From fa1203ae6b90dc7d7af920a7c81063dedd2b0ab7 Mon Sep 17 00:00:00 2001 From: Julio Montoya Date: Fri, 10 Jul 2015 10:49:03 +0200 Subject: [PATCH] Add student publication folder visibility see #6760 --- main/group/group_space.php | 12 +--- main/inc/lib/course.lib.php | 10 ++-- main/tracking/userLog.php | 2 +- main/tracking/userlogCSV.php | 2 +- main/work/download_comment_file.php | 3 +- main/work/downloadfolder.inc.php | 3 +- main/work/edit.php | 2 +- main/work/upload.php | 14 +---- main/work/upload_from_template.php | 11 ++-- main/work/view.php | 6 +- main/work/work.lib.php | 89 +++++++++++++++++++++++++---- main/work/work.php | 69 ++++++++++++++++++++-- main/work/work_list.php | 46 ++++----------- main/work/work_list_others.php | 2 +- tests/main/work/work.lib.test.php | 16 ------ 15 files changed, 179 insertions(+), 108 deletions(-) diff --git a/main/group/group_space.php b/main/group/group_space.php index 8960f903a9..968174f464 100755 --- a/main/group/group_space.php +++ b/main/group/group_space.php @@ -101,20 +101,12 @@ if (isset($_GET['action'])) { /* Main Display Area */ -$course_code = api_get_course_id(); -$is_course_member = CourseManager::is_user_subscribed_in_real_or_linked_course( - api_get_user_id(), - $course_code -); - -// Edit the group. - $edit_url = ''; -if (api_is_allowed_to_edit(false, true) or +if (api_is_allowed_to_edit(false, true) || GroupManager::is_tutor_of_group(api_get_user_id(), api_get_group_id()) ) { $my_origin = isset($origin) ? $origin : ''; - $edit_url = ''. + $edit_url = ''. Display::return_icon('edit.png', get_lang('EditGroup'),'',ICON_SIZE_SMALL).''; } diff --git a/main/inc/lib/course.lib.php b/main/inc/lib/course.lib.php index ae6d584f33..029e7be288 100755 --- a/main/inc/lib/course.lib.php +++ b/main/inc/lib/course.lib.php 
@@ -1113,17 +1113,17 @@ class CourseManager * Is the user subscribed in the real course or linked courses? * * @param int the id of the user - * @param array info about the course (comes from course table, see database lib) + * @param int $courseId * @deprecated linked_courses definition doesn't exists * @return true if the user is registered in the real course or linked courses, false otherwise */ - public static function is_user_subscribed_in_real_or_linked_course($user_id, $course_code, $session_id = '') + public static function is_user_subscribed_in_real_or_linked_course($user_id, $courseId, $session_id = '') { if ($user_id != strval(intval($user_id))) { return false; } - $course_code = Database::escape_string($course_code); + $courseId = intval($courseId); if ($session_id == '') { $result = Database::fetch_array( @@ -1135,7 +1135,7 @@ class CourseManager WHERE course_user.user_id = '$user_id' AND course_user.relation_type<>" . COURSE_RELATION_TYPE_RRHH . " AND - ( course.code = '$course_code')" + ( course.id = '$courseId')" ) ); return !empty($result); @@ -1160,7 +1160,7 @@ class CourseManager FROM " . Database::get_main_table(TABLE_MAIN_SESSION_COURSE_USER) . " WHERE session_id='" . $session_id . "' AND user_id = '$user_id' AND status = 2 - AND course_code='$course_code'")) + AND c_id ='$courseId'")) ) { return true; } diff --git a/main/tracking/userLog.php b/main/tracking/userLog.php index c496c04057..b58baaef20 100755 --- a/main/tracking/userLog.php +++ b/main/tracking/userLog.php @@ -59,7 +59,7 @@ Display::display_header($nameTools,"Tracking"); /* Constants and variables */ $is_allowedToTrack = $is_courseAdmin; -$is_course_member = CourseManager::is_user_subscribed_in_real_or_linked_course($user_id, $course_id); +$is_course_member = CourseManager::is_user_subscribed_in_real_or_linked_course($user_id, $courseId); // Database Table Definitions $TABLECOURSUSER = Database::get_main_table(TABLE_MAIN_COURSE_USER); 
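Review bot: Changing the second parameter of `is_user_subscribed_in_real_or_linked_course` from a course code to `$courseId` silently breaks any caller this patch did not update: a string code now passes through `intval()`, becomes 0, and the user is reported as not subscribed. The call sites converted here (userLog.php, userlogCSV.php, edit.php, upload.php, upload_from_template.php) are covered, but the method is public static, so remaining callers outside the diff should be grepped before merge. The docblock should also state a real type, `@return bool true if the user is registered in the course or the session course, false otherwise`, and the `@deprecated` tag sits oddly on a method this patch extends. The method body continues past the hunk.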
diff --git a/main/tracking/userlogCSV.php b/main/tracking/userlogCSV.php index e49047863d..a554aa6dd0 100755 --- a/main/tracking/userlogCSV.php +++ b/main/tracking/userlogCSV.php @@ -50,7 +50,7 @@ $nameTools = get_lang('ToolName'); $is_allowedToTrack = $is_courseAdmin; $is_course_member = CourseManager::is_user_subscribed_in_real_or_linked_course( $user_id, - $course_id + $courseId ); // Database Table Definitions diff --git a/main/work/download_comment_file.php b/main/work/download_comment_file.php index becd18ddb9..e98198eae2 100755 --- a/main/work/download_comment_file.php +++ b/main/work/download_comment_file.php @@ -31,7 +31,8 @@ if (!empty($workData)) { } $work = get_work_data_by_id($workData['work_id']); - allowOnlySubscribedUser(api_get_user_id(), $work['parent_id'], $courseInfo['real_id']); + + protectWork($courseInfo, $work['parent_id']); if (user_is_author($workData['work_id']) || $courseInfo['show_score'] == 0 && diff --git a/main/work/downloadfolder.inc.php b/main/work/downloadfolder.inc.php index dc832f9612..b229d6b016 100755 --- a/main/work/downloadfolder.inc.php +++ b/main/work/downloadfolder.inc.php @@ -92,8 +92,7 @@ if (api_is_allowed_to_edit() || api_is_coach()) { } else { $courseInfo = api_get_course_info(); - - allowOnlySubscribedUser(api_get_user_id(), $work_id, $courseInfo['real_id']); + protectWork($courseInfo, $work_id); $userCondition = null; diff --git a/main/work/edit.php b/main/work/edit.php index b8a6ce744d..431719d01c 100755 --- a/main/work/edit.php +++ b/main/work/edit.php @@ -36,7 +36,7 @@ if (empty($parent_data)) { $is_course_member = CourseManager::is_user_subscribed_in_real_or_linked_course( $user_id, - $course_code, + $course_id, $session_id ); diff --git a/main/work/upload.php b/main/work/upload.php index edfa4cd6d5..74730970bf 100755 --- a/main/work/upload.php +++ b/main/work/upload.php 
@@ -28,19 +28,11 @@ if (empty($work_id)) { api_not_allowed(true); } -$workInfo = get_work_data_by_id($work_id); - -if (empty($workInfo)) { - api_not_allowed(true); -} +protectWork($course_info, $work_id); -if ($workInfo['active'] != 1) { - api_not_allowed(true); -} - -allowOnlySubscribedUser($user_id, $work_id, $course_id); +$workInfo = get_work_data_by_id($work_id); -$is_course_member = CourseManager::is_user_subscribed_in_real_or_linked_course($user_id, $course_code, $session_id); +$is_course_member = CourseManager::is_user_subscribed_in_real_or_linked_course($user_id, $course_id, $session_id); $is_course_member = $is_course_member || api_is_platform_admin(); if ($is_course_member == false || api_is_invitee()) { diff --git a/main/work/upload_from_template.php b/main/work/upload_from_template.php index 72bb694632..7742908bff 100755 --- a/main/work/upload_from_template.php +++ b/main/work/upload_from_template.php @@ -29,19 +29,16 @@ if (empty($work_id)) { api_not_allowed(true); } -$workInfo = get_work_data_by_id($work_id); - -if (empty($workInfo)) { - api_not_allowed(true); -} +protectWork($course_info, $work_id); -allowOnlySubscribedUser($user_id, $work_id, $course_id); +$workInfo = get_work_data_by_id($work_id); $is_course_member = CourseManager::is_user_subscribed_in_real_or_linked_course( $user_id, - $course_code, + $course_id, $session_id ); + $is_course_member = $is_course_member || api_is_platform_admin(); if ($is_course_member == false) { diff --git a/main/work/view.php b/main/work/view.php index a62ba76a9a..94dee32c2e 100755 --- a/main/work/view.php +++ b/main/work/view.php 
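Review bot: The removed `if ($workInfo['active'] != 1) api_not_allowed(true);` applied to every user, but inside `protectWork` the `api_is_platform_admin() || api_is_allowed_to_edit()` early return comes before the `active` and visibility checks, so editors can now reach the upload form for an inactive folder; the same shift happens in upload_from_template.php on this line and in work_list.php. If that is intended, a one-line comment on the call, `// editors bypass the active/visibility checks inside protectWork`, makes it explicit; otherwise move the `active` check in `protectWork` above the editor return. `protectWork` already loads the row that `get_work_data_by_id($work_id)` fetches again on the next line; returning `$workData` from it would save the duplicate query.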
@@ -22,11 +22,13 @@ $interbreadcrumb[] = array ('url' => 'work.php', 'name' => get_lang('StudentPubl $my_folder_data = get_work_data_by_id($work['parent_id']); $courseInfo = api_get_course_info(); -allowOnlySubscribedUser( +/*allowOnlySubscribedUser( api_get_user_id(), $work['parent_id'], $courseInfo['real_id'] -); +);*/ + +protectWork(api_get_course_info(), $work['parent_id']); $isDrhOfCourse = CourseManager::isUserSubscribedInCourseAsDrh( api_get_user_id(), diff --git a/main/work/work.lib.php b/main/work/work.lib.php index 9bc9e4ef34..015d8afcaa 100755 --- a/main/work/work.lib.php +++ b/main/work/work.lib.php @@ -1386,6 +1386,13 @@ function getWorkListStudent( if ($isSubscribed == false) { continue; } + + $visibility = api_get_item_visibility($courseInfo, 'work', $work['id'], $session_id); + + if ($visibility != 1) { + continue; + } + $work['type'] = Display::return_icon('work.png'); $work['expires_on'] = empty($work['expires_on']) ? null : api_get_local_time($work['expires_on']); @@ -1410,12 +1417,6 @@ function getWorkListStudent( $work['feedback'] = ' '.Display::label($count.' '.get_lang('Feedback'), 'info'); } - /*$score = getTotalWorkScore($workList); - - if (!is_null($score) && !empty($score)) { - $work['title'] .= ' '.Display::return_icon('rate_work.png', get_lang('Score')); - }*/ - $lastWork = getLastWorkStudentFromParentByUser($userId, $work['id'], $courseInfo); if (!empty($lastWork)) { @@ -1453,8 +1454,9 @@ function getWorkListTeacher( $getCount = false ) { $workTable = Database::get_course_table(TABLE_STUDENT_PUBLICATION); - $workTableAssignment = Database::get_course_table(TABLE_STUDENT_PUBLICATION_ASSIGNMENT); + $workTableAssignment = Database::get_course_table(TABLE_STUDENT_PUBLICATION_ASSIGNMENT); + $courseInfo = api_get_course_info(); $course_id = api_get_course_int_id(); $session_id = api_get_session_id(); $condition_session = api_get_session_condition($session_id); 
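Review bot: The old `allowOnlySubscribedUser(...)` call is kept as a comment block instead of being deleted, and the replacement re-calls `api_get_course_info()` even though `$courseInfo` was assigned two lines above. Suggest dropping the commented-out block and writing `protectWork($courseInfo, $work['parent_id']);`.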
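Review bot: `api_get_item_visibility($courseInfo, 'work', $work['id'], $session_id)` runs one lookup per work row inside the loop, and the same per-row call is added to `getWorkListTeacher` further down, so a course with many folders turns both listings into N+1 queries. Loading the item_property rows for the `work` tool once and checking a keyed map in the loop would avoid that. `$session_id` is taken from a scope outside the hunk; confirm it is the session the rest of `getWorkListStudent` filters on. The function starts and ends outside the hunk.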
@@ -1483,7 +1485,8 @@ function getWorkListTeacher( } $sql = " $select FROM $workTable w - LEFT JOIN $workTableAssignment a ON (a.publication_id = w.id AND a.c_id = w.c_id) + LEFT JOIN $workTableAssignment a + ON (a.publication_id = w.id AND a.c_id = w.c_id) WHERE w.c_id = $course_id $condition_session AND @@ -1526,10 +1529,29 @@ function getWorkListTeacher( 'success' ); + $visibility = api_get_item_visibility($courseInfo, 'work', $workId, $session_id); + + if ($visibility == 1) { + $icon = 'visible.png'; + $text = get_lang('Visible'); + $action = 'invisible'; + $class = ''; + } else { + $icon = 'invisible.png'; + $text = get_lang('invisible'); + $action = 'visible'; + $class = 'muted'; + } + + $visibilityLink = Display::url( + Display::return_icon($icon, $text, array(), ICON_SIZE_SMALL), + api_get_path(WEB_CODE_PATH).'work/work.php?id='.$workId.'&action='.$action.'&'.api_get_cidreq() + ); + if (empty($work['title'])) { $work['title'] = basename($work['url']); } - $work['title'] = Display::url($work['title'], $url.'&id='.$workId); + $work['title'] = Display::url($work['title'], $url.'&id='.$workId, ['class' => $class]); $work['title'] .= ' '.Display::label(get_count_work($work['id']), 'success'); $work['sent_date'] = api_get_local_time($work['sent_date']); @@ -1572,7 +1594,7 @@ function getWorkListTeacher( $deleteLink = null; $editLink = null; } - $work['actions'] = $downloadLink.$editLink.$deleteLink; + $work['actions'] = $visibilityLink.$downloadLink.$editLink.$deleteLink; $works[] = $work; } } @@ -2739,6 +2761,7 @@ function allowOnlySubscribedUser($userId, $workId, $courseId) if (api_is_platform_admin() || api_is_allowed_to_edit()) { return true; } + if (userIsSubscribedToWork($userId, $workId, $courseId) == false) { api_not_allowed(true); } 
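Review bot: The visibility toggle built here, `work.php?id=...&action=visible|invisible`, changes item_property state from a plain GET link with no anti-CSRF token, and the matching `visible`/`invisible` cases in work.php check only `$is_allowed_to_edit`. Appending `'&sec_token='.Security::get_token()` to the URL and calling `Security::check_token('get')` in the work.php handler before `api_item_property_update` closes that gap with the project's existing helper. Separately, `get_lang('invisible')` is lower-case while its sibling is `get_lang('Visible')`; if the language key is `Invisible` the tooltip will show the raw key. `getWorkListTeacher` starts and ends outside the hunk.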
@@ -4828,3 +4851,49 @@ function getWorkCreatedByUser($user_id, $courseId, $sessionId)
     return $forumList;
 }
+
+/**
+ * @param array $courseInfo
+ * @param int $workId
+ * @return bool
+ */
+function protectWork($courseInfo, $workId)
+{
+    $userId = api_get_user_id();
+    $groupId = api_get_group_id();
+    $sessionId = api_get_session_id();
+    $workData = get_work_data_by_id($workId);
+
+    if (empty($workData) || empty($courseInfo)) {
+        api_not_allowed(true);
+    }
+
+    if (api_is_platform_admin() || api_is_allowed_to_edit()) {
+        return true;
+    }
+
+    $workId = $workData['id'];
+
+    if ($workData['active'] != 1) {
+        api_not_allowed(true);
+    }
+
+    $visibility = api_get_item_visibility($courseInfo, 'work', $workId, $sessionId);
+
+    if ($visibility != 1) {
+        api_not_allowed(true);
+    }
+
+    allowOnlySubscribedUser($userId, $workId, $courseInfo['real_id']);
+
+    if (!empty($groupId)) {
+        $showWork = GroupManager::user_has_access(
+            $userId,
+            $groupId,
+            GroupManager::GROUP_TOOL_WORK
+        );
+        if (!$showWork) {
+            api_not_allowed(true);
+        }
+    }
+}
diff --git a/main/work/work.php b/main/work/work.php
index 12c00baf4a..a617d5ed68 100755
--- a/main/work/work.php
+++ b/main/work/work.php
@@ -14,10 +14,10 @@ api_protect_course_script(true);
 require_once 'work.lib.php';
-$course_info = api_get_course_info();
-$course_id = $course_info['real_id'];
-$user_id = api_get_user_id();
-$id_session = api_get_session_id();
+$course_info = api_get_course_info();
+$course_id = $course_info['real_id'];
+$user_id = api_get_user_id();
+$id_session = api_get_session_id();
 // Section (for the tabs)
 $this_section = SECTION_COURSES;
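Review bot: `protectWork` is documented `@return bool`, but only the admin/editor branch returns a value; every other path either exits inside `api_not_allowed(true)` or falls off the end with null, so a caller testing the result gets nothing useful. Either finish the function with `return true;` or change the docblock to `@return void` and state that it exits on denial. The group check is made against the request's `api_get_group_id()`, not against whichever group the work folder belongs to; confirm that `allowOnlySubscribedUser` ties the folder to its group, otherwise compare against the group id stored on the work row.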
@@ -79,11 +79,11 @@ if (!empty($group_id)) {
     }
     if ($action == 'upload_form') {
-        $interbreadcrumb[] = array('url' => 'work.php','name' => get_lang('UploadADocument'));
+        $interbreadcrumb[] = array('url' => 'work.php?'.api_get_cidreq(),'name' => get_lang('UploadADocument'));
     }
     if ($action == 'create_dir') {
-        $interbreadcrumb[] = array('url' => 'work.php','name' => get_lang('CreateAssignment'));
+        $interbreadcrumb[] = array('url' => 'work.php?'.api_get_cidreq(),'name' => get_lang('CreateAssignment'));
     }
 } else {
     if ($origin != 'learnpath') {
@@ -254,6 +254,63 @@ switch ($action) {
             header('Location: '.$currentUrl);
             exit;
         }
+        break;
+    case 'visible':
+        if (!$is_allowed_to_edit) {
+            api_not_allowed();
+        }
+
+        api_item_property_update(
+            $courseInfo,
+            'work',
+            $work_id,
+            'visible',
+            api_get_user_id(),
+            null,
+            null,
+            null,
+            null,
+            $session_id
+        );
+        Display::addFlash(
+            Display::return_message(
+                get_lang('VisibilityChanged'),
+                'confirmation'
+            )
+        );
+
+        header('Location: '.$currentUrl);
+        exit;
+
+        break;
+    case 'invisible':
+        if (!$is_allowed_to_edit) {
+            api_not_allowed();
+        }
+
+        api_item_property_update(
+            $courseInfo,
+            'work',
+            $work_id,
+            'invisible',
+            api_get_user_id(),
+            null,
+            null,
+            null,
+            null,
+            $session_id
+        );
+
+        Display::addFlash(
+            Display::return_message(
+                get_lang('VisibilityChanged'),
+                'confirmation'
+            )
+        );
+
+        header('Location: '.$currentUrl);
+        exit;
+        break;
     case 'list':
         /* Display list of student publications */
diff --git a/main/work/work_list.php b/main/work/work_list.php
index c14a96203d..c7b6ceac0a 100755
--- a/main/work/work_list.php
+++ b/main/work/work_list.php
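Review bot: The `visible` and `invisible` cases are identical apart from the action string passed to `api_item_property_update`, so they can collapse into one shared case that passes `$action` through, and the `break;` after `exit;` in each is unreachable. The update call also reads `$courseInfo`, while the top-of-file hunk in this patch defines `$course_info`; if `$courseInfo` is not assigned elsewhere in work.php the update receives null. The enclosing switch starts and ends outside the hunk.
```php
    case 'visible':
    case 'invisible':
        if (!$is_allowed_to_edit) {
            api_not_allowed();
        }

        // $action is the switch subject and is exactly 'visible' or 'invisible' here
        api_item_property_update(
            $courseInfo,
            'work',
            $work_id,
            $action,
            api_get_user_id(),
            null,
            null,
            null,
            null,
            $session_id
        );
        // … unchanged: flash message …
        header('Location: '.$currentUrl);
        exit;
```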
@@ -19,58 +19,35 @@ if (empty($workId)) { api_not_allowed(true); } -$my_folder_data = get_work_data_by_id($workId); +$courseInfo = api_get_course_info(); -if (empty($my_folder_data)) { - api_not_allowed(true); -} - -if ($my_folder_data['active'] != 1) { - api_not_allowed(true); -} +protectWork($courseInfo, $workId); +$my_folder_data = get_work_data_by_id($workId); $work_data = get_work_assignment_by_id($workId); $tool_name = get_lang('StudentPublications'); $group_id = api_get_group_id(); -$courseInfo = api_get_course_info(); + $htmlHeadXtra[] = api_get_jqgrid_js(); $url_dir = api_get_path(WEB_CODE_PATH).'work/work.php?'.api_get_cidreq(); -allowOnlySubscribedUser(api_get_user_id(), $workId, $courseInfo['real_id']); - if (!empty($group_id)) { $group_properties = GroupManager :: get_group_properties($group_id); - $show_work = false; - - if (api_is_allowed_to_edit(false, true)) { - $show_work = true; - } else { - // you are not a teacher - $show_work = GroupManager::user_has_access( - $user_id, - $group_id, - GroupManager::GROUP_TOOL_WORK - ); - } - - if (!$show_work) { - api_not_allowed(); - } - - $interbreadcrumb[] = array ('url' => api_get_path(WEB_CODE_PATH).'group/group.php', 'name' => get_lang('Groups')); - $interbreadcrumb[] = array ('url' => api_get_path(WEB_CODE_PATH).'group/group_space.php?gidReq='.$group_id, 'name' => get_lang('GroupSpace').' '.$group_properties['name']); + $interbreadcrumb[] = array('url' => api_get_path(WEB_CODE_PATH).'group/group.php?'.api_get_cidreq(), 'name' => get_lang('Groups')); + $interbreadcrumb[] = array('url' => api_get_path(WEB_CODE_PATH).'group/group_space.php?'.api_get_cidreq(), 'name' => get_lang('GroupSpace').' 
'.$group_properties['name']); } -$interbreadcrumb[] = array ('url' => api_get_path(WEB_CODE_PATH).'work/work.php?'.api_get_cidreq(), 'name' => get_lang('StudentPublications')); -$interbreadcrumb[] = array ('url' => api_get_path(WEB_CODE_PATH).'work/work_list.php?'.api_get_cidreq().'&id='.$workId, 'name' => $my_folder_data['title']); +$interbreadcrumb[] = array('url' => api_get_path(WEB_CODE_PATH).'work/work.php?'.api_get_cidreq(), 'name' => get_lang('StudentPublications')); +$interbreadcrumb[] = array('url' => api_get_path(WEB_CODE_PATH).'work/work_list.php?'.api_get_cidreq().'&id='.$workId, 'name' => $my_folder_data['title']); $documentsAddedInWork = getAllDocumentsFromWorkToString($workId, $courseInfo); Display :: display_header(null); echo '
'; -echo ''.Display::return_icon('back.png', get_lang('BackToWorksList'),'',ICON_SIZE_MEDIUM).''; +echo ''. + Display::return_icon('back.png', get_lang('BackToWorksList'),'',ICON_SIZE_MEDIUM).''; if (api_is_allowed_to_session_edit(false, true) && !empty($workId) && !api_is_invitee() ) { echo ''; echo Display::return_icon('upload_file.png', get_lang('UploadADocument'), '', ICON_SIZE_MEDIUM).''; @@ -88,7 +65,8 @@ if (!empty($error_message)) { } if (!empty($my_folder_data['description'])) { - echo '
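Review bot: The deleted group block let `api_is_allowed_to_edit(false, true)` — editors and session coaches — skip `GroupManager::user_has_access`, whereas `protectWork` returns early only for `api_is_allowed_to_edit()` with default arguments, so a session coach now has to be a group member to open work_list.php. If coaches should keep that access, `protectWork` needs the same `(false, true)` arguments on its editor check. The group breadcrumb also drops the explicit `gidReq=` parameter in favour of `api_get_cidreq()`; confirm that helper includes the group id in this version, otherwise the group_space link loses its target.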

'.get_lang('Description').':

'.Security::remove_XSS($my_folder_data['description']).'

'; + echo '

'.get_lang('Description').':

'. + Security::remove_XSS($my_folder_data['description']).'

'; } $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : null; diff --git a/main/work/work_list_others.php b/main/work/work_list_others.php index 363656a236..fbba47836b 100755 --- a/main/work/work_list_others.php +++ b/main/work/work_list_others.php @@ -31,7 +31,7 @@ if ($courseInfo['show_score'] == 1) { api_not_allowed(true); } -allowOnlySubscribedUser(api_get_user_id(), $workId, $courseInfo['real_id']); +protectWork($courseInfo, $workId); $htmlHeadXtra[] = api_get_jqgrid_js(); diff --git a/tests/main/work/work.lib.test.php b/tests/main/work/work.lib.test.php index 20c579a43f..ddf23b8cbd 100755 --- a/tests/main/work/work.lib.test.php +++ b/tests/main/work/work.lib.test.php @@ -244,22 +244,6 @@ class TestWork extends UnitTestCase { //var_dump($res); } - /** - * Checks if the first given directory exists as a subdir of the second given directory - * This function should now be deprecated by Security::check_abs_path() - * @param string Subdir - * @param string Base dir - * @return integer -1 on error, 0 if not subdir, 1 if subdir - */ - - function testis_subdir_of() { - $path_name = api_get_path(SYS_COURSE_PATH); - $subdir=$path_name.'work/testing'; - $basedir=$path_name; - $res=is_subdir_of($subdir,$basedir); - $this->assertTrue(is_numeric($res)); - //var_dump($res); - } /** * returns all the javascript that is required for easily