diff --git a/main/forum/forumfunction.inc.php b/main/forum/forumfunction.inc.php index b7482748c2..7a134080b9 100644 --- a/main/forum/forumfunction.inc.php +++ b/main/forum/forumfunction.inc.php @@ -1103,7 +1103,7 @@ function get_forum_categories($id = '') { $condition_session .= "AND forum_categories.c_id = $course_id "; if ($id == '') { - $sql = "SELECT * FROM".$table_categories." forum_categories, ".$table_item_property." item_properties + $sql = "SELECT * FROM".$table_categories." forum_categories, ".$table_item_property." item_properties WHERE forum_categories.cat_id=item_properties.ref AND item_properties.visibility=1 AND item_properties.tool='".TOOL_FORUM_CATEGORY."' $condition_session @@ -1193,8 +1193,7 @@ function get_forums($id='', $course_code = '') { $table_posts = Database :: get_course_table(TABLE_FORUM_POST); $table_item_property = Database :: get_course_table(TABLE_ITEM_PROPERTY); - - // GETTING ALL THE FORUMS // + // GETTING ALL THE FORUMS // Condition for the session $session_id = api_get_session_id(); 
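Review bot: `"SELECT * FROM".$table_categories` in the get_forum_categories hunk glues FROM directly onto the table name, so the statement only parses if get_course_table() happens to return a name that begins with a quoting character; the commit touches this line but keeps the missing space. A space after FROM, `$sql = "SELECT * FROM ".$table_categories." forum_categories, ".$table_item_property." item_properties`, removes the dependency on that helper's output format. get_forum_categories begins before this hunk; the -1193 hunk in the same file changes only comment whitespace.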
@@ -1713,11 +1712,11 @@ function get_thread_users_qualify($thread_id, $course_id = null) { * @version octubre 2008, dokeos 1.8 */ function get_thread_users_not_qualify($thread_id, $course_id = null) { - $t_posts = Database :: get_course_table(TABLE_FORUM_POST); - $t_qualify = Database :: get_course_table(TABLE_FORUM_THREAD_QUALIFY); - $t_users = Database :: get_main_table(TABLE_MAIN_USER); - $t_course_user = Database :: get_main_table(TABLE_MAIN_COURSE_USER); - $t_session_rel_user = Database :: get_main_table(TABLE_MAIN_SESSION_COURSE_USER); + $t_posts = Database :: get_course_table(TABLE_FORUM_POST); + $t_qualify = Database :: get_course_table(TABLE_FORUM_THREAD_QUALIFY); + $t_users = Database :: get_main_table(TABLE_MAIN_USER); + $t_course_user = Database :: get_main_table(TABLE_MAIN_COURSE_USER); + $t_session_rel_user = Database :: get_main_table(TABLE_MAIN_SESSION_COURSE_USER); $is_western_name_order = api_is_western_name_order(); if ($is_western_name_order) { @@ -1730,9 +1729,7 @@ function get_thread_users_not_qualify($thread_id, $course_id = null) { $course_id = api_get_course_int_id(); } else { $course_id = intval($course_id); - } - - + } $sql1 = "select user_id FROM $t_qualify WHERE thread_id = '".$thread_id."'"; $result1 = Database::query($sql1); @@ -1796,7 +1793,6 @@ function get_forum_information($forum_id) { item_properties.ref = '".Database::escape_string($forum_id)."' AND forums.forum_id = '".Database::escape_string($forum_id)."' AND forums.c_id = ".api_get_course_int_id()." - "; $result = Database::query($sql); diff --git a/main/forum/index.php b/main/forum/index.php index 13b8ff4f58..1c8b940d73 100644 --- a/main/forum/index.php +++ b/main/forum/index.php 
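Review bot: In the second get_thread_users_not_qualify hunk, `$sql1 = "select user_id FROM $t_qualify WHERE thread_id = '".$thread_id."'"` interpolates `$thread_id` without escaping or casting, while `$course_id` two lines above it goes through intval(); the hunk reflows that block without closing the gap. Normalising the id the same way, `$thread_id = intval($thread_id);` before `$sql1` is built, keeps the query safe and matches the function's own style. The function starts in the previous hunk and the lines between the two hunks are not shown, so if `$thread_id` is already cast there this can be dropped.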
@@ -148,11 +148,13 @@ $forum_categories_list = get_forum_categories(); $forum_list = array(); $forum_list = get_forums(); +$user_id = api_get_user_id(); + /* RETRIEVING ALL GROUPS AND THOSE OF THE USER */ // The groups of the user. $groups_of_user = array(); -$groups_of_user = GroupManager::get_group_ids($_course['real_id'], $_user['user_id']); +$groups_of_user = GroupManager::get_group_ids($_course['real_id'], $user_id); // All groups in the course (and sorting them as the id of the group = the key of the array). if (!api_is_anonymous()) { $all_groups = GroupManager::get_group_list(); @@ -200,7 +202,7 @@ if (is_array($forum_categories_list)) { // The forums in this category. $forums_in_category = get_forums_in_category($forum_category['cat_id']); - + echo ''; // Validacion when belongs to a session. @@ -262,8 +264,8 @@ if (is_array($forum_categories_list)) { } // Note: This can be speeded up if we transform the $forum_list to an array that uses the forum_category as the key. - if ($forum['forum_category'] == $forum_category['cat_id']) { - // The forum has to be showed if + if ($forum['forum_category'] == $forum_category['cat_id']) { + // The forum has to be showed if // 1.v it is a not a group forum (teacher and student) // 2.v it is a group forum and it is public (teacher and student) // 3. it is a group forum and it is private (always for teachers only if the user is member of the forum @@ -286,6 +288,9 @@ if (is_array($forum_categories_list)) { //echo '-gewoon forum'; $show_forum = true; } else { + $show_forum = GroupManager::user_has_access($user_id, $forum['forum_of_group'], GROUP_TOOL_FORUM); + //var_dump($forum['forum_id'].' - '.$show_forum); + /* // it is a group forum //echo '-groepsforum'; // it is a group forum but it is public => show @@ -305,7 +310,7 @@ if (is_array($forum_categories_list)) { } } else { $show_forum = false; - } + }*/ } } diff --git a/main/forum/newthread.php b/main/forum/newthread.php index 635462c6ba..cbad196ef8 100644 
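Review bot: The new `$show_forum = GroupManager::user_has_access($user_id, $forum['forum_of_group'], GROUP_TOOL_FORUM);` line in the -286 hunk is followed by a `//var_dump(...)` debug line and a `/* ... */` block that comments out the old group-forum logic up to the `}*/` in the -305 hunk, leaving around twenty lines of dead code inside the display loop. The previous logic is preserved in version control, so delete the commented block and the var_dump and let the access decision read as the single call it now is. Since the old block distinguished the public, private and tutor cases that are now delegated, a one-line pointer helps the next reader: `// public/private/tutor handling is decided by GroupManager::user_has_access()`. The enclosing foreach begins before these hunks.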
--- a/main/forum/newthread.php +++ b/main/forum/newthread.php @@ -91,6 +91,39 @@ if (!empty($_GET['gidReq'])) { api_session_register('toolgroup'); } + +/* Is the user allowed here? */ + +// The user is not allowed here if: +// 1. the forumcategory or forum is invisible (visibility==0) and the user is not a course manager +// 2. the forumcategory or forum is locked (locked <>0) and the user is not a course manager +// 3. new threads are not allowed and the user is not a course manager +// 4. anonymous posts are not allowed and the user is not logged in +// I have split this is several pieces for clarity. + +if (!api_is_allowed_to_edit(false, true) && (($current_forum_category['visibility'] == 0 || $current_forum['visibility'] == 0))) { + api_not_allowed(); +} +// 2. the forumcategory or forum is locked (locked <>0) and the user is not a course manager +if (!api_is_allowed_to_edit(false, true) AND ($current_forum_category['locked'] <> 0 OR $current_forum['locked'] <> 0)) { + api_not_allowed(); +} +// 3. new threads are not allowed and the user is not a course manager +if (!api_is_allowed_to_edit(false, true) AND $current_forum['allow_new_threads'] <> 1) { + api_not_allowed(); +} +// 4. anonymous posts are not allowed and the user is not logged in +if (!$_user['user_id'] AND $current_forum['allow_anonymous'] <> 1) { + api_not_allowed(); +} + +if ($current_forum['forum_of_group'] != 0) { + $show_forum = GroupManager::user_has_access(api_get_user_id(), $current_forum['forum_of_group'], GROUP_TOOL_FORUM); + if (!$show_forum) { + api_not_allowed(); + } +} + $session_toolgroup = 0; if ($origin == 'group') { $session_toolgroup = intval($_SESSION['toolgroup']); @@ -115,6 +148,8 @@ if (isset($_POST['add_resources']) AND $_POST['add_resources'] == get_lang('Reso header('Location: ../resourcelinker/resourcelinker.php'); } + + /* Header */ if ($origin == 'learnpath') { 
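Review bot: The relocated checks in the -91 hunk dereference `$current_forum_category['visibility']`, `$current_forum['visibility']`, `$current_forum['allow_new_threads']` and `$current_forum['forum_of_group']` without first confirming that a forum was found, whereas this same commit adds `if (empty($current_forum)) { api_not_allowed(); }` to viewforum.php. If get_forum_information() returns an empty result for an unknown forum, a non-editor is refused only because `null == 0` happens to be true, while a course manager passes checks 1–3, skips check 4 when logged in, and skips the group gate because `null != 0` is false. Adding the same guard ahead of the numbered checks, `if (empty($current_forum) || empty($current_forum_category)) { api_not_allowed(); }`, makes the denial explicit; the -68 hunk of reply.php has the same gap. Check 4 still reads `$_user['user_id']` while index.php in this commit switched to api_get_user_id(); where `$current_forum` is assigned is outside this hunk.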
@@ -123,44 +158,6 @@ if ($origin == 'learnpath') { Display :: display_header(null); //api_display_tool_title($nameTools); } - -/* Is the user allowed here? */ - -// The user is not allowed here if: -// 1. the forumcategory or forum is invisible (visibility==0) and the user is not a course manager -// 2. the forumcategory or forum is locked (locked <>0) and the user is not a course manager -// 3. new threads are not allowed and the user is not a course manager -// 4. anonymous posts are not allowed and the user is not logged in -// I have split this is several pieces for clarity. - -if (!api_is_allowed_to_edit(false, true) && (($current_forum_category['visibility'] == 0 || $current_forum['visibility'] == 0))) { - $forum_allow = forum_not_allowed_here(); - if ($forum_allow === false) { - exit; - } -} -// 2. the forumcategory or forum is locked (locked <>0) and the user is not a course manager -if (!api_is_allowed_to_edit(false, true) AND ($current_forum_category['locked'] <> 0 OR $current_forum['locked'] <> 0)) { - $forum_allow = forum_not_allowed_here(); - if ($forum_allow === false) { - exit; - } -} -// 3. new threads are not allowed and the user is not a course manager -if (!api_is_allowed_to_edit(false, true) AND $current_forum['allow_new_threads'] <> 1) { - $forum_allow = forum_not_allowed_here(); - if ($forum_allow === false) { - exit; - } -} -// 4. anonymous posts are not allowed and the user is not logged in -if (!$_user['user_id'] AND $current_forum['allow_anonymous'] <> 1) { - $forum_allow = forum_not_allowed_here(); - if ($forum_allow === false) { - exit; - } -} - /* Display forms / Feedback Messages */ handle_forum_and_forumcategories(); diff --git a/main/forum/reply.php b/main/forum/reply.php index 3b9a105d85..08fcade8c4 100644 --- a/main/forum/reply.php +++ b/main/forum/reply.php 
@@ -68,6 +68,32 @@ $current_thread = get_thread_information($_GET['thread']); // Note: This has to $current_forum = get_forum_information($current_thread['forum_id']); // Note: This has to be validated that it is an existing forum. $current_forum_category = get_forumcategory_information(Security::remove_XSS($current_forum['forum_category'])); +/* Is the user allowed here? */ +// The user is not allowed here if +// 1. the forumcategory, forum or thread is invisible (visibility==0 +// 2. the forumcategory, forum or thread is locked (locked <>0) +// 3. if anonymous posts are not allowed +// The only exception is the course manager +// I have split this is several pieces for clarity. +//if (!api_is_allowed_to_edit() AND (($current_forum_category['visibility'] == 0 OR $current_forum['visibility'] == 0) OR ($current_forum_category['locked'] <> 0 OR $current_forum['locked'] <> 0 OR $current_thread['locked'] <> 0))) { +if (!api_is_allowed_to_edit(false, true) AND (($current_forum_category['visibility'] == 0 OR $current_forum['visibility'] == 0))) { + api_not_allowed(); +} +if (!api_is_allowed_to_edit(false, true) AND ($current_forum_category['locked'] <> 0 OR $current_forum['locked'] <> 0 OR $current_thread['locked'] <> 0)) { + api_not_allowed(); +} +if (!$_user['user_id'] AND $current_forum['allow_anonymous'] == 0) { + api_not_allowed(); +} + +if ($current_forum['forum_of_group'] != 0) { + $show_forum = GroupManager::user_has_access(api_get_user_id(), $current_forum['forum_of_group'], GROUP_TOOL_FORUM); + if (!$show_forum) { + api_not_allowed(); + } +} + + /* Breadcrumbs */ if (isset($_SESSION['gradebook'])){ @@ -107,6 +133,8 @@ if (isset($_POST['add_resources']) AND $_POST['add_resources'] == get_lang('Reso exit; } + + /* Header */ if ($origin == 'learnpath') { 
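Review bot: The comment block added at the top of the -68 hunk says a user is refused when "the forumcategory, forum or thread is invisible", but the first condition tests only `$current_forum_category['visibility']` and `$current_forum['visibility']`; the thread's own visibility is never consulted, while the second condition does include `$current_thread['locked']`. Either extend the visibility check to the thread's visibility field or correct the comment so it describes what the code enforces. The commented-out `//if (!api_is_allowed_to_edit() AND ...` line carried over from the old block should be dropped at the same time. The anonymous-post test here is `$current_forum['allow_anonymous'] == 0` while newthread.php uses `<> 1`; if allow_anonymous is strictly 0/1 they agree, otherwise one form should be chosen.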
@@ -117,33 +145,6 @@ if ($origin == 'learnpath') { Display :: display_header(''); } -/* Is the user allowed here? */ -// The user is not allowed here if -// 1. the forumcategory, forum or thread is invisible (visibility==0 -// 2. the forumcategory, forum or thread is locked (locked <>0) -// 3. if anonymous posts are not allowed -// The only exception is the course manager -// I have split this is several pieces for clarity. -//if (!api_is_allowed_to_edit() AND (($current_forum_category['visibility'] == 0 OR $current_forum['visibility'] == 0) OR ($current_forum_category['locked'] <> 0 OR $current_forum['locked'] <> 0 OR $current_thread['locked'] <> 0))) { -if (!api_is_allowed_to_edit(false, true) AND (($current_forum_category['visibility'] == 0 OR $current_forum['visibility'] == 0))) { - $forum_allow = forum_not_allowed_here(); - if ($forum_allow === false) { - exit; - } -} -if (!api_is_allowed_to_edit(false, true) AND ($current_forum_category['locked'] <> 0 OR $current_forum['locked'] <> 0 OR $current_thread['locked'] <> 0)) { - $forum_allow = forum_not_allowed_here(); - if ($forum_allow === false) { - exit; - } -} -if (!$_user['user_id'] AND $current_forum['allow_anonymous'] == 0) { - $forum_allow = forum_not_allowed_here(); - if ($forum_allow === false) { - exit; - } -} - /* Action links */ if ($origin != 'learnpath') { diff --git a/main/forum/viewforum.php b/main/forum/viewforum.php index 6523ed9e01..4868fbe072 100644 --- a/main/forum/viewforum.php +++ b/main/forum/viewforum.php 
@@ -63,20 +63,49 @@ $userinf = api_get_user_info($userid); // but the problem is that the visibility of the forum AND forum cateogory are stored in the item_property table. //$my_forum_group = isset($_GET['gidReq']) ? $_GET['gidReq'] : ''; + $group_id = api_get_group_id(); + $my_forum = isset($_GET['forum']) ? $_GET['forum'] : ''; -$val = GroupManager::user_has_access($userid, $group_id, GROUP_TOOL_FORUM); -if (!empty($group_id)) { - if (api_is_allowed_to_edit(false, true) || $val || GroupManager::is_tutor_of_group(api_get_user_id(), $group_id)) { - $current_forum = get_forum_information($my_forum); // Note: This has to be validated that it is an existing forum. - $current_forum_category = get_forumcategory_information($current_forum['forum_category']); +$current_forum = get_forum_information($my_forum); // Note: This has to be validated that it is an existing forum. + +if (empty($current_forum)) { + api_not_allowed(); +} + +$current_forum_category = get_forumcategory_information($current_forum['forum_category']); + +if ($group_id) { + //Group info & group category info + $group_properties = GroupManager::get_group_properties($group_id); + //$group_cat_info = GroupManager::get_category(GroupManager::get_category_from_group($group_id)); + + //User has access in the group? + $user_has_access_in_group = GroupManager::user_has_access($userid, $group_id, GROUP_TOOL_FORUM); + + + //User is a tutor in the group? 
the function GroupManager::user_has_access already contains the is_tutor_of_group() + //$is_tutor_group = GroupManager::is_tutor_of_group($userid, $group_id); + // + // the function GroupManager::user_has_access already contains the is_tutor_of_group() + //$is_my_forum = GroupManager::is_user_in_group($userid, $group_id); + + //$group_cat_forum_visibility = $group_cat_info['forum_state']; + //$group_forum_visibility = $group_properties['forum_state']; + + //Course + if (!api_is_allowed_to_edit(false, true) AND //is a student + ($current_forum_category['visibility'] == 0 OR $current_forum['visibility'] == 0 OR !$user_has_access_in_group) + ) { + api_not_allowed(); } } else { - $result = get_forum_information($my_forum); - if ($result['forum_of_group'] == 0) { - $current_forum = get_forum_information($my_forum); // Note: This has to be validated that it is an existing forum. - $current_forum_category = get_forumcategory_information($current_forum['forum_category']); + //Course + if (!api_is_allowed_to_edit(false, true) AND //is a student + ($current_forum_category['visibility'] == 0 OR $current_forum['visibility'] == 0) //forum category or forum visibility is false + ) { + api_not_allowed(); } } @@ -103,7 +132,7 @@ if (!empty($_GET['gidReq'])) { if ($origin == 'group') { $_clean['toolgroup'] = (int)$_SESSION['toolgroup']; - $group_properties = GroupManager :: get_group_properties($_clean['toolgroup']); + $interbreadcrumb[] = array('url' => '../group/group.php', 'name' => get_lang('Groups')); $interbreadcrumb[] = array('url'=>'../group/group_space.php?gidReq='.$_SESSION['toolgroup'], 'name'=> get_lang('GroupSpace').' '.$group_properties['name']); $interbreadcrumb[] = array('url' => '#', 'name' => get_lang('Forum').' '.Security::remove_XSS($current_forum['forum_title'])); 
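Review bot: `$group_properties` is now assigned only inside the `if ($group_id)` branch of the -63 hunk, yet the -103 hunk removes the `$group_properties = GroupManager :: get_group_properties($_clean['toolgroup']);` line that fed the breadcrumb `$group_properties['name']` in the `$origin == 'group'` branch. Whether that branch can run while `api_get_group_id()` returns an empty value is not visible here; if it can, the breadcrumb reads an undefined variable. A local fallback keeps the breadcrumb independent of the access block: `if (!isset($group_properties)) { $group_properties = GroupManager::get_group_properties($_clean['toolgroup']); }`. The new group branch also carries several commented-out assignments (`//$group_cat_info`, `//$is_tutor_group`, `//$is_my_forum`, ...) that should be removed; the access decision itself — editors pass, students need a visible category and forum plus `$user_has_access_in_group` — is clear as written.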
@@ -237,16 +266,6 @@ if ($my_action == 'liststd' AND isset($_GET['content']) AND isset($_GET['id']) A } } - -/* Is the user allowed here? */ - -// If the user is not a course administrator and the forum is hidden -// then the user is not allowed here. - -if (!api_is_allowed_to_edit(false, true) AND ($current_forum_category['visibility'] == 0 OR $current_forum['visibility'] == 0)) { - api_not_allowed(); -} - if ($origin == 'learnpath') { echo '
 
'; } diff --git a/main/inc/lib/groupmanager.lib.php b/main/inc/lib/groupmanager.lib.php index 7761d3badd..a30ac8e8a9 100644 --- a/main/inc/lib/groupmanager.lib.php +++ b/main/inc/lib/groupmanager.lib.php @@ -550,17 +550,19 @@ class GroupManager { * @param string $course_code The course (default = current course) */ public static function get_category ($id, $course_code = null) { + if (empty($id)) { + return array(); + } $course_info = api_get_course_info($course_code); - $course_id = $course_info['real_id']; - - $id = Database::escape_string($id); + $course_id = $course_info['real_id']; + $id = Database::escape_string($id); $table_group_cat = Database :: get_course_table(TABLE_GROUP_CATEGORY); - $sql = "SELECT * FROM $table_group_cat WHERE c_id = $course_id AND id = $id"; + $sql = "SELECT * FROM $table_group_cat WHERE c_id = $course_id AND id = $id LIMIT 1"; $res = Database::query($sql); return Database::fetch_array($res); } /** - * Get the category of a given group + * Get the unique category of a given group * @param int $group_id The id of the group * @param string $course_code The course in which the group is (default = * current course) @@ -569,6 +571,10 @@ class GroupManager { public static function get_category_from_group ($group_id, $course_code = null) { $table_group = Database :: get_course_table(TABLE_GROUP); $table_group_cat = Database :: get_course_table(TABLE_GROUP_CATEGORY); + + if (empty($group_id)) { + return array(); + } $course_info = api_get_course_info($course_code); $course_id = $course_info['real_id']; @@ -577,9 +583,12 @@ class GroupManager { $sql = "SELECT gc.* FROM $table_group_cat gc, $table_group g WHERE gc.c_id = $course_id AND g.c_id = $course_id AND - gc.id = g.category_id AND g.id=$group_id"; + gc.id = g.category_id AND g.id= $group_id LIMIT 1"; $res = Database::query($sql); - $cat = Database::fetch_array($res); + $cat = array(); + if (Database::num_rows($res)) { + $cat = Database::fetch_array($res); + } return $cat; } /** 
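Review bot: In get_category (the -550 hunk) `$id = Database::escape_string($id);` is followed by `... AND id = $id LIMIT 1`, where `$id` is interpolated without quotes; escape_string only neutralises characters that would terminate a quoted literal, which gives no protection in a bare numeric position. The new `empty($id)` guard already treats the id as a number, so cast it instead, `$id = intval($id);`; the same applies to `g.id= $group_id LIMIT 1` in the -577 hunk unless `$group_id` is cast in the lines between the -569 and -577 hunks, which are not shown. The new no-row handling in get_category_from_group returns `array()`, while get_category still returns whatever fetch_array yields when there is no row; returning `array()` from both keeps the `!empty(...)` checks in user_has_access uniform.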
@@ -1008,7 +1017,7 @@ class GroupManager { $category['groups_per_user'] = INFINITE; } $result &= (self :: user_in_number_of_groups($user_id, $category['id']) < $category['groups_per_user']); - $result &= !self :: is_tutor($user_id); + $result &= !self :: is_tutor_of_group($user_id, $group_id); return $result; } /** @@ -1199,6 +1208,7 @@ class GroupManager { * @param $user_id the id of the user * @param $group_id the id of the group * @return boolean true/false + * @todo use the function user_has_access that includes this function * @author Patrick Cool , Ghent University */ public static function is_tutor_of_group ($user_id,$group_id) { @@ -1245,7 +1255,7 @@ class GroupManager { * tutors in the current course. * @deprecated this function uses the old tutor implementation */ - public static function get_all_tutors () { + public static function get_all_tutors() { global $_course; $course_user_table = Database :: get_main_table(TABLE_MAIN_COURSE_USER); $user_table = Database :: get_main_table(TABLE_MAIN_USER); @@ -1320,9 +1330,7 @@ class GroupManager { return $groups; } /* - Group functions - these take virtual/linked courses into account when necessary - ----------------------------------------------------------- + Group functions - these take virtual/linked courses into account when necessary */ /** * Get a combined list of all users of the real course $course_code @@ -1406,10 +1414,8 @@ class GroupManager { $total_number = count($user_array_in); $user_array_out[0] = $user_array_in[0]; $count_out = 0; - for ($count_in = 1; $count_in < $total_number; $count_in ++) - { - if ($user_array_in[$count_in][$compare_field] != $user_array_out[$count_out][$compare_field]) - { + for ($count_in = 1; $count_in < $total_number; $count_in ++) { + if ($user_array_in[$count_in][$compare_field] != $user_array_out[$count_out][$compare_field]) { $count_out ++; $user_array_out[$count_out] = $user_array_in[$count_in]; } 
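Review bot: The -1008 hunk swaps `self :: is_tutor($user_id)` for `self :: is_tutor_of_group($user_id, $group_id)`, but the enclosing function starts before the hunk, so it is not visible here whether `$group_id` is a parameter or local of that function; if it is not in scope the call runs with a null group and the tutor condition silently degrades. Worth confirming, and if the function only has `$category` at hand the check needs the group actually being evaluated. The other hunks on this line are docblock, brace and whitespace changes and need nothing.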
@@ -1420,12 +1426,9 @@ class GroupManager { * Filters from the array $user_array_in the users already in the group $group_id. */ public static function filter_users_already_in_group ($user_array_in, $group_id) { - - foreach ($user_array_in as $this_user) - { - if (!self :: is_subscribed($this_user['user_id'], $group_id)) - { - $user_array_out[] = $this_user; + foreach ($user_array_in as $this_user) { + if (!self :: is_subscribed($this_user['user_id'], $group_id)) { + $user_array_out[] = $this_user; } } return $user_array_out; @@ -1460,9 +1463,8 @@ class GroupManager { * @return bool True if the given user has access to the given tool in the * given course. */ - public static function user_has_access ($user_id, $group_id, $tool) { - switch ($tool) - { + public static function user_has_access($user_id, $group_id, $tool) { + switch ($tool) { case GROUP_TOOL_FORUM : $state_key = 'forum_state'; break; 
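Review bot: filter_users_already_in_group in the -1420 hunk never initialises `$user_array_out`, so when every entry of `$user_array_in` is already subscribed (or the input is empty) the function returns null instead of an empty array, and a caller that iterates the result gets a warning rather than an empty list. Add `$user_array_out = array();` before the foreach. The brace-only change to the user_has_access signature in the -1460 hunk needs nothing; its body is reviewed in the following hunk.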
@@ -1487,26 +1489,38 @@ class GroupManager { default: return false; } - $group = self :: get_group_properties($group_id); - if ($group[$state_key] == TOOL_NOT_AVAILABLE) - { + + $user_is_in_group = self :: is_user_in_group($user_id, $group_id); + + //Check group properties + $group_info = self :: get_group_properties($group_id); + + //Check group category if exists + $category_group_info = self::get_category_from_group($group_id); + + if (!empty($category_group_info)) { + //if exists check the category group status first + if ($category_group_info[$state_key] == TOOL_NOT_AVAILABLE) { + return false; + } elseif($category_group_info[$state_key] == TOOL_PRIVATE && !$user_is_in_group) { + return false; + } + } + + //is_user_in_group() is more complete that the is_subscribed() function + + if ($group_info[$state_key] == TOOL_NOT_AVAILABLE) { return false; - } - elseif ($group[$state_key] == TOOL_PUBLIC) - { + } elseif ($group_info[$state_key] == TOOL_PUBLIC) { return true; - } - elseif (api_is_allowed_to_edit(false,true)) - { + } elseif (api_is_allowed_to_edit(false,true)) { return true; - } - elseif($group['tutor_id'] == $user_id) - { - return true; - } - else - { - return self :: is_subscribed($user_id, $group_id); + } elseif($group_info['tutor_id'] == $user_id) { //this tutor implementation was dropped + return true; + } elseif($group_info[$state_key] == TOOL_PRIVATE && !$user_is_in_group) { + return false; + } else { + return $user_is_in_group; } } /** @@ -1599,4 +1613,4 @@ class GroupManager { //now sort by # of group left $complete_user_list = TableSort :: sort_table($complete_user_list, 'number_groups_left', SORT_DESC); return $complete_user_list; } -} +} \ No newline at end of file
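Review bot: The rewritten user_has_access body reads `$group_info[$state_key]` and `$group_info['tutor_id']` without checking that get_group_properties() returned anything, even though this commit adds `empty()` guards to get_category and get_category_from_group; for an unknown group the result then depends on how `null == TOOL_NOT_AVAILABLE` evaluates. A guard after the lookup, `if (empty($group_info)) { return false; }`, makes denial the explicit default. The category check also runs before the `api_is_allowed_to_edit(false,true)` branch, so a course manager is refused when the category marks the tool unavailable but not when the group does — if that asymmetry is intended, say so in the `//Check group category if exists` comment. The `$group_info['tutor_id'] == $user_id` branch is annotated on the same line as dropped and could be removed rather than kept.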