[svn r16486] the coachs can now delete only surveys of his sessions (FS#2864)

16 years ago · fa32c2301f
parent 4f2ba6eb10
commit fa32c2301f
4 changed files with 69 additions and 12 deletions
--- a/main/inc/lib/main_api.lib.php
+++ b/main/inc/lib/main_api.lib.php
@ -3097,4 +3097,41 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {

    return $is_allowed_in_course;
 }
+
+/**
+ * Returns whether an element (forum, message, survey ...) belongs to a session or not
+ * @param String the tool of the element
+ * @param int the element id in database
+ * @param int the session_id to compare with element session id
+ * @return boolean true if the element is in the session, false else
+ */
+function api_is_element_in_the_session($tool, $element_id, $session_id=null)
+{
+	if(is_null($session_id))
+	{
+		$session_id = intval($_SESSION['id_session']);
+	}
+	
+	// get informations to build query depending of the tool
+	switch ($tool)
+	{
+		case TOOL_SURVEY : 
+			$table_tool = Database::get_course_table(TABLE_SURVEY);
+			$key_field = 'survey_id';
+			break;
+		default: return false;
+	}
+	
+	
+	$sql = 'SELECT session_id FROM '.$table_tool.' WHERE '.$key_field.'='.intval($element_id);
+	$rs = api_sql_query($sql, __FILE__, __LINE__);
+	if($element_session_id = Database::result($rs, 0, 0))
+	{
+		if($element_session_id == intval($session_id))
+		{ // element belongs to the session
+			return true;
+		}
+	}
+	return false;
+}
 ?>
--- a/main/survey/create_new_survey.php
+++ b/main/survey/create_new_survey.php
@ -25,7 +25,7 @@
 * 	@author unknown, the initial survey that did not make it in 1.8 because of bad code
 * 	@author Patrick Cool <patrick.cool@UGent.be>, Ghent University: cleanup, refactoring and rewriting large parts (if not all) of the code
 *	@author Julio Montoya Armas <gugli100@gmail.com>, Dokeos: Personality Test modification and rewriting large parts of the code
-* 	@version $Id: create_new_survey.php 16410 2008-09-22 17:43:07Z juliomontoya $
+* 	@version $Id: create_new_survey.php 16486 2008-10-10 13:32:05Z elixir_inter $
 *
 * 	@todo only the available platform languages should be used => need an api get_languages and and api_get_available_languages (or a parameter)
 */
@ -56,12 +56,16 @@ $table_course 				= Database :: get_main_table(TABLE_MAIN_COURSE);
 $table_course_survey_rel 	= Database :: get_main_table(TABLE_MAIN_COURSE_SURVEY);

 /** @todo this has to be moved to a more appropriate place (after the display_header of the code)*/
-if (!api_is_allowed_to_edit(false,true))
+// if user is not teacher or if he's a coach trying to access an element out of his session
+if (!api_is_allowed_to_edit())
 {
-	Display :: display_header();
-	Display :: display_error_message(get_lang('NotAllowed'), false);
-	Display :: display_footer();
-	exit;
+	if(!api_is_course_coach() || (!empty($_GET['survey_id']) && !api_is_element_in_the_session(TOOL_SURVEY,intval($_GET['survey_id']))))
+	{
+		Display :: display_header();
+		Display :: display_error_message(get_lang('NotAllowed'), false);
+		Display :: display_footer();
+		exit;
+	}
 }

 // getting the survey information
--- a/main/survey/survey.lib.php
+++ b/main/survey/survey.lib.php
@ -24,7 +24,7 @@
 *	@package dokeos.survey
 * 	@author Patrick Cool <patrick.cool@UGent.be>, Ghent University: cleanup, refactoring and rewriting large parts (if not all) of the code
 	@author Julio Montoya Armas <gugli100@gmail.com>, Dokeos: Personality Test modification and rewriting large parts of the code
-* 	@version $Id: survey.lib.php 16453 2008-10-08 08:26:33Z elixir_inter $
+* 	@version $Id: survey.lib.php 16486 2008-10-10 13:32:05Z elixir_inter $
 *
 * 	@todo move this file to inc/lib
 * 	@todo use consistent naming for the functions (save vs store for instance)
@ -4307,14 +4307,20 @@ class SurveyUtil {
 	function modify_filter($survey_id)
 	{
 		global $charset;
-		$survey_id = Security::remove_XSS($survey_id);		
-		$return = '<a href="create_new_survey.php?'.api_get_cidreq().'&amp;action=edit&amp;survey_id='.$survey_id.'">'.Display::return_icon('edit.gif', get_lang('Edit')).'</a>';
-		$return .= '<a href="survey_list.php?'.api_get_cidreq().'&amp;action=delete&amp;survey_id='.$survey_id.'" onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("DeleteSurvey").'?',ENT_QUOTES,$charset)).'\')) return false;">'.Display::return_icon('delete.gif', get_lang('Delete')).'</a>';
+		$survey_id = Security::remove_XSS($survey_id);
+		$return = '';
+		
+		// coach can see that only if the survey is in his session
+		if(api_is_allowed_to_edit() || api_is_element_in_the_session(TOOL_SURVEY, $survey_id))
+		{
+			$return .= '<a href="create_new_survey.php?'.api_get_cidreq().'&amp;action=edit&amp;survey_id='.$survey_id.'">'.Display::return_icon('edit.gif', get_lang('Edit')).'</a>';
+			$return .= '<a href="survey_list.php?'.api_get_cidreq().'&amp;action=delete&amp;survey_id='.$survey_id.'" onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("DeleteSurvey").'?',ENT_QUOTES,$charset)).'\')) return false;">'.Display::return_icon('delete.gif', get_lang('Delete')).'</a>';
+			$return .= '<a href="survey_list.php?'.api_get_cidreq().'&amp;action=empty&amp;survey_id='.$survey_id.'" onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("EmptySurvey").'?')).'\')) return false;">'.Display::return_icon('empty.gif', get_lang('EmptySurvey')).'</a>';
+		}
 		//$return .= '<a href="create_survey_in_another_language.php?id_survey='.$survey_id.'">'.Display::return_icon('copy.gif', get_lang('Copy')).'</a>';
 		//$return .= '<a href="survey.php?survey_id='.$survey_id.'">'.Display::return_icon('add.gif', get_lang('Add')).'</a>';
 		$return .= '<a href="preview.php?'.api_get_cidreq().'&amp;survey_id='.$survey_id.'">'.Display::return_icon('preview.gif', get_lang('Preview')).'</a>';
 		$return .= '<a href="survey_invite.php?'.api_get_cidreq().'&amp;survey_id='.$survey_id.'">'.Display::return_icon('survey_publish.gif', get_lang('Publish')).'</a>';
-		$return .= '<a href="survey_list.php?'.api_get_cidreq().'&amp;action=empty&amp;survey_id='.$survey_id.'" onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("EmptySurvey").'?')).'\')) return false;">'.Display::return_icon('empty.gif', get_lang('EmptySurvey')).'</a>';
 		$return .= '<a href="reporting.php?'.api_get_cidreq().'&amp;survey_id='.$survey_id.'">'.Display::return_icon('statistics.gif', get_lang('Reporting')).'</a>';
 		return $return;
 	}
--- a/main/survey/survey_list.php
+++ b/main/survey/survey_list.php
@ -26,7 +26,7 @@
 * 	@author unknown, the initial survey that did not make it in 1.8 because of bad code
 * 	@author Patrick Cool <patrick.cool@UGent.be>, Ghent University: cleanup, refactoring and rewriting large parts of the code
 *	@author Julio Montoya Armas <gugli100@gmail.com>, Dokeos: Personality Test modification and rewriting large parts of the code
-* 	@version $Id: survey_list.php 16485 2008-10-10 12:49:22Z elixir_inter $
+* 	@version $Id: survey_list.php 16486 2008-10-10 13:32:05Z elixir_inter $
 *
 * 	@todo use quickforms for the forms
 */
@ -85,6 +85,11 @@ if (isset($_GET['action']) AND $_GET['action'] == 'delete' AND isset($_GET['surv
 {
 	// getting the information of the survey (used for when the survey is shared)
 	$survey_data = survey_manager::get_survey($_GET['survey_id']);
+	if(api_is_course_coach() && intval($_SESSION['id_session']) != $survey_data['session_id'])
+	{ // the coach can't delete a survey not belonging to his session
+		api_not_allowed();
+		exit;
+	}
 	// if the survey is shared => also delete the shared content
 	if (is_numeric($survey_data['survey_share']))
 	{
@ -103,6 +108,11 @@ if (isset($_GET['action']) AND $_GET['action'] == 'delete' AND isset($_GET['surv

 if(isset($_GET['action']) && $_GET['action'] == 'empty')
 {
+	if(!(api_is_course_coach() && !api_is_element_in_the_session(TOOL_SURVEY,intval($_GET['survey_id']))))
+	{// the coach can't empty a survey not belonging to his session
+		api_not_allowed();
+		exit;
+	}
 	$return = survey_manager::empty_survey(intval($_GET['survey_id']));
 	if ($return)
 	{