diff --git a/main/admin/access_url_add_courses_to_url.php b/main/admin/access_url_add_courses_to_url.php
old mode 100644
new mode 100755
index 624c088fe6..51a57b0ecc
--- a/main/admin/access_url_add_courses_to_url.php
+++ b/main/admin/access_url_add_courses_to_url.php
@@ -15,7 +15,7 @@ require_once '../inc/global.inc.php';
$this_section=SECTION_PLATFORM_ADMIN;
require_once (api_get_path(LIBRARY_PATH).'urlmanager.lib.php');
-api_protect_admin_script();
+api_protect_global_admin_script();
if (!$_configuration['multiple_access_urls']) {
header('Location: index.php');
exit;
diff --git a/main/admin/access_url_add_sessions_to_url.php b/main/admin/access_url_add_sessions_to_url.php
index f98efba4c2..8d225900d5 100755
--- a/main/admin/access_url_add_sessions_to_url.php
+++ b/main/admin/access_url_add_sessions_to_url.php
@@ -15,7 +15,7 @@ require_once '../inc/global.inc.php';
$this_section=SECTION_PLATFORM_ADMIN;
require_once api_get_path(LIBRARY_PATH).'urlmanager.lib.php';
-api_protect_admin_script();
+api_protect_global_admin_script();
if (!$_configuration['multiple_access_urls']) {
header('Location: index.php');
exit;
diff --git a/main/admin/access_url_add_users_to_url.php b/main/admin/access_url_add_users_to_url.php
index c0c12fad9c..29585d1108 100755
--- a/main/admin/access_url_add_users_to_url.php
+++ b/main/admin/access_url_add_users_to_url.php
@@ -15,7 +15,7 @@ require_once '../inc/global.inc.php';
$this_section=SECTION_PLATFORM_ADMIN;
require_once api_get_path(LIBRARY_PATH).'urlmanager.lib.php';
-api_protect_admin_script();
+api_protect_global_admin_script();
if (!$_configuration['multiple_access_urls']) {
header('Location: index.php');
exit;
diff --git a/main/admin/access_url_edit.php b/main/admin/access_url_edit.php
index 9cd6d5a23a..a987024ea6 100755
--- a/main/admin/access_url_edit.php
+++ b/main/admin/access_url_edit.php
@@ -10,7 +10,8 @@ $cidReset = true;
require_once '../inc/global.inc.php';
$this_section = SECTION_PLATFORM_ADMIN;
-api_protect_admin_script();
+//api_protect_admin_script();
+api_protect_global_admin_script();
if (!$_configuration['multiple_access_urls']) {
header('Location: index.php');
exit;
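Review bot: The commented-out `//api_protect_admin_script();` left above the new call is dead code that makes the next reader wonder which guard is meant to apply; keep only `api_protect_global_admin_script();` and drop the comment line. The same leftover appears in the main/admin/access_urls.php hunk of this commit. Note also that the new guard's return value is discarded here as in every other caller, so the page relies on the guard terminating the request on failure rather than on the `false` it returns.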
diff --git a/main/admin/access_url_edit_courses_to_url.php b/main/admin/access_url_edit_courses_to_url.php
index 5345ecf62c..f6455e4c2e 100755
--- a/main/admin/access_url_edit_courses_to_url.php
+++ b/main/admin/access_url_edit_courses_to_url.php
@@ -24,7 +24,7 @@ $xajax -> registerFunction (array('search_courses', 'Accessurleditcoursestourl',
$this_section = SECTION_PLATFORM_ADMIN;
// Access restrictions
-api_protect_admin_script();
+api_protect_global_admin_script();
if (!$_configuration['multiple_access_urls']) {
header('Location: index.php');
exit;
diff --git a/main/admin/access_url_edit_sessions_to_url.php b/main/admin/access_url_edit_sessions_to_url.php
index 776611444c..e3892c1d40 100755
--- a/main/admin/access_url_edit_sessions_to_url.php
+++ b/main/admin/access_url_edit_sessions_to_url.php
@@ -26,7 +26,7 @@ $xajax -> registerFunction (array('search_sessions', 'Accessurleditsessionstourl
$this_section = SECTION_PLATFORM_ADMIN;
// Access restrictions
-api_protect_admin_script();
+api_protect_global_admin_script();
if (!$_configuration['multiple_access_urls']) {
header('Location: index.php');
exit;
diff --git a/main/admin/access_url_edit_users_to_url.php b/main/admin/access_url_edit_users_to_url.php
index dfb91e58da..035fc28e52 100755
--- a/main/admin/access_url_edit_users_to_url.php
+++ b/main/admin/access_url_edit_users_to_url.php
@@ -25,7 +25,7 @@ $xajax -> registerFunction (array('search_users', 'Accessurledituserstourl', 'se
$this_section = SECTION_PLATFORM_ADMIN;
// Access restrictions
-api_protect_admin_script();
+api_protect_global_admin_script();
if (!$_configuration['multiple_access_urls']) {
header('Location: index.php');
exit;
diff --git a/main/admin/access_urls.php b/main/admin/access_urls.php
index b5ea9418dd..b9233ac992 100755
--- a/main/admin/access_urls.php
+++ b/main/admin/access_urls.php
@@ -12,7 +12,9 @@ require_once '../inc/global.inc.php';
require_once api_get_path(LIBRARY_PATH).'sortabletable.class.php';
$this_section = SECTION_PLATFORM_ADMIN;
-api_protect_admin_script();
+//api_protect_admin_script();
+api_protect_global_admin_script();
+
if (!$_configuration['multiple_access_urls']) {
header('Location: index.php');
exit;
diff --git a/main/admin/index.php b/main/admin/index.php
index 8b1ce88be5..d6863a0f36 100755
--- a/main/admin/index.php
+++ b/main/admin/index.php
@@ -161,9 +161,10 @@ if(api_is_platform_admin()) {
()
'.get_lang('ConfigureMultipleAccessURLs').'';
+ if(!empty($_configuration['multiple_access_urls'])) {
+ if (api_is_global_platform_admin()) {
+ echo ''.get_lang('ConfigureMultipleAccessURLs').'';
+ }
}
if (api_get_setting('allow_reservation')=='true') {
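Review bot: The context line `'.get_lang('ConfigureMultipleAccessURLs').'';` immediately above the added block looks like the existing, unconditional menu link, and the new block echoes the same link again only when `api_is_global_platform_admin()` holds; if that reading is right, global admins get the entry twice and non-global admins still see it once, which defeats the new check. The hunk appears to have lost markup in extraction (the bare `()` line and the 9/10 line counts in the header do not match what is visible), so this needs confirming against the full file. If the old link does survive, remove it so only the guarded `echo` remains.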
diff --git a/main/inc/lib/main_api.lib.php b/main/inc/lib/main_api.lib.php
index 7ba588f7be..d262c11959 100755
--- a/main/inc/lib/main_api.lib.php
+++ b/main/inc/lib/main_api.lib.php
@@ -4482,4 +4482,44 @@ function api_send_mail($to, $subject, $message, $additional_headers = null, $add
// Clear all addresses
$mail->ClearAddresses();
return 1;
-}
\ No newline at end of file
+}
+
+
+/**
+ * Function used to protect a "global" admin script.
+ * The function blocks access when the user has no global platform admin rights.
+ * Global admins are the admins that are registered in the main.admin table AND the users who have access to the "principal" portal.
+ * That means that there is a record in the main.access_url_rel_user table with his user id and the access_url_id=1
+ *
+ * @author Julio Montoya
+ */
+function api_is_global_platform_admin() {
+ if (api_is_platform_admin()) {
+ // This user is subscribed in these sites => $my_url_list
+ $my_url_list = api_get_access_url_from_user(api_get_user_id());
+ if (in_array(1, $my_url_list)) {
+ return true;
+ } else {
+ return false;
+ }
+ }
+ return false;
+}
+
+
+/**
+ * Function used to protect a global admin script.
+ * The function blocks access when the user has no global platform admin rights.
+ * See also the api_is_global_platform_admin() function wich defines who's a "global" admin
+ *
+ * @author Julio Montoya
+ */
+function api_protect_global_admin_script() {
+ if (!api_is_global_platform_admin()) {
+ include api_get_path(INCLUDE_PATH).'header.inc.php';
+ api_not_allowed();
+ return false;
+ }
+ return true;
+}
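Review bot: `api_is_global_platform_admin()` passes `$my_url_list` straight to `in_array()` with no `is_array()` guard, unlike the local.inc.php hunks in this same commit, so a non-array return from api_get_access_url_from_user() raises an error instead of yielding false; `return is_array($my_url_list) && in_array(1, $my_url_list);` fixes that and replaces the four-line if/else. `api_protect_global_admin_script()` returns false after `api_not_allowed()` and every caller in this commit discards that value, so the guard only holds if api_not_allowed() itself terminates the request — if it does not, add `exit;` right after it. The first docblock is copied from the protect function and says the function "blocks access" although it only returns a boolean; reword it as `Returns true when the current user is a platform admin who is also linked to the principal portal (access_url_id 1).` and fix `wich` in the second docblock. The principal-portal id 1 is hard-coded here and twice in local.inc.php; a named constant would keep the three places in step.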
+
diff --git a/main/inc/local.inc.php b/main/inc/local.inc.php
index 5dfa1de17e..ec63d7f458 100755
--- a/main/inc/local.inc.php
+++ b/main/inc/local.inc.php
@@ -272,7 +272,7 @@ if (!empty($_SESSION['_user']['user_id']) && ! ($login || $logout)) {
if ($uData['expiration_date']>date('Y-m-d H:i:s') OR $uData['expiration_date']=='0000-00-00 00:00:00') {
global $_configuration;
- if ($_configuration['multiple_access_urls'] == true) {
+ if ($_configuration['multiple_access_urls'] == true) {
$admin_table = Database::get_main_table(TABLE_MAIN_ADMIN);
//Check if user is an admin
@@ -284,13 +284,15 @@ if (!empty($_SESSION['_user']['user_id']) && ! ($login || $logout)) {
if (Database::num_rows($result) > 0) {
$my_user_is_admin = true;
}
+
+ // This user is subscribed in these sites => $my_url_list
+ $my_url_list = api_get_access_url_from_user($uData['user_id']);
+
+ //Check the access_url configuration setting if the user is registered in the access_url_rel_user table
+ //Getting the current access_url_id of the platform
+ $current_access_url_id = api_get_current_access_url_id();
- if ($my_user_is_admin === false) {
- //Check the access_url configuration setting if the user is registered in the access_url_rel_user table
- //Getting the current access_url_id of the platform
- $current_access_url_id = api_get_current_access_url_id();
- // my user is subscribed in these sites => $my_url_list
- $my_url_list = api_get_access_url_from_user($uData['user_id']);
+ if ($my_user_is_admin === false) {
if (is_array($my_url_list) && count($my_url_list)>0 ){
// the user have the permissions to enter at this site
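Review bot: `$my_url_list` is now computed for admins too and consumed in the admin branch of the next hunk via `in_array(1, $my_url_list)`, but without the `is_array($my_url_list) && count(...)` guard the non-admin branch keeps at the end of this hunk; if api_get_access_url_from_user() can return a non-array, which that existing guard implies, the admin path errors out instead of failing closed. Normalising at the assignment, `$my_url_list = (array) api_get_access_url_from_user($uData['user_id']);`, keeps both branches safe and leaves the non-admin branch's behaviour unchanged (a non-array and an empty array both reach its failure path). The same restructuring is repeated in the `@@ -478` hunk of this file and needs the same change. The enclosing `if` blocks start and end outside this hunk.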
@@ -310,11 +312,25 @@ if (!empty($_SESSION['_user']['user_id']) && ! ($login || $logout)) {
header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=access_url_inactive');
exit;
}
- } else {
- //All admins can login in any multiple URL
- $_user['user_id'] = $uData['user_id'];
- api_session_register('_user');
- event_login();
+ } else { //Only admins of the "main" (first) Chamilo portal can login wherever they want
+ //var_dump($current_access_url_id, $my_url_list); exit;
+ if (in_array(1, $my_url_list)) { //Check if this admin have the access_url_id = 1 which means the principal
+ $_user['user_id'] = $uData['user_id'];
+ api_session_register('_user');
+ event_login();
+ } else {
+ //This means a secondary admin wants to login so we check as he's a normal user
+ if (in_array($current_access_url_id, $my_url_list)) {
+ $_user['user_id'] = $uData['user_id'];
+ api_session_register('_user');
+ event_login();
+ } else {
+ $loginFailed = true;
+ api_session_unregister('_uid');
+ header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=access_url_inactive');
+ exit;
+ }
+ }
}
} else {
$_user['user_id'] = $uData['user_id'];
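Review bot: The leftover debug line `//var_dump($current_access_url_id, $my_url_list); exit;` at the top of the new admin branch should be removed before merge. The two success paths below it register the session identically, so the nested if/else can collapse to `if (in_array(1, $my_url_list) || in_array($current_access_url_id, $my_url_list)) {` with a single failure path, which makes the rule "principal-portal admins everywhere, other admins only on their own portal" readable at a glance. The same block is duplicated in the `@@ -503` hunk of this file; extracting the decision into one helper (api_is_global_platform_admin() from main_api.lib.php is already close) would stop the two login paths drifting apart. The enclosing block continues outside this hunk.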
@@ -469,6 +485,7 @@ if (!empty($_SESSION['_user']['user_id']) && ! ($login || $logout)) {
// check if the expiration date has not been reached
if ($uData['expiration_date']>date('Y-m-d H:i:s') OR $uData['expiration_date']=='0000-00-00 00:00:00') {
global $_configuration;
+ //If Multiple URL is enabled
if ($_configuration['multiple_access_urls'] == true) {
$admin_table = Database::get_main_table(TABLE_MAIN_ADMIN);
//Check if user is an admin
@@ -478,15 +495,17 @@ if (!empty($_SESSION['_user']['user_id']) && ! ($login || $logout)) {
$my_user_is_admin = false;
if (Database::num_rows($result) > 0) {
$my_user_is_admin = true;
- }
- if ($my_user_is_admin === false) {
- //check the access_url configuration setting if the user is registered in the access_url_rel_user table
- //getting the current access_url_id of the platform
- $current_access_url_id = api_get_current_access_url_id();
- // my user is subscribed in these sites => $my_url_list
- $my_url_list = api_get_access_url_from_user($uData['user_id']);
-
- if (is_array($my_url_list) && count($my_url_list)>0 ) {
+ }
+
+ //Check the access_url configuration setting if the user is registered in the access_url_rel_user table
+ //Getting the current access_url_id of the platform
+ $current_access_url_id = api_get_current_access_url_id();
+
+ // my user is subscribed in these sites => $my_url_list
+ $my_url_list = api_get_access_url_from_user($uData['user_id']);
+
+ if ($my_user_is_admin === false) {
+ if (is_array($my_url_list) && count($my_url_list)>0 ) {
if (in_array($current_access_url_id, $my_url_list)) {
// the user has permission to enter at this site
$_user['user_id'] = $uData['user_id'];
@@ -503,21 +522,34 @@ if (!empty($_SESSION['_user']['user_id']) && ! ($login || $logout)) {
header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=access_url_inactive');
exit;
}
- } else {
+ } else {
// there is no URL in the multiple urls list for this user
$loginFailed = true;
api_session_unregister('_uid');
header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=access_url_inactive');
exit;
- }
- } else {
- //User is an admin, he can login wherever he wants
- $_user['user_id'] = $uData['user_id'];
- api_session_register('_user');
- event_login();
- }
+ }
+ } else { //Only admins of the "main" (first) Chamilo portal can login wherever they want
+ if (in_array(1, $my_url_list)) { //Check if this admin have the access_url_id = 1 which means the principal portal
+ $_user['user_id'] = $uData['user_id'];
+ api_session_register('_user');
+ event_login();
+ } else {
+ //This means a secondary admin wants to login so we check as a normal user
+ if (in_array($current_access_url_id, $my_url_list)) {
+ $_user['user_id'] = $uData['user_id'];
+ api_session_register('_user');
+ event_login();
+ } else {
+ $loginFailed = true;
+ api_session_unregister('_uid');
+ header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=access_url_inactive');
+ exit;
+ }
+ }
+ }
} else {
- //Single URL access
+ //Single URL access (Only 1 portal)
$_user['user_id'] = $uData['user_id'];
api_session_register('_user');
event_login();
@@ -533,35 +565,35 @@ if (!empty($_SESSION['_user']['user_id']) && ! ($login || $logout)) {
exit;
}
} else {
- //user not active
+ //User not active
$loginFailed = true;
api_session_unregister('_uid');
header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=account_inactive');
exit;
}
} else {
- //sha1 of password is wrong
+ //SHA1 of password is wrong
$loginFailed = true;
api_session_unregister('_uid');
header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=account_inactive');
exit;
}
} else {
- //auth_source is wrong
+ //Auth_source is wrong
$loginFailed = true;
api_session_unregister('_uid');
header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=account_inactive');
exit;
}
} else {
- //no user by that login
+ //No user by that login
$loginFailed = true;
api_session_unregister('_uid');
header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=account_inactive');
exit;
}
} else {
- //request comes from unknown source
+ //Request comes from unknown source
$loginFailed = true;
api_session_unregister('_uid');
header('Location: '.api_get_path(WEB_PATH).'index.php?loginFailed=1&error=account_inactive');