From d64a02c156c7adf3983807be860a7848311dbfb3 Mon Sep 17 00:00:00 2001
From: Imanol Losada <imanol.losada@gmail.com>
Date: Wed, 15 Oct 2014 10:29:33 -0500
Subject: [PATCH 1/6] Fix SQL injection threats and replace SESSION variable
 with api_get_user_id - refs #7272

---
 plugin/buycourses/src/buy_course.lib.php   | 57 ++++++++++++++--------
 plugin/buycourses/src/index.buycourses.php |  4 +-
 plugin/buycourses/view/index.tpl           |  2 +-
 plugin/buycourses/view/process.tpl         |  4 +-
 4 files changed, 41 insertions(+), 26 deletions(-)

diff --git a/plugin/buycourses/src/buy_course.lib.php b/plugin/buycourses/src/buy_course.lib.php
index f5d380947c..642ce4a0d0 100644
--- a/plugin/buycourses/src/buy_course.lib.php
+++ b/plugin/buycourses/src/buy_course.lib.php
@@ -136,7 +136,8 @@ function listCourses()
 }
 
 /**
- *
+ * Lists current user session details, including each session course details
+ * @return array Sessions details list
  */
 function userSessionList()
 {
@@ -148,6 +149,7 @@ function userSessionList()
     $tableCourse = Database::get_main_table(TABLE_MAIN_COURSE);
     $tableSessionRelUser = Database::get_main_table(TABLE_MAIN_SESSION_USER);
     $tableBuySessionTemporal = Database::get_main_table(TABLE_BUY_SESSION_TEMPORARY);
+    $currentUserId = api_get_user_id();
 
     // get existing sessions
     $sql = "SELECT a.session_id, a.visible, a.price, b.*
@@ -192,17 +194,17 @@ function userSessionList()
             }
         }
         //check if the user is enrolled in the current session
-        if (isset($_SESSION['_user']) || $_SESSION['_user']['user_id'] != '') {
+        if ($currentUserId > 0) {
             $sql = "SELECT 1 FROM $tableSessionRelUser
                 WHERE id_session='".$rowSession['session_id']."' AND
-                id_user ='" . $_SESSION['_user']['user_id'] . "';";
+                id_user ='" . $currentUserId . "';";
             Database::query($sql);
             if (Database::affected_rows() > 0) {
                 $rowSession['enrolled'] = "YES";
             } else {
                 $sql = "SELECT 1 FROM $tableBuySessionTemporal
                     WHERE session_id ='".$rowSession['session_id']."' AND
-                    user_id='" . $_SESSION['_user']['user_id'] . "';";
+                    user_id='" . $currentUserId . "';";
                 Database::query($sql);
                 if (Database::affected_rows() > 0) {
                     $rowSession['enrolled'] = "TMP";
@@ -213,7 +215,7 @@ function userSessionList()
         } else {
             $sql = "SELECT 1 FROM $tableBuySessionTemporal
                 WHERE session_id ='".$rowSession['session_id']."' AND
-                user_id='" . $_SESSION['_user']['user_id'] . "';";
+                user_id='" . $currentUserId . "';";
             Database::query($sql);
             if (Database::affected_rows() > 0) {
                 $rowSession['enrolled'] = "TMP";
@@ -230,7 +232,8 @@ function userSessionList()
 }
 
 /**
- *
+ * Lists current user course details
+ * @return array Course details list
  */
 function userCourseList()
 {
@@ -238,6 +241,7 @@ function userCourseList()
     $tableCourse = Database::get_main_table(TABLE_MAIN_COURSE);
     $tableCourseRelUser = Database::get_main_table(TABLE_MAIN_COURSE_USER);
     $tableBuyCourseTemporal = Database::get_main_table(TABLE_BUY_COURSE_TEMPORAL);
+    $currentUserId = api_get_user_id();
 
     $sql = "SELECT a.course_id, a.visible, a.price, b.*
         FROM $tableBuyCourse a, $tableCourse b
@@ -255,17 +259,17 @@ function userCourseList()
         $rowTmp = Database::fetch_assoc($tmp);
         $row['teacher'] = $rowTmp['firstname'] . ' ' . $rowTmp['lastname'];
         //check if the user is enrolled
-        if (isset($_SESSION['_user']) || $_SESSION['_user']['user_id'] != '') {
+        if ($currentUserId > 0) {
             $sql = "SELECT 1 FROM $tableCourseRelUser
                 WHERE course_code='" . $row['code'] . "'
-                AND user_id='" . $_SESSION['_user']['user_id'] . "';";
+                AND user_id='" . $currentUserId . "';";
             Database::query($sql);
             if (Database::affected_rows() > 0) {
                 $row['enrolled'] = "YES";
             } else {
                 $sql = "SELECT 1 FROM $tableBuyCourseTemporal
                     WHERE course_code='" . $row['code'] . "'
-                    AND user_id='" . $_SESSION['_user']['user_id'] . "';";
+                    AND user_id='" . $currentUserId . "';";
                 Database::query($sql);
                 if (Database::affected_rows() > 0) {
                     $row['enrolled'] = "TMP";
@@ -276,7 +280,7 @@ function userCourseList()
         } else {
             $sql = "SELECT 1 FROM $tableBuyCourseTemporal
                 WHERE course_code='" . $row['code'] . "'
-                AND user_id='" . $_SESSION['_user']['user_id'] . "';";
+                AND user_id='" . $currentUserId . "';";
             Database::query($sql);
             if (Database::affected_rows() > 0) {
                 $row['enrolled'] = "TMP";
@@ -297,11 +301,15 @@ function userCourseList()
 }
 
 /**
- *
+ * Checks if a session or a course is already bought
+ * @param string Session id or course code
+ * @param int User id
+ * @param string What has to be checked
+ * @return boolean True if it is already bought, and false otherwise
  */
 function checkUserBuy($parameter, $user, $type = 'COURSE')
 {
-    $sql = "SELECT 1 FROM %s WHERE %s ='" . $parameter . "' AND id_user='" . $user . "';";
+    $sql = "SELECT 1 FROM %s WHERE %s ='" . Database::escape_string($parameter) . "' AND id_user='" . intval($user) . "';";
     $sql = $type === 'SESSION' ?
         sprintf($sql, Database::get_main_table(TABLE_MAIN_SESSION_USER), 'id_session') :
         sprintf($sql, Database::get_main_table(TABLE_MAIN_COURSE_USER), 'course_code');
@@ -314,11 +322,15 @@ function checkUserBuy($parameter, $user, $type = 'COURSE')
 }
 
 /**
- *
+ * Checks if a session or a course has already a transfer
+ * @param string Session id or course code
+ * @param int User id
+ * @param string What has to be checked
+ * @return boolean True if it has already a transfer, and false otherwise
  */
 function checkUserBuyTransfer($parameter, $user, $type = 'COURSE')
 {
-    $sql = "SELECT 1 FROM %s WHERE %s ='" . $parameter . "' AND id_user='" . $user . "';";
+    $sql = "SELECT 1 FROM %s WHERE %s ='" . Database::escape_string($parameter) . "' AND id_user='" . intval($user) . "';";
     $sql = $type === 'SESSION' ?
         sprintf($sql, Database::get_main_table(TABLE_BUY_SESSION_TEMPORARY), 'session_id') :
         sprintf($sql, Database::get_main_table(TABLE_BUY_COURSE_TEMPORAL), 'course_code');
@@ -331,7 +343,8 @@ function checkUserBuyTransfer($parameter, $user, $type = 'COURSE')
 }
 
 /**
- *
+ * Returns an array with all the categories
+ * @return array All the categories
  */
 function listCategories()
 {
@@ -462,6 +475,7 @@ function sessionInfo($code)
     $tableCourse = Database::get_main_table(TABLE_MAIN_COURSE);
     $tableSessionRelUser = Database::get_main_table(TABLE_MAIN_SESSION_USER);
     $tableBuySessionTemporal = Database::get_main_table(TABLE_BUY_SESSION_TEMPORARY);
+    $currentUserId = api_get_user_id();
 
     $code = Database::escape_string($code);
     $sql = "SELECT a.session_id, a.visible, a.price, b.*
@@ -505,15 +519,15 @@ function sessionInfo($code)
         }
     }
     //check if the user is enrolled in the current session
-    if (isset($_SESSION['_user']) || $_SESSION['_user']['user_id'] != '') {
+    if ($currentUserId > 0) {
         $sql = "SELECT 1 FROM $tableSessionRelUser
-            WHERE user_id='".$_SESSION['_user']['user_id']."';";
+            WHERE user_id='".$currentUserId."';";
         Database::query($sql);
         if (Database::affected_rows() > 0) {
             $rowSession['enrolled'] = "YES";
         } else {
             $sql = "SELECT 1 FROM $tableBuySessionTemporal
-                WHERE user_id='".$_SESSION['_user']['user_id']."';";
+                WHERE user_id='".$currentUserId."';";
             Database::query($sql);
             if (Database::affected_rows() > 0) {
                 $rowSession['enrolled'] = "TMP";
@@ -523,7 +537,7 @@ function sessionInfo($code)
         }
     } else {
         $sql = "SELECT 1 FROM $tableBuySessionTemporal
-            WHERE user_id='".$_SESSION['_user']['user_id']."';";
+            WHERE user_id='".$currentUserId."';";
         Database::query($sql);
         if (Database::affected_rows() > 0) {
             $rowSession['enrolled'] = "TMP";
@@ -546,6 +560,7 @@ function courseInfo($code)
     $tableBuyCourse = Database::get_main_table(TABLE_BUY_COURSE);
     $tableCourseRelUser = Database::get_main_table(TABLE_MAIN_COURSE_USER);
     $tableUser = Database::get_main_table(TABLE_MAIN_USER);
+    $currentUserId = api_get_user_id();
     $code = Database::escape_string($code);
     $sql = "SELECT a.course_id, a.visible, a.price, b.*
         FROM $tableBuyCourse a, course b
@@ -564,10 +579,10 @@ function courseInfo($code)
     $rowTmp = Database::fetch_assoc($tmp);
     $row['teacher'] = $rowTmp['firstname'] . ' ' . $rowTmp['lastname'];
     //Check if student is enrolled
-    if (isset($_SESSION['_user']) || $_SESSION['_user']['user_id'] != '') {
+    if ($currentUserId > 0) {
         $sql = "SELECT 1 FROM $tableCourseRelUser
             WHERE course_code='" . $row['code'] . "'
-            AND user_id='" . $_SESSION['_user']['user_id'] . "';";
+            AND user_id='" . $currentUserId . "';";
         Database::query($sql);
         if (Database::affected_rows() > 0) {
             $row['enrolled'] = "YES";
diff --git a/plugin/buycourses/src/index.buycourses.php b/plugin/buycourses/src/index.buycourses.php
index 3fd88c431c..606652ce8e 100644
--- a/plugin/buycourses/src/index.buycourses.php
+++ b/plugin/buycourses/src/index.buycourses.php
@@ -25,7 +25,7 @@ if ($guess_enable == "true" || isset($_SESSION['_user'])) {
     $tpl->assign('OrdersPendingOfPayment', $plugin->get_lang('OrdersPendingOfPayment'));
     $listing_tpl = 'buycourses/view/index.tpl';
     $content = $tpl->fetch($listing_tpl);
-    $tpl->assign('content', $content);    
+    $tpl->assign('content', $content);
     $tpl->display_one_col_template();
 }
- 
+
diff --git a/plugin/buycourses/view/index.tpl b/plugin/buycourses/view/index.tpl
index 3176ac492a..0523e4e3c0 100644
--- a/plugin/buycourses/view/index.tpl
+++ b/plugin/buycourses/view/index.tpl
@@ -3,7 +3,7 @@
     <ul class="nav nav-list">
         <li>
             <a href="src/list.php"> {{ BuyCourses }} </a>
-        </li>        
+        </li>
         {% if isAdmin == 'true' %}
         <li>
             <a href="src/configuration.php"> {{ ConfigurationOfCoursesAndPrices }} </a>
diff --git a/plugin/buycourses/view/process.tpl b/plugin/buycourses/view/process.tpl
index fea838a738..b2624a50b4 100644
--- a/plugin/buycourses/view/process.tpl
+++ b/plugin/buycourses/view/process.tpl
@@ -23,7 +23,7 @@
             <div class="row">
                 <div class="span4">
                     <div class="categories-course-description">
-                        <h3>{{ title }}</h3>                                
+                        <h3>{{ title }}</h3>
                         <h5>{{ 'From'|get_lang }} {{ session.date_start }} {{ 'To'|get_lang }} {{ session.date_end }}</h5>
                     </div>
                 </div>
@@ -65,7 +65,7 @@
                     </div>
                 </div>
             {% endfor %}
-        {% else %}        
+        {% else %}
             <div class="row">
                 <div class="span">
                     <div class="thumbnail">

From 40ea9ccc8a9667930a69043004894a36c48b9e0d Mon Sep 17 00:00:00 2001
From: Imanol Losada <imanol.losada@gmail.com>
Date: Wed, 22 Oct 2014 15:31:45 -0500
Subject: [PATCH 2/6] If user has only one option to choose from buy courses
 menu, redirect it there - refs #7272

---
 plugin/buycourses/src/index.buycourses.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/plugin/buycourses/src/index.buycourses.php b/plugin/buycourses/src/index.buycourses.php
index 606652ce8e..bfb7007250 100644
--- a/plugin/buycourses/src/index.buycourses.php
+++ b/plugin/buycourses/src/index.buycourses.php
@@ -26,6 +26,7 @@ if ($guess_enable == "true" || isset($_SESSION['_user'])) {
     $listing_tpl = 'buycourses/view/index.tpl';
     $content = $tpl->fetch($listing_tpl);
     $tpl->assign('content', $content);
-    $tpl->display_one_col_template();
+    //$matches = null;
+    preg_match_all('/src\/.*\.php/', $content, $matches);
+    count($matches[0]) > 1 ? $tpl->display_one_col_template() : header('Location: '.$matches[0][0]);
 }
-

From 7e0404a210194b88637f82d3c46aea0ec2938f93 Mon Sep 17 00:00:00 2001
From: Imanol Losada <imanol.losada@gmail.com>
Date: Wed, 22 Oct 2014 15:38:18 -0500
Subject: [PATCH 3/6] Fix. Replace a pair of id_user with user_id - refs #7272

---
 plugin/buycourses/src/buy_course.lib.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/plugin/buycourses/src/buy_course.lib.php b/plugin/buycourses/src/buy_course.lib.php
index 642ce4a0d0..2a030e12b6 100644
--- a/plugin/buycourses/src/buy_course.lib.php
+++ b/plugin/buycourses/src/buy_course.lib.php
@@ -330,7 +330,7 @@ function checkUserBuy($parameter, $user, $type = 'COURSE')
  */
 function checkUserBuyTransfer($parameter, $user, $type = 'COURSE')
 {
-    $sql = "SELECT 1 FROM %s WHERE %s ='" . Database::escape_string($parameter) . "' AND id_user='" . intval($user) . "';";
+    $sql = "SELECT 1 FROM %s WHERE %s ='" . Database::escape_string($parameter) . "' AND user_id='" . intval($user) . "';";
     $sql = $type === 'SESSION' ?
         sprintf($sql, Database::get_main_table(TABLE_BUY_SESSION_TEMPORARY), 'session_id') :
         sprintf($sql, Database::get_main_table(TABLE_BUY_COURSE_TEMPORAL), 'course_code');
@@ -521,7 +521,7 @@ function sessionInfo($code)
     //check if the user is enrolled in the current session
     if ($currentUserId > 0) {
         $sql = "SELECT 1 FROM $tableSessionRelUser
-            WHERE user_id='".$currentUserId."';";
+            WHERE id_user='".$currentUserId."';";
         Database::query($sql);
         if (Database::affected_rows() > 0) {
             $rowSession['enrolled'] = "YES";

From 1a6a4a927eaf9aa919e47852a5ea7d6698063fac Mon Sep 17 00:00:00 2001
From: Imanol Losada <imanol.losada@gmail.com>
Date: Thu, 23 Oct 2014 10:24:57 -0500
Subject: [PATCH 4/6] Add manageTab function to plugin main class - refs #7272

---
 main/admin/configure_plugin.php               |  4 ++
 main/inc/lib/plugin.class.php                 | 37 +++++++++++++++++++
 plugin/buycourses/database.php                |  8 ----
 plugin/buycourses/lang/english.php            |  2 +
 plugin/buycourses/lang/french.php             |  2 +
 plugin/buycourses/lang/spanish.php            |  2 +
 .../src/buy_course_plugin.class.php           |  5 +--
 7 files changed, 49 insertions(+), 11 deletions(-)

diff --git a/main/admin/configure_plugin.php b/main/admin/configure_plugin.php
index e55624b281..6e6b8d195c 100755
--- a/main/admin/configure_plugin.php
+++ b/main/admin/configure_plugin.php
@@ -69,6 +69,10 @@ if (isset($form)) {
                 1
             );
         }
+        if (isset($values['show_main_menu_tab'])) {
+            $objPlugin = $plugin_info['plugin_class']::create();
+            $objPlugin->manageTab($values['show_main_menu_tab']);
+        }
         $message = Display::return_message(get_lang('Updated'), 'success');
     }
 }
diff --git a/main/inc/lib/plugin.class.php b/main/inc/lib/plugin.class.php
index e7a42d0aca..6982890b6a 100755
--- a/main/inc/lib/plugin.class.php
+++ b/main/inc/lib/plugin.class.php
@@ -189,6 +189,12 @@ class Plugin
             $help = null;
             if ($this->get_lang_plugin_exists($name.'_help')) {
                 $help = $this->get_lang($name.'_help');
+                if ($name === "show_main_menu_tab") {
+                    $pluginName = strtolower(str_replace('Plugin', '', get_class($this)));
+                    $pluginUrl = api_get_path(WEB_PATH)."plugin/$pluginName/index.php";
+                    $pluginUrl = "<a href=$pluginUrl>$pluginUrl</a>";
+                    $help = sprintf($help, $pluginUrl);
+                }
             }
 
             switch ($type) {
@@ -635,4 +641,35 @@ class Plugin
 
         return $resp;
     }
+
+    /**
+     * This method shows or hides plugin's tab
+     * @param boolean Shows or hides the main menu plugin tab
+     */
+    public function manageTab($showTab)
+    {
+        $langString = str_replace('Plugin', '', get_class($this));
+        $pluginName = strtolower($langString);
+        $pluginUrl = 'plugin/'.$pluginName.'/index.php';
+        if ($showTab === 'true') {
+            $rsTab = $this->addTab($this->get_lang($langString), $pluginUrl);
+            if ($rsTab) {
+                echo "<script>location.href = '".Security::remove_XSS($_SERVER['REQUEST_URI'])."';</script>";
+            }
+        } else {
+            $settingsCurrentTable = Database::get_main_table(TABLE_MAIN_SETTINGS_CURRENT);
+            $conditions = array(
+                'where' => array(
+                    "variable = 'show_tabs' AND title = ? AND comment = ? " => array(
+                        $this->get_lang($langString),
+                        $pluginUrl
+                    )
+                )
+            );
+            $result = Database::select('subkey', $settingsCurrentTable, $conditions);
+            if (!empty($result)) {
+                $this->deleteTab($result[0]['subkey']);
+            }
+        }
+    }
 }
diff --git a/plugin/buycourses/database.php b/plugin/buycourses/database.php
index 10b3221b3e..f1cc054280 100644
--- a/plugin/buycourses/database.php
+++ b/plugin/buycourses/database.php
@@ -14,7 +14,6 @@ if (!function_exists('api_get_path')) {
 /**
  * Create the script context, then execute database queries to enable
  */
-$objPlugin = BuyCoursesPlugin::create();
 
 $table = Database::get_main_table(TABLE_BUY_SESSION);
 $sql = "CREATE TABLE IF NOT EXISTS $table (
@@ -407,10 +406,3 @@ $sql = "CREATE TABLE IF NOT EXISTS $table (
     status VARCHAR(20) NOT NULL DEFAULT '',
     date TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP)";
 Database::query($sql);
-
-//Menu main tabs
-$rsTab = $objPlugin->addTab($objPlugin->get_lang('BuyCourses'), 'plugin/buycourses/index.php');
-
-if ($rsTab) {
-    echo "<script>location.href = '" . Security::remove_XSS($_SERVER['REQUEST_URI']) . "';</script>";
-}
diff --git a/plugin/buycourses/lang/english.php b/plugin/buycourses/lang/english.php
index 2a81b17f81..41e7787a68 100644
--- a/plugin/buycourses/lang/english.php
+++ b/plugin/buycourses/lang/english.php
@@ -1,6 +1,8 @@
 <?php
 $strings['plugin_title'] = "Sell courses";
 $strings['plugin_comment'] = "Sell courses directly through your Chamilo portal, using a PayPal account to receive funds. This plugin is in beta version. Neither the Chamilo association nor the developers involved could be considered responsible of any issue you might suffer using this plugin.";
+$strings['show_main_menu_tab'] = "Show tab in main menu";
+$strings['show_main_menu_tab_help'] = "In case of not wanting to show the tab, you can create this link in your Chamilo homepage : %s";
 $strings['Visible'] = "Show list";
 $strings['Options'] = "Options";
 $strings['Price'] = "Price";
diff --git a/plugin/buycourses/lang/french.php b/plugin/buycourses/lang/french.php
index ff45b6dd24..3702eaddad 100644
--- a/plugin/buycourses/lang/french.php
+++ b/plugin/buycourses/lang/french.php
@@ -1,6 +1,8 @@
 <?php
 $strings['plugin_title'] = "Vente de cours";
 $strings['plugin_comment'] = "Vendez vos cours directement depuis votre portail Chamilo, au travers d'un compte PayPal. Plugin en version beta, à utiliser avec précaution. Ni l'association Chamilo ni les développeurs impliqués dans le développement de ce plugin ne sauraient être tenus responsables d'un quelconque inconvénient causé par celui-ci.";
+$strings['show_main_menu_tab'] = "Montrer l'onglet dans le menu principal";
+$strings['show_main_menu_tab_help'] = "Dans le cas où l'onglet ne se montre pas, il est possible de rajouter le lien suivant à votre portail Chamilo: %s";
 $strings['Visible'] = "Montrer dans la liste";
 $strings['Options'] = "Options";
 $strings['Price'] = "Prix";
diff --git a/plugin/buycourses/lang/spanish.php b/plugin/buycourses/lang/spanish.php
index 90ed780839..49d7d2062e 100644
--- a/plugin/buycourses/lang/spanish.php
+++ b/plugin/buycourses/lang/spanish.php
@@ -1,6 +1,8 @@
 <?php
 $strings['plugin_title'] = "Venta de cursos";
 $strings['plugin_comment'] = "Vender cursos a través de PayPal directamente desde su portal Chamilo. Plugin en versión Beta, a usar con mucha precaución. La asociación Chamilo y los desarrolladores involucrados no pueden ser considerados responsables de cualquier inconveniente que se presente.";
+$strings['show_main_menu_tab'] = "Mostrar pestaña en el menu principal";
+$strings['show_main_menu_tab_help'] = "En caso de no querer mostrar la pestaña, puede agregar el siguiente enlace a su portal Chamilo: %s";
 $strings['Visible'] = "Mostrar en el listado";
 $strings['Options'] = "Opciones";
 $strings['Price'] = "Precio";
diff --git a/plugin/buycourses/src/buy_course_plugin.class.php b/plugin/buycourses/src/buy_course_plugin.class.php
index d143f91391..b2b79b325c 100644
--- a/plugin/buycourses/src/buy_course_plugin.class.php
+++ b/plugin/buycourses/src/buy_course_plugin.class.php
@@ -29,6 +29,7 @@ class BuyCoursesPlugin extends Plugin
             Francis Gonzales and Yannick Warnier - BeezNest (integration),
             Imanol Losada - BeezNest',
             array(
+                'show_main_menu_tab' => 'boolean',
                 'include_sessions' => 'boolean',
                 'paypal_enable' => 'boolean',
                 'transfer_enable' => 'boolean',
@@ -67,8 +68,6 @@ class BuyCoursesPlugin extends Plugin
             $sql = "DROP TABLE IF EXISTS $tableToBeDeleted";
             Database::query($sql);
         }
-
-        $objPlugin = BuyCoursesPlugin::create();
-        $objPlugin->deleteTab('custom_tab_1');
+        $this->manageTab(false);
     }
 }

From 1f565793d0134dd6c117b8272d3a553bcff12319 Mon Sep 17 00:00:00 2001
From: Imanol Losada <imanol.losada@gmail.com>
Date: Thu, 23 Oct 2014 10:40:20 -0500
Subject: [PATCH 5/6] Minor - Remove a useless commented line - refs #7272

---
 plugin/buycourses/src/index.buycourses.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/plugin/buycourses/src/index.buycourses.php b/plugin/buycourses/src/index.buycourses.php
index bfb7007250..81091e6b49 100644
--- a/plugin/buycourses/src/index.buycourses.php
+++ b/plugin/buycourses/src/index.buycourses.php
@@ -26,7 +26,6 @@ if ($guess_enable == "true" || isset($_SESSION['_user'])) {
     $listing_tpl = 'buycourses/view/index.tpl';
     $content = $tpl->fetch($listing_tpl);
     $tpl->assign('content', $content);
-    //$matches = null;
     preg_match_all('/src\/.*\.php/', $content, $matches);
     count($matches[0]) > 1 ? $tpl->display_one_col_template() : header('Location: '.$matches[0][0]);
 }

From b2fb1b880070ad4ee8e65da2cc5ad57a5cfd8969 Mon Sep 17 00:00:00 2001
From: Imanol Losada <imanol.losada@gmail.com>
Date: Fri, 24 Oct 2014 10:30:00 -0500
Subject: [PATCH 6/6] Add comments. Fix french translation. Change redirection
 process to a much cleaner one. - refs #7272

---
 main/inc/lib/plugin.class.php              | 10 ++++++----
 plugin/buycourses/lang/french.php          |  2 +-
 plugin/buycourses/src/buy_course.lib.php   |  6 +++---
 plugin/buycourses/src/index.buycourses.php |  7 ++++---
 4 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/main/inc/lib/plugin.class.php b/main/inc/lib/plugin.class.php
index 6982890b6a..d25c19acc9 100755
--- a/main/inc/lib/plugin.class.php
+++ b/main/inc/lib/plugin.class.php
@@ -645,15 +645,17 @@ class Plugin
     /**
      * This method shows or hides plugin's tab
      * @param boolean Shows or hides the main menu plugin tab
+     * @param string Plugin starter file path
      */
-    public function manageTab($showTab)
+    public function manageTab($showTab, $filePath = 'index.php')
     {
         $langString = str_replace('Plugin', '', get_class($this));
         $pluginName = strtolower($langString);
-        $pluginUrl = 'plugin/'.$pluginName.'/index.php';
+        $pluginUrl = 'plugin/'.$pluginName.'/'.$filePath;
         if ($showTab === 'true') {
-            $rsTab = $this->addTab($this->get_lang($langString), $pluginUrl);
-            if ($rsTab) {
+            $tabAdded = $this->addTab($this->get_lang($langString), $pluginUrl);
+            if ($tabAdded) {
+                // The page must be refreshed to show the recently created tab
                 echo "<script>location.href = '".Security::remove_XSS($_SERVER['REQUEST_URI'])."';</script>";
             }
         } else {
diff --git a/plugin/buycourses/lang/french.php b/plugin/buycourses/lang/french.php
index 9d2775c412..97c20312dc 100644
--- a/plugin/buycourses/lang/french.php
+++ b/plugin/buycourses/lang/french.php
@@ -2,7 +2,7 @@
 $strings['plugin_title'] = "Vente de cours";
 $strings['plugin_comment'] = "Vendez vos cours directement depuis votre portail Chamilo, au travers d'un compte PayPal. Plugin en version beta, à utiliser avec précaution. Ni l'association Chamilo ni les développeurs impliqués dans le développement de ce plugin ne sauraient être tenus responsables d'un quelconque inconvénient causé par celui-ci.";
 $strings['show_main_menu_tab'] = "Montrer l'onglet dans le menu principal";
-$strings['show_main_menu_tab_help'] = "Dans le cas où l'onglet ne se montre pas, il est possible de rajouter le lien suivant à votre portail Chamilo: %s";
+$strings['show_main_menu_tab_help'] = "Dans le cas où vous ne souhaitez pas montrer l'onglet, il est possible de rajouter le lien suivant à votre portail Chamilo: %s";
 $strings['Visible'] = "Montrer dans la liste";
 $strings['Options'] = "Options";
 $strings['Price'] = "Prix";
diff --git a/plugin/buycourses/src/buy_course.lib.php b/plugin/buycourses/src/buy_course.lib.php
index 2a030e12b6..e3eb0b6a13 100644
--- a/plugin/buycourses/src/buy_course.lib.php
+++ b/plugin/buycourses/src/buy_course.lib.php
@@ -196,8 +196,8 @@ function userSessionList()
         //check if the user is enrolled in the current session
         if ($currentUserId > 0) {
             $sql = "SELECT 1 FROM $tableSessionRelUser
-                WHERE id_session='".$rowSession['session_id']."' AND
-                id_user ='" . $currentUserId . "';";
+                WHERE id_session ='".$rowSession['session_id']."' AND
+                id_user = $currentUserId";
             Database::query($sql);
             if (Database::affected_rows() > 0) {
                 $rowSession['enrolled'] = "YES";
@@ -521,7 +521,7 @@ function sessionInfo($code)
     //check if the user is enrolled in the current session
     if ($currentUserId > 0) {
         $sql = "SELECT 1 FROM $tableSessionRelUser
-            WHERE id_user='".$currentUserId."';";
+            WHERE id_user = $currentUserId";
         Database::query($sql);
         if (Database::affected_rows() > 0) {
             $rowSession['enrolled'] = "YES";
diff --git a/plugin/buycourses/src/index.buycourses.php b/plugin/buycourses/src/index.buycourses.php
index 81091e6b49..780b757ef9 100644
--- a/plugin/buycourses/src/index.buycourses.php
+++ b/plugin/buycourses/src/index.buycourses.php
@@ -11,11 +11,12 @@ $plugin = BuyCoursesPlugin::create();
 $guess_enable = $plugin->get('unregistered_users_enable');
 
 if ($guess_enable == "true" || isset($_SESSION['_user'])) {
+    $isAdmin = api_is_platform_admin();
     $title = $plugin->get_lang('CourseListOnSale');
     $templateName = $plugin->get_lang('BuyCourses');
 
     $tpl = new Template($templateName);
-    $tpl->assign('isAdmin', api_is_platform_admin());
+    $tpl->assign('isAdmin', $isAdmin);
     $tpl->assign('title', $title);
     $tpl->assign('BuySessions', $plugin->get_lang('BuySessions'));
     $tpl->assign('BuyCourses', $templateName);
@@ -26,6 +27,6 @@ if ($guess_enable == "true" || isset($_SESSION['_user'])) {
     $listing_tpl = 'buycourses/view/index.tpl';
     $content = $tpl->fetch($listing_tpl);
     $tpl->assign('content', $content);
-    preg_match_all('/src\/.*\.php/', $content, $matches);
-    count($matches[0]) > 1 ? $tpl->display_one_col_template() : header('Location: '.$matches[0][0]);
+    // If the user is NOT an administrator, redirect it to course/session buy list
+    $isAdmin ? $tpl->display_one_col_template() : header('Location: src/list.php');
 }