[svn r16486] the coachs can now delete only surveys of his sessions (FS#2864)

skala
Eric Marguin 16 years ago
parent 4f2ba6eb10
commit fa32c2301f
  1. 37
      main/inc/lib/main_api.lib.php
  2. 8
      main/survey/create_new_survey.php
  3. 12
      main/survey/survey.lib.php
  4. 12
      main/survey/survey_list.php

@ -3097,4 +3097,41 @@ function api_is_course_visible_for_user( $userid = null, $cid = null ) {
return $is_allowed_in_course;
}
/**
* Returns whether an element (forum, message, survey ...) belongs to a session or not
* @param String the tool of the element
* @param int the element id in database
* @param int the session_id to compare with element session id
* @return boolean true if the element is in the session, false else
*/
function api_is_element_in_the_session($tool, $element_id, $session_id=null)
{
if(is_null($session_id))
{
$session_id = intval($_SESSION['id_session']);
}
// get informations to build query depending of the tool
switch ($tool)
{
case TOOL_SURVEY :
$table_tool = Database::get_course_table(TABLE_SURVEY);
$key_field = 'survey_id';
break;
default: return false;
}
$sql = 'SELECT session_id FROM '.$table_tool.' WHERE '.$key_field.'='.intval($element_id);
$rs = api_sql_query($sql, __FILE__, __LINE__);
if($element_session_id = Database::result($rs, 0, 0))
{
if($element_session_id == intval($session_id))
{ // element belongs to the session
return true;
}
}
return false;
}
?>

@ -25,7 +25,7 @@
* @author unknown, the initial survey that did not make it in 1.8 because of bad code
* @author Patrick Cool <patrick.cool@UGent.be>, Ghent University: cleanup, refactoring and rewriting large parts (if not all) of the code
* @author Julio Montoya Armas <gugli100@gmail.com>, Dokeos: Personality Test modification and rewriting large parts of the code
* @version $Id: create_new_survey.php 16410 2008-09-22 17:43:07Z juliomontoya $
* @version $Id: create_new_survey.php 16486 2008-10-10 13:32:05Z elixir_inter $
*
* @todo only the available platform languages should be used => need an api get_languages and and api_get_available_languages (or a parameter)
*/
@ -56,12 +56,16 @@ $table_course = Database :: get_main_table(TABLE_MAIN_COURSE);
$table_course_survey_rel = Database :: get_main_table(TABLE_MAIN_COURSE_SURVEY);
/** @todo this has to be moved to a more appropriate place (after the display_header of the code)*/
if (!api_is_allowed_to_edit(false,true))
// if user is not teacher or if he's a coach trying to access an element out of his session
if (!api_is_allowed_to_edit())
{
if(!api_is_course_coach() || (!empty($_GET['survey_id']) && !api_is_element_in_the_session(TOOL_SURVEY,intval($_GET['survey_id']))))
{
Display :: display_header();
Display :: display_error_message(get_lang('NotAllowed'), false);
Display :: display_footer();
exit;
}
}
// getting the survey information

@ -24,7 +24,7 @@
* @package dokeos.survey
* @author Patrick Cool <patrick.cool@UGent.be>, Ghent University: cleanup, refactoring and rewriting large parts (if not all) of the code
@author Julio Montoya Armas <gugli100@gmail.com>, Dokeos: Personality Test modification and rewriting large parts of the code
* @version $Id: survey.lib.php 16453 2008-10-08 08:26:33Z elixir_inter $
* @version $Id: survey.lib.php 16486 2008-10-10 13:32:05Z elixir_inter $
*
* @todo move this file to inc/lib
* @todo use consistent naming for the functions (save vs store for instance)
@ -4308,13 +4308,19 @@ class SurveyUtil {
{
global $charset;
$survey_id = Security::remove_XSS($survey_id);
$return = '<a href="create_new_survey.php?'.api_get_cidreq().'&amp;action=edit&amp;survey_id='.$survey_id.'">'.Display::return_icon('edit.gif', get_lang('Edit')).'</a>';
$return = '';
// coach can see that only if the survey is in his session
if(api_is_allowed_to_edit() || api_is_element_in_the_session(TOOL_SURVEY, $survey_id))
{
$return .= '<a href="create_new_survey.php?'.api_get_cidreq().'&amp;action=edit&amp;survey_id='.$survey_id.'">'.Display::return_icon('edit.gif', get_lang('Edit')).'</a>';
$return .= '<a href="survey_list.php?'.api_get_cidreq().'&amp;action=delete&amp;survey_id='.$survey_id.'" onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("DeleteSurvey").'?',ENT_QUOTES,$charset)).'\')) return false;">'.Display::return_icon('delete.gif', get_lang('Delete')).'</a>';
$return .= '<a href="survey_list.php?'.api_get_cidreq().'&amp;action=empty&amp;survey_id='.$survey_id.'" onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("EmptySurvey").'?')).'\')) return false;">'.Display::return_icon('empty.gif', get_lang('EmptySurvey')).'</a>';
}
//$return .= '<a href="create_survey_in_another_language.php?id_survey='.$survey_id.'">'.Display::return_icon('copy.gif', get_lang('Copy')).'</a>';
//$return .= '<a href="survey.php?survey_id='.$survey_id.'">'.Display::return_icon('add.gif', get_lang('Add')).'</a>';
$return .= '<a href="preview.php?'.api_get_cidreq().'&amp;survey_id='.$survey_id.'">'.Display::return_icon('preview.gif', get_lang('Preview')).'</a>';
$return .= '<a href="survey_invite.php?'.api_get_cidreq().'&amp;survey_id='.$survey_id.'">'.Display::return_icon('survey_publish.gif', get_lang('Publish')).'</a>';
$return .= '<a href="survey_list.php?'.api_get_cidreq().'&amp;action=empty&amp;survey_id='.$survey_id.'" onclick="javascript:if(!confirm(\''.addslashes(htmlentities(get_lang("EmptySurvey").'?')).'\')) return false;">'.Display::return_icon('empty.gif', get_lang('EmptySurvey')).'</a>';
$return .= '<a href="reporting.php?'.api_get_cidreq().'&amp;survey_id='.$survey_id.'">'.Display::return_icon('statistics.gif', get_lang('Reporting')).'</a>';
return $return;
}

@ -26,7 +26,7 @@
* @author unknown, the initial survey that did not make it in 1.8 because of bad code
* @author Patrick Cool <patrick.cool@UGent.be>, Ghent University: cleanup, refactoring and rewriting large parts of the code
* @author Julio Montoya Armas <gugli100@gmail.com>, Dokeos: Personality Test modification and rewriting large parts of the code
* @version $Id: survey_list.php 16485 2008-10-10 12:49:22Z elixir_inter $
* @version $Id: survey_list.php 16486 2008-10-10 13:32:05Z elixir_inter $
*
* @todo use quickforms for the forms
*/
@ -85,6 +85,11 @@ if (isset($_GET['action']) AND $_GET['action'] == 'delete' AND isset($_GET['surv
{
// getting the information of the survey (used for when the survey is shared)
$survey_data = survey_manager::get_survey($_GET['survey_id']);
if(api_is_course_coach() && intval($_SESSION['id_session']) != $survey_data['session_id'])
{ // the coach can't delete a survey not belonging to his session
api_not_allowed();
exit;
}
// if the survey is shared => also delete the shared content
if (is_numeric($survey_data['survey_share']))
{
@ -103,6 +108,11 @@ if (isset($_GET['action']) AND $_GET['action'] == 'delete' AND isset($_GET['surv
if(isset($_GET['action']) && $_GET['action'] == 'empty')
{
if(!(api_is_course_coach() && !api_is_element_in_the_session(TOOL_SURVEY,intval($_GET['survey_id']))))
{// the coach can't empty a survey not belonging to his session
api_not_allowed();
exit;
}
$return = survey_manager::empty_survey(intval($_GET['survey_id']));
if ($return)
{

Loading…
Cancel
Save