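/**
 * Update the editable fields of an assessment worksheet and emit a JSON
 * success body.
 *
 * A null argument means "leave that column unchanged"; only non-null fields
 * are written. When all three are null no statement is issued at all, but
 * the success response is still emitted.
 *
 * @param mixed       $id    worksheet row id; bound with the "i:" (integer) marker
 * @param string|null $objec new 'objective' text, or null to keep the current value
 * @param string|null $instr new 'instrument' text, or null to keep the current value
 * @param string|null $coa   new 'course_of_action' text, or null to keep the current value
 */
function update_wkst($id, $objec, $instr, $coa)
{
    // Authorization: admins may edit any worksheet; everyone else needs an
    // ACL grant on this specific worksheet. page_fail() is relied upon to end
    // the request here — nothing below guards against it returning.
    if (!abet_is_admin_authenticated() && !check_assessment_access($_SESSION['id'], $id, 'assessment_worksheet')) {
        page_fail(UNAUTHORIZED);
    }

    // Column => value map for the UPDATE. The "s:" / "i:" prefixes are
    // presumably QueryBuilder's type markers for bound parameters
    // (string / integer) — values travel as parameters, not SQL text.
    $us = array();
    if ($objec !== null) {
        $us['objective'] = "s:{$objec}";
    }
    if ($instr !== null) {
        $us['instrument'] = "s:{$instr}";
    }
    if ($coa !== null) {
        $us['course_of_action'] = "s:{$coa}";
    }

    if (count($us) > 0) {
        // Query is constructed purely for its side effect (executing the
        // UPDATE); the object itself was never read, so it is not kept.
        new Query(new QueryBuilder(UPDATE_QUERY, array('table' => 'assessment_worksheet', 'updates' => $us, 'where' => 'id = ?', 'where-params' => array("i:{$id}"), 'limit' => 1)));
    }
    echo "{\"success\":true}";
}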
	<head>
		<title>ABET</title>
		<script src="scripts/jquery.min.js" type="text/javascript"></script>
		<script src="scripts/jquery-ui.min.js" type="text/javascript"></script>
		<script src="scripts/abet.js" type="text/javascript"></script>
		<script src="scripts/home.js" type="text/javascript"></script>
		<script src="scripts/profile.js" type="text/javascript"></script>
		<script src="scripts/navigation.js" type="text/javascript"></script>
		<script src="scripts/content.js" type="text/javascript"></script>
		<script src="scripts/rubric.js" type="text/javascript"></script>
		<script src="scripts/worksheet.js" type="text/javascript"></script>
		<script src="scripts/search.js" type="text/javascript"></script>
		<script src="scripts/tree.js" type="text/javascript"></script>
		<script src="scripts/confirm.js" type="text/javascript"></script>
		<?php 
// Admin-only client assets. Withholding these <script> tags from non-admin
// sessions is a UI convenience, not an access control: the script files are
// still static and fetchable, so every endpoint they call must perform its own
// server-side abet_is_admin_authenticated() check (as the API scripts do).
if (abet_is_admin_authenticated()) {
    ?>
		<!-- Admin only scripts go here -->
		<script src="scripts/usercreate.js" type="text/javascript"></script>
		<script src="scripts/program.js" type="text/javascript"></script>
		<script src="scripts/assessment.js" type="text/javascript"></script>
		<script src="scripts/characteristics.js" type="text/javascript"></script>
		<script src="scripts/course.js" type="text/javascript"></script>
		<?php 
// end of admin-only assets
}
?>
		<link rel="stylesheet" href="stylesheets/abet.css" />
		<link rel="stylesheet" href="stylesheets/tree.css" />
		<link rel="stylesheet" href="stylesheets/confirm.css" />
		<script type="text/javascript">
			user = "<?php 
        create_unique_id($editAssessment, 'edit-assessment');
        $assessment->children[] = $editAssessment;
    }
    $parent->children[] = $assessment;
    return $assessment;
}
// Every response from this endpoint is JSON. Reject unauthenticated callers
// and any method other than GET before doing work; page_fail() is assumed to
// terminate the request (nothing below guards against it returning).
header('Content-Type: application/json');
if (!abet_is_authenticated()) {
    page_fail(UNAUTHORIZED);
}
if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
    page_fail(BAD_REQUEST);
}

// Result container: one navigation tree per top-level group.
$navTrees = [];
$isAdmin = abet_is_admin_authenticated();

// SELECT description for everything the navigation needs in one round trip.
// Admins get a RIGHT OUTER join on abet_criterion so criteria without any
// assessment still appear; other users only see criteria reachable through
// an assessment.
$qbInfo = [
    'tables' => [
        'abet_assessment' => ['id', 'name'],
        'program' => ['id', 'name', 'semester', 'year'],
        'abet_criterion' => ['id', 'rank', 'description'],
        'abet_characteristic' => ['id', 'level', 'program_specifier', 'short_name'],
        'assessment_worksheet' => ['id', 'activity'],
        'general_content' => 'id',
        'rubric' => 'id',
        'course' => 'course_number',
    ],
    'joins' => [
        'INNER JOIN program ON abet_assessment.fk_program = program.id',
        ($isAdmin ? 'RIGHT OUTER' : 'INNER') . ' JOIN abet_criterion ON abet_assessment.fk_criterion = abet_criterion.id',
        'LEFT OUTER JOIN abet_characteristic ON abet_assessment.fk_characteristic = abet_characteristic.id',
        'LEFT OUTER JOIN assessment_worksheet ON abet_assessment.id = assessment_worksheet.fk_assessment',
        'LEFT OUTER JOIN general_content ON abet_assessment.id = general_content.fk_assessment',
        'LEFT OUTER JOIN rubric ON assessment_worksheet.fk_rubric = rubric.id',
        'LEFT OUTER JOIN course ON assessment_worksheet.fk_course = course.id',
    ],
    'orderby' => 'program.year, program.semester, program.name, abet_criterion.rank, abet_characteristic.level, course.course_number',
];

// Users who are neither admin nor observer are restricted to assessments
// whose ACL lists their profile.
if (!$isAdmin && !abet_is_observer()) {
    $qbInfo['joins'][] = 'INNER JOIN acl ON abet_assessment.fk_acl = acl.id';
    // NOTE(review): the profile id is spliced into the SQL text rather than
    // bound. It comes from the server-side session, not the request, but the
    // rest of this code base binds ids via 'where-params' with an "i:" marker;
    // worth confirming whether QueryBuilder can bind join parameters, or at
    // least that the session id is always an integer.
    $qbInfo['joins'][] = "INNER JOIN acl_entry ON acl_entry.fk_acl = acl.id AND acl_entry.fk_profile = '{$_SESSION['id']}'";
}

// Fetch every assessment the user may see, with the keys needed to build links.
$query = new Query(new QueryBuilder(SELECT_QUERY, $qbInfo));

// Root node of the tree; the same structure is shown to every kind of user.
$userTools = new stdClass();
$userTools->label = 'Content';
     // delete the specified entity
     echo delete_content($_POST['delete'], $kind);
 } else {
     if (array_key_exists('id', $_POST)) {
         // Single-entity update. The entity kind is inferred from which field
         // was submitted: a file comment edits a file_upload row, free text
         // edits a user_comment row. page_fail() is relied upon to end the
         // request when neither is present.
         if (array_key_exists('file_comment', $_POST)) {
             $kind = 'file_upload';
         } elseif (array_key_exists('content', $_POST)) {
             $kind = 'user_comment';
         } else {
             page_fail(BAD_REQUEST);
         }

         // Authorization: admins skip the ACL lookup entirely; for everyone
         // else $found (populated by the access check) lets "not yours" and
         // "does not exist" return distinct status codes.
         $canEdit = abet_is_admin_authenticated()
             || check_general_content_item_access($_SESSION['id'], $_POST['id'], $kind, $found);
         if (!$canEdit) {
             page_fail($found ? UNAUTHORIZED : NOT_FOUND);
         }

         // Build the column map from known keys only — never from the raw POST
         // array — so a client cannot name arbitrary columns to update.
         // NOTE(review): unlike the text fields, 'id' carries no "i:" type
         // marker; confirm update_content() treats it as the row key rather
         // than as a typed bound value.
         $updates = array('id' => $_POST['id']);
         if ($kind === 'file_upload') {
             $updates['file_comment'] = "s:{$_POST['file_comment']}";
         } else {
             $updates['content'] = "s:{$_POST['content']}";
         }
         update_content($kind, $updates);
         echo "{\"success\":true}";
     } else {
         page_fail(BAD_REQUEST);
     }
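/**
 * Delete one competency result and return the JSON success body.
 *
 * Access is verified before anything is removed: administrators may delete
 * any result, other users only those their ACL grants. $found — presumably
 * filled in by reference by the access check — separates "no such row"
 * (NOT_FOUND) from "exists but not yours" (UNAUTHORIZED). page_fail() is
 * relied upon to end the request in both cases.
 *
 * @param mixed $id competency_results row id; bound with the "i:" (integer) marker
 * @return string the JSON document {"success":true}
 */
function delete_competency($id)
{
    if (!abet_is_admin_authenticated() && !check_competency_result_access($_SESSION['id'], $id, $found)) {
        if (!$found) {
            page_fail(NOT_FOUND);
        }
        page_fail(UNAUTHORIZED);
    }
    // Query is constructed only for its side effect (running the DELETE); the
    // object was never read, so it is not kept. The id travels as a bound
    // parameter via 'where-params', not as SQL text.
    new Query(new QueryBuilder(DELETE_QUERY, array('tables' => 'competency_results', 'where' => "competency_results.id = ?", 'where-params' => array("i:{$id}"), 'limit' => 1)));
    return "{\"success\":true}";
}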
    a file_upload entity as the GET argument. The script checks access to the
    file before allowing it to be downloaded.
*/
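// Authentication gate: a session that is not logged in gets a 401 page
// before the request is inspected at all. All error pages here are static
// HTML with no request data echoed back.
if (!abet_is_authenticated()) {
    http_response_code(UNAUTHORIZED);
    header('Content-Type: text/html');
    echo "<h1>Access to the specified object is unauthorized.</h1>";
    exit;
}
// The file_upload id is mandatory.
if (!array_key_exists('id', $_GET)) {
    http_response_code(BAD_REQUEST);
    header('Content-Type: text/html');
    // The closing tag was missing; keep the markup well-formed like the other messages.
    echo "<h1>Bad request: try again...</h1>";
    exit;
}
// Per-object authorization. Admins and observers bypass the ACL lookup; for
// everyone else $found (presumably set by reference by the access check)
// distinguishes "exists but not yours" from "does not exist".
if (!abet_is_admin_authenticated() && !abet_is_observer() && !check_general_content_item_access($_SESSION['id'], $_GET['id'], 'file_upload', $found)) {
    header('Content-Type: text/html');
    if ($found) {
        http_response_code(UNAUTHORIZED);
        echo "<h1>Access to the specified object is unauthorized or it has been removed.</h1>";
    } else {
        http_response_code(NOT_FOUND);
        echo "<h1>The specified object was not found. It's possible it was removed.</h1>";
    }
    exit;
}
// NOTE(review): for admin and observer sessions the raw GET id reaches
// file_download() without the existence check above. That is fine provided
// file_download() resolves the id through the database record and never uses
// it as a path component — confirm.
file_download($_GET['id']);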