} } } } } //successful, maybe, so direct to... if (!$system_message) { header("Location: manage_student.php"); exit; } else { $system_message = "The student has been partially copied. Some errors have occured:<BR>" . $system_message; } } } } if (!connectUserDB()) { $error_message = $error_message; //just to remember we need this $system_message = $error_message; IPP_LOG($system_message, $_SESSION['egps_username'], 'ERROR'); } //find all of the available schools.. if (!connectIPPDB()) { $error_message = $error_message; //just to remember we need this $system_message = $error_message; IPP_LOG($system_message, $_SESSION['egps_username'], 'ERROR'); } $school_query = "SELECT * FROM school WHERE 1=1"; $school_result = mysql_query($school_query); if (!$school_result) {
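/**
 * @fn getStudentPermission($student_id='')
 * @brief Determines the logged-in user's access level to one student's records.
 * @detail
 *  1. Returns "ERROR" when the permission level cannot be resolved, a DB connection
 *     fails, or a required query fails ($error_message is populated in those cases).
 *  2. Otherwise returns NONE, READ, WRITE (READ,WRITE), ASSIGN (READ,WRITE,ASSIGN),
 *     ALL (READ,WRITE,ASSIGN,DELETE), or the raw support_list['permission'] value.
 *  Resolution order: a school-based IPP administrator gets ASSIGN on students currently
 *  enrolled at their school; levels 0/10 get ALL; levels 20/30/40 depend on whether the
 *  student is local; everyone else falls back to the per-student support list.
 *  Security notes: every value reaching SQL is either cast to int or escaped for the
 *  connection it is used on (ext/mysql has no prepared statements), and the user-table
 *  query is never echoed into $error_message because it carries the session password.
 * @param string $student_id Numeric student id. Anything that is not a string of digits
 *                           is treated as 0 (matches no student) instead of reaching SQL.
 * @return string
 * @todo
 *  1. Rename function because it is a confusing name; perhaps get_access_to_student_record().
 *  2. The session holds a reusable password that is compared in SQL; replace with a
 *     server-side session id / hashed credential check.
 */
function getStudentPermission($student_id = '')
{
    global $error_message, $mysql_user_select_login, $mysql_user_select_password,
           $mysql_user_table, $mysql_user_append_to_login;

    $error_message = "";

    $session_user = isset($_SESSION['egps_username']) ? (string) $_SESSION['egps_username'] : '';
    $session_password = isset($_SESSION['password']) ? (string) $_SESSION['password'] : '';

    $permission_level = getPermissionLevel($session_user);
    // NOTE(review): the original test was `== NULL`, which is also true for int 0 -- the
    // Super Admin level handled below -- so a level of 0 came back as ERROR. Only genuine
    // "no level" results (null/false/'') are treated as an error here.
    if ($permission_level === NULL || $permission_level === FALSE || $permission_level === '') {
        return "ERROR";
    }
    // Normalise to int so the switch below compares exactly. Under PHP < 8 a non-numeric
    // string would have matched `case 0` (Super Admin) through loose comparison; a
    // non-numeric level now has no inherent permissions and uses the support list.
    $permission_level = is_numeric($permission_level) ? (int) $permission_level : -1;

    // The student id is used unquoted in numeric SQL comparisons; only a pure digit
    // string is accepted so it can never carry SQL. Anything else becomes 0.
    $student_id = ctype_digit((string) $student_id) ? (int) $student_id : 0;

    //find the currently logged in person's school code...
    if (!connectUserDB()) {
        // connectUserDB() is relied upon to populate $error_message (as in the original).
        return "ERROR";
    }

    // Session values originate from the login form; escape them on the user-DB link.
    // (mysql_real_escape_string() uses the most recently opened ext/mysql link, which
    // connectUserDB() is assumed to have established -- TODO confirm.)
    $login_sql = mysql_real_escape_string($session_user);
    $password_sql = mysql_real_escape_string($session_password);
    $query = "SELECT * FROM {$mysql_user_table} WHERE ("
        . $mysql_user_select_login . "='" . $login_sql . $mysql_user_append_to_login . "' or "
        . $mysql_user_select_login . "='" . $login_sql . "') and "
        . $mysql_user_select_password . "='" . $password_sql . "' AND aliased_name IS NULL";
    $result = mysql_query($query);
    if (!$result) {
        // Deliberately do NOT include the query text: it contains the session password.
        $error_message = "Database query failed (" . __FILE__ . ":" . __LINE__ . "): " . mysql_error() . "<BR>";
        return "ERROR";
    }
    $user_row = mysql_fetch_array($result);
    // NOTE(review): when no row matches (stale session, or an aliased login) the school
    // code is empty and the function continues, exactly as before. Returning ERROR here
    // would be stricter; confirm the aliased_name semantics before doing so.
    $school_code = ($user_row && isset($user_row['school_code'])) ? (string) $user_row['school_code'] : '';

    if (!connectIPPDB()) {
        // connectIPPDB() is relied upon to populate $error_message (as in the original).
        return "ERROR";
    }
    // Re-escape for the IPP link: escaping is specific to the connection and its charset.
    $login_ipp_sql = mysql_real_escape_string($session_user);
    $school_code_sql = mysql_real_escape_string($school_code);

    //check if this staff member is local to this student (student currently enrolled
    //at the staff member's school; an open school_history row has no end_date)...
    $local_query = "SELECT * FROM school_history WHERE student_id={$student_id} AND school_code='{$school_code_sql}' AND end_date IS NULL";
    $local_result = mysql_query($local_query); //errors ignored: the student is then simply non-local
    $is_local_student = ($local_result && mysql_num_rows($local_result) > 0);

    //Special case: the school-based IPP administrator gets ASSIGN on local students.
    $error_message = "";
    $system_query = "SELECT * from support_member WHERE egps_username='{$login_ipp_sql}'";
    $system_result = mysql_query($system_query);
    if (!$system_result) {
        $error_message = "Database query failed (" . __FILE__ . ":" . __LINE__ . "): " . mysql_error() . "<BR>Query: '{$system_query}'<BR>";
        return "ERROR";
    }
    $system_row = mysql_fetch_array($system_result);
    if ($is_local_student && $system_row && $system_row['is_local_ipp_administrator'] == 'Y') {
        return "ASSIGN";
    }

    //base our permission on the level we're assigned.
    switch ($permission_level) {
        case 0:  //Super Admin
        case 10: //Administrator
            return "ALL";
        case 30: //Principal: ASSIGN on local students, nothing elsewhere
        case 40: //Vice Principal: same as Principal (changed as per s. chomistek, 2006-03-23)
            return $is_local_student ? "ASSIGN" : "NONE";
        case 20: //Assistant Admin: ASSIGN on local students, READ on all others
            return $is_local_student ? "ASSIGN" : "READ";
        default:
            //no inherent permissions: consult the per-student support list.
            $support_query = "SELECT * FROM support_list WHERE egps_username='{$login_ipp_sql}' AND student_id={$student_id}";
            $support_result = mysql_query($support_query);
            // A failed query used to be dereferenced unchecked; it now counts as "not on the list".
            $row = $support_result ? mysql_fetch_array($support_result) : FALSE;
            if ($row && isset($row['permission']) && $row['permission'] !== '') {
                return $row['permission'];
            }
            return "NONE";
    }
}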