_category($forum_category['cat_id']);
echo '<table class="forum_table">';
// Validacion when belongs to a session.
@ -262,8 +264,8 @@ if (is_array($forum_categories_list)) {
}
// Note: This can be speeded up if we transform the $forum_list to an array that uses the forum_category as the key.
if ($forum['forum_category'] == $forum_category['cat_id']) {
// The forum has to be showed if
if ($forum['forum_category'] == $forum_category['cat_id']) {
// The forum has to be showed if
// 1.v it is a not a group forum (teacher and student)
// 2.v it is a group forum and it is public (teacher and student)
// 3. it is a group forum and it is private (always for teachers only if the user is member of the forum
@ -286,6 +288,9 @@ if (is_array($forum_categories_list)) {
//echo '-gewoon forum';
$show_forum = true;
} else {
$show_forum = GroupManager::user_has_access($user_id, $forum['forum_of_group'], GROUP_TOOL_FORUM);
//var_dump($forum['forum_id'].' - '.$show_forum);
/*
// it is a group forum
//echo '-groepsforum';
// it is a group forum but it is public => show
@ -305,7 +310,7 @@ if (is_array($forum_categories_list)) {
}
} else {
$show_forum = false;
}
}*/
}
}
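Review bot: The old group-visibility branch is kept as a `/* ... */` block right after the new `$show_forum = GroupManager::user_has_access($user_id, $forum['forum_of_group'], GROUP_TOOL_FORUM);`, together with a `//var_dump($forum['forum_id'].' - '.$show_forum);` debug line; both should be deleted rather than left in the listing loop, since the commented-out code no longer describes how access is decided and the debug line is one uncomment away from printing forum ids into the page. With `user_has_access()` now encoding the public/private/not-available rules, the `$groups_of_user` and `$all_groups` arrays built above the loop may no longer be read here — worth checking before dropping them, as the rest of the loop is outside this hunk. If the debug line is needed during validation of BT#3491, it belongs behind the project's logging facility, not a `var_dump` in a view.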

@ -91,6 +91,39 @@ if (!empty($_GET['gidReq'])) {
api_session_register('toolgroup');
}
/* Is the user allowed here? */
// The user is not allowed here if:
// 1. the forumcategory or forum is invisible (visibility==0) and the user is not a course manager
// 2. the forumcategory or forum is locked (locked <>0) and the user is not a course manager
// 3. new threads are not allowed and the user is not a course manager
// 4. anonymous posts are not allowed and the user is not logged in
// I have split this is several pieces for clarity.
if (!api_is_allowed_to_edit(false, true) && (($current_forum_category['visibility'] == 0 || $current_forum['visibility'] == 0))) {
api_not_allowed();
}
// 2. the forumcategory or forum is locked (locked <>0) and the user is not a course manager
if (!api_is_allowed_to_edit(false, true) AND ($current_forum_category['locked'] <> 0 OR $current_forum['locked'] <> 0)) {
api_not_allowed();
}
// 3. new threads are not allowed and the user is not a course manager
if (!api_is_allowed_to_edit(false, true) AND $current_forum['allow_new_threads'] <> 1) {
api_not_allowed();
}
// 4. anonymous posts are not allowed and the user is not logged in
if (!$_user['user_id'] AND $current_forum['allow_anonymous'] <> 1) {
api_not_allowed();
}
if ($current_forum['forum_of_group'] != 0) {
$show_forum = GroupManager::user_has_access(api_get_user_id(), $current_forum['forum_of_group'], GROUP_TOOL_FORUM);
if (!$show_forum) {
api_not_allowed();
}
}
$session_toolgroup = 0;
if ($origin == 'group') {
$session_toolgroup = intval($_SESSION['toolgroup']);
@ -115,6 +148,8 @@ if (isset($_POST['add_resources']) AND $_POST['add_resources'] == get_lang('Reso
header('Location: ../resourcelinker/resourcelinker.php');
}
/* Header */
if ($origin == 'learnpath') {
@ -123,44 +158,6 @@ if ($origin == 'learnpath') {
Display :: display_header(null);
//api_display_tool_title($nameTools);
}
/* Is the user allowed here? */
// The user is not allowed here if:
// 1. the forumcategory or forum is invisible (visibility==0) and the user is not a course manager
// 2. the forumcategory or forum is locked (locked <>0) and the user is not a course manager
// 3. new threads are not allowed and the user is not a course manager
// 4. anonymous posts are not allowed and the user is not logged in
// I have split this is several pieces for clarity.
if (!api_is_allowed_to_edit(false, true) && (($current_forum_category['visibility'] == 0 || $current_forum['visibility'] == 0))) {
$forum_allow = forum_not_allowed_here();
if ($forum_allow === false) {
exit;
}
}
// 2. the forumcategory or forum is locked (locked <>0) and the user is not a course manager
if (!api_is_allowed_to_edit(false, true) AND ($current_forum_category['locked'] <> 0 OR $current_forum['locked'] <> 0)) {
$forum_allow = forum_not_allowed_here();
if ($forum_allow === false) {
exit;
}
}
// 3. new threads are not allowed and the user is not a course manager
if (!api_is_allowed_to_edit(false, true) AND $current_forum['allow_new_threads'] <> 1) {
$forum_allow = forum_not_allowed_here();
if ($forum_allow === false) {
exit;
}
}
// 4. anonymous posts are not allowed and the user is not logged in
if (!$_user['user_id'] AND $current_forum['allow_anonymous'] <> 1) {
$forum_allow = forum_not_allowed_here();
if ($forum_allow === false) {
exit;
}
}
/* Display forms / Feedback Messages */
handle_forum_and_forumcategories();
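Review bot: The numbered comment at the top of the moved access block still lists rules 1–4, but the block now ends with a fifth rule (the `forum_of_group` check); add `// 5. the forum belongs to a group and the user has no access to that group's forum tool` so the comment matches the code, and the same applies to the corresponding block added in reply.php. The checks read `$current_forum_category['visibility']` and `$current_forum['visibility']` without first confirming the lookups returned a row — the `// Note: This has to be validated that it is an existing forum.` comment on the lookup acknowledges this — and for non-managers a missing row only happens to fail closed because `null == 0`, while a course manager continues with an empty `$current_forum`; viewforum.php in this same commit adds `if (empty($current_forum)) { api_not_allowed(); }` right after the lookup, and the same guard belongs here and in reply.php. Moving the block ahead of the header output is the right change, since `api_not_allowed()` now runs before anything has been sent to the client. The checks mix `$_user['user_id']` and `api_get_user_id()` in adjacent lines; picking one keeps the anonymous-user rule and the group rule consistent.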

@ -68,6 +68,32 @@ $current_thread = get_thread_information($_GET['thread']); // Note: This has to
$current_forum = get_forum_information($current_thread['forum_id']); // Note: This has to be validated that it is an existing forum.
$current_forum_category = get_forumcategory_information(Security::remove_XSS($current_forum['forum_category']));
/* Is the user allowed here? */
// The user is not allowed here if
// 1. the forumcategory, forum or thread is invisible (visibility==0
// 2. the forumcategory, forum or thread is locked (locked <>0)
// 3. if anonymous posts are not allowed
// The only exception is the course manager
// I have split this is several pieces for clarity.
//if (!api_is_allowed_to_edit() AND (($current_forum_category['visibility'] == 0 OR $current_forum['visibility'] == 0) OR ($current_forum_category['locked'] <> 0 OR $current_forum['locked'] <> 0 OR $current_thread['locked'] <> 0))) {
if (!api_is_allowed_to_edit(false, true) AND (($current_forum_category['visibility'] == 0 OR $current_forum['visibility'] == 0))) {
api_not_allowed();
}
if (!api_is_allowed_to_edit(false, true) AND ($current_forum_category['locked'] <> 0 OR $current_forum['locked'] <> 0 OR $current_thread['locked'] <> 0)) {
api_not_allowed();
}
if (!$_user['user_id'] AND $current_forum['allow_anonymous'] == 0) {
api_not_allowed();
}
if ($current_forum['forum_of_group'] != 0) {
$show_forum = GroupManager::user_has_access(api_get_user_id(), $current_forum['forum_of_group'], GROUP_TOOL_FORUM);
if (!$show_forum) {
api_not_allowed();
}
}
/* Breadcrumbs */
if (isset($_SESSION['gradebook'])){
@ -107,6 +133,8 @@ if (isset($_POST['add_resources']) AND $_POST['add_resources'] == get_lang('Reso
exit;
}
/* Header */
if ($origin == 'learnpath') {
@ -117,33 +145,6 @@ if ($origin == 'learnpath') {
Display :: display_header('');
}
/* Is the user allowed here? */
// The user is not allowed here if
// 1. the forumcategory, forum or thread is invisible (visibility==0
// 2. the forumcategory, forum or thread is locked (locked <>0)
// 3. if anonymous posts are not allowed
// The only exception is the course manager
// I have split this is several pieces for clarity.
//if (!api_is_allowed_to_edit() AND (($current_forum_category['visibility'] == 0 OR $current_forum['visibility'] == 0) OR ($current_forum_category['locked'] <> 0 OR $current_forum['locked'] <> 0 OR $current_thread['locked'] <> 0))) {
if (!api_is_allowed_to_edit(false, true) AND (($current_forum_category['visibility'] == 0 OR $current_forum['visibility'] == 0))) {
$forum_allow = forum_not_allowed_here();
if ($forum_allow === false) {
exit;
}
}
if (!api_is_allowed_to_edit(false, true) AND ($current_forum_category['locked'] <> 0 OR $current_forum['locked'] <> 0 OR $current_thread['locked'] <> 0)) {
$forum_allow = forum_not_allowed_here();
if ($forum_allow === false) {
exit;
}
}
if (!$_user['user_id'] AND $current_forum['allow_anonymous'] == 0) {
$forum_allow = forum_not_allowed_here();
if ($forum_allow === false) {
exit;
}
}
/* Action links */
if ($origin != 'learnpath') {
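Review bot: The new group check at `if ($current_forum['forum_of_group'] != 0)` calls `api_not_allowed()` whenever `GroupManager::user_has_access()` returns false, with no course-manager exemption, while every other check in this block is prefixed with `!api_is_allowed_to_edit(false, true)`. In the `user_has_access()` rewrite in this commit, a category or group whose forum state is TOOL_NOT_AVAILABLE, or a TOOL_PRIVATE category the manager is not a member of, returns false before the `api_is_allowed_to_edit(false,true)` branch is reached, so course managers are now locked out of replying in those group forums. If that is intended, say so in the comment above the block; if not, change the condition to `if (!api_is_allowed_to_edit(false, true) && !$show_forum) {`. The same block is added to newthread.php, and the listing in index.php relies on the same call.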

@ -63,20 +63,49 @@ $userinf = api_get_user_info($userid);
// but the problem is that the visibility of the forum AND forum cateogory are stored in the item_property table.
//$my_forum_group = isset($_GET['gidReq']) ? $_GET['gidReq'] : '';
$group_id = api_get_group_id();
$my_forum = isset($_GET['forum']) ? $_GET['forum'] : '';
$val = GroupManager::user_has_access($userid, $group_id, GROUP_TOOL_FORUM);
if (!empty($group_id)) {
if (api_is_allowed_to_edit(false, true) || $val || GroupManager::is_tutor_of_group(api_get_user_id(), $group_id)) {
$current_forum = get_forum_information($my_forum); // Note: This has to be validated that it is an existing forum.
$current_forum_category = get_forumcategory_information($current_forum['forum_category']);
$current_forum = get_forum_information($my_forum); // Note: This has to be validated that it is an existing forum.
if (empty($current_forum)) {
api_not_allowed();
}
$current_forum_category = get_forumcategory_information($current_forum['forum_category']);
if ($group_id) {
//Group info & group category info
$group_properties = GroupManager::get_group_properties($group_id);
//$group_cat_info = GroupManager::get_category(GroupManager::get_category_from_group($group_id));
//User has access in the group?
$user_has_access_in_group = GroupManager::user_has_access($userid, $group_id, GROUP_TOOL_FORUM);
//User is a tutor in the group? the function GroupManager::user_has_access already contains the is_tutor_of_group()
//$is_tutor_group = GroupManager::is_tutor_of_group($userid, $group_id);
//
// the function GroupManager::user_has_access already contains the is_tutor_of_group()
//$is_my_forum = GroupManager::is_user_in_group($userid, $group_id);
//$group_cat_forum_visibility = $group_cat_info['forum_state'];
//$group_forum_visibility = $group_properties['forum_state'];
//Course
if (!api_is_allowed_to_edit(false, true) AND //is a student
($current_forum_category['visibility'] == 0 OR $current_forum['visibility'] == 0 OR !$user_has_access_in_group)
) {
api_not_allowed();
}
} else {
$result = get_forum_information($my_forum);
if ($result['forum_of_group'] == 0) {
$current_forum = get_forum_information($my_forum); // Note: This has to be validated that it is an existing forum.
$current_forum_category = get_forumcategory_information($current_forum['forum_category']);
//Course
if (!api_is_allowed_to_edit(false, true) AND //is a student
($current_forum_category['visibility'] == 0 OR $current_forum['visibility'] == 0) //forum category or forum visibility is false
) {
api_not_allowed();
}
}
@ -103,7 +132,7 @@ if (!empty($_GET['gidReq'])) {
if ($origin == 'group') {
$_clean['toolgroup'] = (int)$_SESSION['toolgroup'];
$group_properties = GroupManager :: get_group_properties($_clean['toolgroup']);
$interbreadcrumb[] = array('url' => '../group/group.php', 'name' => get_lang('Groups'));
$interbreadcrumb[] = array('url'=>'../group/group_space.php?gidReq='.$_SESSION['toolgroup'], 'name'=> get_lang('GroupSpace').' '.$group_properties['name']);
$interbreadcrumb[] = array('url' => '#', 'name' => get_lang('Forum').' '.Security::remove_XSS($current_forum['forum_title']));
@ -237,16 +266,6 @@ if ($my_action == 'liststd' AND isset($_GET['content']) AND isset($_GET['id']) A
}
}
/* Is the user allowed here? */
// If the user is not a course administrator and the forum is hidden
// then the user is not allowed here.
if (!api_is_allowed_to_edit(false, true) AND ($current_forum_category['visibility'] == 0 OR $current_forum['visibility'] == 0)) {
api_not_allowed();
}
if ($origin == 'learnpath') {
echo '<div style="height:15px">&nbsp;</div>';
}
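Review bot: The group access check uses `$group_id` from `api_get_group_id()` rather than the forum's own `forum_of_group`, so it verifies membership of whatever group the request names, not of the group that owns the forum being viewed; and in the `else` branch a forum with `forum_of_group != 0` reached without a group id is not checked at all within this hunk (unless the lines after the closing `}` deny it), while the old `/* Is the user allowed here? */` check further down the file is removed in the same commit. Derive the group from `$current_forum`, which is already loaded at the top of the block — the second `get_forum_information($my_forum)` call in the else branch is redundant — and apply one visibility check to both cases, as below; if the request's group must additionally match the forum's, add `if ($group_id && $group_id != $forum_group_id) { api_not_allowed(); }`. The commented-out `$group_cat_info`, `$is_tutor_group`, `$is_my_forum` and `$group_*_visibility` lines should be deleted rather than kept. What `api_get_group_id()` reads is not visible here, so treat the request/session origin of `$group_id` as inferred.
```php
$current_forum = get_forum_information($my_forum); // Note: This has to be validated that it is an existing forum.
if (empty($current_forum)) {
    api_not_allowed();
}
$current_forum_category = get_forumcategory_information($current_forum['forum_category']);
// The group that owns the forum decides access, not the group id supplied with the request.
$forum_group_id = intval($current_forum['forum_of_group']);
$user_has_access_in_group = true;
if ($forum_group_id != 0) {
    $group_properties = GroupManager::get_group_properties($forum_group_id);
    $user_has_access_in_group = GroupManager::user_has_access($userid, $forum_group_id, GROUP_TOOL_FORUM);
}
if (!api_is_allowed_to_edit(false, true) AND //is a student
    ($current_forum_category['visibility'] == 0 OR $current_forum['visibility'] == 0 OR !$user_has_access_in_group)
) {
    api_not_allowed();
}
// … unchanged: breadcrumbs and the rest of the page …
```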

@ -550,17 +550,19 @@ class GroupManager {
* @param string $course_code The course (default = current course)
*/
public static function get_category ($id, $course_code = null) {
if (empty($id)) {
return array();
}
$course_info = api_get_course_info($course_code);
$course_id = $course_info['real_id'];
$id = Database::escape_string($id);
$course_id = $course_info['real_id'];
$id = Database::escape_string($id);
$table_group_cat = Database :: get_course_table(TABLE_GROUP_CATEGORY);
$sql = "SELECT * FROM $table_group_cat WHERE c_id = $course_id AND id = $id";
$sql = "SELECT * FROM $table_group_cat WHERE c_id = $course_id AND id = $id LIMIT 1";
$res = Database::query($sql);
return Database::fetch_array($res);
}
/**
* Get the category of a given group
* Get the unique category of a given group
* @param int $group_id The id of the group
* @param string $course_code The course in which the group is (default =
* current course)
@ -569,6 +571,10 @@ class GroupManager {
public static function get_category_from_group ($group_id, $course_code = null) {
$table_group = Database :: get_course_table(TABLE_GROUP);
$table_group_cat = Database :: get_course_table(TABLE_GROUP_CATEGORY);
if (empty($group_id)) {
return array();
}
$course_info = api_get_course_info($course_code);
$course_id = $course_info['real_id'];
@ -577,9 +583,12 @@ class GroupManager {
$sql = "SELECT gc.* FROM $table_group_cat gc, $table_group g
WHERE gc.c_id = $course_id AND
g.c_id = $course_id AND
gc.id = g.category_id AND g.id=$group_id";
gc.id = g.category_id AND g.id= $group_id LIMIT 1";
$res = Database::query($sql);
$cat = Database::fetch_array($res);
$cat = array();
if (Database::num_rows($res)) {
$cat = Database::fetch_array($res);
}
return $cat;
}
/**
@ -1008,7 +1017,7 @@ class GroupManager {
$category['groups_per_user'] = INFINITE;
}
$result &= (self :: user_in_number_of_groups($user_id, $category['id']) < $category['groups_per_user']);
$result &= !self :: is_tutor($user_id);
$result &= !self :: is_tutor_of_group($user_id, $group_id);
return $result;
}
/**
@ -1199,6 +1208,7 @@ class GroupManager {
* @param $user_id the id of the user
* @param $group_id the id of the group
* @return boolean true/false
* @todo use the function user_has_access that includes this function
* @author Patrick Cool <patrick.cool@UGent.be>, Ghent University
*/
public static function is_tutor_of_group ($user_id,$group_id) {
@ -1245,7 +1255,7 @@ class GroupManager {
* tutors in the current course.
* @deprecated this function uses the old tutor implementation
*/
public static function get_all_tutors () {
public static function get_all_tutors() {
global $_course;
$course_user_table = Database :: get_main_table(TABLE_MAIN_COURSE_USER);
$user_table = Database :: get_main_table(TABLE_MAIN_USER);
@ -1320,9 +1330,7 @@ class GroupManager {
return $groups;
}
/*
Group functions
these take virtual/linked courses into account when necessary
-----------------------------------------------------------
Group functions - these take virtual/linked courses into account when necessary
*/
/**
* Get a combined list of all users of the real course $course_code
@ -1406,10 +1414,8 @@ class GroupManager {
$total_number = count($user_array_in);
$user_array_out[0] = $user_array_in[0];
$count_out = 0;
for ($count_in = 1; $count_in < $total_number; $count_in ++)
{
if ($user_array_in[$count_in][$compare_field] != $user_array_out[$count_out][$compare_field])
{
for ($count_in = 1; $count_in < $total_number; $count_in ++) {
if ($user_array_in[$count_in][$compare_field] != $user_array_out[$count_out][$compare_field]) {
$count_out ++;
$user_array_out[$count_out] = $user_array_in[$count_in];
}
@ -1420,12 +1426,9 @@ class GroupManager {
* Filters from the array $user_array_in the users already in the group $group_id.
*/
public static function filter_users_already_in_group ($user_array_in, $group_id) {
foreach ($user_array_in as $this_user)
{
if (!self :: is_subscribed($this_user['user_id'], $group_id))
{
$user_array_out[] = $this_user;
foreach ($user_array_in as $this_user) {
if (!self :: is_subscribed($this_user['user_id'], $group_id)) {
$user_array_out[] = $this_user;
}
}
return $user_array_out;
@ -1460,9 +1463,8 @@ class GroupManager {
* @return bool True if the given user has access to the given tool in the
* given course.
*/
public static function user_has_access ($user_id, $group_id, $tool) {
switch ($tool)
{
public static function user_has_access($user_id, $group_id, $tool) {
switch ($tool) {
case GROUP_TOOL_FORUM :
$state_key = 'forum_state';
break;
@ -1487,26 +1489,38 @@ class GroupManager {
default:
return false;
}
$group = self :: get_group_properties($group_id);
if ($group[$state_key] == TOOL_NOT_AVAILABLE)
{
$user_is_in_group = self :: is_user_in_group($user_id, $group_id);
//Check group properties
$group_info = self :: get_group_properties($group_id);
//Check group category if exists
$category_group_info = self::get_category_from_group($group_id);
if (!empty($category_group_info)) {
//if exists check the category group status first
if ($category_group_info[$state_key] == TOOL_NOT_AVAILABLE) {
return false;
} elseif($category_group_info[$state_key] == TOOL_PRIVATE && !$user_is_in_group) {
return false;
}
}
//is_user_in_group() is more complete that the is_subscribed() function
if ($group_info[$state_key] == TOOL_NOT_AVAILABLE) {
return false;
}
elseif ($group[$state_key] == TOOL_PUBLIC)
{
} elseif ($group_info[$state_key] == TOOL_PUBLIC) {
return true;
}
elseif (api_is_allowed_to_edit(false,true))
{
} elseif (api_is_allowed_to_edit(false,true)) {
return true;
}
elseif($group['tutor_id'] == $user_id)
{
return true;
}
else
{
return self :: is_subscribed($user_id, $group_id);
} elseif($group_info['tutor_id'] == $user_id) { //this tutor implementation was dropped
return true;
} elseif($group_info[$state_key] == TOOL_PRIVATE && !$user_is_in_group) {
return false;
} else {
return $user_is_in_group;
}
}
/**
@ -1599,4 +1613,4 @@ class GroupManager {
//now sort by # of group left
$complete_user_list = TableSort :: sort_table($complete_user_list, 'number_groups_left', SORT_DESC);
return $complete_user_list; }
}
}
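Review bot: In the rewritten `user_has_access()`, a TOOL_PRIVATE group category denies a non-member at `elseif($category_group_info[$state_key] == TOOL_PRIVATE && !$user_is_in_group)` before the `api_is_allowed_to_edit(false,true)` branch is reached, whereas the group-level TOOL_PRIVATE check sits after that branch, so a course manager passes a private group but fails a private category; evaluate the manager branch once, directly after the two TOOL_NOT_AVAILABLE checks, so both levels agree (rewrite below). `$group_info` is read without the `empty()` guard this commit adds to `get_category()` and `get_category_from_group()`; an unknown `$group_id` should return false explicitly rather than depend on how an undefined `$group_info[$state_key]` compares with TOOL_NOT_AVAILABLE. The comment `//this tutor implementation was dropped` on a branch that still grants access is misleading — either remove the branch or document why `tutor_id` is still honoured. Whether `$group_id` is escaped before it reaches `g.id= $group_id LIMIT 1` in `get_category_from_group()` is not visible in that hunk; if it is not, `$group_id = intval($group_id);` belongs next to the new `empty()` guard.
```php
    public static function user_has_access($user_id, $group_id, $tool) {
        // … unchanged: switch ($tool) mapping to $state_key …
        $group_info = self :: get_group_properties($group_id);
        if (empty($group_info)) {
            return false; // unknown group: fail closed instead of reading undefined keys
        }
        $user_is_in_group = self :: is_user_in_group($user_id, $group_id);
        $category_group_info = self::get_category_from_group($group_id);
        $has_category = !empty($category_group_info);
        // "not available" at either level wins over everything, course managers included
        if ($has_category && $category_group_info[$state_key] == TOOL_NOT_AVAILABLE) {
            return false;
        }
        if ($group_info[$state_key] == TOOL_NOT_AVAILABLE) {
            return false;
        }
        // course managers are exempt from the private/membership rules at both levels
        if (api_is_allowed_to_edit(false, true)) {
            return true;
        }
        if ($has_category && $category_group_info[$state_key] == TOOL_PRIVATE && !$user_is_in_group) {
            return false;
        }
        if ($group_info[$state_key] == TOOL_PUBLIC) {
            return true;
        }
        if ($group_info['tutor_id'] == $user_id) { // legacy tutor field, still honoured
            return true;
        }
        if ($group_info[$state_key] == TOOL_PRIVATE && !$user_is_in_group) {
            return false;
        }
        return $user_is_in_group;
    }
```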