diff --git a/main/inc/lib/main_api.lib.php b/main/inc/lib/main_api.lib.php index ffe302ee1c..e26863e7d2 100644 --- a/main/inc/lib/main_api.lib.php +++ b/main/inc/lib/main_api.lib.php @@ -3097,4 +3097,41 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) { return $is_allowed_in_course; } + +/** + * Returns whether an element (forum, message, survey ...) belongs to a session or not + * @param String the tool of the element + * @param int the element id in database + * @param int the session_id to compare with element session id + * @return boolean true if the element is in the session, false else + */ +function api_is_element_in_the_session($tool, $element_id, $session_id=null) +{ + if(is_null($session_id)) + { + $session_id = intval($_SESSION['id_session']); + } + + // get informations to build query depending of the tool + switch ($tool) + { + case TOOL_SURVEY : + $table_tool = Database::get_course_table(TABLE_SURVEY); + $key_field = 'survey_id'; + break; + default: return false; + } + + + $sql = 'SELECT session_id FROM '.$table_tool.' WHERE '.$key_field.'='.intval($element_id); + $rs = api_sql_query($sql, __FILE__, __LINE__); + if($element_session_id = Database::result($rs, 0, 0)) + { + if($element_session_id == intval($session_id)) + { // element belongs to the session + return true; + } + } + return false; +} ?> \ No newline at end of file diff --git a/main/survey/create_new_survey.php b/main/survey/create_new_survey.php index 4db9a3be8a..252ed08ae1 100644 --- a/main/survey/create_new_survey.php +++ b/main/survey/create_new_survey.php 
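Review bot: The truthiness test `if($element_session_id = Database::result($rs, 0, 0))` makes `api_is_element_in_the_session()` return false both when no row matches `$element_id` and when the element's `session_id` is 0 or NULL, so an element outside any session never matches even when the caller passes `$session_id = 0`; that is the fail-closed behaviour an authorization helper should have, but the docblock should say so, e.g. `@return boolean true only if the element exists and its (non-zero) session_id equals $session_id; false otherwise, including for unknown tools and missing rows`. `$_SESSION['id_session']` is read without `isset()`, which raises a notice for a user with no session context; `$session_id = isset($_SESSION['id_session']) ? intval($_SESSION['id_session']) : 0;` avoids it. The query is built by concatenation, but `$element_id` goes through `intval()` and the table and key field come from the fixed `switch`, so no user-controlled string reaches SQL here; keep that invariant when further `TOOL_*` cases are added.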
@@ -25,7 +25,7 @@ * @author unknown, the initial survey that did not make it in 1.8 because of bad code * @author Patrick Cool , Ghent University: cleanup, refactoring and rewriting large parts (if not all) of the code * @author Julio Montoya Armas , Dokeos: Personality Test modification and rewriting large parts of the code -* @version $Id: create_new_survey.php 16410 2008-09-22 17:43:07Z juliomontoya $ +* @version $Id: create_new_survey.php 16486 2008-10-10 13:32:05Z elixir_inter $ * * @todo only the available platform languages should be used => need an api get_languages and and api_get_available_languages (or a parameter) */ @@ -56,12 +56,16 @@ $table_course = Database :: get_main_table(TABLE_MAIN_COURSE); $table_course_survey_rel = Database :: get_main_table(TABLE_MAIN_COURSE_SURVEY); /** @todo this has to be moved to a more appropriate place (after the display_header of the code)*/ -if (!api_is_allowed_to_edit(false,true)) +// if user is not teacher or if he's a coach trying to access an element out of his session +if (!api_is_allowed_to_edit()) { - Display :: display_header(); - Display :: display_error_message(get_lang('NotAllowed'), false); - Display :: display_footer(); - exit; + if(!api_is_course_coach() || (!empty($_GET['survey_id']) && !api_is_element_in_the_session(TOOL_SURVEY,intval($_GET['survey_id'])))) + { + Display :: display_header(); + Display :: display_error_message(get_lang('NotAllowed'), false); + Display :: display_footer(); + exit; + } } // getting the survey information diff --git a/main/survey/survey.lib.php b/main/survey/survey.lib.php index b22fa75179..51fef70b36 100644 --- a/main/survey/survey.lib.php +++ b/main/survey/survey.lib.php 
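Review bot: The coach branch authorizes only on `$_GET['survey_id']`, so a coach posting the edit form for a survey of another session is stopped only if the save path further down derives the survey id from that same query parameter; if the handler also reads it from `$_POST`, the same `api_is_element_in_the_session()` check must be applied to that value. `empty($_GET['survey_id'])` additionally treats `survey_id=0` as "no survey", which is harmless here only because an id of 0 cannot match a row. Consider computing `$survey_id = isset($_GET['survey_id']) ? intval($_GET['survey_id']) : 0;` once above the guard and reusing it below, so the value that was authorized is the value that is used. The script's body continues outside the hunk, so the later uses of the id are not visible here.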
@@ -24,7 +24,7 @@ * @package dokeos.survey * @author Patrick Cool , Ghent University: cleanup, refactoring and rewriting large parts (if not all) of the code @author Julio Montoya Armas , Dokeos: Personality Test modification and rewriting large parts of the code -* @version $Id: survey.lib.php 16453 2008-10-08 08:26:33Z elixir_inter $ +* @version $Id: survey.lib.php 16486 2008-10-10 13:32:05Z elixir_inter $ * * @todo move this file to inc/lib * @todo use consistent naming for the functions (save vs store for instance) @@ -4307,14 +4307,20 @@ class SurveyUtil { function modify_filter($survey_id) { global $charset; - $survey_id = Security::remove_XSS($survey_id); - $return = ''.Display::return_icon('edit.gif', get_lang('Edit')).''; - $return .= ''.Display::return_icon('delete.gif', get_lang('Delete')).''; + $survey_id = Security::remove_XSS($survey_id); + $return = ''; + + // coach can see that only if the survey is in his session + if(api_is_allowed_to_edit() || api_is_element_in_the_session(TOOL_SURVEY, $survey_id)) + { + $return .= ''.Display::return_icon('edit.gif', get_lang('Edit')).''; + $return .= ''.Display::return_icon('delete.gif', get_lang('Delete')).''; + $return .= ''.Display::return_icon('empty.gif', get_lang('EmptySurvey')).''; + } //$return .= ''.Display::return_icon('copy.gif', get_lang('Copy')).''; //$return .= ''.Display::return_icon('add.gif', get_lang('Add')).''; $return .= ''.Display::return_icon('preview.gif', get_lang('Preview')).''; $return .= ''.Display::return_icon('survey_publish.gif', get_lang('Publish')).''; - $return .= ''.Display::return_icon('empty.gif', get_lang('EmptySurvey')).''; $return .= ''.Display::return_icon('statistics.gif', get_lang('Reporting')).''; return $return; } diff --git a/main/survey/survey_list.php b/main/survey/survey_list.php index 4ae995a7e2..3b026380e5 100644 --- a/main/survey/survey_list.php +++ b/main/survey/survey_list.php 
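Review bot: The icon condition `if(api_is_allowed_to_edit() || api_is_element_in_the_session(TOOL_SURVEY, $survey_id))` lacks the `api_is_course_coach()` term that create_new_survey.php and survey_list.php use, so any user who can render this list and whose `$_SESSION['id_session']` equals the survey's session gets the edit/delete/empty icons; it should read `if(api_is_allowed_to_edit() || (api_is_course_coach() && api_is_element_in_the_session(TOOL_SURVEY, $survey_id)))`. Hiding icons is presentation only, the enforcement has to stay in the action handlers, and note that the helper runs one extra query per row of the list. `$survey_id` here has only been through `Security::remove_XSS()`; the helper casts it with `intval()` before it reaches SQL, so that part is fine.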
@@ -26,7 +26,7 @@ * @author unknown, the initial survey that did not make it in 1.8 because of bad code * @author Patrick Cool , Ghent University: cleanup, refactoring and rewriting large parts of the code * @author Julio Montoya Armas , Dokeos: Personality Test modification and rewriting large parts of the code -* @version $Id: survey_list.php 16485 2008-10-10 12:49:22Z elixir_inter $ +* @version $Id: survey_list.php 16486 2008-10-10 13:32:05Z elixir_inter $ * * @todo use quickforms for the forms */ @@ -85,6 +85,11 @@ if (isset($_GET['action']) AND $_GET['action'] == 'delete' AND isset($_GET['surv { // getting the information of the survey (used for when the survey is shared) $survey_data = survey_manager::get_survey($_GET['survey_id']); + if(api_is_course_coach() && intval($_SESSION['id_session']) != $survey_data['session_id']) + { // the coach can't delete a survey not belonging to his session + api_not_allowed(); + exit; + } // if the survey is shared => also delete the shared content if (is_numeric($survey_data['survey_share'])) { @@ -103,6 +108,11 @@ if (isset($_GET['action']) AND $_GET['action'] == 'delete' AND isset($_GET['surv if(isset($_GET['action']) && $_GET['action'] == 'empty') { + if(!(api_is_course_coach() && !api_is_element_in_the_session(TOOL_SURVEY,intval($_GET['survey_id'])))) + {// the coach can't empty a survey not belonging to his session + api_not_allowed(); + exit; + } $return = survey_manager::empty_survey(intval($_GET['survey_id'])); if ($return) {
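Review bot: The delete branch re-implements the session test as `intval($_SESSION['id_session']) != $survey_data['session_id']` instead of calling the new helper, and the two disagree at the edges: when `$_GET['survey_id']` matches no row, `$survey_data['session_id']` is null and a coach with `id_session` 0 is not denied, whereas `api_is_element_in_the_session()` fails closed. For consistency with the `empty` action use `if(api_is_course_coach() && !api_is_element_in_the_session(TOOL_SURVEY, intval($_GET['survey_id'])))`. The check only restricts coaches; whether a user who is neither editor nor coach is stopped before reaching this branch depends on a guard earlier in the file that is outside the hunk. `$_GET['survey_id']` is still handed to `get_survey()` without `intval()`, which predates this change but is worth fixing while touching the block; the enclosing `if` continues past the hunk.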
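Review bot: The guard `if(!(api_is_course_coach() && !api_is_element_in_the_session(TOOL_SURVEY,intval($_GET['survey_id']))))` is inverted: it calls `api_not_allowed()` for every teacher and for a coach emptying a survey of his own session, and lets a coach through exactly when the survey belongs to another session, the opposite of what the comment says. Drop the outer negation so it matches the delete branch above: `if(api_is_course_coach() && !api_is_element_in_the_session(TOOL_SURVEY, intval($_GET['survey_id'])))`. Keeping the `exit;` after `api_not_allowed()` is fine if that helper does not itself terminate; the enclosing `if` block continues outside the hunk.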