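}
//************* SESSION active past here **************************
// Resolve the student id from the request; a POST value takes precedence over GET.
$student_id = "";
if (isset($_GET['student_id'])) {
    $student_id = $_GET['student_id'];
}
if (isset($_POST['student_id'])) {
    $student_id = $_POST['student_id'];
}
if ($student_id == "") {
    //we shouldn't be here without a student id.
    echo "You've entered this page without supplying a valid student id. Fatal, quitting";
    exit;
}

//check permission levels
// NOTE(review): "== NULL" is a loose comparison, so an integer level of 0 would also be
// denied here; confirm whether getPermissionLevel() returns ints or DB strings.
$permission_level = getPermissionLevel($_SESSION['egps_username']);
if ($permission_level > $MINIMUM_AUTHORIZATION_LEVEL || $permission_level == NULL) {
    $system_message = $system_message . "You do not have permission to view this page (IP: " . $_SERVER['REMOTE_ADDR'] . ")";
    IPP_LOG($system_message, $_SESSION['egps_username'], 'ERROR');
    require IPP_PATH . 'security_error.php';
    exit;
}

// WRITE, ASSIGN and ALL each include write access (see getStudentPermission()).
$our_permission = getStudentPermission($student_id);
if ($our_permission == "WRITE" || $our_permission == "ASSIGN" || $our_permission == "ALL") {
    //we have write permission.
    $have_write_permission = true;
} else {
    $have_write_permission = false;
}

//************** validated past here SESSION ACTIVE WRITE PERMISSION CONFIRMED****************
// The escaped value must also be quoted: mysql_real_escape_string() only neutralises quote
// characters, so an unquoted, request-supplied value could still alter the WHERE clause.
$student_query = "SELECT * FROM student WHERE student_id = '" . mysql_real_escape_string($student_id) . "'";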
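/** @fn getStudentPermission($student_id='')
 * @brief Determines user's access to specific student's records
 * @detail
 * 1. Returns "ERROR" when the permission level cannot be resolved or a database step fails,
 *    and NULL when the second IPP connection fails (kept for compatibility with existing callers,
 *    which only test for the WRITE/ASSIGN/ALL values).
 * 2. Otherwise returns NONE, READ, WRITE(READ,WRITE), ASSIGN(READ,WRITE,ASSIGN),
 *    ALL(READ,WRITE,ASSIGN,DELETE), or the support_list['permission'] value for this user/student.
 * 3. Every session or request value placed into SQL is escaped and quoted; callers are still
 *    expected to validate $student_id before use.
 * @param string $student_id
 * @return string|NULL
 * @todo
 * 1. Rename function because it is a confusing name
 * 2. It can start with get_. Separate words with underscores. Perhaps get_access_to_student_record().
 */
function getStudentPermission($student_id = '')
{
    global $error_message, $mysql_user_select_login, $mysql_user_select_password, $mysql_user_table, $mysql_user_append_to_login;
    $error_message = "";

    $permission_level = getPermissionLevel($_SESSION['egps_username']);
    if ($permission_level == NULL) {
        return "ERROR";
    }

    //find the currently logged in persons school code...
    if (!connectUserDB()) {
        // connectUserDB() is expected to have set $error_message itself.
        return "ERROR";
    }
    // Session values are data, not SQL; escape them now that a connection exists.
    // NOTE(review): the user row is matched on a password value held in the session;
    // worth confirming it is a hash rather than a plaintext credential.
    $safe_username = mysql_real_escape_string($_SESSION['egps_username']);
    $safe_password = mysql_real_escape_string($_SESSION['password']);
    $query = "SELECT * FROM {$mysql_user_table} WHERE ("
        . $mysql_user_select_login . "='" . $safe_username . $mysql_user_append_to_login . "' or "
        . $mysql_user_select_login . "='" . $safe_username . "') and "
        . $mysql_user_select_password . "='" . $safe_password . "' AND aliased_name IS NULL";
    $result = mysql_query($query);
    if (!$result) {
        $error_message = "Database query failed (" . __FILE__ . ":" . __LINE__ . "): " . mysql_error() . "<BR>Query: '{$query}'<BR>";
        return "ERROR";
    }
    $user_row = mysql_fetch_array($result);
    $school_code = $user_row['school_code'];

    if (!connectIPPDB()) {
        // connectIPPDB() is expected to have set $error_message itself.
        return "ERROR";
    }
    // Re-escape against the IPP connection that the remaining queries run on.
    $safe_username = mysql_real_escape_string($_SESSION['egps_username']);
    $safe_student_id = mysql_real_escape_string($student_id);
    $safe_school_code = mysql_real_escape_string($school_code);

    //check if this staff member is local to this student...
    $local_query = "SELECT * FROM school_history WHERE student_id='{$safe_student_id}' AND school_code='{$safe_school_code}' AND end_date IS NULL";
    $local_result = mysql_query($local_query); //ignore errors...
    $is_local_student = ($local_result && mysql_num_rows($local_result) > 0);

    //Special case we are the school-based IPP administrator
    $error_message = "";
    if (!connectIPPDB()) {
        // This path has always returned NULL rather than "ERROR"; preserved as-is.
        return NULL;
    }
    $system_query = "SELECT * from support_member WHERE egps_username='" . $safe_username . "'";
    $system_result = mysql_query($system_query);
    if (!$system_result) {
        $error_message = "Database query failed (" . __FILE__ . ":" . __LINE__ . "): " . mysql_error() . "<BR>Query: '{$system_query}'<BR>";
        return "ERROR";
    }
    $system_row = mysql_fetch_array($system_result);
    if ($is_local_student && $system_row['is_local_ipp_administrator'] == 'Y') {
        return "ASSIGN";
    }

    //base our permission on the level we're assigned.
    // The former nested switch is flattened: both levels ran the same mapping, and the
    // support_list lookup was only ever consumed by the default branch.
    switch ($permission_level) {
        case 0:  //Super Admin
        case 10: //Administrator
            return "ALL";
        case 30: //Principal (assign local) special case
        case 40: //Vice Principal; assign for local students as per s. chomistek (2006-03-23)
            if ($is_local_student) {
                return "ASSIGN";
            }
            return "NONE";
        case 20: //Assistant Admin. (view all): assign for local students, at least read otherwise
            if ($is_local_student) {
                return "ASSIGN";
            }
            return "READ";
        default:
            //we need to find the permissions from the support list
            //as this user has no inherent permissions...
            $support_query = "SELECT * FROM support_list WHERE egps_username='" . $safe_username . "' AND student_id='{$safe_student_id}'";
            $support_result = mysql_query($support_query);
            if (!$support_result) {
                // A failed lookup grants nothing, as before.
                return "NONE";
            }
            $row = mysql_fetch_array($support_result);
            if ($row && $row['permission'] != '') {
                return $row['permission'];
            }
            return "NONE";
    }
}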
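$system_message = $system_message . $error_message;
IPP_LOG($system_message, $_SESSION['egps_username'], 'ERROR');
require IPP_PATH . 'index.php';
exit;
}
} else {
    if (!validate()) {
        $system_message = $system_message . $error_message;
        IPP_LOG($system_message, $_SESSION['egps_username'], 'ERROR');
        require IPP_PATH . 'index.php';
        exit;
    }
}
//************* SESSION active past here **************************
//check permission levels
// An unresolved level must be denied too: NULL > N is false, so the level comparison on its
// own would let a user whose level cannot be determined through (same check as the student page).
$permission_level = getPermissionLevel($_SESSION['egps_username']);
if (($permission_level > $MINIMUM_AUTHORIZATION_LEVEL || $permission_level == NULL) && !isLocalAdministrator($_SESSION['egps_username'])) {
    $system_message = $system_message . "You do not have permission to view this page (IP: " . $_SERVER['REMOTE_ADDR'] . ")";
    IPP_LOG($system_message, $_SESSION['egps_username'], 'ERROR');
    require IPP_PATH . 'security_error.php';
    exit;
}
//************** validated past here SESSION ACTIVE****************
// Rebuild the incoming query string so it can be passed back on links. Keys and values are
// URL-encoded; the previous raw concatenation broke on '&' or '=' inside a value and was
// unsafe to echo into markup.
$szBackGetVars = http_build_query($_GET);
?>
<!DOCTYPE HTML>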
$smarty->assign('showInactiveJobs', $_SESSION['showInactiveJobs']);
$smarty->assign('result', $result);
} catch (Exception $e) {
    error_log("[WPTMonitor] Failed while Listing jobs: " . $wptResultId . " message: " . $e->getMessage());
    print 'Exception : ' . $e->getMessage();
}
$q->free(true);
unset($result, $pager, $share);

// Derive the per-folder capability flags from the folder's numeric permission level.
$folderPermissionLevel = getPermissionLevel('WPTJob', $folderId);
$hasReadPermission = ($folderPermissionLevel >= 0);
$hasUpdatePermission = ($folderPermissionLevel >= 1);
$hasCreateDeletePermission = ($folderPermissionLevel >= 2);
$hasExecutePermission = ($folderPermissionLevel >= 4);
// NOTE(review): ">= -9" holds for almost every level, so owner permission is effectively
// always granted; confirm the intended threshold against getPermissionLevel().
$hasOwnerPermission = ($folderPermissionLevel >= -9);