
Commit cd05124

Merge pull request #7436 from christianbeeznest/fixes-updates240
Internal: Improve teacher access permissions for reporting pages
2 parents 4205d77 + 74d0508 commit cd05124

3 files changed

Lines changed: 71 additions & 55 deletions


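--- a/public/main/inc/ajax/model.ajax.php
+++ b/public/main/inc/ajax/model.ajax.php
@@ -48,41 +48,51 @@
 $sord = 'desc';
 }
 
-// Actions allowed to other roles.
-if (!in_array(
-$action,
-[
-'get_exercise_results',
-'get_exercise_pending_results',
-'get_exercise_results_report',
-'get_work_student_list_overview',
-'get_work_teacher',
-'get_work_student',
-'get_all_work_student',
-'get_work_user_list',
-'get_work_user_list_others',
-'get_work_user_list_all',
-'get_work_pending_list',
-'get_user_skill_ranking',
-'get_usergroups',
-'get_usergroups_teacher',
-'get_user_course_report_resumed',
-'get_user_course_report',
-'get_sessions_tracking',
-'get_sessions',
-'get_course_announcements',
-'course_log_events',
-'get_learning_path_calendars',
-'get_usergroups_users',
-'get_calendar_users',
-'get_exercise_categories',
-]
-) && !isset($_REQUEST['from_course_session'])) {
+$courseActions = [
+'get_exercise_results',
+'get_exercise_pending_results',
+'get_exercise_results_report',
+'get_work_student_list_overview',
+'get_work_teacher',
+'get_work_student',
+'get_all_work_student',
+'get_work_user_list',
+'get_work_user_list_others',
+'get_work_user_list_all',
+'get_work_pending_list',
+'get_course_announcements',
+'course_log_events',
+'get_learning_path_calendars',
+'get_usergroups_users',
+'get_calendar_users',
+'get_exercise_categories',
+'get_usergroups_teacher',
+'get_group_reporting',
+];
+
+$adminActions = [
+'get_user_skill_ranking',
+'get_usergroups',
+'get_user_course_report_resumed',
+'get_user_course_report',
+'get_sessions_tracking',
+'get_sessions',
+];
+
+if (in_array($action, $courseActions, true)) {
+// Must be in a course context.
+api_protect_course_script();
+
+// In course context, require edit rights (teacher/coach/course admin).
+// Some actions later check api_is_teacher() explicitly; keep this generic guard.
+if (!api_is_allowed_to_edit(null, true)) {
+api_not_allowed(true);
+}
+} elseif (in_array($action, $adminActions, true)) {
+api_protect_admin_script(true);
+} else {
+// Unknown / not whitelisted actions => block by default.
 api_protect_admin_script(true);
-} elseif (isset($_REQUEST['from_course_session']) &&
-1 == $_REQUEST['from_course_session']
-) {
-api_protect_teacher_script(true);
 }
 
 $toRemove = ['extra_access_start_date', 'extra_access_end_date'];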
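Review bot: The new course-context guard authorizes against the course carried in the cidReq context, but at least one whitelisted action, `get_group_reporting`, is invoked with a separate `course_id` request parameter (see course_log_groups.php in this same commit); if its handler — outside this hunk — reads `course_id` from the request instead of `api_get_course_int_id()`, a teacher of one course can pass another course's id and the guard will not notice. Either make the handlers derive the course from the context, or reject the mismatch right after `api_protect_course_script()`: `if (!empty($_REQUEST['course_id']) && (int) $_REQUEST['course_id'] !== api_get_course_int_id()) { api_not_allowed(true); }`. The comment on the final else branch says "block by default", but the code is `api_protect_admin_script(true)`, which still admits platform admins; `// Unknown actions: platform admins only.` describes it accurately. Some names in `$courseActions` (`get_work_student`, `get_all_work_student`) read as student-facing; if students legitimately reach them, the `api_is_allowed_to_edit(null, true)` check now locks them out, which is worth confirming against the handlers that follow this hunk.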

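--- a/public/main/tracking/course_log_groups.php
+++ b/public/main/tracking/course_log_groups.php
@@ -24,14 +24,13 @@
 $isAllowedToTrack = Tracking::isAllowToTrack($sessionId);
 if (!$isAllowedToTrack) {
 api_not_allowed(true);
-exit;
 }
 
 $nameTools = get_lang('Group reporting');
 
 // jqGrid will use this URL to do the selects.
 $url = api_get_path(WEB_AJAX_PATH).'model.ajax.php?a=get_group_reporting&course_id='.
-$courseId.'&session_id='.$sessionId;
+$courseId.'&session_id='.$sessionId.'&'.api_get_cidreq();
 
 // The order is important; you need to check the $columns variable
 // in the model.ajax.php file.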
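Review bot: Dropping `exit;` after `api_not_allowed(true)` makes this page's access control depend entirely on `api_not_allowed` terminating the request; its implementation is not in this diff, so I cannot confirm it never returns, and keeping the `exit;` as a belt-and-braces stop costs nothing. The rebuilt URL now names the course twice — as `course_id=` and inside `api_get_cidreq()` — and the model endpoint's new guard authorizes against the latter, so the `get_group_reporting` handler should take its course from `api_get_course_int_id()` rather than trust `course_id`. `$courseId` and `$sessionId` are assigned before this hunk; if they originate from the request they should be cast with `(int)` before being interpolated into the URL.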

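--- a/public/main/tracking/exams.php
+++ b/public/main/tracking/exams.php
@@ -16,7 +16,7 @@
 $this_section = SECTION_TRACKING;
 
 $is_allowedToTrack =
-api_is_course_admin() ||
+api_is_allowed_to_edit() ||
 api_is_platform_admin(true) ||
 api_is_session_general_coach();
 
@@ -80,26 +80,33 @@
 if ($global) {
 $form->addElement('hidden', 'view', 'admin');
 } else {
-// Course context – add optional test selector.
-$courseId = api_get_course_int_id();
-
-$sql = "SELECT quiz.title, iid
-FROM $quizTable AS quiz
-WHERE
-c_id = $courseId AND
-active = 1
-$sessionCondition
-ORDER BY quiz.title ASC";
-$result = Database::query($sql);
-
-if (Database::num_rows($result) > 0) {
-$exerciseList = [get_lang('All')];
-while ($row = Database::fetch_array($result)) {
-$exerciseList[$row['iid']] = $row['title'];
-}
+$courseId = (int) api_get_course_int_id();
+$sessionId = (int) api_get_session_id();
+
+$course = api_get_course_entity($courseId);
+$session = $sessionId ? api_get_session_entity($sessionId) : null;
+
+$repo = Container::getQuizRepository();
+$qb = $repo->getResourcesByCourse($course, $session);
+
+$qb->select('DISTINCT resource');
 
-$form->addSelect('exercise_id', get_lang('Test'), $exerciseList);
+if ($session) {
+$qb->andWhere('(links.session = :sess OR links.session IS NULL)')
+->setParameter('sess', $session);
+} else {
+$qb->andWhere('links.session IS NULL');
+}
+$qb->orderBy('resource.title', 'ASC');
+$quizzes = $qb->getQuery()->getResult();
+$exerciseList = [0 => get_lang('All')];
+
+foreach ($quizzes as $quiz) {
+$id = method_exists($quiz, 'getIid') ? (int) $quiz->getIid() : (int) $quiz->getId();
+$exerciseList[$id] = $quiz->getTitle();
 }
+
+$form->addSelect('exercise_id', get_lang('Test'), $exerciseList);
 }
 
 $form->addButton(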
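Review bot: The replaced SQL restricted the exercise selector with `active = 1`, but the new query builder adds no equivalent condition, so disabled exercises will now be offered in the `exercise_id` dropdown; add a filter on the entity's active flag, e.g. `$qb->andWhere('resource.active = 1')` if the quiz entity exposes it under that name. The `andWhere('links.session ...')` clauses assume `getResourcesByCourse()` joins the resource links under the alias `links`; that repository method is not in this diff, so the dependency deserves a comment such as `// relies on the 'links' join alias created by getResourcesByCourse()`. With the raw query gone, `$quizTable` and `$sessionCondition`, set up before this hunk, look dead and can probably be removed. The `method_exists($quiz, 'getIid')` fallback hedges on the entity API; since the repository returns one known entity type, calling its real accessor directly would be clearer.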
