function update_wkst($id, $objec, $instr, $coa) {
    // Update the free-text columns of one assessment_worksheet row and emit a
    // JSON success body. A null argument means "leave that column as it is".
    // Non-admins must pass check_assessment_access() for this worksheet;
    // otherwise the request is rejected with page_fail(UNAUTHORIZED).
    if (!abet_is_admin_authenticated()
        && !check_assessment_access($_SESSION['id'], $id, 'assessment_worksheet')) {
        page_fail(UNAUTHORIZED);
    }

    // column name => new value, in the order the columns are written. The "s:"
    // prefix appears to be the type tag QueryBuilder expects for string
    // parameters (the where clause below tags the id with "i:").
    $candidates = [
        'objective' => $objec,
        'instrument' => $instr,
        'course_of_action' => $coa,
    ];
    $updates = [];
    foreach ($candidates as $column => $value) {
        if ($value !== null) {
            $updates[$column] = "s:{$value}";
        }
    }

    if ($updates !== []) {
        // Nothing reads $query afterwards, so constructing it presumably
        // executes the UPDATE; the row is addressed by its primary key.
        $query = new Query(new QueryBuilder(UPDATE_QUERY, [
            'table' => 'assessment_worksheet',
            'updates' => $updates,
            'where' => 'id = ?',
            'where-params' => ["i:{$id}"],
            'limit' => 1,
        ]));
    }

    echo "{\"success\":true}";
}
<head> <title>ABET</title> <script src="scripts/jquery.min.js" type="text/javascript"></script> <script src="scripts/jquery-ui.min.js" type="text/javascript"></script> <script src="scripts/abet.js" type="text/javascript"></script> <script src="scripts/home.js" type="text/javascript"></script> <script src="scripts/profile.js" type="text/javascript"></script> <script src="scripts/navigation.js" type="text/javascript"></script> <script src="scripts/content.js" type="text/javascript"></script> <script src="scripts/rubric.js" type="text/javascript"></script> <script src="scripts/worksheet.js" type="text/javascript"></script> <script src="scripts/search.js" type="text/javascript"></script> <script src="scripts/tree.js" type="text/javascript"></script> <script src="scripts/confirm.js" type="text/javascript"></script> <?php if (abet_is_admin_authenticated()) { ?> <!-- Admin only scripts go here --> <script src="scripts/usercreate.js" type="text/javascript"></script> <script src="scripts/program.js" type="text/javascript"></script> <script src="scripts/assessment.js" type="text/javascript"></script> <script src="scripts/characteristics.js" type="text/javascript"></script> <script src="scripts/course.js" type="text/javascript"></script> <?php } ?> <link rel="stylesheet" href="stylesheets/abet.css" /> <link rel="stylesheet" href="stylesheets/tree.css" /> <link rel="stylesheet" href="stylesheets/confirm.css" /> <script type="text/javascript"> user = "<?php
create_unique_id($editAssessment, 'edit-assessment');
$assessment->children[] = $editAssessment;
}
$parent->children[] = $assessment;
return $assessment;
}

// Navigation endpoint: answers a GET with a JSON array of navigation trees
// covering every assessment the current user is allowed to see.
header('Content-Type: application/json');
if (!abet_is_authenticated()) {
    page_fail(UNAUTHORIZED);
}
if ($_SERVER['REQUEST_METHOD'] != 'GET') {
    page_fail(BAD_REQUEST);
}

// output is array of navigation trees
$navTrees = array();
$isAdmin = abet_is_admin_authenticated();

// design query to select all navigation for current user
// 'tables' maps each table to the columns to fetch; 'joins' is a list of raw
// JOIN clauses. Admins get a RIGHT OUTER join on abet_criterion, so criteria
// that have no assessment yet still appear for them (presumably so one can be
// created); other users only see criteria that already have an assessment.
$qbInfo = array(
    'tables' => array(
        'abet_assessment' => array('id', 'name'),
        'program' => array('id', 'name', 'semester', 'year'),
        'abet_criterion' => array('id', 'rank', 'description'),
        'abet_characteristic' => array('id', 'level', 'program_specifier', 'short_name'),
        'assessment_worksheet' => array('id', 'activity'),
        'general_content' => 'id',
        'rubric' => 'id',
        'course' => 'course_number'
    ),
    'joins' => array(
        "INNER JOIN program ON abet_assessment.fk_program = program.id",
        ($isAdmin ? "RIGHT OUTER" : "INNER") . " JOIN abet_criterion ON abet_assessment.fk_criterion = abet_criterion.id",
        "LEFT OUTER JOIN abet_characteristic ON abet_assessment.fk_characteristic = abet_characteristic.id",
        "LEFT OUTER JOIN assessment_worksheet ON abet_assessment.id = assessment_worksheet.fk_assessment",
        "LEFT OUTER JOIN general_content ON abet_assessment.id = general_content.fk_assessment",
        "LEFT OUTER JOIN rubric ON assessment_worksheet.fk_rubric = rubric.id",
        "LEFT OUTER JOIN course ON assessment_worksheet.fk_course = course.id"
    ),
    'orderby' => "program.year, program.semester, program.name, abet_criterion.rank, abet_characteristic.level, course.course_number"
);

// if the user is not an admin and not an observer, restrict their access
// according to the ACLs for the given assessments
if (!$isAdmin && !abet_is_observer()) {
    // join on the acl tables to restrict access
    // NOTE(review): the profile id is interpolated straight into the JOIN text
    // instead of being bound as a typed parameter (the "i:{$id}" where-params
    // style used by the other queries in this codebase). That is only safe if
    // $_SESSION['id'] is always an integer set by the login code — confirm, or
    // move the comparison into a bound where-params entry.
    $qbInfo['joins'][] = "INNER JOIN acl ON abet_assessment.fk_acl = acl.id";
    $qbInfo['joins'][] = "INNER JOIN acl_entry ON acl_entry.fk_acl = acl.id 
AND acl_entry.fk_profile = '{$_SESSION['id']}'";
}

// grab all assessments that the user can access, along with their keys
$query = new Query(new QueryBuilder(SELECT_QUERY, $qbInfo));

// structure the navigation tree around the hierarchy of assessments to which the
// user has access; we present the same navigation structure to all kinds of users
$userTools = new stdClass();
$userTools->label = 'Content';
// delete the specified entity
echo delete_content($_POST['delete'], $kind);
} else {
    if (array_key_exists('id', $_POST)) {
        // update content (single entity)
        // The entity kind is inferred from which text field was posted:
        // 'file_comment' selects a file_upload row, 'content' a user_comment row.
        if (array_key_exists('file_comment', $_POST)) {
            $kind = 'file_upload';
        } else {
            if (array_key_exists('content', $_POST)) {
                $kind = 'user_comment';
            } else {
                page_fail(BAD_REQUEST);
            }
        }
        // verify that the user can access the entity
        // $found is filled in by the access check (by reference, presumably) so
        // that a missing entity is reported as NOT_FOUND, not UNAUTHORIZED.
        if (!abet_is_admin_authenticated() && !check_general_content_item_access($_SESSION['id'], $_POST['id'], $kind, $found)) {
            page_fail($found ? UNAUTHORIZED : NOT_FOUND);
        }
        // for security's sake I create these manually
        // (the update map is built from a fixed set of keys rather than copied
        // from $_POST, so unexpected POST fields never reach update_content()
        // as column writes)
        // NOTE(review): 'id' is stored without the "s:" type prefix the other
        // values carry — confirm update_content() binds it as a parameter.
        $updates = array();
        $updates['id'] = $_POST['id'];
        if (array_key_exists('file_comment', $_POST)) {
            $updates['file_comment'] = "s:{$_POST['file_comment']}";
        } else {
            $updates['content'] = "s:{$_POST['content']}";
        }
        update_content($kind, $updates);
        echo "{\"success\":true}";
    } else {
        page_fail(BAD_REQUEST);
    }
function delete_competency($id) {
    // Delete one competency_results row ('id' is the competency id) and return
    // a JSON success body. Non-admins must pass check_competency_result_access;
    // that call fills $found (by reference, presumably) so a missing row can be
    // reported as NOT_FOUND instead of UNAUTHORIZED.
    $allowed = abet_is_admin_authenticated()
        || check_competency_result_access($_SESSION['id'], $id, $found);
    if (!$allowed) {
        if (!$found) {
            page_fail(NOT_FOUND);
        }
        page_fail(UNAUTHORIZED);
    }

    // $query is never read afterwards, so constructing it presumably runs the
    // DELETE; the row is addressed by its primary key.
    $query = new Query(new QueryBuilder(DELETE_QUERY, [
        'tables' => 'competency_results',
        'where' => "competency_results.id = ?",
        'where-params' => ["i:{$id}"],
        'limit' => 1,
    ]));

    return "{\"success\":true}";
}
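a file_upload entity as the GET argument. The script checks access to the file before allowing it to be downloaded. */

// Authentication gate. This endpoint serves a file, so errors are rendered as
// small HTML pages rather than the JSON bodies used by the API scripts.
if (!abet_is_authenticated()) {
    http_response_code(UNAUTHORIZED);
    header('Content-Type: text/html');
    echo "<h1>Access to the specified object is unauthorized.</h1>";
    exit;
}

// The file_upload id must arrive as the 'id' GET parameter.
if (!array_key_exists('id', $_GET)) {
    http_response_code(BAD_REQUEST);
    header('Content-Type: text/html');
    echo "<h1>Bad request: try again...</h1>"; // closing tag was missing
    exit;
}

// Per-object authorization: admins and observers may fetch any file; everyone
// else must pass the ACL check for this specific file_upload. $found is set by
// check_general_content_item_access (by reference, presumably) so a missing
// object is answered with NOT_FOUND instead of UNAUTHORIZED.
if (!abet_is_admin_authenticated() && !abet_is_observer()
    && !check_general_content_item_access($_SESSION['id'], $_GET['id'], 'file_upload', $found)) {
    header('Content-Type: text/html');
    if ($found) {
        http_response_code(UNAUTHORIZED);
        echo "<h1>Access to the specified object is unauthorized or it has been removed.</h1>";
    } else {
        http_response_code(NOT_FOUND);
        echo "<h1>The specified object was not found. It's possible it was removed.</h1>";
    }
    exit;
}

// Access confirmed: hand the id to the download routine. For admins and
// observers the id reaches file_download() without having been resolved by
// the access check above — confirm file_download() validates it itself.
file_download($_GET['id']);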