function check_competency_result_access($userId, $crId, &$found) {
    // Authorization for a competency_results row. The row is mapped to the
    // assessment_worksheet that owns it (competency_results -> rubric_results
    // -> assessment_worksheet) and the decision is delegated to
    // check_assessment_access() on that worksheet.
    //
    // $found (out): whether a worksheet could be resolved for $crId at all.
    // Returns: whether $userId may access the competency result; always false
    // when nothing was found.
    //
    // $crId travels through 'where-params' as a typed ("i:") parameter for the
    // '?' placeholder; it is not spliced into the SQL text itself.
    $lookup = new Query(new QueryBuilder(SELECT_QUERY, array(
        'tables' => array('assessment_worksheet' => 'id'),
        'joins' => array(
            "INNER JOIN rubric_results ON rubric_results.id = assessment_worksheet.fk_rubric_results",
            "INNER JOIN competency_results ON competency_results.fk_rubric_results = rubric_results.id",
        ),
        'where' => "competency_results.id = ?",
        'where-params' => array("i:{$crId}"),
    )));

    $found = !$lookup->is_empty();
    if (!$found) {
        return false;
    }

    // first column of the first row is the owning worksheet id
    list($wkstId) = $lookup->get_row_ordered();
    return check_assessment_access($userId, $wkstId, 'assessment_worksheet');
}
function update_wkst($id, $objec, $instr, $coa) {
    // Partially update the free-text columns of assessment_worksheet $id.
    // A null argument leaves its column untouched. The caller must be an
    // authenticated admin or pass check_assessment_access() for the worksheet;
    // otherwise page_fail(UNAUTHORIZED) is invoked (expected to end the
    // request, as the code below does not guard against its return).
    // Emits a JSON success object on completion.
    if (!abet_is_admin_authenticated()
        && !check_assessment_access($_SESSION['id'], $id, 'assessment_worksheet')) {
        page_fail(UNAUTHORIZED);
    }

    // column => incoming value; the "s:" prefix is the QueryBuilder string
    // parameter tag, so the values are bound rather than inlined
    $candidates = array(
        'objective' => $objec,
        'instrument' => $instr,
        'course_of_action' => $coa,
    );
    $updates = array();
    foreach ($candidates as $column => $value) {
        if ($value !== null) {
            $updates[$column] = "s:{$value}";
        }
    }

    if (!empty($updates)) {
        // limited to one row; the id goes through where-params, not the SQL text
        $query = new Query(new QueryBuilder(UPDATE_QUERY, array(
            'table' => 'assessment_worksheet',
            'updates' => $updates,
            'where' => 'id = ?',
            'where-params' => array("i:{$id}"),
            'limit' => 1,
        )));
    }

    echo '{"success":true}';
}
page_fail(BAD_REQUEST); } // double check access to content if (!abet_is_admin_authenticated() && !abet_is_observer() && !check_assessment_access($_SESSION['id'], $_GET['id'], 'general_content')) { page_fail(UNAUTHORIZED); } echo get_content($_GET['id']); } else { if ($_SERVER['REQUEST_METHOD'] == 'POST') { if (abet_is_observer()) { // observers can't post data page_fail(UNAUTHORIZED); } if (array_key_exists('id', $_POST) && array_key_exists('type', $_POST)) { // make sure user can access general_content entity if (!abet_is_admin_authenticated() && !check_assessment_access($_SESSION['id'], $_POST['id'], 'general_content')) { page_fail(UNAUTHORIZED); } // create new content (single entity) if ($_POST['type'] == 'file' && array_key_exists('file', $_FILES)) { // make sure file data was uploaded correctly if (!is_uploaded_file($_FILES['file']['tmp_name'])) { page_fail_with_reason(SERVER_ERROR, "file upload was unsuccessful"); } echo create_file($_POST['id']); } else { if ($_POST['type'] == 'comment') { echo create_comment($_POST['id']); } else { page_fail(BAD_REQUEST); }
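/**
 * Build a QueryBuilder 'updates' map from the keys present in $src.
 *
 * $spec maps an incoming key to array(column, typeTag). Only keys that exist
 * in $src produce an entry, encoded as "tag:value" (the parameter encoding
 * used throughout this file). The 'l' tag is the boolean encoding used for
 * pass_fail_type: the value's truthiness becomes "l:1" or "l:0".
 * Keys absent from $src leave their column untouched.
 */
function rubric_collect_updates($src, $spec) {
    $updates = array();
    foreach ($spec as $key => $target) {
        if (!array_key_exists($key, $src)) {
            continue;
        }
        list($column, $tag) = $target;
        if ($tag === 'l') {
            $updates[$column] = $src[$key] ? "l:1" : "l:0";
        } else {
            $updates[$column] = "{$tag}:{$src[$key]}";
        }
    }
    return $updates;
}

/**
 * Apply a partial update to a rubric and its related rows.
 *
 * $obj is the decoded request object: 'id' (required) is the
 * assessment_worksheet id; every other key is optional and only present keys
 * are written. Each related table is updated through generic_update() even
 * when no field for it was supplied (unchanged behavior).
 * Returns the JSON success body. Missing id and authorization failures are
 * routed to page_fail(), which the code relies on to end the request.
 */
function update_rubric($obj) {
    if (!array_key_exists('id', $obj)) {
        page_fail(BAD_REQUEST);
    }
    $wkstId = $obj['id'];

    // Worksheet-level authorization. Fix: this read $_SESSION[id] (bare
    // constant) instead of $_SESSION['id'] as the rest of the file does; that
    // is a warning on PHP 7 and an Error on PHP 8, so the check could not run.
    if (!abet_is_admin_authenticated()
        && !check_assessment_access($_SESSION['id'], $wkstId, 'assessment_worksheet')) {
        page_fail(UNAUTHORIZED);
    }

    list($rId, $rdId, $rrId) = grab_rubric_ids($wkstId);

    // 'rubric': threshold is numeric ('d'), the rest are strings ('s')
    generic_update('rubric', $rId, rubric_collect_updates($obj, array(
        'name' => array('name', 's'),
        'threshold' => array('threshold', 'd'),
        'threshold_desc' => array('threshold_desc', 's'),
    )));

    // 'rubric_description'
    generic_update('rubric_description', $rdId, rubric_collect_updates($obj, array(
        'outstanding_desc' => array('outstanding_desc', 's'),
        'expected_desc' => array('expected_desc', 's'),
        'marginal_desc' => array('marginal_desc', 's'),
        'unacceptable_desc' => array('unacceptable_desc', 's'),
    )));

    // 'rubric_results'
    generic_update('rubric_results', $rrId, rubric_collect_updates($obj, array(
        'total_students' => array('total_students', 'i'),
    )));

    // each competency
    if (array_key_exists('competency', $obj)) {
        foreach ($obj['competency'] as $comp) {
            if (!array_key_exists('id', $comp)) {
                continue;
            }
            $compId = $comp['id'];

            // Competency ids come from the request body, so each one is
            // authorized on its own (through its owning worksheet) rather than
            // assumed to belong to $wkstId. Inaccessible entries are skipped
            // silently, as before; $found is not consulted.
            if (!abet_is_admin_authenticated()
                && !check_competency_result_access($_SESSION['id'], $compId, $found)) {
                continue;
            }

            // field order matches the original update so the generated
            // statement is unchanged; 'description' maps to competency_desc
            generic_update('competency_results', $compId, rubric_collect_updates($comp, array(
                'description' => array('competency_desc', 's'),
                'outstanding_tally' => array('outstanding_tally', 's'),
                'expected_tally' => array('expected_tally', 's'),
                'marginal_tally' => array('marginal_tally', 's'),
                'unacceptable_tally' => array('unacceptable_tally', 's'),
                'pass_fail_type' => array('pass_fail_type', 'l'),
                'comment' => array('comment', 's'),
            )));
        }
    }

    return '{"success":true}';
}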