From fa8e7dd66f6893fc531adeb334d8a5b3080ff1fc Mon Sep 17 00:00:00 2001
From: Yannick Warnier
Date: Mon, 6 Jul 2009 22:18:25 +0200
Subject: [PATCH] [svn r21826] Removing right to "login-as" from session-admins, apart from logging-as normal students

---
 main/admin/user_list.php | 49 ++++++++++++++++++++-------------------
 main/img/login_as_na.gif | Bin 0 -> 1156 bytes
 2 files changed, 25 insertions(+), 24 deletions(-)
 create mode 100755 main/img/login_as_na.gif

diff --git a/main/admin/user_list.php b/main/admin/user_list.php
index 9f19bd8b44..61f3d0505d 100644
--- a/main/admin/user_list.php
+++ b/main/admin/user_list.php
@@ -1,4 +1,4 @@
- */ function login_user($user_id) { //init ---------------------------------------------------------------------
@@ -153,8 +153,7 @@ function login_user($user_id) {
 	//logic --------------------------------------------------------------------
 	unset($_user['user_id']); // uid not in session ? prevent any hacking
-	if (!isset ($user_id))
-	{
+	if (!isset ($user_id)) {
 		$uidReset = true;
 		return;
 	}
@@ -165,10 +164,14 @@ function login_user($user_id) {
 	$sql_query = "SELECT * FROM $main_user_table WHERE user_id='$user_id'";
 	$sql_result = api_sql_query($sql_query, __FILE__, __LINE__);
 	$result = Database :: fetch_array($sql_result);
+
+	// check if the user is allowed to 'login_as'
+	$can_login_as = (api_is_platform_admin() OR (api_is_session_admin() && $result['status'] == 5 ));
+	if (!$can_login_as) { return false; }
-	$firstname = $result["firstname"];
-	$lastname = $result["lastname"];
-	$user_id = $result["user_id"];
+	$firstname = $result['firstname'];
+	$lastname = $result['lastname'];
+	$user_id = $result['user_id'];
 	//$message = "Attempting to login as ".$firstname." ".$lastname." (id ".$user_id.")";
 	$message = sprintf(get_lang('AttemptingToLoginAs'),$firstname,$lastname,$user_id);
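Review bot: The new `$can_login_as` test hard-codes the student status as `5`, while the matching UI gate in modify_filter (hunk at old line 438) uses the `STUDENT` constant; the two predicates should not be able to drift apart, so write it as `$can_login_as = api_is_platform_admin() || (api_is_session_admin() && (int) $result['status'] === STUDENT);`. `Database :: fetch_array` returns `false` when the query matched no row, so for a platform admin `$result['status']` and the `$result['firstname']` reads below then operate on `false`; an `if ($result === false) { return false; }` before the check fails closed instead. The row the check relies on comes from the context line above, which still interpolates `$user_id` into the SQL string unescaped, so the minimal hardening is `$user_id = (int) $user_id;` before the query is built. login_user's body continues outside the hunk, so whether the caller inspects the new `return false` cannot be seen here.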
@@ -176,10 +179,8 @@ function login_user($user_id) {
 	$loginFailed = false;
 	$uidReset = false;
-	if ($user_id) // a uid is given (log in succeeded)
-	{
-		if ($_configuration['tracking_enabled'])
-		{
+	if ($user_id) { // a uid is given (log in succeeded)
+		if ($_configuration['tracking_enabled']) {
 			$sql_query = "SELECT user.*, a.user_id is_admin, UNIX_TIMESTAMP(login.login_date) login_date
 				FROM $main_user_table
@@ -189,9 +190,7 @@ function login_user($user_id) {
 				ON user.user_id = login.login_user_id
 				WHERE user.user_id = '".$user_id."'
 				ORDER BY login.login_date DESC LIMIT 1";
-		}
-		else
-		{
+		} else {
 			$sql_query = "SELECT user.*, a.user_id is_admin
 				FROM $main_user_table
 				LEFT JOIN $main_admin_table a
@@ -199,11 +198,10 @@ function login_user($user_id) {
 				WHERE user.user_id = '".$user_id."'";
 		}
-		$sql_result = api_sql_query($sql_query, __FILE__, __LINE__);
+		$sql_result = Database::query($sql_query, __FILE__, __LINE__);
-		if (Database::num_rows($sql_result) > 0)
-		{
+		if (Database::num_rows($sql_result) > 0) {
 			// Extracting the user data
 			$user_data = Database::fetch_array($sql_result);
@@ -245,10 +243,8 @@ function login_user($user_id) {
 		Display :: display_normal_message($message,false);
 		Display :: display_footer();
 		exit;
-	}
-	else
-	{
-		exit ("WARNING UNDEFINED UID !! ");
+	} else {
+		exit ("WARNING UNDEFINED UID !! ");
 	}
 }
 }
@@ -438,9 +434,14 @@ function modify_filter($user_id,$url_params,$row)
 	if (api_is_platform_admin()) {
 		$result .= ''.Display::return_icon('synthese_view.gif', get_lang('Info')).'  ';
 	}
-	$result .= ''.Display::return_icon('login_as.gif', get_lang('LoginAs')).'  ';
 	$statusname = api_get_status_langvars();
+	//only allow platform admins to login_as, or session admins only for students (not teachers nor other admins)
+	if (api_is_platform_admin() or (api_is_session_admin() && $row['6'] == $statusname[STUDENT])) {
+		$result .= ''.Display::return_icon('login_as.gif', get_lang('LoginAs')).'  ';
+	} else {
+		$result .= Display::return_icon('login_as_na.gif', get_lang('LoginAs')).'  ';
+	}
 	if ($row['6'] != $statusname[STUDENT]) {
 		$result .= Display::return_icon('statistics_na.gif', get_lang('Reporting')).'  ';
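Review bot: The switch from `api_sql_query` to `Database::query` on the tracking query is applied to only one of the two queries in login_user; the `SELECT * FROM $main_user_table` query in the hunk at old line 165 still goes through `api_sql_query`, so the function now mixes both APIs. Either migrate that call as well, `$sql_result = Database::query($sql_query, __FILE__, __LINE__);`, or keep both on the old helper in this commit and move them together later. Whether `Database::query` gives the `__FILE__, __LINE__` arguments the same meaning for error reporting cannot be confirmed from the hunk and is worth checking before relying on it. login_user continues outside the hunk.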
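Review bot: The new gate in modify_filter decides visibility of the login-as link by comparing `$row['6']` against the translated label `$statusname[STUDENT]` returned by `api_get_status_langvars()`, whereas the server-side check in login_user compares the numeric status, so the two tests can disagree whenever the label text or the interface language differs. If the numeric status is available on the row, compare that with `STUDENT` and keep the label for display only; if column 6 is indeed the only status information the row carries, a comment next to the condition saying so would tell the next reader why a display string is being compared. The condition also mixes the word form `or` with `&&`, while the equivalent test in login_user uses `OR`; `||` in both places reads consistently and avoids the low precedence of the word form outside an `if`. Since the link is only hidden here, the check in login_user remains the one that actually enforces the restriction; modify_filter continues outside the hunk.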
diff --git a/main/img/login_as_na.gif b/main/img/login_as_na.gif new file mode 100755 index 0000000000000000000000000000000000000000..4243ea9fe69e262ba7016138926fadd943ed5848 GIT binary patch literal 1156 zcmV-~1bh2ONk%w1VHN-u0Ox%G000010RaL60s{jB1Ox;H1qB8M1_uWR2nYxX2?+`c z3JVJh3=9kn4Gj(s4i66x5D*X%5fKs+5)%^>6ciK{6%`g178e&67#J8C85tTH8XFrM z92^`S9UUGX9v>ecARr(iAt53nA|oRsBqSsyB_$>%CMPE+C@3f?DJd!{Dl021EG#T7 zEiEoCE-x=HFfcGNF)=bSGBYzXG&D3dH8nOiHa9mnI5;>tIXOByIy*Z%JUl!-Jv}}? zK0iM{KtMo2K|w-7LPJACL_|bIMMXwNMn^|SNJvOYNl8jdN=r*iOiWBoO-)WtPESuy zP*6}&QBhJ-Qd3h?R8&+|RaI72R##V7SXfwDSy@_IT3cINTwGjTU0q&YUSD5dU|?Wj zVPRroVq;@tWMpJzWo2e&W@l$-XlQ6@X=!R|YHMq2Y;0_8ZEbFDZf|dIaBy&OadC2T za&vQYbaZreb#-=jc6WDoczAeud3kzzdV70&e0+R;eSLm@et&;|fPjF3fq{a8f`fyD zgoK2Jg@uNOhKGlTh=_=ZiHVAeii?YjjEszpjg5|uj*pLzkdTm(k&%*;l9Q8@l$4Z} zm6ev3mY0{8n3$NEnVFiJnwy)OoSdAUot>VZo}ZteprD|kp`oIpqNAguq@<*!rKP5( zrl+T;sHmu^si~@}s;jH3tgNi9t*x%EuCK4Ju&}VPv9YqUva_?Zw6wIfwY9dkwzs#p zxVX5vxw*Q!y1To(yu7@dCU$jHda z$;ryf%FD~k%*@Qq&CSlv&d<-!(9qD)(b3Y<($mw^)YR0~)z#M4*4Nk9*x1lt)=I7_<=;-L_>FMg~>g((4 z?Ck9A?d|UF?(gsK@bK{Q@$vHV^7Hfa^z`)g_4W4l_V@Sq`1ttw`T6?#`uqF){QUg= z{r&#_{{R2~A^8LW3IP8AEC2ui02Tli000R70RIUbNU)&6g9sBUTv$-wH)!1MF(k+> z7PD!?NGbC-Fx+t!U1uz~zw zEmOwt9zSKE&`hcoELpN;w?fSu=#Q2rTDE}2qC}_+ELo-$5i4bqps!xNVmW&BDAXuM zpj`2*WeF+4YRI^`%SI~4C1|crDRSj+-aCV*u)%X@FW#ef^-fum#wgvvccG+>L#K`> zPf?kqjnZ{6nJH$~wtX8HF5I_My`EyNqO_GDG)~5tF^fj++BIs^o*4s`sQkcle|7;Y zW~_hzVZ-dw$0qg(q|YFk(1Ob?y6mD0F0|0ni4@QvBo82G{P74TnPBn=A7@ly3qA?u WlT9p~93qGyi*VA*IRy?B5CA*2=q$ki literal 0 HcmV?d00001