From f0926c0875355fc18d310af1eda16ff495318d9b Mon Sep 17 00:00:00 2001 From: Julio Montoya Date: Mon, 2 Sep 2013 13:26:17 +0200 Subject: [PATCH] Blocking access if user is not subscribed see BT#6615 --- main/work/download.php | 35 +++++++++-------- main/work/downloadfolder.inc.php | 3 ++ main/work/edit.php | 7 ++-- main/work/upload.php | 2 + main/work/view.php | 2 + main/work/work.lib.php | 66 +++++++++++++++----------------- main/work/work_list.php | 2 + main/work/work_list_others.php | 3 +- 8 files changed, 66 insertions(+), 54 deletions(-) diff --git a/main/work/download.php b/main/work/download.php index f8b8e3c247..f1c981c73e 100644 --- a/main/work/download.php +++ b/main/work/download.php @@ -12,6 +12,8 @@ session_cache_limiter('public'); require_once '../inc/global.inc.php'; +require_once 'work.lib.php'; + $current_course_tool = TOOL_STUDENTPUBLICATION; $this_section = SECTION_COURSES; 
@@ -29,26 +31,29 @@ $id = intval($_GET['id']); $course_info = api_get_course_info(); if (empty($course_info)) { - api_not_allowed(true); + api_not_allowed(true); } $tbl_student_publication = Database::get_course_table(TABLE_STUDENT_PUBLICATION); -if (!empty($course_info['real_id'])) { +if (!empty($course_info['real_id'])) { $sql = 'SELECT * FROM '.$tbl_student_publication.' WHERE c_id = '.$course_info['real_id'].' AND id = "'.$id.'"'; $result = Database::query($sql); - if ($result && Database::num_rows($result)) { - $row = Database::fetch_array($result, 'ASSOC'); + if ($result && Database::num_rows($result)) { + $row = Database::fetch_array($result, 'ASSOC'); $full_file_name = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/'.$row['url']; - - $item_info = api_get_item_property_info(api_get_course_int_id(), 'work', $row['id']); + + $item_info = api_get_item_property_info(api_get_course_int_id(), 'work', $row['id']); + + allowOnlySubscribedUser(api_get_user_id(), $row['parent_id'], $course_info['real_id']); + if (empty($item_info)) { exit; } - + /* field show_score in table course : 0 => New documents are visible for all users - 1 => New documents are only visible for the teacher(s) + 1 => New documents are only visible for the teacher(s) field visibility in table item_property : 0 => eye closed, invisible for all students 1 => eye open field accepted in table c_student_publication : 0 => eye closed, invisible for all students 
@@ -56,24 +61,24 @@ if (!empty($course_info['real_id'])) { (we should have visibility == accepted , otherwise there is an inconsistency in the Database) field value in table c_course_setting : 0 => Allow learners to delete their own publications = NO 1 => Allow learners to delete their own publications = YES - + +------------------+------------------------------+----------------------------+ |Can download work?| doc visible for all = 0 | doc visible for all = 1| +------------------+------------------------------+----------------------------+ | visibility = 0 | editor only | editor only | | | | | - +------------------+------------------------------+----------------------------+ + +------------------+------------------------------+----------------------------+ | visibility = 1 | editor | editor | | | + owner of the work | + any student | - +------------------+------------------------------+----------------------------+ + +------------------+------------------------------+----------------------------+ (editor = teacher + admin + anybody with right api_is_allowed_to_edit) */ - + $work_is_visible = ($item_info['visibility'] == 1 && $row['accepted'] == 1); $doc_visible_for_all = ($course_info['show_score'] == 1); $is_editor = api_is_allowed_to_edit(true,true,true); $student_is_owner_of_work = ($row['user_id'] == api_get_user_id()); - + if ($is_editor || (!$doc_visible_for_all && $work_is_visible && $student_is_owner_of_work) || ($doc_visible_for_all && $work_is_visible)) { @@ -84,7 +89,7 @@ if (!empty($course_info['real_id'])) { } } else { api_not_allowed(); - } + } } } -exit; \ No newline at end of file +exit; diff --git a/main/work/downloadfolder.inc.php b/main/work/downloadfolder.inc.php index 33267aa9c3..6deb26046b 100644 --- a/main/work/downloadfolder.inc.php +++ b/main/work/downloadfolder.inc.php 
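Review bot: The new allowOnlySubscribedUser() call in download.php sits above the comment table that documents who may download a work (visibility × show_score × editor/owner), but the table is not updated, so a reader deciding access from that table alone gets the wrong answer for a non-subscribed student once ADD_DOCUMENT_TO_WORK is on. A single line at the top of that comment, e.g. `Before this table applies, allowOnlySubscribedUser() has already rejected non-editors who are not subscribed to the parent work (only when ADD_DOCUMENT_TO_WORK is enabled).`, keeps the documentation in step with the code. The call passes `$row['parent_id']`, i.e. the assignment folder rather than the downloaded item, which matches the other call sites in this commit (`$work['parent_id']` in view.php, `$work_id` in upload.php). The enclosing `if (!empty($course_info['real_id']))` block closes in the following hunk.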
@@ -71,6 +71,9 @@ if (api_is_allowed_to_edit()) { } else { $courseInfo = api_get_course_info(); + + allowOnlySubscribedUser(api_get_user_id(), $work_id, $courseInfo['real_id']); + $userCondition = null; // All users diff --git a/main/work/edit.php b/main/work/edit.php index 51bc245f8c..af2de7447a 100644 --- a/main/work/edit.php +++ b/main/work/edit.php @@ -147,7 +147,7 @@ if ($is_allowed_to_edit && !empty($item_id)) { } } -$form->addElement('hidden', 'active', 1); +$form->addElement('hidden', 'active', 1); $form->addElement('hidden', 'accepted', 1); $form->addElement('hidden', 'item_to_edit', $item_id); $form->addElement('hidden', 'sec_token', $token); @@ -178,9 +178,10 @@ if ($form->validate()) { if ($is_author) { $work_data = get_work_data_by_id($item_to_edit_id); - if (!empty($_POST['title'])) + if (!empty($_POST['title'])) { $title = isset($_POST['title']) ? $_POST['title'] : $work_data['title']; - $description = isset($_POST['description']) ? $_POST['description'] : $work_data['description']; + } + $description = isset($_POST['description']) ? $_POST['description'] : $work_data['description']; if ($is_allowed_to_edit && ($_POST['qualification'] !='' )) { $add_to_update = ', qualificator_id ='."'".api_get_user_id()."',"; diff --git a/main/work/upload.php b/main/work/upload.php index fbff4796cc..66ffa4d1f2 100644 --- a/main/work/upload.php +++ b/main/work/upload.php @@ -35,6 +35,8 @@ if (empty($work_id)) { api_not_allowed(true); } +allowOnlySubscribedUser($user_id, $work_id, $course_id); + $parent_data = $my_folder_data = get_work_data_by_id($work_id); if (empty($parent_data)) { diff --git a/main/work/view.php b/main/work/view.php index acb2394226..caa7727fc1 100644 --- a/main/work/view.php +++ b/main/work/view.php 
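Review bot: In the edit.php hunk the braces added around `if (!empty($_POST['title']))` leave `$title` unassigned whenever the posted title is empty, so the fallback to `$work_data['title']` that the ternary suggests is never reached, and the inner `isset` is redundant once `!empty` has passed. `$title = !empty($_POST['title']) ? $_POST['title'] : $work_data['title'];` states the intent in one line and gives the later update code a defined `$title` in both cases; the enclosing `if ($is_author)` and `$form->validate()` blocks begin and end outside the hunk. Separately, edit.php is the one work entry point touched by this commit that gains no allowOnlySubscribedUser() call while upload.php, view.php, download.php and the list pages do; if editing an item inside a subscriber-restricted folder should be limited the same way, a call on the loaded item's parent (presumably `$work_data['parent_id']`) would close that gap — whether `$is_author` already covers it is not visible from the hunk.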
@@ -20,6 +20,8 @@ $interbreadcrumb[] = array ('url' => 'work.php', 'name' => get_lang('StudentPubl $my_folder_data = get_work_data_by_id($work['parent_id']); $course_info = api_get_course_info(); +allowOnlySubscribedUser(api_get_user_id(), $work['parent_id'], $course_info['real_id']); + if (user_is_author($id) || $course_info['show_score'] == 0 && $work['active'] == 1 && $work['accepted'] == 1) { $url_dir = 'work.php?&id=' . $my_folder_data['id']; $interbreadcrumb[] = array ('url' => $url_dir,'name' => $my_folder_data['title']); diff --git a/main/work/work.lib.php b/main/work/work.lib.php index fb0db07fdc..1a02643c75 100644 --- a/main/work/work.lib.php +++ b/main/work/work.lib.php 
@@ -808,46 +808,14 @@ function display_student_publications_list($id, $my_folder_data, $work_parents, if (api_is_allowed_to_edit()) { $cant_files = get_count_work($work_data['id']); - - /*$sql_document = "SELECT count(*) - FROM $work_table w INNER JOIN $user_table u ON w.user_id = u.user_id - WHERE w.c_id = $course_id AND w.parent_id = ".$work_data['id']." AND w.active IN (0, 1)";*/ } else { - - if (ADD_DOCUMENT_TO_WORK) { - $subscribedUsers = getAllUserToWork($work_data['id'], $course_id); - if (!empty($subscribedUsers)) { - if (!in_array(api_get_user_id(), $subscribedUsers)) { - continue; - } - } + $isSubscribed = userIsSubscribedToWork(api_get_user_id(), $work_data['id'], $course_id); + if ($isSubscribed == false) { + continue; } - $cant_files = get_count_work($work_data['id'], api_get_user_id()); - /* - $user_filter = "user_id = ".api_get_user_id()." AND "; - if ($course_info['show_score'] == 0) { - $user_filter = null; - } - - $sql_document = "SELECT count(*) FROM $work_table s, $iprop_table p - WHERE s.c_id = $course_id AND - p.c_id = $course_id AND - s.id = p.ref AND - p.tool='work' AND - s.accepted='1' AND - $user_filter - parent_id = ".$work_data['id']." AND - active = 1 AND - parent_id = ".$work_parent->id."";*/ } - - //count documents - /*$res_document = Database::query($sql_document); - $count_document = Database::fetch_row($res_document); - $cant_files = $count_document[0];*/ - $text_file = get_lang('FilesUpload'); if ($cant_files == 1) { 
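Review bot: `if ($isSubscribed == false)` compares a boolean loosely and spends a temporary on it; since userIsSubscribedToWork() only ever returns true or false, `if (!userIsSubscribedToWork(api_get_user_id(), $work_data['id'], $course_id)) { continue; }` says the same thing without the intermediate. Dropping the commented-out SQL here is welcome, as it was the only remaining description of the old counting logic and is now superseded by get_count_work(). The enclosing display_student_publications_list() and its loop begin before this hunk and continue after it.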
@@ -2246,5 +2214,33 @@ function deleteUserToWork($userId, $workId, $courseId)
 Database::delete($table, $params);
 }
+function userIsSubscribedToWork($userId, $workId, $courseId)
+{
+ if (ADD_DOCUMENT_TO_WORK == false) {
+ return true;
+ }
+ $subscribedUsers = getAllUserToWork($workId, $courseId);
+ if (empty($subscribedUsers)) {
+ return true;
+ } else {
+ if (in_array($userId, $subscribedUsers)) {
+ return true;
+ }
+ }
+ return false;
+}
+
+function allowOnlySubscribedUser($userId, $workId, $courseId)
+{
+ if (ADD_DOCUMENT_TO_WORK == false) {
+ return true;
+ }
+ if (api_is_platform_admin() || api_is_allowed_to_edit()) {
+ return true;
+ }
+ if (userIsSubscribedToWork($userId, $workId, $courseId) == false) {
+ api_not_allowed(true);
+ }
+}
diff --git a/main/work/work_list.php b/main/work/work_list.php
index bf92a34959..a39d9cb209 100644
--- a/main/work/work_list.php
+++ b/main/work/work_list.php
@@ -35,6 +35,8 @@ $courseInfo = api_get_course_info();
 $htmlHeadXtra[] = api_get_jqgrid_js();
 $url_dir = api_get_path(WEB_CODE_PATH).'work/work.php?'.api_get_cidreq();
+allowOnlySubscribedUser(api_get_user_id(), $workId, $courseInfo['real_id']); + if (!empty($group_id)) { $group_properties = GroupManager :: get_group_properties($group_id);
diff --git a/main/work/work_list_others.php b/main/work/work_list_others.php
index f994e31d68..ba3cc200ca 100644
--- a/main/work/work_list_others.php
+++ b/main/work/work_list_others.php
@@ -38,8 +38,9 @@ if ($courseInfo['show_score'] == 1) {
 api_not_allowed(true);
 }
-$htmlHeadXtra[] = api_get_jqgrid_js();
+allowOnlySubscribedUser(api_get_user_id(), $workId, $courseInfo['real_id']);
+$htmlHeadXtra[] = api_get_jqgrid_js();
 if (!empty($group_id)) {
 $group_properties = GroupManager :: get_group_properties($group_id);
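Review bot: allowOnlySubscribedUser() returns `true` on its three early-exit paths but falls off the end (returning null) on the one path where a subscribed, non-editor user is actually allowed through, so any future caller that tests the result would treat the success case as a refusal; add `return true;` after the `api_not_allowed(true)` block (every caller in this commit ignores the return value, so this is consistency rather than a live bug). In userIsSubscribedToWork() the `else { if (in_array(...)) { return true; } }` block reduces to `return in_array($userId, $subscribedUsers);`; keep the loose comparison unless getAllUserToWork() is known to return ints, since ids fetched from the database may arrive as strings and a `true` third argument would then reject every user. Both functions deserve a docblock spelling out the rule the code implements, because it is fail-open in two ways a reader landing here from download.php will not expect: a work with no subscriber list (empty getAllUserToWork() result) is treated as open to every course member, and `ADD_DOCUMENT_TO_WORK == false` disables the check entirely. The guard also depends on api_not_allowed(true) never returning; if that helper can return in some context, the `return true;` suggested above must not be reachable after it.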