Block page for unauthorized users.

chamilo · Apr 18, 2018 · 76fbb2b · 76fbb2b
1 parent fdc6933
commit 76fbb2b
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 5 deletions.
diff --git a/main/inc/ajax/myspace.ajax.php b/main/inc/ajax/myspace.ajax.php
@@ -7,6 +7,14 @@
 require_once __DIR__.'/../global.inc.php';
 $action = $_GET['a'];
 
+// Access restrictions.
+$is_allowedToTrack = api_is_platform_admin(true, true) ||
+    api_is_allowed_to_create_course() || api_is_course_tutor();
+
+if (!$is_allowedToTrack) {
+    exit;
+}
+
 switch ($action) {
     // At this date : 23/02/2017, a minor review can't determine where is used this case 'access_detail'
     case 'access_detail':

diff --git a/main/mySpace/access_details.php b/main/mySpace/access_details.php
@@ -18,6 +18,17 @@
 
 api_block_anonymous_users();
 
+
+// Access restrictions.
+$is_allowedToTrack = api_is_platform_admin(true, true) ||
+    api_is_allowed_to_create_course() || api_is_course_tutor();
+
+if (!$is_allowedToTrack) {
+    api_not_allowed(true);
+    exit;
+}
+
+
 // the section (for the tabs)
 $this_section = SECTION_TRACKING;
 

diff --git a/main/social/vcard_export.php b/main/social/vcard_export.php
@@ -14,6 +14,8 @@
 
 api_block_anonymous_users();
 
+api_protect_admin_script();
+
 if (isset($_REQUEST['userId'])) {
     $userId = intval($_REQUEST['userId']);
 } else {

diff --git a/main/tracking/courseLog.php b/main/tracking/courseLog.php
@@ -380,7 +380,6 @@ function(index) {
 
     $all_datas = [];
     $course_code = $_course['id'];
-
     $user_ids = array_keys($a_students);
 
     $table = new SortableTable(
@@ -390,7 +389,7 @@ function(index) {
         (api_is_western_name_order() xor api_sort_by_first_name()) ? 3 : 2
     );
 
-    $parameters['cidReq'] = Security::remove_XSS($_GET['cidReq']);
+    $parameters['cidReq'] = isset($_GET['cidReq']) ? Security::remove_XSS($_GET['cidReq']) : '';
     $parameters['id_session'] = $session_id;
     $parameters['from'] = isset($_GET['myspace']) ? Security::remove_XSS($_GET['myspace']) : null;
 

diff --git a/main/tracking/course_log_tools.php b/main/tracking/course_log_tools.php
@@ -22,11 +22,12 @@
 }
 
 // Access restrictions.
-$is_allowedToTrack = api_is_platform_admin() || api_is_allowed_to_create_course() ||
-    api_is_session_admin() || api_is_drh() || api_is_course_tutor();
+$is_allowedToTrack = api_is_platform_admin(true, true) ||
+    api_is_allowed_to_create_course() ||
+    api_is_course_tutor();
 
 if (!$is_allowedToTrack) {
-    api_not_allowed();
+    api_not_allowed(true);
     exit;
 }