/**
 * Gate an administrator-only page.
 *
 * A caller without a valid, course-less (course_id == -1) admin session is
 * redirected to the login page. A super-admin passes unconditionally; any
 * other admin must hold the requested privilege bit, otherwise the
 * ACCESS_DENIED page is rendered and the script stops.
 *
 * @param int  $privilege privilege bit required in addition to admin login
 *                        (0 = admin login alone is enough)
 * @param bool $check     when true, report the outcome as a return value
 *                        instead of redirecting / rendering the error page
 * @return bool true when the caller may proceed; false only when $check is set
 */
function admin_authenticate($privilege = 0, $check = false)
{
    $has_admin_session = isset($_SESSION['valid_user'])
        && $_SESSION['valid_user']
        && $_SESSION['course_id'] == -1;

    if (!$has_admin_session) {
        if ($check) {
            return false;
        }
        header('Location: ' . AT_BASE_HREF . 'login.php');
        exit;
    }

    // Super-admins implicitly carry every privilege.
    if ($_SESSION['privileges'] == AT_ADMIN_PRIV_ADMIN) {
        return true;
    }

    // No specific bit requested: any admin session will do.
    if (!$privilege) {
        return true;
    }

    if (query_bit($_SESSION['privileges'], $privilege)) {
        return true;
    }

    if ($check) {
        return false;
    }

    global $msg;
    $msg->addError('ACCESS_DENIED');
    require AT_INCLUDE_PATH . 'header.inc.php';
    require AT_INCLUDE_PATH . 'footer.inc.php';
    exit;
}
/* Copyright (c) 2002-2010 */ /* Inclusive Design Institute */ /* http://atutor.ca */ /* */ /* This program is free software. You can redistribute it and/or*/ /* modify it under the terms of the GNU General Public License */ /* as published by the Free Software Foundation. */ /****************************************************************/ // $Id$ define('AT_INCLUDE_PATH', '../../../include/'); require AT_INCLUDE_PATH . 'vitals.inc.php'; require AT_INCLUDE_PATH . '../mods/_standard/file_storage/file_storage.inc.php'; $owner_type = abs($_REQUEST['ot']); $owner_id = abs($_REQUEST['oid']); $owner_arg_prefix = '?ot=' . $owner_type . SEP . 'oid=' . $owner_id . SEP; if (!($owner_status = fs_authenticate($owner_type, $owner_id)) || !query_bit($owner_status, WORKSPACE_AUTH_WRITE)) { $msg->addError('ACCESS_DENIED'); header('Location: ' . url_rewrite('mods/_standard/file_storage/index.php', AT_PRETTY_URL_IS_HEADER)); exit; } if (isset($_POST['cancel'])) { $msg->addFeedback('CANCELLED'); header('Location: ' . url_rewrite('mods/_standard/file_storage/index.php' . $owner_arg_prefix . 'folder=' . abs($_POST['folder']), AT_PRETTY_URL_IS_HEADER)); exit; } else { if (isset($_POST['submit'])) { $_POST['id'] = abs($_POST['id']); if (!$_POST['name']) { $msg->addError('MISSING_FILENAME'); } if (!$msg->containsErrors()) {
/* Copyright (c) 2002-2010 */ /* Inclusive Design Institute */ /* http://atutor.ca */ /* */ /* This program is free software. You can redistribute it and/or*/ /* modify it under the terms of the GNU General Public License */ /* as published by the Free Software Foundation. */ /****************************************************************/ // $Id$ define('AT_INCLUDE_PATH', '../../../include/'); require (AT_INCLUDE_PATH.'vitals.inc.php'); // authenticate ot+oid .... $owner_type = abs($_REQUEST['ot']); $owner_id = abs($_REQUEST['oid']); if (!($owner_status = blogs_authenticate($owner_type, $owner_id)) || !query_bit($owner_status, BLOGS_AUTH_WRITE)) { $msg->addError('ACCESS_DENIED'); header('Location: index.php'); exit; } if (isset($_POST['cancel'])) { $msg->addFeedback('CANCELLED'); header('Location: '.url_rewrite('mods/_standard/blogs/view.php?ot='.BLOGS_GROUP.SEP.'oid='.$_POST['oid'], AT_PRETTY_URL_IS_HEADER)); exit; } else if (isset($_POST['submit'])) { $_POST['title'] = $addslashes(trim($_POST['title'])); $_POST['body'] = $addslashes(trim($_POST['body'])); $id = abs($_POST['id']); if ($_POST['body'] == '') {
} $_POST['login'] = $stripslashes($_POST['login']); } } $_GET['login'] = $addslashes($_REQUEST['login']); $sql = "SELECT login FROM " . TABLE_PREFIX . "admins WHERE login='******'login']}'"; $result = mysql_query($sql, $db); if (!($row = mysql_fetch_assoc($result))) { $msg->addError('USER_NOT_FOUND'); $msg->printErrors(); require AT_INCLUDE_PATH . 'footer.inc.php'; exit; } if (!isset($_POST['submit'])) { $_POST = $row; if (query_bit($row['privileges'], AT_ADMIN_PRIV_ADMIN)) { $_POST['priv_admin'] = 1; } $_POST['privs'] = intval($row['privileges']); } $onload = 'document.form.password1.focus();'; require AT_INCLUDE_PATH . 'header.inc.php'; ?> <script language="JavaScript" src="sha-1factory.js" type="text/javascript"></script> <script type="text/javascript"> function encrypt_password() { document.form.password_error.value = ""; err = verify_password(document.form.password1.value, document.form.confirm_password.value);
<?php $module =& $this->module_list[$module_name]; ?> <?php if (!($module->getAdminPrivilege() > 1)) { continue; } ?> <input type="checkbox" name="privs[]" value="<?php echo $module->getAdminPrivilege(); ?> " id="priv_<?php echo $module->getAdminPrivilege(); ?> " <?php if (query_bit($_POST['privs'], $module->getAdminPrivilege())) { echo 'checked="checked"'; } ?> /><label for="priv_<?php echo $module->getAdminPrivilege(); ?> "><?php echo $module->getName(); ?> </label><br /> <?php } ?> </div>
<div class="row"> <h4 class="date"><?php echo get_display_name($row['member_id']); ?> - <?php echo AT_date(_AT('forum_date_format'), $row['date'], AT_DATE_MYSQL_DATETIME); ?> </h4> <p><?php echo AT_print($row['comment'], 'blog_posts_comments.comment'); ?> </p> <?php if (query_bit($owner_status, BLOGS_AUTH_WRITE)) { ?> <div style="text-align: right; font-size: smaller;"> <a href="mods/_standard/blogs/delete_comment.php?ot=<?php echo $owner_type . SEP . 'oid=' . $owner_id . SEP . 'id=' . $id . SEP . 'delete_id=' . $row['comment_id']; ?> "><?php echo _AT('delete'); ?> </a> </div> <?php } ?> </div> </div>
$course_info = mysql_fetch_assoc($result); if ($_POST['submit']) { $_SESSION['enroll'] = AT_ENROLL_YES; if ($course_info['access'] == 'private') { $sql = "INSERT INTO " . TABLE_PREFIX . "course_enrollment VALUES ({$_SESSION['member_id']}, {$course}, 'n', 0, '" . _AT('student') . "', 0)"; $result = mysql_query($sql, $db); // send the email - if needed if ($system_courses[$course]['notify'] == 1) { $mail_list = array(); //initialize an array to store all the pending emails //Get the list of students with enrollment privilege $module =& $moduleFactory->getModule('_core/enrolment'); $sql = "SELECT email, first_name, last_name, `privileges` FROM " . TABLE_PREFIX . "members m INNER JOIN " . TABLE_PREFIX . "course_enrollment ce ON m.member_id=ce.member_id WHERE ce.privileges > 0 AND ce.course_id={$course}"; $result = mysql_query($sql, $db); while ($row = mysql_fetch_assoc($result)) { if (query_bit($row['privileges'], $module->getPrivilege())) { unset($row['privileges']); //we don't need the privilege to flow around $mail_list[] = $row; } } //Get instructor information $ins_id = $system_courses[$course]['member_id']; $sql = "SELECT email, first_name, last_name FROM " . TABLE_PREFIX . "members WHERE member_id={$ins_id}"; $result = mysql_query($sql, $db); $row = mysql_fetch_assoc($result); $mail_list[] = $row; //Send email notification to both assistants with privileges & Instructor foreach ($mail_list as $row) { $to_email = $row['email']; $tmp_message = $row['first_name'] . ' ' . $row['last_name'] . "\n\n";
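/**
 * Updates the role & privileges of a course member.
 *
 * @access private
 * @param int   $member member_id of the user whose privileges are updated;
 *                      cast to int before being embedded in SQL
 * @param array $privs  privilege bit values (one per checked box) submitted
 *                      by the form; may be empty or null
 * @author Joel Kronenberg
 */
function change_privs($member, $privs)
{
    // $msg must be imported here: it is used in the error branch below.
    global $db, $course_id, $msg;

    $member = intval($member);

    // Combine the submitted bits with OR rather than addition: a repeated or
    // overlapping value must not carry into an unrelated, higher bit.
    $privilege = 0;
    if (!empty($privs)) {
        foreach ($privs as $priv) {
            $privilege |= intval($priv);
        }
    }

    /*
     * If we're making a student a GROUP TA then we have to remove them
     * from all the groups they may belong to.
     */
    if (query_bit($privilege, AT_PRIV_GROUPS)) {
        $group_list = implode(',', array_map('intval', $_SESSION['groups']));
        if ($group_list) {
            $sql = "DELETE FROM " . TABLE_PREFIX . "groups_members WHERE group_id IN ({$group_list}) AND member_id={$member}";
            $result = mysql_query($sql, $db);
        }
    }

    $sql = "UPDATE " . TABLE_PREFIX . "course_enrollment SET `privileges`={$privilege} WHERE member_id={$member} AND course_id={$course_id} AND `approved`='y'";
    $result = mysql_query($sql, $db);

    // print error or confirm change
    if (!$result) {
        $msg->printErrors('DB_NOT_UPDATED');
        exit;
    }
}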
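/**
 * Transforms text based on formatting preferences.
 * Can be called as:
 * 1) $output = AT_print($input, $name);
 *    echo $output;
 *
 * 2) echo AT_print($input, $name); // preferred method
 *
 * $input is taken by value; the transformed text is only available through
 * the return value.
 *
 * @access public
 * @param string  $input        text being transformed
 * @param string  $name         the unique name of this field (convention: table_name.field_name)
 * @param boolean $runtime_html forcefully disables html formatting for $input (only used by fields that
 *                              have the 'formatting' option)
 * @return string transformed $input
 * @see AT_FORMAT constants in include/lib/constants.inc.php
 * @see query_bit() in include/vitals.inc.php
 * @author Joel Kronenberg
 */
function AT_print($input, $name, $runtime_html = true)
{
    global $_field_formatting, $_config;

    if (!isset($_field_formatting[$name])) {
        /* field not set, check if there's a global setting */
        $parts = explode('.', $name);

        /* check if wildcard is set: */
        if (isset($_field_formatting[$parts[0] . '.*'])) {
            $name = $parts[0] . '.*';
        } else {
            /* field not set, and there's no global setting */
            /* same as AT_FORMAT_NONE */
            return $input;
        }
    }

    if (query_bit($_field_formatting[$name], AT_FORMAT_QUOTES)) {
        // Entity-encode both quote styles so the value is safe inside an
        // HTML attribute (an identity replacement here would escape nothing).
        $input = str_replace('"', '&quot;', $input);
        $input = str_replace('\'', '&#039;', $input);
    }

    if (query_bit($_field_formatting[$name], AT_FORMAT_CONTENT_DIR)) {
        $input = str_replace('CONTENT_DIR/', '', $input);
    }

    if (query_bit($_field_formatting[$name], AT_FORMAT_HTML) && $runtime_html) {
        /* what special things do we have to do if this is HTML ?
           remove unwanted HTML? validate? */
    } else {
        // Plain-text field: neutralise tag openers, then keep line breaks.
        $input = str_replace('<', '&lt;', $input);
        $input = nl2br($input);
    }

    if (isset($_config['latex_server']) && $_config['latex_server']) {
        // Render [tex]...[/tex] spans as images served by the LaTeX server.
        // A callback replaces the former /e (eval) modifier, which PHP 7
        // removed; the formula is URL-encoded for src and entity-encoded
        // (without double-encoding) for the alt/title attributes.
        $latex_server = $_config['latex_server'];
        $input = preg_replace_callback(
            '/\[tex\](.*?)\[\/tex\]/si',
            function ($m) use ($latex_server) {
                $label = htmlspecialchars($m[1], ENT_QUOTES, 'UTF-8', false);
                return '<img src="' . $latex_server . rawurlencode($m[1]) . '" align="middle" alt="' . $label . '" title="' . $label . '">';
            },
            $input
        );
    }

    /* this has to be here, only because AT_FORMAT_HTML is the only check that has an else-block */
    if ($_field_formatting[$name] === AT_FORMAT_NONE) {
        return $input;
    }

    if (query_bit($_field_formatting[$name], AT_FORMAT_EMOTICONS)) {
        $input = smile_replace($input);
    }

    if (query_bit($_field_formatting[$name], AT_FORMAT_ATCODES)) {
        $input = trim(myCodes(' ' . $input . ' '));
    }

    if (query_bit($_field_formatting[$name], AT_FORMAT_LINKS)) {
        $input = trim(make_clickable(' ' . $input . ' '));
    }

    if (query_bit($_field_formatting[$name], AT_FORMAT_IMAGES)) {
        $input = trim(image_replace(' ' . $input . ' '));
    }

    return $input;
}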
"><?php echo _AT('date'); ?> </a></th> </tr> </thead> <tfoot> <tr> <td colspan="7"> <input type="submit" name="download" value="<?php echo _AT('download'); ?> " class="button"/> <?php if (query_bit($owner_status, WORKSPACE_AUTH_WRITE)) { ?> <?php if ($owner_type != WORKSPACE_COURSE && !($owner_type == WORKSPACE_PERSONAL && ($_SESSION['is_admin'] || authenticate(AT_PRIV_GROUPS, true)))) { ?> <input type="submit" name="assignment" value="<?php echo _AT('hand_in'); ?> " class="button"/> <?php } ?> <input type="submit" name="edit" value="<?php echo _AT('edit'); ?> " class="button"/>
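/**
 * Updates the role & privileges of a course member.
 *
 * @access private
 * @param int   $member member_id of the user whose privileges are updated
 *                      (bound through %d, so it always reaches SQL as an integer)
 * @param array $privs  privilege bit values (one per checked box) submitted
 *                      by the form; may be empty or null
 * @author Joel Kronenberg
 */
function change_privs($member, $privs)
{
    global $db, $course_id, $msg;

    // Combine the submitted bits with OR rather than addition: a repeated or
    // overlapping value must not carry into an unrelated, higher bit.
    $privilege = 0;
    if (!empty($privs)) {
        foreach ($privs as $priv) {
            $privilege |= intval($priv);
        }
    }

    /*
     * If we're making a student a GROUP TA then we have to remove them
     * from all the groups they may belong to.
     */
    if (query_bit($privilege, AT_PRIV_GROUPS)) {
        // The IN (...) list is spliced in as a string (%s), so make sure it
        // can only ever contain integers.
        $group_list = implode(',', array_map('intval', $_SESSION['groups']));
        if ($group_list) {
            $sql = "DELETE FROM %sgroups_members WHERE group_id IN (%s) AND member_id=%d";
            $result = queryDB($sql, array(TABLE_PREFIX, $group_list, $member));
        }
    }

    $sql = "UPDATE %scourse_enrollment SET privileges=%d WHERE member_id=%d AND course_id=%d AND `approved`='y'";
    $result = queryDB($sql, array(TABLE_PREFIX, $privilege, $member, $course_id));

    // print error or confirm change
    if ($result == 0) {
        $msg->addError('DB_NOT_UPDATED');
    }
}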
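/**
 * Decide whether the current user may take test $tid.
 *
 * Order of checks: course admins always pass; members who are not enrolled
 * (or not approved) never do; a test with no group restriction is open to
 * every approved member; otherwise membership in one of the test's groups,
 * or assistant privileges covering both groups and tests, is required.
 *
 * @param int $tid test id; cast to int before being embedded in SQL
 * @return bool
 */
function authenticate_test($tid)
{
    if (authenticate(AT_PRIV_ADMIN, AT_PRIV_RETURN)) {
        return TRUE;
    }
    if (!$_SESSION['enroll']) {
        return FALSE;
    }

    global $db;

    // Every value interpolated below is forced to an integer first, so the
    // queries can only ever receive numbers.
    $tid = intval($tid);
    $member_id = intval($_SESSION['member_id']);
    $cid = intval($_SESSION['course_id']);

    $sql = "SELECT approved FROM " . TABLE_PREFIX . "course_enrollment WHERE member_id={$member_id} AND course_id={$cid} AND approved='y'";
    $result = mysql_query($sql, $db);
    if (!$result || !($row = mysql_fetch_assoc($result))) {
        return FALSE;
    }

    $sql = "SELECT group_id FROM " . TABLE_PREFIX . "tests_groups WHERE test_id={$tid}";
    $result = mysql_query($sql, $db);
    if (!$result || mysql_num_rows($result) == 0) {
        // not limited to any group; everyone has access:
        return TRUE;
    }

    while ($row = mysql_fetch_assoc($result)) {
        $group_id = intval($row['group_id']);
        $sql = "SELECT * FROM " . TABLE_PREFIX . "groups_members WHERE group_id={$group_id} AND member_id={$member_id}";
        $result2 = mysql_query($sql, $db);
        if ($result2 && ($row2 = mysql_fetch_assoc($result2))) {
            return TRUE;
        }
    }

    // Check assistants privileges. The table name must go through
    // TABLE_PREFIX like every other query; a hard-coded "at_" prefix breaks
    // installs that use a different one.
    $sql = "SELECT privileges FROM " . TABLE_PREFIX . "course_enrollment WHERE member_id={$member_id} AND course_id={$cid}";
    $result = mysql_query($sql, $db);
    if ($result && ($row = mysql_fetch_assoc($result))) {
        $privileges = $row['privileges'];
        if (query_bit($privileges, AT_PRIV_GROUPS) && query_bit($privileges, AT_PRIV_TESTS)) {
            return TRUE;
        }
    }

    return FALSE;
}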
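/**
 * Transforms text based on formatting preferences.
 * Can be called as:
 * 1) $output = AC_print($input, $name);
 *    echo $output;
 *
 * 2) echo AC_print($input, $name); // preferred method
 *
 * $input is taken by value; the transformed text is only available through
 * the return value.
 *
 * @access public
 * @param string  $input        text being transformed
 * @param string  $name         the unique name of this field (convention: table_name.field_name)
 * @param boolean $runtime_html forcefully disables html formatting for $input (only used by fields that
 *                              have the 'formatting' option)
 * @return string transformed $input
 * @see AC_FORMAT constants in include/lib/constants.inc.php
 * @see query_bit() in include/vitals.inc.php
 * @author Joel Kronenberg
 */
function AC_print($input, $name, $runtime_html = true)
{
    global $_field_formatting;

    if (!isset($_field_formatting[$name])) {
        /* field not set, check if there's a global setting */
        $parts = explode('.', $name);

        /* check if wildcard is set: */
        if (isset($_field_formatting[$parts[0] . '.*'])) {
            $name = $parts[0] . '.*';
        } else {
            /* field not set, and there's no global setting */
            /* same as AC_FORMAT_NONE */
            return $input;
        }
    }

    if (query_bit($_field_formatting[$name], AC_FORMAT_QUOTES)) {
        // Entity-encode double quotes so the value is safe inside an HTML
        // attribute (an identity replacement here would escape nothing).
        $input = str_replace('"', '&quot;', $input);
    }

    if (query_bit($_field_formatting[$name], AC_FORMAT_HTML) && $runtime_html) {
        /* what special things do we have to do if this is HTML ?
           remove unwanted HTML? validate? */
    } else {
        // Plain-text field: neutralise tag openers, then keep line breaks.
        $input = str_replace('<', '&lt;', $input);
        $input = nl2br($input);
    }

    /* this has to be here, only because AC_FORMAT_HTML is the only check that has an else-block */
    if ($_field_formatting[$name] === AC_FORMAT_NONE) {
        return $input;
    }

    if (query_bit($_field_formatting[$name], AC_FORMAT_EMOTICONS)) {
        $input = smile_replace($input);
    }

    if (query_bit($_field_formatting[$name], AC_FORMAT_ATCODES)) {
        $input = trim(myCodes(' ' . $input . ' '));
    }

    if (query_bit($_field_formatting[$name], AC_FORMAT_LINKS)) {
        $input = trim(make_clickable(' ' . $input . ' '));
    }

    if (query_bit($_field_formatting[$name], AC_FORMAT_IMAGES)) {
        $input = trim(image_replace(' ' . $input . ' '));
    }

    return $input;
}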
<br /> <table width="100%" border="0" cellspacing="5" cellpadding="0" summary=""> <tr> <?php $count = 0; $this->student_row['privileges'] = intval($this->student_row['privileges']); $module_list = $moduleFactory->getModules(AT_MODULE_STATUS_ENABLED, 0, TRUE); $keys = array_keys($module_list); foreach ($keys as $module_name) { $module =& $module_list[$module_name]; if (!($module->getPrivilege() > 1)) { continue; } $count++; echo '<td><label><input type="checkbox" name="privs[' . $k . '][]" value="' . $module->getPrivilege() . '" '; if (query_bit($this->student_row['privileges'], $module->getPrivilege())) { echo 'checked="checked"'; } echo ' />' . $module->getName() . '</label></td>'; if (!($count % $this->num_cols)) { echo '</tr><tr>'; } } if ($count % $this->num_cols) { echo '<td colspan="' . ($this->num_cols - $count % $this->num_cols) . '"> </td>'; } else { echo '<td colspan="' . $this->num_cols . '"> </td>'; } ?> </tr> </table>
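/**
 * Decide whether the current user may take test $tid.
 *
 * Order of checks: course admins always pass; members who are not enrolled
 * (or not approved) never do; a test with no group restriction is open to
 * every approved member; otherwise membership in one of the test's groups,
 * or assistant privileges covering both groups and tests, is required.
 *
 * @param int $tid test id (bound through %d, so it always reaches SQL as an integer)
 * @return bool
 */
function authenticate_test($tid)
{
    if (authenticate(AT_PRIV_ADMIN, AT_PRIV_RETURN)) {
        return TRUE;
    }
    if (!$_SESSION['enroll']) {
        return FALSE;
    }

    // The member must hold an approved enrolment in the current course.
    $sql = "SELECT approved FROM %scourse_enrollment WHERE member_id=%d AND course_id=%d AND approved='y'";
    $result = queryDB($sql, array(TABLE_PREFIX, $_SESSION['member_id'], $_SESSION['course_id']), TRUE);
    if (count($result) == 0) {
        return FALSE;
    }

    $sql = "SELECT group_id FROM %stests_groups WHERE test_id=%d";
    $rows_groups = queryDB($sql, array(TABLE_PREFIX, $tid));
    if (count($rows_groups) == 0) {
        // not limited to any group; everyone has access:
        return TRUE;
    }

    foreach ($rows_groups as $row) {
        $sql = "SELECT * FROM %sgroups_members WHERE group_id=%d AND member_id=%d";
        $rows_members = queryDB($sql, array(TABLE_PREFIX, $row['group_id'], $_SESSION['member_id']));
        if (count($rows_members) > 0) {
            return TRUE;
        }
    }

    // Check assistants privileges. A single row is requested, so read its
    // first column with reset(): list() only reads numeric index 0 and
    // yields null for a row keyed by column name, which would make this
    // check silently never grant access.
    $sql = "SELECT privileges FROM %scourse_enrollment WHERE member_id=%d AND course_id=%d";
    $row_privileges = queryDB($sql, array(TABLE_PREFIX, $_SESSION['member_id'], $_SESSION['course_id']), TRUE);
    if (count($row_privileges) > 0) {
        $privileges = reset($row_privileges);
        if (query_bit($privileges, AT_PRIV_GROUPS) && query_bit($privileges, AT_PRIV_TESTS)) {
            return TRUE;
        }
    }

    return FALSE;
}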