Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
61 changes: 28 additions & 33 deletions public/main/my_space/myStudents.php
Original file line number Diff line number Diff line change
Expand Up @@ -53,49 +53,44 @@
api_is_drh() ||
api_is_student_boss();

$allowedToTrackUser =
// Access to a student's tracking is granted on two levels:
// 1) Wide scope: platform/session admins, HR managers (DRH) and student bosses
// may view any student's tracking data.
// 2) Teachers, coaches and course tutors may only view a student they have a
// real relationship with: a shared course (as teacher), a shared session (as
// coach), or a course they tutor where the student is enrolled. This closes
// the hole where any teacher could read any student's data regardless of
// enrollment.
$hasWideTrackingScope =
api_is_platform_admin(true, true) ||
api_is_allowed_to_edit(null, true) ||
api_is_session_admin() ||
api_is_drh() ||
api_is_student_boss() ||
api_is_course_admin() ||
api_is_teacher()
;
api_is_student_boss();

if (false === $allowedToTrackUser && null !== $course) {
if (empty($sessionId)) {
$isTeacher = CourseManager::isCourseTeacher(
$tracksThisStudent = false;
if (!$hasWideTrackingScope && !empty($studentId)) {
$tracksThisStudent =
UserManager::isTeacherOfStudent(api_get_user_id(), $studentId)
|| Tracking::is_allowed_to_coach_student(api_get_user_id(), $studentId);

// A course tutor keeps access, but only to students enrolled in the course
// they tutor (not to any student, as the previous check allowed).
if (!$tracksThisStudent && null !== $course) {
$isCourseTutor = 1 === (int) CourseManager::get_tutor_in_course_status(
api_get_user_id(),
$course->getId()
);

if ($isTeacher) {
$allowedToTrackUser = true;
} else {
// Check if the user is tutor of the course
$userCourseStatus = CourseManager::get_tutor_in_course_status(
api_get_user_id(),
$course->getId()
);

if (1 === $userCourseStatus) {
$allowedToTrackUser = true;
}
}
} else {
$coach = api_is_coach($sessionId, $course->getId());

if ($coach) {
$allowedToTrackUser = true;
}
$studentInCourse = CourseManager::is_user_subscribed_in_course(
$studentId,
$course->getCode(),
!empty($sessionId),
$sessionId
);
$tracksThisStudent = $isCourseTutor && $studentInCourse;
}
}

if (!$allowedToTrackUser) {
api_not_allowed(true);
}
if (empty($studentId)) {
if (empty($studentId) || (!$hasWideTrackingScope && !$tracksThisStudent)) {
api_not_allowed(true);
}

Expand Down
Loading