Exemplo n.º 1
0
}
//************* SESSION active past here **************************
$student_id = "";
if (isset($_GET['student_id'])) {
    $student_id = $_GET['student_id'];
}
if (isset($_POST['student_id'])) {
    $student_id = $_POST['student_id'];
}
if ($student_id == "") {
    //we shouldn't be here without a student id.
    echo "You've entered this page without supplying a valid student id. Fatal, quitting";
    exit;
}
//check permission levels
$permission_level = getPermissionLevel($_SESSION['egps_username']);
if ($permission_level > $MINIMUM_AUTHORIZATION_LEVEL || $permission_level == NULL) {
    $system_message = $system_message . "You do not have permission to view this page (IP: " . $_SERVER['REMOTE_ADDR'] . ")";
    IPP_LOG($system_message, $_SESSION['egps_username'], 'ERROR');
    require IPP_PATH . 'security_error.php';
    exit;
}
$our_permission = getStudentPermission($student_id);
if ($our_permission == "WRITE" || $our_permission == "ASSIGN" || $our_permission == "ALL") {
    //we have write permission.
    $have_write_permission = true;
} else {
    $have_write_permission = false;
}
//************** validated past here SESSION ACTIVE WRITE PERMISSION CONFIRMED****************
$student_query = "SELECT * FROM student WHERE student_id = " . mysql_real_escape_string($student_id);
Exemplo n.º 2
0
/** @fn 		getStudentPermission($student_id='')
 *  @brief		Determines user's access to specific student's records
 *  @detail
 *  1. Returns error or null under some circumstances.
 *  2. Otherwise, may return NONE,ERROR,READ,WRITE(READ,WRITE),ASSIGN(READ,WRITE,ASSIGN),ALL(READ,WRITE,ASSIGN,DELETE), or support_list['permission'] or NONE for no permissions.		
 * @param string $student_id
 * @return string|NULL|Ambigous
 * @todo	
 * 1. Rename function because it is a confusing name
 * 2. It can start with get_. Separate words with underscores. Perhaps get_access_to_student_record().
 */
function getStudentPermission($student_id = '')
{
    //returns NONE,ERROR,READ,WRITE(READ,WRITE),ASSIGN(READ,WRITE,ASSIGN),ALL(READ,WRITE,ASSIGN,DELETE),
    //or support_list['permission'] or NONE for no permissions.
    global $error_message, $mysql_user_select_login, $mysql_user_select_password, $mysql_user_table, $mysql_user_append_to_login;
    $error_message = "";
    $permission_level = getPermissionLevel($_SESSION['egps_username']);
    if ($permission_level == NULL) {
        return "ERROR";
    }
    //find the currently logged in persons school code...
    if (!connectUserDB()) {
        $error_message = $error_message;
        //just to remember we need this
        return "ERROR";
    }
    $query = "SELECT * FROM {$mysql_user_table} WHERE (" . $mysql_user_select_login . "='" . $_SESSION['egps_username'] . $mysql_user_append_to_login . "' or " . $mysql_user_select_login . "='" . $_SESSION['egps_username'] . "') and " . $mysql_user_select_password . "='" . $_SESSION['password'] . "' AND aliased_name IS NULL";
    $result = mysql_query($query);
    if (!$result) {
        $error_message = "Database query failed (" . __FILE__ . ":" . __LINE__ . "): " . mysql_error() . "<BR>Query: '{$query}'<BR>";
        return "ERROR";
    }
    $user_row = mysql_fetch_array($result);
    $school_code = $user_row['school_code'];
    if (!connectIPPDB()) {
        $error_message = $error_message;
        //just to remember we need this
        return "ERROR";
    }
    //check if this staff member is local to this student...
    $local_query = "SELECT * FROM school_history WHERE student_id={$student_id} AND school_code='{$school_code}' AND end_date IS NULL";
    $local_result = mysql_query($local_query);
    //ignore errors...
    $is_local_student = FALSE;
    if ($local_result && mysql_num_rows($local_result) > 0) {
        $is_local_student = TRUE;
    }
    //Special case we are the school-based IPP administrator
    //get our school code
    $error_message = "";
    if (!connectIPPDB()) {
        $error_message = $error_message;
        //just to remember we need this
        return NULL;
    }
    $system_query = "SELECT * from support_member WHERE egps_username='******'egps_username'] . "'";
    $system_result = mysql_query($system_query);
    if (!$system_result) {
        $error_message = "Database query failed (" . __FILE__ . ":" . __LINE__ . "): " . mysql_error() . "<BR>Query: '{$system_query}'<BR>";
        return "ERROR";
    } else {
        $system_row = mysql_fetch_array($system_result);
        if ($is_local_student && $system_row['is_local_ipp_administrator'] == 'Y') {
            return "ASSIGN";
        }
    }
    //base our permission on the level we're assigned.
    switch ($permission_level) {
        case 0:
            //Super Admin
        //Super Admin
        case 10:
            //Administrator
            return "ALL";
        case 30:
            //Principal (assign local) special case
            //fall through and return ALL for local students.
        //Principal (assign local) special case
        //fall through and return ALL for local students.
        case 20:
            //Assistant Admin. (view all) special case
            //fall through and return at least read...
        //Assistant Admin. (view all) special case
        //fall through and return at least read...
        case 40:
            //Vice Principal (view local)
        //Vice Principal (view local)
        default:
            //we need to find the permissions from the support list
            //as this user has no inherent permissions...
            $support_query = "SELECT * FROM support_list WHERE egps_username='******'egps_username'] . "' AND student_id={$student_id}";
            $support_result = mysql_query($support_query);
            //if(mysql_num_rows($support_result) <= 0) {
            switch ($permission_level) {
                case 30:
                case 40:
                    //changed as per s. chomistek (2006-03-23)
                    if ($is_local_student) {
                        return "ASSIGN";
                    } else {
                        return "NONE";
                    }
                case 20:
                    //Asst admin special case of read for all
                    if ($is_local_student) {
                        return "ASSIGN";
                    } else {
                        return "READ";
                    }
                    //case 40: //vp special case read local
                    //   if($is_local_student) return "READ";
                    //else return "NONE";
                //case 40: //vp special case read local
                //   if($is_local_student) return "READ";
                //else return "NONE";
                default:
                    //return "NONE";
            }
            //} //else {
            $row = mysql_fetch_array($support_result);
            if ($row['permission'] != '') {
                return $row['permission'];
            }
            return "NONE";
            //}
    }
}
Exemplo n.º 3
0
        $system_message = $system_message . $error_message;
        IPP_LOG($system_message, $_SESSION['egps_username'], 'ERROR');
        require IPP_PATH . 'index.php';
        exit;
    }
} else {
    if (!validate()) {
        $system_message = $system_message . $error_message;
        IPP_LOG($system_message, $_SESSION['egps_username'], 'ERROR');
        require IPP_PATH . 'index.php';
        exit;
    }
}
//************* SESSION active past here **************************
//check permission levels
if (getPermissionLevel($_SESSION['egps_username']) > $MINIMUM_AUTHORIZATION_LEVEL && !isLocalAdministrator($_SESSION['egps_username'])) {
    $system_message = $system_message . "You do not have permission to view this page (IP: " . $_SERVER['REMOTE_ADDR'] . ")";
    IPP_LOG($system_message, $_SESSION['egps_username'], 'ERROR');
    require IPP_PATH . 'security_error.php';
    exit;
}
//************** validated past here SESSION ACTIVE****************
$szBackGetVars = "";
foreach ($_GET as $key => $value) {
    $szBackGetVars = $szBackGetVars . $key . "=" . $value . "&";
}
//strip trailing '&'
$szBackGetVars = substr($szBackGetVars, 0, -1);
?>
 
<!DOCTYPE HTML>
Exemplo n.º 4
0
    $smarty->assign('showInactiveJobs', $_SESSION['showInactiveJobs']);
    $smarty->assign('result', $result);
} catch (Exception $e) {
    error_log("[WPTMonitor] Failed while Listing jobs: " . $wptResultId . " message: " . $e->getMessage());
    print 'Exception : ' . $e->getMessage();
}
$q->free(true);
unset($result);
unset($pager);
unset($share);
$hasReadPermission = false;
$hasUpdatePermission = false;
$hasCreateDeletePermission = false;
$hasExecutePermission = false;
$hasOwnerPermission = false;
$folderPermissionLevel = getPermissionLevel('WPTJob', $folderId);
if ($folderPermissionLevel >= 0) {
    $hasReadPermission = true;
}
if ($folderPermissionLevel >= 1) {
    $hasUpdatePermission = true;
}
if ($folderPermissionLevel >= 2) {
    $hasCreateDeletePermission = true;
}
if ($folderPermissionLevel >= 4) {
    $hasExecutePermission = true;
}
if ($folderPermissionLevel >= -9) {
    $hasOwnerPermission = true;
}