|
48 | 48 | $sord = 'desc'; |
49 | 49 | } |
50 | 50 |
|
51 | | -// Actions allowed to other roles. |
52 | | -if (!in_array( |
53 | | - $action, |
54 | | - [ |
55 | | - 'get_exercise_results', |
56 | | - 'get_exercise_pending_results', |
57 | | - 'get_exercise_results_report', |
58 | | - 'get_work_student_list_overview', |
59 | | - 'get_work_teacher', |
60 | | - 'get_work_student', |
61 | | - 'get_all_work_student', |
62 | | - 'get_work_user_list', |
63 | | - 'get_work_user_list_others', |
64 | | - 'get_work_user_list_all', |
65 | | - 'get_work_pending_list', |
66 | | - 'get_user_skill_ranking', |
67 | | - 'get_usergroups', |
68 | | - 'get_usergroups_teacher', |
69 | | - 'get_user_course_report_resumed', |
70 | | - 'get_user_course_report', |
71 | | - 'get_sessions_tracking', |
72 | | - 'get_sessions', |
73 | | - 'get_course_announcements', |
74 | | - 'course_log_events', |
75 | | - 'get_learning_path_calendars', |
76 | | - 'get_usergroups_users', |
77 | | - 'get_calendar_users', |
78 | | - 'get_exercise_categories', |
79 | | - ] |
80 | | - ) && !isset($_REQUEST['from_course_session'])) { |
| 51 | +$courseActions = [ |
| 52 | + 'get_exercise_results', |
| 53 | + 'get_exercise_pending_results', |
| 54 | + 'get_exercise_results_report', |
| 55 | + 'get_work_student_list_overview', |
| 56 | + 'get_work_teacher', |
| 57 | + 'get_work_student', |
| 58 | + 'get_all_work_student', |
| 59 | + 'get_work_user_list', |
| 60 | + 'get_work_user_list_others', |
| 61 | + 'get_work_user_list_all', |
| 62 | + 'get_work_pending_list', |
| 63 | + 'get_course_announcements', |
| 64 | + 'course_log_events', |
| 65 | + 'get_learning_path_calendars', |
| 66 | + 'get_usergroups_users', |
| 67 | + 'get_calendar_users', |
| 68 | + 'get_exercise_categories', |
| 69 | + 'get_usergroups_teacher', |
| 70 | + 'get_group_reporting', |
| 71 | +]; |
| 72 | + |
| 73 | +$adminActions = [ |
| 74 | + 'get_user_skill_ranking', |
| 75 | + 'get_usergroups', |
| 76 | + 'get_user_course_report_resumed', |
| 77 | + 'get_user_course_report', |
| 78 | + 'get_sessions_tracking', |
| 79 | + 'get_sessions', |
| 80 | +]; |
| 81 | + |
| 82 | +if (in_array($action, $courseActions, true)) { |
| 83 | + // Must be in a course context. |
| 84 | + api_protect_course_script(); |
| 85 | + |
| 86 | + // In course context, require edit rights (teacher/coach/course admin). |
| 87 | + // Some actions later check api_is_teacher() explicitly; keep this generic guard. |
| 88 | + if (!api_is_allowed_to_edit(null, true)) { |
| 89 | + api_not_allowed(true); |
| 90 | + } |
| 91 | +} elseif (in_array($action, $adminActions, true)) { |
| 92 | + api_protect_admin_script(true); |
| 93 | +} else { |
| 94 | + // Unknown / not whitelisted actions => block by default. |
81 | 95 | api_protect_admin_script(true); |
82 | | -} elseif (isset($_REQUEST['from_course_session']) && |
83 | | - 1 == $_REQUEST['from_course_session'] |
84 | | -) { |
85 | | - api_protect_teacher_script(true); |
86 | 96 | } |
87 | 97 |
|
88 | 98 | $toRemove = ['extra_access_start_date', 'extra_access_end_date']; |
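Review bot: The `from_course_session` request parameter that the removed lines used to route callers to `api_protect_teacher_script(true)` is not consulted anywhere in the new guard, so a client still sending `from_course_session=1` with an action outside `$courseActions` now hits `api_protect_admin_script(true)` instead, and nothing in the hunk records that this tightening is intentional. If it is, a comment above `$courseActions` such as `// from_course_session is intentionally ignored: access is decided solely by the action allow-lists below.` would stop a later maintainer from re-adding that path, and any caller that still passes the parameter should be checked. The course branch calls `api_protect_course_script()` with no arguments while the sibling guards pass `true`; if that first parameter is the print-headers flag, confirm the default still terminates the request in this AJAX handler rather than returning a result that is then discarded.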
|