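/**
 * Gate an administration page on the current session.
 *
 * Access is refused unless the session holds a valid user outside any course
 * context (course_id === -1).  A full administrator (privileges equal to
 * AT_ADMIN_PRIV_ADMIN) is always admitted; any other admin needs the requested
 * $privilege bit set in $_SESSION['privileges'].  Every missing or falsy session
 * value is treated as "not logged in", i.e. the function fails closed.
 *
 * @param int  $privilege admin privilege bit to require; 0 only requires an admin-side session
 * @param bool $check     true: report the decision as a return value instead of redirecting
 *                        (or rendering ACCESS_DENIED) and exiting
 * @return bool true when access is granted; false only when $check is true, otherwise exit
 */
function admin_authenticate($privilege = 0, $check = false)
{
    global $msg;

    $logged_in = isset($_SESSION['valid_user']) && $_SESSION['valid_user'];
    // Admin pages are only reachable outside a course; an absent course_id is
    // treated like any other course context and refused.
    $course_id = isset($_SESSION['course_id']) ? (int) $_SESSION['course_id'] : 0;
    if (!$logged_in || $course_id !== -1) {
        if ($check) {
            return false;
        }
        header('Location: ' . AT_BASE_HREF . 'login.php');
        exit;
    }

    $privileges = isset($_SESSION['privileges']) ? (int) $_SESSION['privileges'] : 0;
    if ($privileges === (int) AT_ADMIN_PRIV_ADMIN) {
        return true;
    }

    // No specific privilege requested: any admin-side session is enough.
    if (!$privilege) {
        return true;
    }
    if (query_bit($privileges, $privilege)) {
        return true;
    }
    if ($check) {
        return false;
    }
    $msg->addError('ACCESS_DENIED');
    require AT_INCLUDE_PATH . 'header.inc.php';
    require AT_INCLUDE_PATH . 'footer.inc.php';
    exit;
}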
/* Copyright (c) 2002-2010                                      */
/* Inclusive Design Institute                                   */
/* http://atutor.ca												*/
/*                                                              */
/* This program is free software. You can redistribute it and/or*/
/* modify it under the terms of the GNU General Public License  */
/* as published by the Free Software Foundation.				*/
/****************************************************************/
// $Id$
define('AT_INCLUDE_PATH', '../../../include/');
require AT_INCLUDE_PATH . 'vitals.inc.php';
require AT_INCLUDE_PATH . '../mods/_standard/file_storage/file_storage.inc.php';
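// Owner of the workspace being edited, taken from the request and normalised to
// non-negative integers before use: the values are echoed back into URLs and
// handed to fs_authenticate().  Casting to int first avoids the warning/TypeError
// abs() raises on a missing or non-numeric value; abs() itself mirrors the rest
// of this file.
$owner_type = isset($_REQUEST['ot']) ? abs((int) $_REQUEST['ot']) : 0;
$owner_id = isset($_REQUEST['oid']) ? abs((int) $_REQUEST['oid']) : 0;
$owner_arg_prefix = '?ot=' . $owner_type . SEP . 'oid=' . $owner_id . SEP;
// Only a member with write access to this owner's workspace may reach the rest of the page.
if (!($owner_status = fs_authenticate($owner_type, $owner_id)) || !query_bit($owner_status, WORKSPACE_AUTH_WRITE)) {
    $msg->addError('ACCESS_DENIED');
    header('Location: ' . url_rewrite('mods/_standard/file_storage/index.php', AT_PRETTY_URL_IS_HEADER));
    exit;
}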
if (isset($_POST['cancel'])) {
    $msg->addFeedback('CANCELLED');
    header('Location: ' . url_rewrite('mods/_standard/file_storage/index.php' . $owner_arg_prefix . 'folder=' . abs($_POST['folder']), AT_PRETTY_URL_IS_HEADER));
    exit;
} else {
    if (isset($_POST['submit'])) {
        $_POST['id'] = abs($_POST['id']);
        if (!$_POST['name']) {
            $msg->addError('MISSING_FILENAME');
        }
        if (!$msg->containsErrors()) {
/* Copyright (c) 2002-2010                                      */
/* Inclusive Design Institute                                   */
/* http://atutor.ca												*/
/*                                                              */
/* This program is free software. You can redistribute it and/or*/
/* modify it under the terms of the GNU General Public License  */
/* as published by the Free Software Foundation.				*/
/****************************************************************/
// $Id$
define('AT_INCLUDE_PATH', '../../../include/');
require (AT_INCLUDE_PATH.'vitals.inc.php');

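// authenticate ot+oid ....
// The owner identifiers come straight from the request and are passed to
// blogs_authenticate(); normalise them to non-negative integers first, since
// abs() on a missing or non-numeric value warns or throws.
$owner_type = isset($_REQUEST['ot']) ? abs((int) $_REQUEST['ot']) : 0;
$owner_id = isset($_REQUEST['oid']) ? abs((int) $_REQUEST['oid']) : 0;
// Write access to the blog owner is required for everything below.
if (!($owner_status = blogs_authenticate($owner_type, $owner_id)) || !query_bit($owner_status, BLOGS_AUTH_WRITE)) {
	$msg->addError('ACCESS_DENIED');
	header('Location: index.php');
	exit;
}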

if (isset($_POST['cancel'])) {
	$msg->addFeedback('CANCELLED');
	header('Location: '.url_rewrite('mods/_standard/blogs/view.php?ot='.BLOGS_GROUP.SEP.'oid='.$_POST['oid'], AT_PRETTY_URL_IS_HEADER));
	exit;
} else if (isset($_POST['submit'])) {
	$_POST['title'] = $addslashes(trim($_POST['title']));
	$_POST['body']  = $addslashes(trim($_POST['body']));
	$id = abs($_POST['id']);

	if ($_POST['body'] == '') {
        }
        $_POST['login'] = $stripslashes($_POST['login']);
    }
}
// Look up the admin account named in the request.  The key is run through the
// $addslashes callback and then interpolated into the SQL string; that is
// quote-escaping only, not a parameterised query (the mysql_* API offers none),
// so the lookup is only as safe as $addslashes is for the connection charset.
$_GET['login'] = $addslashes($_REQUEST['login']);
// NOTE(review): the interpolated value in this string is garbled on this page
// ('******'); it presumably reads the escaped $_GET['login'] — confirm against
// the source file before relying on it.
$sql = "SELECT login FROM " . TABLE_PREFIX . "admins WHERE login='******'login']}'";
$result = mysql_query($sql, $db);
// Unknown login: report the error and stop before rendering the form.
if (!($row = mysql_fetch_assoc($result))) {
    $msg->addError('USER_NOT_FOUND');
    $msg->printErrors();
    require AT_INCLUDE_PATH . 'footer.inc.php';
    exit;
}
// Initial (non-submit) visit: pre-fill the form data from the stored row.
// priv_admin and privs are derived from the privileges bitmask.
if (!isset($_POST['submit'])) {
    $_POST = $row;
    if (query_bit($row['privileges'], AT_ADMIN_PRIV_ADMIN)) {
        $_POST['priv_admin'] = 1;
    }
    $_POST['privs'] = intval($row['privileges']);
}
// Put the cursor in the first password field once the page has loaded.
$onload = 'document.form.password1.focus();';
require AT_INCLUDE_PATH . 'header.inc.php';
?>
<script language="JavaScript" src="sha-1factory.js" type="text/javascript"></script>

<script type="text/javascript">
function encrypt_password()
{
	document.form.password_error.value = "";

	err = verify_password(document.form.password1.value, document.form.confirm_password.value);
			<?php 
    $module =& $this->module_list[$module_name];
    ?>
			<?php 
    if (!($module->getAdminPrivilege() > 1)) {
        continue;
    }
    ?>
				<input type="checkbox" name="privs[]" value="<?php 
    echo $module->getAdminPrivilege();
    ?>
" id="priv_<?php 
    echo $module->getAdminPrivilege();
    ?>
" <?php 
    if (query_bit($_POST['privs'], $module->getAdminPrivilege())) {
        echo 'checked="checked"';
    }
    ?>
 /><label for="priv_<?php 
    echo $module->getAdminPrivilege();
    ?>
"><?php 
    echo $module->getName();
    ?>
</label><br />
		<?php 
}
?>
	</div>
		<div class="row">
			<h4 class="date"><?php 
    // Author and date of one comment; $row appears to be a blog_posts_comments
    // record (cf. the AT_print() field name below) — confirm against the loop above.
    echo get_display_name($row['member_id']);
    ?>
 - <?php 
    echo AT_date(_AT('forum_date_format'), $row['date'], AT_DATE_MYSQL_DATETIME);
    ?>
</h4>

			<p><?php 
    // AT_print() applies the formatting/escaping configured for this field.
    echo AT_print($row['comment'], 'blog_posts_comments.comment');
    ?>
</p>

			<?php 
    // The delete link is only rendered for members with write access; the
    // deletion itself is performed by delete_comment.php from GET parameters.
    if (query_bit($owner_status, BLOGS_AUTH_WRITE)) {
        ?>
				<div style="text-align: right; font-size: smaller;">
					<a href="mods/_standard/blogs/delete_comment.php?ot=<?php 
        // NOTE(review): ids are echoed into the href unescaped; they look like
        // integer owner/post/comment ids — confirm where $id and $owner_id are set.
        echo $owner_type . SEP . 'oid=' . $owner_id . SEP . 'id=' . $id . SEP . 'delete_id=' . $row['comment_id'];
        ?>
"><?php 
        echo _AT('delete');
        ?>
</a>
				</div>
			<?php 
    }
    ?>
		</div>
	</div>
$course_info = mysql_fetch_assoc($result);
if ($_POST['submit']) {
    $_SESSION['enroll'] = AT_ENROLL_YES;
    if ($course_info['access'] == 'private') {
        $sql = "INSERT INTO " . TABLE_PREFIX . "course_enrollment VALUES ({$_SESSION['member_id']}, {$course}, 'n', 0, '" . _AT('student') . "', 0)";
        $result = mysql_query($sql, $db);
        // send the email - if needed
        if ($system_courses[$course]['notify'] == 1) {
            $mail_list = array();
            //initialize an array to store all the pending emails
            //Get the list of students with enrollment privilege
            $module =& $moduleFactory->getModule('_core/enrolment');
            $sql = "SELECT email, first_name, last_name, `privileges` FROM " . TABLE_PREFIX . "members m INNER JOIN " . TABLE_PREFIX . "course_enrollment ce ON m.member_id=ce.member_id WHERE ce.privileges > 0 AND ce.course_id={$course}";
            $result = mysql_query($sql, $db);
            while ($row = mysql_fetch_assoc($result)) {
                if (query_bit($row['privileges'], $module->getPrivilege())) {
                    unset($row['privileges']);
                    //we don't need the privilege to flow around
                    $mail_list[] = $row;
                }
            }
            //Get instructor information
            $ins_id = $system_courses[$course]['member_id'];
            $sql = "SELECT email, first_name, last_name FROM " . TABLE_PREFIX . "members WHERE member_id={$ins_id}";
            $result = mysql_query($sql, $db);
            $row = mysql_fetch_assoc($result);
            $mail_list[] = $row;
            //Send email notification to both assistants with privileges & Instructor
            foreach ($mail_list as $row) {
                $to_email = $row['email'];
                $tmp_message = $row['first_name'] . ' ' . $row['last_name'] . "\n\n";
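/**
 * Updates the role & privileges of a course member.
 *
 * The submitted privilege bits are OR-ed into one bitmask and written to the
 * member's approved course_enrollment row for the current course.  A member who
 * receives AT_PRIV_GROUPS (group TA) is first removed from every group listed in
 * $_SESSION['groups'].
 *
 * @access  private
 * @param   int   $member  member_id of the user whose privileges are updated
 * @param   int[] $privs   privilege bits submitted for the user (each is intval()ed)
 * @author  Joel Kronenberg
 */
function change_privs($member, $privs)
{
    global $db, $course_id, $msg;

    // Combine the submitted bits.  OR-ing rather than summing keeps a duplicated
    // checkbox value from spilling over into a neighbouring bit.
    $privilege = 0;
    if (!empty($privs)) {
        foreach ((array) $privs as $priv) {
            $privilege |= intval($priv);
        }
    }

    // Only integers are interpolated into the SQL below: the mysql_* API has no
    // parameter binding, so the casts are the escaping.
    $member_id = intval($member);
    $cid = intval($course_id);

    /*
     * if we're making a student a GROUP TA then we have to remove them
     * from all the groups they may belong to.
     */
    if (query_bit($privilege, AT_PRIV_GROUPS)) {
        $group_ids = isset($_SESSION['groups']) ? array_map('intval', (array) $_SESSION['groups']) : array();
        $group_list = implode(',', $group_ids);
        if ($group_list) {
            $sql = "DELETE FROM " . TABLE_PREFIX . "groups_members WHERE group_id IN ({$group_list}) AND member_id={$member_id}";
            mysql_query($sql, $db);
        }
    }

    $sql = "UPDATE " . TABLE_PREFIX . "course_enrollment SET `privileges`={$privilege} WHERE member_id={$member_id} AND course_id={$cid} AND `approved`='y'";
    $result = mysql_query($sql, $db);
    // Report a failed update and stop; $msg must be imported for this to work.
    if (!$result) {
        $msg->printErrors('DB_NOT_UPDATED');
        exit;
    }
}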
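	/**
	 * Transforms text according to the formatting preferences registered for a field.
	 *
	 * The parameter is passed by value: $input itself is not modified, the transformed
	 * text is returned.  Typical use:
	 *
	 *   echo AT_print($input, $name);
	 *
	 * Preferences are read from the global $_field_formatting, keyed by field name
	 * (convention: table_name.field_name) with table_name.* as a wildcard fallback.
	 * A field with no entry at all is returned untouched (AT_FORMAT_NONE).
	 *
	 * @access	public
	 * @param	string  $input         text being transformed
	 * @param	string  $name          the unique name of this field (convention: table_name.field_name)
	 * @param	boolean $runtime_html  false forces the non-HTML path ('<' escaping and nl2br)
	 *                                 even for fields flagged AT_FORMAT_HTML
	 * @return	string                 transformed $input
	 * @see		AT_FORMAT constants    in include/lib/constants.inc.php
	 * @see		query_bit()            in include/vitals.inc.php
	 * @author	Joel Kronenberg
	 */
	function AT_print($input, $name, $runtime_html = true) {
		global $_field_formatting, $_config;

		if (!isset($_field_formatting[$name])) {
			/* field not set, check if there's a global setting */
			$parts = explode('.', $name);

			/* check if wildcard is set: */
			if (isset($_field_formatting[$parts[0].'.*'])) {
				$name = $parts[0].'.*';
			} else {
				/* field not set, and there's no global setting */
				/* same as AT_FORMAT_NONE */
				return $input;
			}
		}
		$format = $_field_formatting[$name];

		if (query_bit($format, AT_FORMAT_QUOTES)) {
			$input = str_replace('"', '&quot;', $input);
			$input = str_replace('\'', '&apos;', $input);
		}

		if (query_bit($format, AT_FORMAT_CONTENT_DIR)) {
			$input = str_replace('CONTENT_DIR/', '', $input);
		}

		if (query_bit($format, AT_FORMAT_HTML) && $runtime_html) {
			/* what special things do we have to do if this is HTML ? remove unwanted HTML? validate? */
		} else {
			/* NOTE(review): only '<' is escaped here, not '>' or '&'; escaping more would
			 * change how already-stored entities render, so the behaviour is kept. */
			$input = str_replace('<', '&lt;', $input);
			$input = nl2br($input);
		}

		if (isset($_config['latex_server']) && $_config['latex_server']) {
			/* [tex]...[/tex] becomes an <img> rendered by the configured LaTeX server.
			 * A callback (PHP 5.3+) replaces the former /e modifier, which evaluated the
			 * replacement — and with it the matched user text — as PHP and is removed
			 * in PHP 7.  The match is only URL-encoded for src and attribute-escaped
			 * for alt/title. */
			$latex_server = $_config['latex_server'];
			$input = preg_replace_callback('/\[tex\](.*?)\[\/tex\]/si', function ($m) use ($latex_server) {
				$tex = $m[1];
				$label = htmlspecialchars($tex, ENT_QUOTES);
				return '<img src="' . $latex_server . rawurlencode($tex) . '" align="middle" alt="' . $label . '" title="' . $label . '">';
			}, $input);
		}

		/* this has to be here, only because AT_FORMAT_HTML is the only check that has an else-block */
		if ($format === AT_FORMAT_NONE) {
			return $input;
		}

		if (query_bit($format, AT_FORMAT_EMOTICONS)) {
			$input = smile_replace($input);
		}

		/* the remaining filters operate on a space-padded copy and are trimmed afterwards */
		if (query_bit($format, AT_FORMAT_ATCODES)) {
			$input = trim(myCodes(' ' . $input . ' '));
		}

		if (query_bit($format, AT_FORMAT_LINKS)) {
			$input = trim(make_clickable(' ' . $input . ' '));
		}

		if (query_bit($format, AT_FORMAT_IMAGES)) {
			$input = trim(image_replace(' ' . $input . ' '));
		}
		return $input;
	}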
"><?php 
echo _AT('date');
?>
</a></th>
</tr>

</thead>
<tfoot>
<tr>
	<td colspan="7">
		<input type="submit" name="download" value="<?php 
echo _AT('download');
?>
"  class="button"/>
		<?php 
if (query_bit($owner_status, WORKSPACE_AUTH_WRITE)) {
    ?>
			<?php 
    if ($owner_type != WORKSPACE_COURSE && !($owner_type == WORKSPACE_PERSONAL && ($_SESSION['is_admin'] || authenticate(AT_PRIV_GROUPS, true)))) {
        ?>
				<input type="submit" name="assignment" value="<?php 
        echo _AT('hand_in');
        ?>
"  class="button"/>
			<?php 
    }
    ?>
			<input type="submit" name="edit" value="<?php 
    echo _AT('edit');
    ?>
"  class="button"/>
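/**
 * Updates the role & privileges of a course member.
 *
 * The submitted privilege bits are OR-ed into one bitmask and written to the
 * member's approved course_enrollment row for the current course.  A member who
 * receives AT_PRIV_GROUPS (group TA) is first removed from every group listed in
 * $_SESSION['groups'].  On a failed update an error is queued on $msg.
 *
 * @access  private
 * @param   int   $member  member_id of the user whose privileges are updated
 * @param   int[] $privs   privilege bits submitted for the user (each is intval()ed)
 * @author  Joel Kronenberg
 */
function change_privs($member, $privs)
{
    global $course_id, $msg;

    // Combine the submitted bits.  OR-ing rather than summing keeps a duplicated
    // checkbox value from spilling over into a neighbouring bit.
    $privilege = 0;
    if (!empty($privs)) {
        foreach ((array) $privs as $priv) {
            $privilege |= intval($priv);
        }
    }

    /*
     * if we're making a student a GROUP TA then we have to remove them
     * from all the groups they may belong to.
     */
    if (query_bit($privilege, AT_PRIV_GROUPS)) {
        // The IN list goes in through %s, so it is built from integers only.
        $group_ids = isset($_SESSION['groups']) ? array_map('intval', (array) $_SESSION['groups']) : array();
        $group_list = implode(',', $group_ids);
        if ($group_list) {
            $sql = "DELETE FROM %sgroups_members WHERE group_id IN (%s) AND member_id=%d";
            queryDB($sql, array(TABLE_PREFIX, $group_list, $member));
        }
    }

    $sql = "UPDATE %scourse_enrollment SET privileges=%d WHERE member_id=%d AND course_id=%d AND `approved`='y'";
    $result = queryDB($sql, array(TABLE_PREFIX, $privilege, $member, $course_id));
    // queryDB()'s return for an UPDATE is not shown here; the original 0-check is kept.
    if ($result == 0) {
        $msg->addError('DB_NOT_UPDATED');
    }
}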
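/**
 * Decides whether the current session member may take test $tid.
 *
 * Access is granted, in this order, to: course admins (authenticate() with
 * AT_PRIV_ADMIN); approved enrollees when the test is not restricted to any
 * group; members of one of the test's groups; assistants holding both the
 * groups and the tests privileges.  Anyone else is refused, and a failed
 * query is treated as a refusal rather than as "no restriction".
 *
 * @param int $tid test id
 * @return bool
 */
function authenticate_test($tid)
{
    global $db;

    if (authenticate(AT_PRIV_ADMIN, AT_PRIV_RETURN)) {
        return TRUE;
    }
    if (empty($_SESSION['enroll'])) {
        return FALSE;
    }

    // Every value interpolated below is forced to an integer: the mysql_* API has
    // no parameter binding, so the casts are the escaping.
    $tid = intval($tid);
    $member_id = isset($_SESSION['member_id']) ? intval($_SESSION['member_id']) : 0;
    $course_id = isset($_SESSION['course_id']) ? intval($_SESSION['course_id']) : 0;

    // Must be an approved enrollee of the current course.
    $sql = "SELECT approved FROM " . TABLE_PREFIX . "course_enrollment WHERE member_id={$member_id} AND course_id={$course_id} AND approved='y'";
    $result = mysql_query($sql, $db);
    if (!$result || !mysql_fetch_assoc($result)) {
        return FALSE;
    }

    $sql = "SELECT group_id FROM " . TABLE_PREFIX . "tests_groups WHERE test_id={$tid}";
    $result = mysql_query($sql, $db);
    if (!$result) {
        // A failed query must not look like "no groups" (mysql_num_rows(false) == 0).
        return FALSE;
    }
    if (mysql_num_rows($result) == 0) {
        // not limited to any group; everyone has access:
        return TRUE;
    }
    while ($group_row = mysql_fetch_assoc($result)) {
        $group_id = intval($group_row['group_id']);
        $sql = "SELECT * FROM " . TABLE_PREFIX . "groups_members WHERE group_id={$group_id} AND member_id={$member_id}";
        $result2 = mysql_query($sql, $db);
        if ($result2 && mysql_fetch_assoc($result2)) {
            return TRUE;
        }
    }

    //Check assistants privileges
    // TABLE_PREFIX rather than a hard-coded "at_" prefix, like every other query here.
    $sql = "SELECT privileges FROM " . TABLE_PREFIX . "course_enrollment WHERE member_id={$member_id} AND course_id={$course_id}";
    $result = mysql_query($sql, $db);
    if ($result && ($priv_row = mysql_fetch_array($result))) {
        $privileges = $priv_row[0];
        if (query_bit($privileges, AT_PRIV_GROUPS) && query_bit($privileges, AT_PRIV_TESTS)) {
            return TRUE;
        }
    }
    return FALSE;
}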
/**
 * Applies the formatting preferences registered for a field to a piece of text.
 *
 * Typical use is echo AC_print($input, $name); the function works on a copy of
 * $input and returns the transformed text (the parameter is not passed by
 * reference).  Preferences come from the global $_field_formatting, keyed by
 * field name with table_name.* as a wildcard fallback; a field with no entry
 * is returned untouched.
 *
 * @access  public
 * @param   string  $input         text to transform
 * @param   string  $name          field name, conventionally table_name.field_name
 * @param   boolean $runtime_html  false forces the non-HTML path ('<' escaping and
 *                                 nl2br) even for fields flagged AC_FORMAT_HTML
 * @return  string  transformed $input
 * @see     AC_FORMAT constants   in include/lib/constants.inc.php
 * @see     query_bit()           in include/vitals.inc.php
 * @author  Joel Kronenberg
 */
function AC_print($input, $name, $runtime_html = true)
{
    global $_field_formatting;

    // Resolve the formatting key: the exact field name first, then the table wildcard.
    $key = $name;
    if (!isset($_field_formatting[$key])) {
        list($table) = explode('.', $name);
        $key = $table . '.*';
        if (!isset($_field_formatting[$key])) {
            // nothing registered for this field: behaves like AC_FORMAT_NONE
            return $input;
        }
    }
    $format = $_field_formatting[$key];

    $text = $input;
    if (query_bit($format, AC_FORMAT_QUOTES)) {
        $text = str_replace('"', '&quot;', $text);
    }

    // Raw HTML fields skip the '<' escaping and line-break conversion, but only
    // when the caller allows HTML at runtime.
    $raw_html = query_bit($format, AC_FORMAT_HTML) && $runtime_html;
    if (!$raw_html) {
        $text = nl2br(str_replace('<', '&lt;', $text));
    }

    // AC_FORMAT_NONE fields get the escaping above but none of the rewrites below.
    if ($format === AC_FORMAT_NONE) {
        return $text;
    }

    if (query_bit($format, AC_FORMAT_EMOTICONS)) {
        $text = smile_replace($text);
    }

    // The remaining filters run on a space-padded copy and are trimmed afterwards.
    $padded_filters = array(
        array(AC_FORMAT_ATCODES, 'myCodes'),
        array(AC_FORMAT_LINKS, 'make_clickable'),
        array(AC_FORMAT_IMAGES, 'image_replace'),
    );
    foreach ($padded_filters as $entry) {
        list($flag, $filter) = $entry;
        if (query_bit($format, $flag)) {
            $text = trim($filter(' ' . $text . ' '));
        }
    }
    return $text;
}
<br />
		<table width="100%" border="0" cellspacing="5" cellpadding="0" summary="">
		<tr>
		<?php 
$count = 0;
// privileges is a bitmask; intval() so query_bit() below compares against an int
$this->student_row['privileges'] = intval($this->student_row['privileges']);
$module_list = $moduleFactory->getModules(AT_MODULE_STATUS_ENABLED, 0, TRUE);
$keys = array_keys($module_list);
foreach ($keys as $module_name) {
    $module =& $module_list[$module_name];
    // a privilege value of 0 or 1 means the module has no assignable privilege bit
    if (!($module->getPrivilege() > 1)) {
        continue;
    }
    $count++;
    // NOTE(review): $k is never assigned in this fragment; it presumably comes from
    // the enclosing scope (a per-student index?) — confirm, otherwise the checkbox
    // name degrades to "privs[][]".
    echo '<td><label><input type="checkbox" name="privs[' . $k . '][]" value="' . $module->getPrivilege() . '" ';
    // pre-check the box when the student already holds this privilege bit
    if (query_bit($this->student_row['privileges'], $module->getPrivilege())) {
        echo 'checked="checked"';
    }
    echo ' />' . $module->getName() . '</label></td>';
    // start a new table row after every num_cols cells
    if (!($count % $this->num_cols)) {
        echo '</tr><tr>';
    }
}
// pad the final row so it spans the full num_cols columns
if ($count % $this->num_cols) {
    echo '<td colspan="' . ($this->num_cols - $count % $this->num_cols) . '">&nbsp;</td>';
} else {
    echo '<td colspan="' . $this->num_cols . '">&nbsp;</td>';
}
?>
		</tr>
		</table>
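/**
 * Decides whether the current session member may take test $tid.
 *
 * Access is granted, in this order, to: course admins (authenticate() with
 * AT_PRIV_ADMIN); approved enrollees when the test is not restricted to any
 * group; members of one of the test's groups; assistants holding both the
 * groups and the tests privileges.  Anyone else is refused, and a query that
 * does not return a result set is treated as a refusal rather than as
 * "no restriction".
 *
 * @param int $tid test id
 * @return bool
 */
function authenticate_test($tid)
{
    if (authenticate(AT_PRIV_ADMIN, AT_PRIV_RETURN)) {
        return TRUE;
    }
    if (empty($_SESSION['enroll'])) {
        return FALSE;
    }
    $member_id = isset($_SESSION['member_id']) ? intval($_SESSION['member_id']) : 0;
    $course_id = isset($_SESSION['course_id']) ? intval($_SESSION['course_id']) : 0;

    // Must be an approved enrollee of the current course.
    $sql = "SELECT approved FROM %scourse_enrollment WHERE member_id=%d AND course_id=%d AND approved='y'";
    $result = queryDB($sql, array(TABLE_PREFIX, $member_id, $course_id), TRUE);
    if (empty($result)) {
        return FALSE;
    }

    $sql = "SELECT group_id FROM %stests_groups WHERE test_id=%d";
    $rows_groups = queryDB($sql, array(TABLE_PREFIX, intval($tid)));
    if (!is_array($rows_groups)) {
        // no result set at all (error) must not be mistaken for "no group restriction"
        return FALSE;
    }
    if (count($rows_groups) == 0) {
        // not limited to any group; everyone has access:
        return TRUE;
    }
    foreach ($rows_groups as $row) {
        $sql = "SELECT * FROM %sgroups_members WHERE group_id=%d AND member_id=%d";
        $rows_members = queryDB($sql, array(TABLE_PREFIX, $row['group_id'], $member_id));
        if (!empty($rows_members)) {
            return TRUE;
        }
    }

    //Check assistants privileges
    $sql = "SELECT privileges FROM %scourse_enrollment WHERE member_id=%d AND course_id=%d";
    $row_privileges = queryDB($sql, array(TABLE_PREFIX, $member_id, $course_id), TRUE);
    if (!empty($row_privileges)) {
        // Rows from queryDB() are read by column name elsewhere in this function
        // ($row['group_id']); list() would read offset 0 and miss the value, so pick
        // the column by name and fall back to offset 0 for a positional row.
        if (isset($row_privileges['privileges'])) {
            $privileges = $row_privileges['privileges'];
        } elseif (isset($row_privileges[0])) {
            $privileges = $row_privileges[0];
        } else {
            $privileges = 0;
        }
        if (query_bit($privileges, AT_PRIV_GROUPS) && query_bit($privileges, AT_PRIV_TESTS)) {
            return TRUE;
        }
    }
    return FALSE;
}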