}
//************* SESSION active past here **************************
$student_id = "";
if (isset($_GET['student_id'])) {
$student_id = $_GET['student_id'];
}
if (isset($_POST['student_id'])) {
$student_id = $_POST['student_id'];
}
if ($student_id == "") {
//we shouldn't be here without a student id.
echo "You've entered this page without supplying a valid student id. Fatal, quitting";
exit;
}
//check permission levels
$permission_level = getPermissionLevel($_SESSION['egps_username']);
if ($permission_level > $MINIMUM_AUTHORIZATION_LEVEL || $permission_level == NULL) {
$system_message = $system_message . "You do not have permission to view this page (IP: " . $_SERVER['REMOTE_ADDR'] . ")";
IPP_LOG($system_message, $_SESSION['egps_username'], 'ERROR');
require IPP_PATH . 'security_error.php';
exit;
}
$our_permission = getStudentPermission($student_id);
if ($our_permission == "WRITE" || $our_permission == "ASSIGN" || $our_permission == "ALL") {
//we have write permission.
$have_write_permission = true;
} else {
$have_write_permission = false;
}
//************** validated past here SESSION ACTIVE WRITE PERMISSION CONFIRMED****************
$student_query = "SELECT * FROM student WHERE student_id = " . mysql_real_escape_string($student_id);
/** @fn getStudentPermission($student_id='')
* @brief Determines user's access to specific student's records
* @detail
* 1. Returns error or null under some circumstances.
* 2. Otherwise, may return NONE,ERROR,READ,WRITE(READ,WRITE),ASSIGN(READ,WRITE,ASSIGN),ALL(READ,WRITE,ASSIGN,DELETE), or support_list['permission'] or NONE for no permissions.
* @param string $student_id
* @return string|NULL|Ambigous
* @todo
* 1. Rename function because it is a confusing name
* 2. It can start with get_. Separate words with underscores. Perhaps get_access_to_student_record().
*/
function getStudentPermission($student_id = '')
{
//returns NONE,ERROR,READ,WRITE(READ,WRITE),ASSIGN(READ,WRITE,ASSIGN),ALL(READ,WRITE,ASSIGN,DELETE),
//or support_list['permission'] or NONE for no permissions.
global $error_message, $mysql_user_select_login, $mysql_user_select_password, $mysql_user_table, $mysql_user_append_to_login;
$error_message = "";
$permission_level = getPermissionLevel($_SESSION['egps_username']);
if ($permission_level == NULL) {
return "ERROR";
}
//find the currently logged in persons school code...
if (!connectUserDB()) {
$error_message = $error_message;
//just to remember we need this
return "ERROR";
}
$query = "SELECT * FROM {$mysql_user_table} WHERE (" . $mysql_user_select_login . "='" . $_SESSION['egps_username'] . $mysql_user_append_to_login . "' or " . $mysql_user_select_login . "='" . $_SESSION['egps_username'] . "') and " . $mysql_user_select_password . "='" . $_SESSION['password'] . "' AND aliased_name IS NULL";
$result = mysql_query($query);
if (!$result) {
$error_message = "Database query failed (" . __FILE__ . ":" . __LINE__ . "): " . mysql_error() . "<BR>Query: '{$query}'<BR>";
return "ERROR";
}
$user_row = mysql_fetch_array($result);
$school_code = $user_row['school_code'];
if (!connectIPPDB()) {
$error_message = $error_message;
//just to remember we need this
return "ERROR";
}
//check if this staff member is local to this student...
$local_query = "SELECT * FROM school_history WHERE student_id={$student_id} AND school_code='{$school_code}' AND end_date IS NULL";
$local_result = mysql_query($local_query);
//ignore errors...
$is_local_student = FALSE;
if ($local_result && mysql_num_rows($local_result) > 0) {
$is_local_student = TRUE;
}
//Special case we are the school-based IPP administrator
//get our school code
$error_message = "";
if (!connectIPPDB()) {
$error_message = $error_message;
//just to remember we need this
return NULL;
}
$system_query = "SELECT * from support_member WHERE egps_username='******'egps_username'] . "'";
$system_result = mysql_query($system_query);
if (!$system_result) {
$error_message = "Database query failed (" . __FILE__ . ":" . __LINE__ . "): " . mysql_error() . "<BR>Query: '{$system_query}'<BR>";
return "ERROR";
} else {
$system_row = mysql_fetch_array($system_result);
if ($is_local_student && $system_row['is_local_ipp_administrator'] == 'Y') {
return "ASSIGN";
}
}
//base our permission on the level we're assigned.
switch ($permission_level) {
case 0:
//Super Admin
//Super Admin
case 10:
//Administrator
return "ALL";
case 30:
//Principal (assign local) special case
//fall through and return ALL for local students.
//Principal (assign local) special case
//fall through and return ALL for local students.
case 20:
//Assistant Admin. (view all) special case
//fall through and return at least read...
//Assistant Admin. (view all) special case
//fall through and return at least read...
case 40:
//Vice Principal (view local)
//Vice Principal (view local)
default:
//we need to find the permissions from the support list
//as this user has no inherent permissions...
$support_query = "SELECT * FROM support_list WHERE egps_username='******'egps_username'] . "' AND student_id={$student_id}";
$support_result = mysql_query($support_query);
//if(mysql_num_rows($support_result) <= 0) {
switch ($permission_level) {
case 30:
case 40:
//changed as per s. chomistek (2006-03-23)
if ($is_local_student) {
return "ASSIGN";
} else {
return "NONE";
}
case 20:
//Asst admin special case of read for all
if ($is_local_student) {
return "ASSIGN";
} else {
return "READ";
}
//case 40: //vp special case read local
// if($is_local_student) return "READ";
//else return "NONE";
//case 40: //vp special case read local
// if($is_local_student) return "READ";
//else return "NONE";
default:
//return "NONE";
}
//} //else {
$row = mysql_fetch_array($support_result);
if ($row['permission'] != '') {
return $row['permission'];
}
return "NONE";
//}
}
}
$system_message = $system_message . $error_message;
IPP_LOG($system_message, $_SESSION['egps_username'], 'ERROR');
require IPP_PATH . 'index.php';
exit;
}
} else {
if (!validate()) {
$system_message = $system_message . $error_message;
IPP_LOG($system_message, $_SESSION['egps_username'], 'ERROR');
require IPP_PATH . 'index.php';
exit;
}
}
//************* SESSION active past here **************************
//check permission levels
if (getPermissionLevel($_SESSION['egps_username']) > $MINIMUM_AUTHORIZATION_LEVEL && !isLocalAdministrator($_SESSION['egps_username'])) {
$system_message = $system_message . "You do not have permission to view this page (IP: " . $_SERVER['REMOTE_ADDR'] . ")";
IPP_LOG($system_message, $_SESSION['egps_username'], 'ERROR');
require IPP_PATH . 'security_error.php';
exit;
}
//************** validated past here SESSION ACTIVE****************
$szBackGetVars = "";
foreach ($_GET as $key => $value) {
$szBackGetVars = $szBackGetVars . $key . "=" . $value . "&";
}
//strip trailing '&'
$szBackGetVars = substr($szBackGetVars, 0, -1);
?>
<!DOCTYPE HTML>
$smarty->assign('showInactiveJobs', $_SESSION['showInactiveJobs']);
$smarty->assign('result', $result);
} catch (Exception $e) {
error_log("[WPTMonitor] Failed while Listing jobs: " . $wptResultId . " message: " . $e->getMessage());
print 'Exception : ' . $e->getMessage();
}
$q->free(true);
unset($result);
unset($pager);
unset($share);
$hasReadPermission = false;
$hasUpdatePermission = false;
$hasCreateDeletePermission = false;
$hasExecutePermission = false;
$hasOwnerPermission = false;
$folderPermissionLevel = getPermissionLevel('WPTJob', $folderId);
if ($folderPermissionLevel >= 0) {
$hasReadPermission = true;
}
if ($folderPermissionLevel >= 1) {
$hasUpdatePermission = true;
}
if ($folderPermissionLevel >= 2) {
$hasCreateDeletePermission = true;
}
if ($folderPermissionLevel >= 4) {
$hasExecutePermission = true;
}
if ($folderPermissionLevel >= -9) {
$hasOwnerPermission = true;
}
