diff --git a/main/admin/user_list.php b/main/admin/user_list.php
index 9f19bd8b44..61f3d0505d 100644
--- a/main/admin/user_list.php
+++ b/main/admin/user_list.php
@@ -1,4 +1,4 @@
-
*/
function login_user($user_id) {
//init ---------------------------------------------------------------------
@@ -153,8 +153,7 @@ function login_user($user_id) {
//logic --------------------------------------------------------------------
unset($_user['user_id']); // uid not in session ? prevent any hacking
- if (!isset ($user_id))
- {
+ if (!isset ($user_id)) {
$uidReset = true;
return;
}
@@ -165,10 +164,14 @@ function login_user($user_id) {
$sql_query = "SELECT * FROM $main_user_table WHERE user_id='$user_id'";
$sql_result = api_sql_query($sql_query, __FILE__, __LINE__);
$result = Database :: fetch_array($sql_result);
+
+ // check if the user is allowed to 'login_as'
+ $can_login_as = (api_is_platform_admin() OR (api_is_session_admin() && $result['status'] == 5 ));
+ if (!$can_login_as) { return false; }
- $firstname = $result["firstname"];
- $lastname = $result["lastname"];
- $user_id = $result["user_id"];
+ $firstname = $result['firstname'];
+ $lastname = $result['lastname'];
+ $user_id = $result['user_id'];
//$message = "Attempting to login as ".$firstname." ".$lastname." (id ".$user_id.")";
$message = sprintf(get_lang('AttemptingToLoginAs'),$firstname,$lastname,$user_id);
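Review bot: The new `$can_login_as` test treats a target as a student from `$result['status'] == 5` alone, but platform-admin membership is resolved later in this same function through the `LEFT JOIN $main_admin_table a` / `a.user_id is_admin` query, so a session admin could still log in as a status-5 account that is also listed in the admin table; include that lookup in the check, or refuse when `$user_data['is_admin']` is set before the session is switched. The check also reads `$result['status']` without confirming the fetch returned a row, and `return false` refuses silently, unlike the success path that goes through `Display :: display_normal_message`; at minimum add `// silent refusal: caller shows nothing` or display a message before returning. The target id is still interpolated into the SELECT (`WHERE user_id='$user_id'`); an `$user_id = intval($user_id);` before the query would close that, as the column is numeric. The body of login_user continues beyond this hunk.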
@@ -176,10 +179,8 @@ function login_user($user_id) {
$loginFailed = false;
$uidReset = false;
- if ($user_id) // a uid is given (log in succeeded)
- {
- if ($_configuration['tracking_enabled'])
- {
+ if ($user_id) { // a uid is given (log in succeeded)
+ if ($_configuration['tracking_enabled']) {
$sql_query = "SELECT user.*, a.user_id is_admin,
UNIX_TIMESTAMP(login.login_date) login_date
FROM $main_user_table
@@ -189,9 +190,7 @@ function login_user($user_id) {
ON user.user_id = login.login_user_id
WHERE user.user_id = '".$user_id."'
ORDER BY login.login_date DESC LIMIT 1";
- }
- else
- {
+ } else {
$sql_query = "SELECT user.*, a.user_id is_admin
FROM $main_user_table
LEFT JOIN $main_admin_table a
@@ -199,11 +198,10 @@ function login_user($user_id) {
WHERE user.user_id = '".$user_id."'";
}
- $sql_result = api_sql_query($sql_query, __FILE__, __LINE__);
+ $sql_result = Database::query($sql_query, __FILE__, __LINE__);
- if (Database::num_rows($sql_result) > 0)
- {
+ if (Database::num_rows($sql_result) > 0) {
// Extracting the user data
$user_data = Database::fetch_array($sql_result);
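Review bot: `Database::query` replaces `api_sql_query` on this line only, while the first `SELECT * FROM $main_user_table` query at the top of login_user still goes through `api_sql_query`; if the new call is the intended replacement, switch both so the function does not mix the two. This query also interpolates `$user_id` (`WHERE user.user_id = '".$user_id."'`), so a single integer cast at the top of the function would cover both statements. login_user continues outside this hunk.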
@@ -245,10 +243,8 @@ function login_user($user_id) {
Display :: display_normal_message($message,false);
Display :: display_footer();
exit;
- }
- else
- {
- exit ("
WARNING UNDEFINED UID !! ");
+ } else {
+ exit ("
WARNING UNDEFINED UID !! ");
}
}
}
@@ -438,9 +434,14 @@ function modify_filter($user_id,$url_params,$row)
if (api_is_platform_admin()) {
$result .= ''.Display::return_icon('synthese_view.gif', get_lang('Info')).' ';
}
- $result .= ''.Display::return_icon('login_as.gif', get_lang('LoginAs')).' ';
$statusname = api_get_status_langvars();
+ //only allow platform admins to login_as, or session admins only for students (not teachers nor other admins)
+ if (api_is_platform_admin() or (api_is_session_admin() && $row['6'] == $statusname[STUDENT])) {
+ $result .= ''.Display::return_icon('login_as.gif', get_lang('LoginAs')).' ';
+ } else {
+ $result .= Display::return_icon('login_as_na.gif', get_lang('LoginAs')).' ';
+ }
if ($row['6'] != $statusname[STUDENT])
{
$result .= Display::return_icon('statistics_na.gif', get_lang('Reporting')).' ';
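Review bot: The icon gate here uses the `STUDENT` constant via `$statusname[STUDENT]`, whereas the server-side check in login_user hard-codes `== 5`; if both express the same rule, login_user should use `STUDENT` as well so the two cannot drift apart. Comparing `$row['6']` with a language-dependent display name is too fragile to be an authorization signal, which is acceptable only because this branch just picks the icon; a comment such as `// display only: the enforced check is in login_user()` would make that explicit. modify_filter starts before this hunk.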
diff --git a/main/img/login_as_na.gif b/main/img/login_as_na.gif
new file mode 100755
index 0000000000..4243ea9fe6
Binary files /dev/null and b/main/img/login_as_na.gif differ