From a7f8999e4898823fbbf9613d6a761d53073f8c6e Mon Sep 17 00:00:00 2001
From: Tom Reijnders
Date: Thu, 25 Mar 2021 11:50:58 +0100
Subject: [PATCH] First round of fixes of several vulnarabilities
- The vulnerabilities would enable unauthorized persons to modify data
in your Xerte Toolkits installation
Many thanks to Bauke Gehem, System admin at Summa College, Eindhoven, The
Netherlands
---
feedback.php | 4 +-
languages/en-GB/modules/xerte/peer.inc | 4 +-
languages/en-GB/peer.inc | 4 +-
.../website_code/php/peer/peer_review.inc | 4 +-
peer.php | 14 +-
show_peer.php | 2 +-
website_code/php/folder_library.php | 12 +
.../folder_content_template.php | 6 +
.../folderproperties/folder_rss_template.php | 6 +
.../folderproperties_template.php | 6 +
.../rename_folder_template.php | 5 +
.../php/folders/copy_to_new_folder.php | 6 +
website_code/php/folders/delete_folder.php | 6 +
website_code/php/folders/make_new_folder.php | 6 +
website_code/php/peer/peer_review.php | 15 +-
.../php/properties/access_change_template.php | 33 ++-
.../php/properties/delete_file_template.php | 9 +-
.../php/properties/gift_this_template.php | 182 +++++++-------
website_code/php/properties/lti_update.php | 234 +++++++++---------
.../properties/name_select_gift_template.php | 47 ++--
.../php/properties/name_select_template.php | 49 ++--
.../php/properties/notes_change_template.php | 28 ++-
website_code/php/properties/peer_template.php | 20 +-
.../properties/properties_default_engine.php | 67 ++---
.../php/properties/properties_library.php | 95 ++++---
website_code/php/properties/publish.php | 13 +-
.../properties/remove_sharing_template.php | 26 +-
.../php/properties/rename_template.php | 39 +--
.../php/properties/screen_size_template.php | 21 +-
.../set_sharing_rights_template.php | 17 +-
.../php/properties/share_this_template.php | 47 ++--
.../php/properties/tsugi_template.php | 11 +-
website_code/php/publish/publish_template.php | 3 +-
.../php/templates/duplicate_folder.php | 130 +++++-----
.../php/templates/general_templates.php | 6 +
.../php/templates/get_template_info.php | 55 ++--
.../php/versioncontrol/template_close.php | 3 +
.../php/versioncontrol/update_file.php | 6 +
.../update_dashboard_display_properties.php | 5 +-
website_code/scripts/peer.js | 9 +-
40 files changed, 729 insertions(+), 526 deletions(-)
diff --git a/feedback.php b/feedback.php
index e5fa5f5c8b..3f30f2ddd4 100644
--- a/feedback.php
+++ b/feedback.php
@@ -55,7 +55,8 @@ function show_peer_form($row, $retouremail)
-
+
@@ -105,7 +112,7 @@ function show_peer_login_form($mesg="")
if(!empty($query_for_peer_response)) {
- $query_for_play_content = "select otd.template_name, otd.parent_template, ld.username, otd.template_framework, tr.user_id, tr.folder, tr.template_id, td.access_to_whom, td.extra_flags";
+ $query_for_play_content = "select otd.template_name, otd.parent_template, ld.username, ld.surname, ld.firstname, otd.template_framework, tr.user_id, tr.folder, tr.template_id, td.access_to_whom, td.extra_flags";
$query_for_play_content .= " from " . $xerte_toolkits_site->database_table_prefix . "originaltemplatesdetails otd, " . $xerte_toolkits_site->database_table_prefix . "templaterights tr, " . $xerte_toolkits_site->database_table_prefix . "templatedetails td, " . $xerte_toolkits_site->database_table_prefix . "logindetails ld";
$query_for_play_content .= " where td.template_type_id = otd.template_type_id and td.creator_id = ld.login_id and tr.template_id = td.template_id and tr.template_id=" . $template_id . " and (role='creator' or role='co-author')";
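Review bot: The new select list on the `+` line extends a query whose WHERE clause (the unchanged last line of the hunk) still concatenates `$template_id` into the SQL string, so this statement remains string-built while the rest of the patch goes through `db_query_one` with placeholders. Where `$template_id` is assigned is outside the hunk; if it can originate from request data, the condition should become `tr.template_id=?` with the id passed in the parameter array. The identical string-built WHERE appears in the show_peer.php hunk below. The enclosing block starts outside the hunk.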
@@ -146,6 +153,7 @@ function show_peer_login_form($mesg="")
* Output the code
*/
$_SESSION['template_id'] = $template_id;
+ $_SESSION['retouremail'] = $retouremail;
show_peer_template_form($row_play, $retouremail);
}else{
show_peer_login_form(PEER_LOGON_FAIL);
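Review bot: `$_SESSION['retouremail'] = $retouremail;` stores the address that peer_review.php later hands straight to `mail()` (see its hunks below), but nothing visible validates it before it is trusted as a mail recipient; where `$retouremail` is assigned is outside this hunk. Moving the recipient into the session does stop it being swapped on the second request, yet if the value originally comes from the form it should be checked first, e.g. `if (filter_var($retouremail, FILTER_VALIDATE_EMAIL) === false) { show_peer_login_form(PEER_LOGON_FAIL); return; }` ahead of this assignment. The enclosing block starts outside the hunk.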
diff --git a/show_peer.php b/show_peer.php
index ec34b22ae7..155d26b65e 100644
--- a/show_peer.php
+++ b/show_peer.php
@@ -53,7 +53,7 @@
if(!empty($query_for_peer_response)) {
- $query_for_play_content = "select otd.template_name, otd.parent_template, ld.username, otd.template_framework, tr.user_id, tr.folder, tr.template_id, td.access_to_whom, td.extra_flags";
+ $query_for_play_content = "select otd.template_name, otd.parent_template, ld.username, otd.template_framework, tr.user_id, tr.folder, tr.template_id, td.access_to_whom, td.date_modified, td.extra_flags";
$query_for_play_content .= " from " . $xerte_toolkits_site->database_table_prefix . "originaltemplatesdetails otd, " . $xerte_toolkits_site->database_table_prefix . "templaterights tr, " . $xerte_toolkits_site->database_table_prefix . "templatedetails td, " . $xerte_toolkits_site->database_table_prefix . "logindetails ld";
$query_for_play_content .= " where td.template_type_id = otd.template_type_id and td.creator_id = ld.login_id and tr.template_id = td.template_id and tr.template_id=" . $template_id . " and (role='creator' or role='co-author')";
diff --git a/website_code/php/folder_library.php b/website_code/php/folder_library.php
index cbc8f1ffa8..ee3cfd9b33 100644
--- a/website_code/php/folder_library.php
+++ b/website_code/php/folder_library.php
@@ -196,3 +196,15 @@ function move_folder($folder_id,$destination)
}
}
+function has_rights_to_this_folder($folder_id, $user_id){
+ global $xerte_toolkits_site;
+ $query = "select * from {$xerte_toolkits_site->database_table_prefix}folderdetails where login_id=? AND folder_id = ?";
+ $result = db_query_one($query, array($user_id, $folder_id));
+
+ if(!empty($result)) {
+ return true;
+ }
+ return false;
+}
+
+
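Review bot: `has_rights_to_this_folder` runs `select *` and then returns through a two-branch `if` where a single expression does the same; `select folder_id from ...` plus `return !empty($result);` reads more directly and does not fetch every column for an existence test. The function also carries no docblock; a header such as `/** True when folder $folder_id is owned by login $user_id (matched on folderdetails.login_id); admin rights are not considered. */` tells callers exactly what it covers. None of the other hunks in this patch call the new helper as far as the visible lines show, so it is worth confirming the folder endpoints actually use it.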
diff --git a/website_code/php/folderproperties/folder_content_template.php b/website_code/php/folderproperties/folder_content_template.php
index d54756d63c..f82407dbaf 100644
--- a/website_code/php/folderproperties/folder_content_template.php
+++ b/website_code/php/folderproperties/folder_content_template.php
@@ -35,6 +35,12 @@
include "../display_library.php";
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+ _debug("Session is invalid or expired");
+ die("Session is invalid or expired");
+}
+
/**
* connect to the database
*/
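Review bot: The five-line session guard added here is pasted verbatim into folder_rss_template.php, folderproperties_template.php, rename_folder_template.php, copy_to_new_folder.php, delete_folder.php, make_new_folder.php, access_change_template.php, delete_file_template.php, gift_this_template.php and lti_update.php; one helper (for instance `function require_logged_in_user()` in a library these scripts already include) would keep the check in a single place and make it harder for the next endpoint to omit it. `die("Session is invalid or expired")` also answers with HTTP 200, so an AJAX caller cannot tell it apart from a normal response; `http_response_code(403);` before the `die` gives the client a status it can act on. The hard-coded English text could reuse the `_load_language_file` mechanism the surrounding scripts use, though that is cosmetic.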
diff --git a/website_code/php/folderproperties/folder_rss_template.php b/website_code/php/folderproperties/folder_rss_template.php
index c5424ecf11..944e7904e9 100644
--- a/website_code/php/folderproperties/folder_rss_template.php
+++ b/website_code/php/folderproperties/folder_rss_template.php
@@ -33,6 +33,12 @@
include "../url_library.php";
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+ _debug("Session is invalid or expired");
+ die("Session is invalid or expired");
+}
+
//connect to the database
$parameters = explode("_", $_POST['folder_id']);
diff --git a/website_code/php/folderproperties/folderproperties_template.php b/website_code/php/folderproperties/folderproperties_template.php
index 8141658e35..71006b9318 100644
--- a/website_code/php/folderproperties/folderproperties_template.php
+++ b/website_code/php/folderproperties/folderproperties_template.php
@@ -33,6 +33,12 @@
include "../url_library.php";
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+ _debug("Session is invalid or expired");
+ die("Session is invalid or expired");
+}
+
//connect to the database
if(is_numeric($_POST['folder_id'])){
diff --git a/website_code/php/folderproperties/rename_folder_template.php b/website_code/php/folderproperties/rename_folder_template.php
index dc525ff68d..a372a117e1 100644
--- a/website_code/php/folderproperties/rename_folder_template.php
+++ b/website_code/php/folderproperties/rename_folder_template.php
@@ -32,6 +32,11 @@
_load_language_file("/website_code/php/folderproperties/folderproperties_template.inc");
_load_language_file("/website_code/php/folderproperties/rename_folder_template.inc");
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+ _debug("Session is invalid or expired");
+ die("Session is invalid or expired");
+}
if(is_numeric($_POST['folder_id'])&&is_string($_POST['folder_name'])){
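Review bot: The added guard only establishes that someone is logged in; the rename below still takes `$_POST['folder_id']` with no visible check that the folder belongs to the current account, and the same holds for the `move_folder`, `delete_folder` and `make_new_folder` calls in copy_to_new_folder.php, delete_folder.php and make_new_folder.php. The patch introduces `has_rights_to_this_folder($folder_id, $user_id)` in folder_library.php for exactly this purpose, but none of these hunks call it, and whether the library functions check ownership internally is not visible here. If they do not, each endpoint should gate the call, e.g. `if (!has_rights_to_this_folder($_POST['folder_id'], $login_id)) { http_response_code(403); die("Access denied"); }` where `$login_id` is the current user's numeric login id from the session (the key holding it is not shown in this patch). The `if` block that starts on this line continues outside the hunk.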
diff --git a/website_code/php/folders/copy_to_new_folder.php b/website_code/php/folders/copy_to_new_folder.php
index b31facf459..8946305c24 100644
--- a/website_code/php/folders/copy_to_new_folder.php
+++ b/website_code/php/folders/copy_to_new_folder.php
@@ -30,6 +30,12 @@
require_once('../../../config.php');
include '../folder_library.php';
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+ _debug("Session is invalid or expired");
+ die("Session is invalid or expired");
+}
+
if (isset($_POST['folder_id']))
{
move_folder($_POST['folder_id'], $_POST['destination']);
diff --git a/website_code/php/folders/delete_folder.php b/website_code/php/folders/delete_folder.php
index ac200535d7..28b6fed702 100644
--- a/website_code/php/folders/delete_folder.php
+++ b/website_code/php/folders/delete_folder.php
@@ -30,6 +30,12 @@
require_once('../../../config.php');
include "../folder_library.php";
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+ _debug("Session is invalid or expired");
+ die("Session is invalid or expired");
+}
+
delete_folder($_POST['folder_id']);
?>
diff --git a/website_code/php/folders/make_new_folder.php b/website_code/php/folders/make_new_folder.php
index a17622c246..721cbe75e1 100644
--- a/website_code/php/folders/make_new_folder.php
+++ b/website_code/php/folders/make_new_folder.php
@@ -30,4 +30,10 @@
require_once("../../../config.php");
include '../folder_library.php';
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+ _debug("Session is invalid or expired");
+ die("Session is invalid or expired");
+}
+
make_new_folder($_POST['folder_id'],$_POST['folder_name']);
diff --git a/website_code/php/peer/peer_review.php b/website_code/php/peer/peer_review.php
index a74f6735f6..f1c078b33d 100644
--- a/website_code/php/peer/peer_review.php
+++ b/website_code/php/peer/peer_review.php
@@ -30,22 +30,22 @@
_load_language_file("/website_code/php/peer/peer_review.inc");
-if(empty($_POST['template_id'])) {
+if(empty($_SESSION['template_id'])) {
die("invalid form submission");
}
$query_for_file_name = "select template_name from {$xerte_toolkits_site->database_table_prefix}templatedetails where template_id =?";
-$row_template_name = db_query_one($query_for_file_name, array($_POST['template_id']));
+$row_template_name = db_query_one($query_for_file_name, array($_SESSION['template_id']));
$query_for_access_to_whom = "select access_to_whom from {$xerte_toolkits_site->database_table_prefix}templatedetails where template_id =?";
-$row_access_to_whom = db_query_one($query_for_access_to_whom, array($_POST['template_id']));
+$row_access_to_whom = db_query_one($query_for_access_to_whom, array($_SESSION['template_id']));
$access=$row_access_to_whom["access_to_whom"];
$headers = get_email_headers();
-if(isset($_POST['retouremail'])){
+if(isset($_SESSION['retouremail'])){
if($xerte_toolkits_site->apache=="true") {
$playstring = "peerreview_";
@@ -59,12 +59,15 @@
}
}
+ $identification = PEER_REVIEW_IDENTIFICATION;
+ $identification = str_replace("{template_id}", $_SESSION['template_id'], $identification);
+ $identification = str_replace("{url}", $xerte_toolkits_site->site_url, $identification);
$subject = PEER_REVIEW_FEEDBACK . " - \"" . str_replace("_"," ",$row_template_name['template_name']) ."\"";
- $message = PEER_REVIEW_EMAIL_GREETING . "
" . PEER_REVIEW_EMAIL_INTRO . " ". str_replace("_"," ",$row_template_name['template_name']) ."."."
" . $xerte_toolkits_site->site_url . $playstring . $_POST['template_id'] . " " . str_replace("\n", "
\n", $_POST['feedback']) . "
" . PEER_REVIEW_EMAIL_YOURS . "
" . PEER_REVIEW_EMAIL_SIGNATURE;
+ $message = PEER_REVIEW_EMAIL_GREETING . "
" . PEER_REVIEW_EMAIL_INTRO . " ". str_replace("_"," ",$row_template_name['template_name']) ."."."
" . $xerte_toolkits_site->site_url . $playstring . $_SESSION['template_id'] . " " . str_replace("\n", "
\n", $_POST['feedback']) . "
" . PEER_REVIEW_EMAIL_YOURS . "
" . PEER_REVIEW_EMAIL_SIGNATURE . "
" . $identification;
- if(mail( $_POST['retouremail'], $subject, $message, $headers)){
+ if(mail( $_SESSION['retouremail'], $subject, $message, $headers)){
echo "
" . PEER_REVIEW_USER_FEEDBACK . " ";
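Review bot: Once `mail($_SESSION['retouremail'], ...)` has succeeded the session still holds `template_id` and `retouremail`, so a further POST to this script re-sends the feedback mail to the same address without going back through feedback.php; if nothing else relies on these two keys, `unset($_SESSION['retouremail'], $_SESSION['template_id']);` inside the success branch limits the script to one send per peer login. `$_POST['feedback']` still goes into the body unchecked, which is acceptable for a plain-text body but deserves a length cap. The new `$identification` block would read better with a one-line comment such as `// language string with {template_id} and {url} placeholders, substituted below`. The success branch continues outside the hunk.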
diff --git a/website_code/php/properties/access_change_template.php b/website_code/php/properties/access_change_template.php
index f618a49230..3d136580f8 100644
--- a/website_code/php/properties/access_change_template.php
+++ b/website_code/php/properties/access_change_template.php
@@ -34,6 +34,12 @@
include "properties_library.php";
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+ _debug("Session is invalid or expired");
+ die("Session is invalid or expired");
+}
+
/**
*
* Function template share status
@@ -64,21 +70,22 @@ function template_share_status($string){
* Update the database setting
*/
$prefix = $xerte_toolkits_site->database_table_prefix;
+if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()) {
+ $query = "UPDATE {$prefix}templatedetails SET access_to_whom = ? WHERE template_id = ?";
+ if (isset($_POST['server_string'])) {
+ $access_to_whom = $_POST['access'] . '-' . $_POST['server_string'];
+ } else {
+ $access_to_whom = $_POST['access'];
+ }
- $query = "UPDATE {$prefix}templatedetails SET access_to_whom = ? WHERE template_id = ?";
-if(isset($_POST['server_string'])){
- $access_to_whom = $_POST['access'] . '-' . $_POST['server_string'];
-}else{
- $access_to_whom = $_POST['access'];
-}
-
-$params = array($access_to_whom, $_POST['template_id']);
-$ok = db_query($query, $params);
+ $params = array($access_to_whom, $_POST['template_id']);
+ $ok = db_query($query, $params);
-if($ok === false) {
- access_display_fail();
+ if ($ok === false) {
+ access_display_fail();
-}else {
+ } else {
- access_display($xerte_toolkits_site, true);
+ access_display($xerte_toolkits_site, true);
+ }
}
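Review bot: When `is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()` is false the script falls through and emits nothing, so the caller receives an empty 200 response instead of the `access_display_fail()` it gets for a database error; adding `} else { access_display_fail(); }` (or an explicit 403) to the outer `if` keeps the two failure paths consistent. `$_POST['access']` and `$_POST['server_string']` are still written into `access_to_whom` without being checked against the set of values the rest of the code expects; `template_share_status` in this file (named in the hunk header) looks like the place that knows the valid values, but its body is outside the hunk.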
diff --git a/website_code/php/properties/delete_file_template.php b/website_code/php/properties/delete_file_template.php
index c6ab44f24c..5ac42a692d 100644
--- a/website_code/php/properties/delete_file_template.php
+++ b/website_code/php/properties/delete_file_template.php
@@ -31,12 +31,11 @@
include "../error_library.php";
include "../../../config.php";
-/** XXX/ TODO SECURITY HOLE - NEED TO CHECK $_POST['file'] IS VALID */
-
-if(!isset($_SESSION['toolkits_logon_username'])) {
- die("Sorry; you can't delete this without being logged in.");
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+ _debug("Session is invalid or expired");
+ die("Session is invalid or expired");
}
-
if(unlink(urldecode($_POST['file']))){
receive_message($_SESSION['toolkits_logon_username'], "FILE", "SUCCESS", "The file " . $_POST['file'] . "has been deleted", "User " . $_SESSION['toolkits_logon_username'] . " has deleted " . $_POST['file']);
}else{
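Review bot: The `-` lines drop the `XXX/ TODO SECURITY HOLE - NEED TO CHECK $_POST['file'] IS VALID` marker, but the `unlink(urldecode($_POST['file']))` it referred to is unchanged on the next line, so the patch removes the warning without adding the check; being logged in (the new guard) does not establish that the caller may delete that particular path. At minimum the TODO should stay; the actual fix is to resolve the path and require it to lie inside the users' file area before unlinking, and ideally to tie it to a template the user has rights to (the patch's `is_user_creator_or_coauthor` check would fit once a template id is posted). The fence below assumes `$xerte_toolkits_site` is in scope from config.php as in the sibling scripts.
```php
$base = realpath($xerte_toolkits_site->root_file_path . $xerte_toolkits_site->users_file_area_short);
$target = realpath(urldecode($_POST['file']));
// refuse anything that does not resolve to an existing file under the users' file area
if ($base === false || $target === false || !is_file($target)
    || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    _debug("Refused file deletion outside the users file area");
    die("invalid file");
}
if(unlink($target)){
// … unchanged: receive_message calls …
```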
diff --git a/website_code/php/properties/gift_this_template.php b/website_code/php/properties/gift_this_template.php
index b988a17067..e5b06819cd 100644
--- a/website_code/php/properties/gift_this_template.php
+++ b/website_code/php/properties/gift_this_template.php
@@ -80,6 +80,14 @@ function copy_loop($start_path, $final_path){
_load_language_file("/website_code/php/properties/gift_this_template.inc");
include "../template_library.php";
+include "../template_status.php";
+
+
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+ _debug("Session is invalid or expired");
+ die("Session is invalid or expired");
+}
/**
* Check id is numeric
@@ -87,131 +95,133 @@ function copy_loop($start_path, $final_path){
if(is_numeric($_POST['tutorial_id'])){
- $tutorial_id = (int) $_POST['tutorial_id'];
-
- $user_id = (int) $_POST['user_id'];
+ if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()){
+ $tutorial_id = (int)$_POST['tutorial_id'];
- /**
- * Giving a copy, or giving it away
- */
-
- if($_POST['action']=="give"){
+ $user_id = (int)$_POST['user_id'];
/**
- * Giving it away
+ * Giving a copy, or giving it away
*/
- $database_id=database_connect("gift sharing database connect success","gift sharing database connect failed");
+ if ($_POST['action'] == "give") {
- $prefix = $xerte_toolkits_site->database_table_prefix;
-
- $query_for_rename = "select * from {$prefix}logindetails, {$prefix}templatedetails, {$prefix}originaltemplatesdetails "
- . "where {$prefix}templatedetails.template_type_id = {$prefix}originaltemplatesdetails.template_type_id and"
- . " template_id = ? and "
- . " login_id = creator_id";
-
- $row_rename = db_query_one($query_for_rename, array($tutorial_id));
-
+ /**
+ * Giving it away
+ */
- /**
- * Update the database
- */
+ $database_id = database_connect("gift sharing database connect success", "gift sharing database connect failed");
- $query_to_gift = "update {$prefix}templatedetails set creator_id = ? WHERE template_id = ?";
- $params = array($user_id, $tutorial_id);
+ $prefix = $xerte_toolkits_site->database_table_prefix;
- $ok = db_query($query_to_gift, $params);
-
- $query_for_root_folder = "select folder_id from {prefix}folderdetails where login_id= ? and folder_name != ?";
- $params = array($user_id, 'recyclebin');
+ $query_for_rename = "select * from {$prefix}logindetails, {$prefix}templatedetails, {$prefix}originaltemplatesdetails "
+ . "where {$prefix}templatedetails.template_type_id = {$prefix}originaltemplatesdetails.template_type_id and"
+ . " template_id = ? and "
+ . " login_id = creator_id";
- $row_folder = db_query_one($query_for_root_folder, $params);
-
-
- $query_to_gift = "update {$prefix}templaterights set user_id = ?, folder = ? WHERE template_id = ?";
- $params = array($user_id, $row_folder['folder_id'], $tutorial_id);
-
- db_query($query_to_gift, $params);
+ $row_rename = db_query_one($query_for_rename, array($tutorial_id));
-
- $query_for_new_login = "select username from {$prefix}logindetails where login_id= ? ";
-
- $row_new_login = db_query_one($query_for_new_login, array($user_id));
+ /**
+ * Update the database
+ */
- $base_path = $xerte_toolkits_site->root_file_path . $xerte_toolkits_site->users_file_area_short;
+ $query_to_gift = "update {$prefix}templatedetails set creator_id = ? WHERE template_id = ?";
+ $params = array($user_id, $tutorial_id);
- /**
- * Rename the folder where the template is
- */
+ $ok = db_query($query_to_gift, $params);
- rename($base_path . $tutorial_id . "-" . $row_rename['username'] . "-" . $row_rename['template_name'] . "/", $base_path . $tutorial_id . "-" . $row_new_login['username'] . "-" . $row_rename['template_name'] . "/");
+ $query_for_root_folder = "select folder_id from {prefix}folderdetails where login_id= ? and folder_name != ?";
+ $params = array($user_id, 'recyclebin');
- echo "
" . GIFT_RESPONSE_FAIL . "
";
+ $row_folder = db_query_one($query_for_root_folder, $params);
- }else{
- /**
- * Giving away a duplicate
- */
- $prefix = $xerte_toolkits_site->database_table_prefix;
+ $query_to_gift = "update {$prefix}templaterights set user_id = ?, folder = ? WHERE template_id = ?";
+ $params = array($user_id, $row_folder['folder_id'], $tutorial_id);
+
+ db_query($query_to_gift, $params);
+
+
+ $query_for_new_login = "select username from {$prefix}logindetails where login_id= ? ";
- $database_id=database_connect("Template sharing rights database connect success","Template sharing rights database connect failed");
+ $row_new_login = db_query_one($query_for_new_login, array($user_id));
- $query_for_currentdetails = "select *,{$prefix}templatedetails.template_name AS actual_name FROM "
- . "{$prefix}templatedetails, {$prefix}originaltemplatesdetails where "
- . "template_id= ? AND {$prefix}originaltemplatesdetails.template_type_id = {$prefix}templatedetails.template_type_id";
- $params = array($tutorial_id);
-
- $row_currentdetails = db_query_one($query_for_currentdetails, $params);
+ $base_path = $xerte_toolkits_site->root_file_path . $xerte_toolkits_site->users_file_area_short;
- $creation_query = "INSERT INTO {$prefix}templatedetails "
- . "(creator_id, template_type_id,template_name,date_created,date_modified,date_accessed,number_of_uses,access_to_whom,extra_flags) "
- . " VALUES (?,?,?,?,?,?,?,?,?)";
- $params = array($user_id, $row_currentdetails['template_type_id'], $row_currentdetails['actual_name'], date('Y-m-d'), date('Y-m-d'), date('Y-m-d'),0,"Private",$row_currentdetails['extra_flags']);
+ /**
+ * Rename the folder where the template is
+ */
- $new_template_id = db_query($creation_query, $params);
-
- $query_for_currentrights = "select * from {$prefix}templaterights where template_id = ?";
- $params = array($tutorial_id);
+ rename($base_path . $tutorial_id . "-" . $row_rename['username'] . "-" . $row_rename['template_name'] . "/", $base_path . $tutorial_id . "-" . $row_new_login['username'] . "-" . $row_rename['template_name'] . "/");
- $row_currentrights = db_query_one($query_for_currentdetails, $params);
+ echo "
" . GIFT_RESPONSE_FAIL . "
";
- $query_for_root_folder = "select folder_id from {$prefix}folderdetails where login_id= ? AND folder_name != ? AND folder_parent=0";
- $params = array($user_id, 'recyclebin');
+ } else {
- $row_folder = db_query_one($query_for_root_folder, $params);
-
- $create_rights_query = "INSERT INTO {$prefix}templaterights (template_id, user_id, role,folder,notes) VALUES (?,?,?,?,?)";
- $params = array($new_template_id, $user_id, "creator", $row_folder['folder_id'], '');
+ /**
+ * Giving away a duplicate
+ */
+ $prefix = $xerte_toolkits_site->database_table_prefix;
- db_query($create_rights_query, $params);
-
+ $database_id = database_connect("Template sharing rights database connect success", "Template sharing rights database connect failed");
- $query_for_new_login = "select firstname, surname, username from {$prefix}logindetails where login_id= ?";
- $params = array($user_id);
+ $query_for_currentdetails = "select *,{$prefix}templatedetails.template_name AS actual_name FROM "
+ . "{$prefix}templatedetails, {$prefix}originaltemplatesdetails where "
+ . "template_id= ? AND {$prefix}originaltemplatesdetails.template_type_id = {$prefix}templatedetails.template_type_id";
-
- $row_new_login = db_query_one($query_for_new_login, $params);
+ $params = array($tutorial_id);
- $new_directory = $xerte_toolkits_site->root_file_path . $xerte_toolkits_site->users_file_area_short .
+ $row_currentdetails = db_query_one($query_for_currentdetails, $params);
+
+ $creation_query = "INSERT INTO {$prefix}templatedetails "
+ . "(creator_id, template_type_id,template_name,date_created,date_modified,date_accessed,number_of_uses,access_to_whom,extra_flags) "
+ . " VALUES (?,?,?,?,?,?,?,?,?)";
+ $params = array($user_id, $row_currentdetails['template_type_id'], $row_currentdetails['actual_name'], date('Y-m-d'), date('Y-m-d'), date('Y-m-d'), 0, "Private", $row_currentdetails['extra_flags']);
+
+ $new_template_id = db_query($creation_query, $params);
+
+ $query_for_currentrights = "select * from {$prefix}templaterights where template_id = ?";
+ $params = array($tutorial_id);
+
+ $row_currentrights = db_query_one($query_for_currentdetails, $params);
+
+ $query_for_root_folder = "select folder_id from {$prefix}folderdetails where login_id= ? AND folder_name != ? AND folder_parent=0";
+ $params = array($user_id, 'recyclebin');
+
+ $row_folder = db_query_one($query_for_root_folder, $params);
+
+ $create_rights_query = "INSERT INTO {$prefix}templaterights (template_id, user_id, role,folder,notes) VALUES (?,?,?,?,?)";
+ $params = array($new_template_id, $user_id, "creator", $row_folder['folder_id'], '');
+
+ db_query($create_rights_query, $params);
+
+
+ $query_for_new_login = "select firstname, surname, username from {$prefix}logindetails where login_id= ?";
+ $params = array($user_id);
+
+
+ $row_new_login = db_query_one($query_for_new_login, $params);
+
+ $new_directory = $xerte_toolkits_site->root_file_path . $xerte_toolkits_site->users_file_area_short .
$new_template_id . "-" . $row_new_login['username'] . "-" . $row_currentdetails['template_name'] . "/";
- mkdir($new_directory);
+ mkdir($new_directory);
- chmod($new_directory,0777);
+ chmod($new_directory, 0777);
- mkdir($new_directory . "media/");
+ mkdir($new_directory . "media/");
- chmod($new_directory . "media/" ,0777);
+ chmod($new_directory . "media/", 0777);
- $current_directory = $xerte_toolkits_site->root_file_path . $xerte_toolkits_site->users_file_area_short . $tutorial_id . "-" . $_SESSION['toolkits_logon_username'] . "-" . $row_currentdetails['template_name'] . "/";
+ $current_directory = $xerte_toolkits_site->root_file_path . $xerte_toolkits_site->users_file_area_short . $tutorial_id . "-" . $_SESSION['toolkits_logon_username'] . "-" . $row_currentdetails['template_name'] . "/";
- copy_loop($current_directory, $new_directory);
+ copy_loop($current_directory, $new_directory);
- echo "
" . GIFT_RESPONSE_SUCCESS . " " . $row_new_login['firstname'] . " " . $row_new_login['surname'] . " (" . $row_new_login['username'] . ")
" . GIFT_RESPONSE_NAMES . "
";
+ echo "
" . GIFT_RESPONSE_SUCCESS . " " . $row_new_login['firstname'] . " " . $row_new_login['surname'] . " (" . $row_new_login['username'] . ")
" . GIFT_RESPONSE_NAMES . "
";
+ }
}
}
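Review bot: The rights check on the new `if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin())` line is made on `$_POST['template_id']`, while everything inside the branch (the `creator_id` update, the `templaterights` update, the directory rename, the duplicate creation) operates on `$tutorial_id = (int)$_POST['tutorial_id']`; unless the form posts the same value under both names, the check guards a different template than the one being gifted and should read `is_user_creator_or_coauthor($_POST['tutorial_id'])`. Two defects are carried onto the `+` side unchanged: `select folder_id from {prefix}folderdetails` lacks the `$` in `{$prefix}`, so the table name is literal, and `$row_currentrights = db_query_one($query_for_currentdetails, $params);` runs the details query instead of the `$query_for_currentrights` built just above it. There is no `else` for a failed rights check, so an unauthorised request gets an empty page rather than `GIFT_RESPONSE_FAIL`. `chmod($new_directory, 0777)` also makes the new template directory world-writable; 0775 or the server's umask is normally enough.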
diff --git a/website_code/php/properties/lti_update.php b/website_code/php/properties/lti_update.php
index e9404f9e4c..809378e0b2 100644
--- a/website_code/php/properties/lti_update.php
+++ b/website_code/php/properties/lti_update.php
@@ -3,8 +3,15 @@
require_once("../../../config.php");
require_once "properties_library.php";
+
global $xerte_toolkits_site;
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+ _debug("Session is invalid or expired");
+ die("Session is invalid or expired");
+}
+
$tsugi_installed = false;
if (file_exists($xerte_toolkits_site->tsugi_dir)) {
if ($xerte_toolkits_site->authentication_method == "Moodle") {
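Review bot: The guard is placed before any POST data is read, but this file's second hunk (which runs past the end of this view) keeps `_debug("Data init " . print_r($_POST, true));`, which writes the submitted `tsugi_secret`, `tsugi_key` and `tsugi_xapi_password` fields to the debug log in clear; log only the field names, e.g. `_debug("Data init " . print_r(array_keys($_POST), true));`, or mask those three entries before printing. In the same hunk `tsugi_xapi_student_id_mode` and `dashboard_urls` are taken from `$_POST` without the `htmlspecialchars` applied to the neighbouring fields, and the rights check uses `$_POST['template_id']` while the launch URLs are built from a `$template_id` whose origin is not visible here. The script-level `global $xerte_toolkits_site;` above the guard is a no-op at file scope and could be dropped.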
@@ -26,140 +33,143 @@
{
tsugi_display_fail();
}
-if ($tsugi_installed) {
- $tsugi_publish = isset($_POST["tsugi_published"]) && $_POST["tsugi_published"] == "true";
-}
-$lti_def = new stdClass();
-$lti_def->tsugi_installed = $tsugi_installed;
-$lti_def->secret = (isset($_POST["tsugi_secret"]) ? htmlspecialchars($_POST["tsugi_secret"]) : "");
-$lti_def->key = (isset($_POST["tsugi_key"]) ? htmlspecialchars($_POST["tsugi_key"]) : "");
-$lti_def->title = (isset($_POST["tsugi_title"]) ? htmlspecialchars($_POST["tsugi_title"]) : "");
-$lti_def->xapi_enabled = isset($_POST["tsugi_xapi"]) && $_POST["tsugi_xapi"] == "true";
-$lti_def->published = isset($_POST["tsugi_published"]) && $_POST["tsugi_published"] == "true";
-$lti_def->tsugi_url = $xerte_toolkits_site->site_url . "lti_launch.php?template_id=" . $template_id;
-$lti_def->url = $xerte_toolkits_site->site_url . "lti_launch.php?template_id=" . $template_id;
-$lti_def->xapionly_url = $xerte_toolkits_site->site_url . "xapi_launch.php?template_id=" . $template_id . "&group=groupname";
-$lti_def->xapi_useglobal = isset($_POST["tsugi_xapi_useglobal"]) && $_POST["tsugi_xapi_useglobal"] == "true";
-$lti_def->xapi_endpoint = (isset($_POST["tsugi_xapi_endpoint"]) ? htmlspecialchars($_POST["tsugi_xapi_endpoint"]) : "");
-$lti_def->xapi_username = (isset($_POST["tsugi_xapi_username"]) ? htmlspecialchars($_POST["tsugi_xapi_username"]) : "");
-$lti_def->xapi_password = (isset($_POST["tsugi_xapi_password"]) ? htmlspecialchars($_POST["tsugi_xapi_password"]) : "");
-$lti_def->xapi_student_id_mode = (isset($_POST["tsugi_xapi_student_id_mode"]) ? $_POST["tsugi_xapi_student_id_mode"] : "");
-$lti_def->dashboard_urls = (isset($_POST["dashboard_urls"]) ? $_POST["dashboard_urls"] : "");
+if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()){
+ if ($tsugi_installed) {
+ $tsugi_publish = isset($_POST["tsugi_published"]) && $_POST["tsugi_published"] == "true";
+ }
+ $lti_def = new stdClass();
+ $lti_def->tsugi_installed = $tsugi_installed;
+ $lti_def->secret = (isset($_POST["tsugi_secret"]) ? htmlspecialchars($_POST["tsugi_secret"]) : "");
+ $lti_def->key = (isset($_POST["tsugi_key"]) ? htmlspecialchars($_POST["tsugi_key"]) : "");
+ $lti_def->title = (isset($_POST["tsugi_title"]) ? htmlspecialchars($_POST["tsugi_title"]) : "");
+ $lti_def->xapi_enabled = isset($_POST["tsugi_xapi"]) && $_POST["tsugi_xapi"] == "true";
+ $lti_def->published = isset($_POST["tsugi_published"]) && $_POST["tsugi_published"] == "true";
+ $lti_def->tsugi_useglobal = isset($_POST["tsugi_useglobal"]) && $_POST["tsugi_useglobal"] == "true";
+ $lti_def->tsugi_privateonly = isset($_POST["tsugi_useprivateonly"]) && $_POST["tsugi_useprivateonly"] == "true";
+ $lti_def->tsugi_url = $xerte_toolkits_site->site_url . "lti_launch.php?template_id=" . $template_id;
+ $lti_def->url = $xerte_toolkits_site->site_url . "lti_launch.php?template_id=" . $template_id;
+ $lti_def->xapionly_url = $xerte_toolkits_site->site_url . "xapi_launch.php?template_id=" . $template_id . "&group=groupname";
+ $lti_def->xapi_useglobal = isset($_POST["tsugi_xapi_useglobal"]) && $_POST["tsugi_xapi_useglobal"] == "true";
+ $lti_def->xapi_endpoint = (isset($_POST["tsugi_xapi_endpoint"]) ? htmlspecialchars($_POST["tsugi_xapi_endpoint"]) : "");
+ $lti_def->xapi_username = (isset($_POST["tsugi_xapi_username"]) ? htmlspecialchars($_POST["tsugi_xapi_username"]) : "");
+ $lti_def->xapi_password = (isset($_POST["tsugi_xapi_password"]) ? htmlspecialchars($_POST["tsugi_xapi_password"]) : "");
+ $lti_def->xapi_student_id_mode = (isset($_POST["tsugi_xapi_student_id_mode"]) ? $_POST["tsugi_xapi_student_id_mode"] : "");
+ $lti_def->dashboard_urls = (isset($_POST["dashboard_urls"]) ? $_POST["dashboard_urls"] : "");
// Force groupmode
-if (!$tsugi_installed)
-{
- $lti_def->xapi_student_id_mode = 3;
-}
+ if (!$tsugi_installed) {
+ $lti_def->xapi_student_id_mode = 3;
+ }
+
+ if ($lti_def->xapi_student_id_mode == 3) {
+ $lti_def->url .= "&group=groupname";
+ }
+
+ if ($tsugi_installed) {
+ $PDOX = LTIX::getConnection();
+ $p = $CFG->dbprefix;
+ $xp = $xerte_toolkits_site->database_table_prefix;
+ _debug("Data init " . print_r($_POST, true));
+ $url = $xerte_toolkits_site->site_url . "lti_launch.php?template_id=" . $template_id;
+ _debug("Detele " . $url);
-if ($lti_def->xapi_student_id_mode == 3)
-{
- $lti_def->url .= "&group=groupname";
-}
-if ($tsugi_installed) {
- $PDOX = LTIX::getConnection();
- $p = $CFG->dbprefix;
- $xp = $xerte_toolkits_site->database_table_prefix;
- _debug("Data init " . print_r($_POST, true));
- $url = $xerte_toolkits_site->site_url . "lti_launch.php?template_id=" . $template_id;
- _debug("Detele " . $url);
+ /*
+ if ($tsugi_publish) {
+ $rows = $PDOX->allRowsDie("SELECT * FROM {$p}lti_key k, {$p}lti_context c, {$p}lti_link l WHERE k.key_sha256 = :KEY and c.key_id = k.key_id and l.context_id=c.context_id and l.path != :URL", array(
+ ':KEY' => lti_sha256($lti_def->key),
+ ':URL' => $lti_def->tsugi_url));
+ if (count($rows) > 0) {
+ $mesg = "Key already in use, use another key.";
+ tsugi_display($template_id, $lti_def, $mesg);
+ exit;
+ }
- /*
- if ($tsugi_publish) {
+ }
+ */
- $rows = $PDOX->allRowsDie("SELECT * FROM {$p}lti_key k, {$p}lti_context c, {$p}lti_link l WHERE k.key_sha256 = :KEY and c.key_id = k.key_id and l.context_id=c.context_id and l.path != :URL", array(
- ':KEY' => lti_sha256($lti_def->key),
+ // Remove key from tsugi
+ $rows = $PDOX->allRowsDie("SELECT * FROM {$p}lti_key k, {$p}lti_context c, {$p}lti_link l WHERE c.key_id = k.key_id and l.context_id=c.context_id and l.path = :URL", array(
':URL' => $lti_def->tsugi_url));
if (count($rows) > 0) {
- $mesg = "Key already in use, use another key.";
- tsugi_display($template_id, $lti_def, $mesg);
- exit;
+ $sql = "delete from {$p}lti_key where key_id = ?";
+ $params = array($rows[0]['key_id']);
+ $res = $PDOX->queryDie($sql, $params);
}
- }
- */
-
- // Remove key from tsugi
- $rows = $PDOX->allRowsDie("SELECT * FROM {$p}lti_key k, {$p}lti_context c, {$p}lti_link l WHERE c.key_id = k.key_id and l.context_id=c.context_id and l.path = :URL", array(
- ':URL' => $lti_def->tsugi_url));
- if (count($rows) > 0) {
- $sql = "delete from {$p}lti_key where key_id = ?";
- $params = array($rows[0]['key_id']);
- $res = $PDOX->queryDie($sql, $params);
- }
-
- if (!$tsugi_publish) {
- $sql = "UPDATE {$xp}templatedetails SET tsugi_published = 0 WHERE template_id = ?";
- db_query($sql, array($template_id));
- $mesg = "Object is no longer published.";
- }
+ if (!$tsugi_publish) {
+ $sql = "UPDATE {$xp}templatedetails SET tsugi_published = 0 WHERE template_id = ?";
+ db_query($sql, array($template_id));
+ $mesg = "Object is no longer published.";
+ }
- if ($tsugi_publish) {
- $url = $xerte_toolkits_site->site_url . "lti_launch.php?template_id=" . $template_id;
- $PDOX = LTIX::getConnection();
- $p = $CFG->dbprefix;
- $context_row = $PDOX->rowDie("SELECT MAX(context_id) FROM {$p}lti_context;");
- $context_id = ($context_row["MAX(context_id)"]) + 1;
- $key_row = $PDOX->rowDie("SELECT MAX(key_id) FROM {$p}lti_key;");
- $key_id = ($key_row["MAX(key_id)"]) + 1;
- $link_row = $PDOX->rowDie("SELECT MAX(link_id) FROM {$p}lti_link;");
- $link_id = ($link_row["MAX(link_id)"]) + 1;
- $sql = "INSERT INTO {$p}lti_key
+ if ($tsugi_publish) {
+ $url = $xerte_toolkits_site->site_url . "lti_launch.php?template_id=" . $template_id;
+ $PDOX = LTIX::getConnection();
+ $p = $CFG->dbprefix;
+ $context_row = $PDOX->rowDie("SELECT MAX(context_id) FROM {$p}lti_context;");
+ $context_id = ($context_row["MAX(context_id)"]) + 1;
+ $key_row = $PDOX->rowDie("SELECT MAX(key_id) FROM {$p}lti_key;");
+ $key_id = ($key_row["MAX(key_id)"]) + 1;
+ $link_row = $PDOX->rowDie("SELECT MAX(link_id) FROM {$p}lti_link;");
+ $link_id = ($link_row["MAX(link_id)"]) + 1;
+ $sql = "INSERT INTO {$p}lti_key
( key_id, key_sha256, key_key, secret) VALUES
( :key_id, :key_sha256, :key_key, :secret);";
- $param = array(
- ':key_id' => $key_id,
- ':key_sha256' => lti_sha256($lti_def->key),
- ':key_key' => $lti_def->key,
- ':secret' => $lti_def->secret
- );
- $res = $PDOX->queryDie($sql, $param);
+ $param = array(
+ ':key_id' => $key_id,
+ ':key_sha256' => lti_sha256($lti_def->key),
+ ':key_key' => $lti_def->key,
+ ':secret' => $lti_def->secret
+ );
+ $res = $PDOX->queryDie($sql, $param);
- $sql = "INSERT INTO {$p}lti_context
+ $sql = "INSERT INTO {$p}lti_context
( context_id, context_sha256, context_key, title, key_id, created_at, updated_at ) VALUES
( :context_id, :context_sha256, :context_key, :title, :key_id, NOW(), NOW() );";
- $PDOX->queryDie($sql, array(
- ':context_id' => $context_id,
- ':context_sha256' => lti_sha256($context_id),
- ':context_key' => $context_id,
- ':title' => $lti_def->title,
- ':key_id' => $key_id));
- $sql = "INSERT INTO {$p}lti_link
+ $PDOX->queryDie($sql, array(
+ ':context_id' => $context_id,
+ ':context_sha256' => lti_sha256($context_id),
+ ':context_key' => $context_id,
+ ':title' => $lti_def->title,
+ ':key_id' => $key_id));
+ $sql = "INSERT INTO {$p}lti_link
( link_id, link_sha256, link_key, title, context_id, path, created_at, updated_at ) VALUES
( :link_id, :link_sha256, :link_key, :title, :context_id, :path, NOW(), NOW() );";
- $params = array(
- ':link_id' => $link_id,
- ':link_sha256' => lti_sha256($link_id),
- ':link_key' => $link_id,
- ':title' => $lti_def->title,
- ':context_id' => $context_id,
- ':path' => $lti_def->tsugi_url
- );
- $link = $PDOX->queryDie($sql, $params);
+ $params = array(
+ ':link_id' => $link_id,
+ ':link_sha256' => lti_sha256($link_id),
+ ':link_key' => $link_id,
+ ':title' => $lti_def->title,
+ ':context_id' => $context_id,
+ ':path' => $lti_def->tsugi_url
+ );
+ $link = $PDOX->queryDie($sql, $params);
+ }
}
-}
-$sql = "UPDATE {$xp}templatedetails SET tsugi_published = ?, tsugi_xapi_enabled = ?, tsugi_xapi_useglobal = ?, tsugi_xapi_endpoint = ?, tsugi_xapi_key = ?, tsugi_xapi_secret = ?, tsugi_xapi_student_id_mode = ?, dashboard_allowed_links = ? WHERE template_id = ?";
-db_query($sql,
- array(
- $lti_def->published ? "1" : "0",
- $lti_def->xapi_enabled ? "1" : "0",
- $lti_def->xapi_enabled ? ($lti_def->xapi_useglobal ? "1" : "0") : "1",
- $lti_def->xapi_enabled ? $lti_def->xapi_endpoint : "",
- $lti_def->xapi_enabled ? $lti_def->xapi_username : "",
- $lti_def->xapi_enabled ? $lti_def->xapi_password : "",
- $lti_def->xapi_enabled ? $lti_def->xapi_student_id_mode : "0",
- $lti_def->xapi_enabled ? $lti_def->dashboard_urls : "",
- $template_id
- )
-);
-tsugi_display($template_id, $lti_def, "Updated.");
-
-_debug("Done");
-
+ $sql = "UPDATE {$xp}templatedetails SET tsugi_published = ?, tsugi_usetsugikey = ?, tsugi_privatekeyonly = ?, tsugi_xapi_enabled = ?, tsugi_xapi_useglobal = ?, tsugi_xapi_endpoint = ?, tsugi_xapi_key = ?, tsugi_xapi_secret = ?, tsugi_xapi_student_id_mode = ?, dashboard_allowed_links = ? WHERE template_id = ?";
+ db_query($sql,
+ array(
+ $lti_def->published ? "1" : "0",
+ $lti_def->tsugi_useglobal ? "1" : "0",
+ $lti_def->tsugi_privateonly ? "1" : "0",
+ $lti_def->xapi_enabled ? "1" : "0",
+ $lti_def->xapi_enabled ? ($lti_def->xapi_useglobal ? "1" : "0") : "1",
+ $lti_def->xapi_enabled ? $lti_def->xapi_endpoint : "",
+ $lti_def->xapi_enabled ? $lti_def->xapi_username : "",
+ $lti_def->xapi_enabled ? $lti_def->xapi_password : "",
+ $lti_def->xapi_enabled ? $lti_def->xapi_student_id_mode : "0",
+ $lti_def->xapi_enabled ? $lti_def->dashboard_urls : "",
+ $template_id
+ )
+ );
+ tsugi_display($template_id, $lti_def, "Updated.");
+
+ _debug("Done");
+}
?>
\ No newline at end of file
diff --git a/website_code/php/properties/name_select_gift_template.php b/website_code/php/properties/name_select_gift_template.php
index 70b7f5311e..c703abd218 100644
--- a/website_code/php/properties/name_select_gift_template.php
+++ b/website_code/php/properties/name_select_gift_template.php
@@ -27,43 +27,52 @@
*/
require_once("../../../config.php");
+include "../template_status.php";
+
_load_language_file("/website_code/php/properties/name_select_gift_template.inc");
$search = $_POST['search_string'];
$prefix = $xerte_toolkits_site->database_table_prefix;
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+ _debug("Session is invalid or expired");
+ die("Session is invalid or expired");
+}
+
if(is_numeric($_POST['template_id'])){
+ if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()){
+ $tutorial_id = (int)$_POST['template_id'];
- $tutorial_id = (int) $_POST['template_id'];
+ $database_id = database_connect("Template name select share access database connect success", "Template name select share database connect failed");
- $database_id=database_connect("Template name select share access database connect success","Template name select share database connect failed");
+ /**
+ * Search the list of user logins for user with that name
+ */
- /**
- * Search the list of user logins for user with that name
- */
+ if (strlen($search) != 0) {
- if(strlen($search)!=0){
-
- $query_for_names = "SELECT login_id, firstname, surname, username from {$prefix}logindetails WHERE "
- . "((firstname like ? ) or (surname like ?) or (username like ?) ) "
- . "AND login_id not in( SELECT creator_id from {$prefix}templatedetails where template_id= ? ) ORDER BY firstname ASC";
+ $query_for_names = "SELECT login_id, firstname, surname, username from {$prefix}logindetails WHERE "
+ . "((firstname like ? ) or (surname like ?) or (username like ?) ) "
+ . "AND login_id not in( SELECT creator_id from {$prefix}templatedetails where template_id= ? ) ORDER BY firstname ASC";
-$params = array("$search%", "$search%", "$search%", $tutorial_id);
- $rows = db_query($query_for_names, $params);
+ $params = array("$search%", "$search%", "$search%", $tutorial_id);
+ $rows = db_query($query_for_names, $params);
- if(sizeof($rows) > 0){
+ if (sizeof($rows) > 0) {
- foreach($rows as $row) {
- echo "
" . $row['firstname'] . " " . $row['surname'] . " (" . $row['username'] . ") - " . NAME_SELECT_GIFT_CLICK . " " . NAME_SELECT_GIFT_INSTRUCTION . "
";
+ foreach ($rows as $row) {
+ echo "
" . $row['firstname'] . " " . $row['surname'] . " (" . $row['username'] . ") - " . NAME_SELECT_GIFT_CLICK . " " . NAME_SELECT_GIFT_INSTRUCTION . "
";
- }
+ }
- }else{
+ } else {
- echo "
" . NAME_SELECT_GIFT_FIND_FAIL . "
";
+ echo "
" . NAME_SELECT_GIFT_FIND_FAIL . "
";
- }
+ }
+ }
}
}
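Review bot: The `$row['firstname']`, `$row['surname']` and `$row['username']` values echoed inside the new `foreach` are written into the response unescaped; they are stored, user-supplied profile fields, so a crafted name becomes stored XSS in every author's gift dialog if the caller inserts this fragment as HTML, which the markup around it suggests. Wrap each with `htmlspecialchars($row['firstname'], ENT_QUOTES, 'UTF-8')` (and likewise surname and username) before concatenating. Separately, `$search` is interpolated into the LIKE pattern as `"$search%"` with `%` and `_` unescaped, so a single `%` lists every account on the install; `$search = addcslashes($_POST['search_string'], '%_\\');` keeps the intended prefix match. Minor: `$search` is read from POST above the session guard rather than below it.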
diff --git a/website_code/php/properties/name_select_template.php b/website_code/php/properties/name_select_template.php
index 5037b0337b..951b08a02e 100644
--- a/website_code/php/properties/name_select_template.php
+++ b/website_code/php/properties/name_select_template.php
@@ -28,45 +28,54 @@
*/
require_once("../../../config.php");
+include "../template_status.php";
+
_load_language_file("/website_code/php/properties/name_select_template.inc");
$prefix = $xerte_toolkits_site->database_table_prefix;
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+ _debug("Session is invalid or expired");
+ die("Session is invalid or expired");
+}
+
if(is_numeric($_POST['template_id'])){
+ if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()){
+ $search = $_POST['search_string'];
- $search = $_POST['search_string'];
+ $tutorial_id = (int)$_POST['template_id'];
- $tutorial_id = (int) $_POST['template_id'];
+ $database_id = database_connect("Template name select share access database connect success", "Template name select share database connect failed");
- $database_id=database_connect("Template name select share access database connect success","Template name select share database connect failed");
+ /**
+ * Search the list of user logins for user with that name
+ */
- /**
- * Search the list of user logins for user with that name
- */
+ if (strlen($search) != 0) {
- if(strlen($search)!=0){
+ $query_for_names = "select login_id, firstname, surname, username from {$prefix}logindetails WHERE "
+ . "((firstname like ?) or (surname like ?) or (username like ?)) AND login_id NOT IN ( "
+ . "SELECT user_id from {$prefix}templaterights where template_id = ? ) ORDER BY firstname ASC";
- $query_for_names = "select login_id, firstname, surname, username from {$prefix}logindetails WHERE "
- . "((firstname like ?) or (surname like ?) or (username like ?)) AND login_id NOT IN ( "
- . "SELECT user_id from {$prefix}templaterights where template_id = ? ) ORDER BY firstname ASC";
+ $params = array("$search%", "$search%", "$search%", $tutorial_id);
- $params = array("$search%", "$search%", "$search%", $tutorial_id);
-
- $query_names_response = db_query($query_for_names, $params);
+ $query_names_response = db_query($query_for_names, $params);
- if(sizeof($query_names_response)!=0){
+ if (sizeof($query_names_response) != 0) {
- foreach($query_names_response as $row){
+ foreach ($query_names_response as $row) {
- echo "
" . $row['firstname'] . " " . $row['surname'] . " (" . $row['username'] . ") - " . NAME_SELECT_CLICK . "
";
+ echo "
" . $row['firstname'] . " " . $row['surname'] . " (" . $row['username'] . ") - " . NAME_SELECT_CLICK . "
";
- }
+ }
- }else{
+ } else {
- echo "
" . NAME_SELECT_DETAILS_FAIL . "
";
+ echo "
" . NAME_SELECT_DETAILS_FAIL . "
";
- }
+ }
+ }
}
}
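Review bot: The LIKE pattern built at `$params = array("$search%", ...)` leaves `%` and `_` in the user-supplied search string unescaped, so any authorised co-author can enumerate every login on the instance by searching for `%`; escape with `$search = addcslashes($_POST['search_string'], '%_\\');` so only a literal prefix is matched. The name and username fields echoed in the `foreach` are also emitted without `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')`, which the sibling `notes_display` in properties_library already does for its own output. The session guard is a good addition, but the file still reads `$_POST['search_string']` and calls `is_user_creator_or_coauthor` with the raw, un-cast `template_id`; using the `(int)` value for both keeps the check and the query on the same identifier.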
diff --git a/website_code/php/properties/notes_change_template.php b/website_code/php/properties/notes_change_template.php
index 27353e1ef2..30175e3f2d 100644
--- a/website_code/php/properties/notes_change_template.php
+++ b/website_code/php/properties/notes_change_template.php
@@ -32,22 +32,28 @@
include "../user_library.php";
include "properties_library.php";
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+ _debug("Session is invalid or expired");
+ die("Session is invalid or expired");
+}
if(is_numeric($_POST['template_id'])){
- $database_id = database_connect("notes change template database connect success","notes change template database connect failed");
- $prefix = $xerte_toolkits_site->database_table_prefix;
- $query = "update {$prefix}templaterights SET notes = ? WHERE template_id = ?";
+ if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()){
+ $database_id = database_connect("notes change template database connect success", "notes change template database connect failed");
+ $prefix = $xerte_toolkits_site->database_table_prefix;
+ $query = "update {$prefix}templaterights SET notes = ? WHERE template_id = ?";
- $params = array($_POST['notes'], $_POST['template_id']);
-
-
- if(db_query($query, $params)){
+ $params = array($_POST['notes'], $_POST['template_id']);
- notes_display($_POST['notes'],true, $_POST['template_id']);
- }else{
- notes_display($_POST['notes'],false, $_POST['template_id']);
- }
+ if (db_query($query, $params)) {
+ notes_display($_POST['notes'], true, $_POST['template_id']);
+
+ } else {
+ notes_display($_POST['notes'], false, $_POST['template_id']);
+ }
+ }
}
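Review bot: `$_POST['notes']` is bound into the UPDATE and passed to `notes_display` without an `isset` check, so a request that omits it raises an undefined-index notice and writes NULL; read it once as `$notes = isset($_POST['notes']) ? $_POST['notes'] : '';` and use `$notes` in both places, and cast the id with `$template_id = (int)$_POST['template_id'];` so the authorization call and the query see the same value. Also worth confirming: the UPDATE has no `user_id` predicate, so if `templaterights.notes` is meant to be per-sharer this overwrites every co-author's note on the template rather than the caller's own row — presumably intended only if notes are per-template.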
diff --git a/website_code/php/properties/peer_template.php b/website_code/php/properties/peer_template.php
index 2f8a405b3e..f7ac1a298b 100644
--- a/website_code/php/properties/peer_template.php
+++ b/website_code/php/properties/peer_template.php
@@ -37,19 +37,25 @@
include "properties_library.php";
-if(is_numeric($_POST['template_id'])){
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+ _debug("Session is invalid or expired");
+ die("Session is invalid or expired");
+}
- $database_id = database_connect("peer template database connect success","peer template change database connect failed");
+if(is_numeric($_POST['template_id'])){
+ if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()) {
+ $database_id = database_connect("peer template database connect success", "peer template change database connect failed");
- if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()){
+ if (is_user_creator_or_coauthor($_POST['template_id']) || is_user_admin()) {
- peer_display($xerte_toolkits_site,false, $_POST['template_id']);
+ peer_display($xerte_toolkits_site, false, $_POST['template_id']);
- }else{
+ } else {
- peer_display_fail();
+ peer_display_fail();
+ }
}
-
}
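Review bot: The new outer `if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin())` repeats the identical inner check, so the inner `else { peer_display_fail(); }` can never execute and unauthorised callers now receive an empty response instead of the failure view. Keep one check with both branches, e.g. drop the outer wrapper, or make the outer `if` the one that carries `else { peer_display_fail(); }` and remove the inner duplicate. While here, cast with `$template_id = (int)$_POST['template_id'];` after the `is_numeric` test and pass that to both the check and `peer_display`.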
diff --git a/website_code/php/properties/properties_default_engine.php b/website_code/php/properties/properties_default_engine.php
index 9a84b6be51..6f04d6a131 100644
--- a/website_code/php/properties/properties_default_engine.php
+++ b/website_code/php/properties/properties_default_engine.php
@@ -35,45 +35,48 @@
include "../user_library.php";
include "properties_library.php";
-if(is_numeric($_POST['template_id'])){
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+ _debug("Session is invalid or expired");
+ die("Session is invalid or expired");
+}
- $template_id = (int) $_POST['template_id'];
- $engine = $_POST['engine'];
+if(is_numeric($_POST['template_id'])){
+ if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()) {
+ $template_id = (int)$_POST['template_id'];
+ $engine = $_POST['engine'];
- if ($engine != 'flash' && $engine!='javascript')
- {
- $engine = 'javascript';
- }
+ if ($engine != 'flash' && $engine != 'javascript') {
+ $engine = 'javascript';
+ }
- // Get extra flags
- $row = db_query_one("SELECT td.extra_flags FROM {$xerte_toolkits_site->database_table_prefix}templatedetails td WHERE td.template_id = ?", array($template_id));
+ // Get extra flags
+ $row = db_query_one("SELECT td.extra_flags FROM {$xerte_toolkits_site->database_table_prefix}templatedetails td WHERE td.template_id = ?", array($template_id));
- $extra_flags = explode(";", $row['extra_flags']);
- $data = array();
- foreach($extra_flags as $i => $flag) {
- $bits = explode('=', $flag);
- $data[$bits[0]] = $bits[1];
- }
- $data['engine'] = $engine;
- // need to form into something like: engine=flash;foo=bar;something=somethingelse
- $db_flags = http_build_query($data, '', ';');
- $db_flags = str_replace(' ', '_', $db_flags); // not sure why we do this.
+ $extra_flags = explode(";", $row['extra_flags']);
+ $data = array();
+ foreach ($extra_flags as $i => $flag) {
+ $bits = explode('=', $flag);
+ $data[$bits[0]] = $bits[1];
+ }
+ $data['engine'] = $engine;
+ // need to form into something like: engine=flash;foo=bar;something=somethingelse
+ $db_flags = http_build_query($data, '', ';');
+ $db_flags = str_replace(' ', '_', $db_flags); // not sure why we do this.
- $query = "UPDATE {$xerte_toolkits_site->database_table_prefix}templatedetails SET extra_flags = ? WHERE template_id = ?";
- $params = array($db_flags, $template_id);
- $ok = db_query($query, $params);
+ $query = "UPDATE {$xerte_toolkits_site->database_table_prefix}templatedetails SET extra_flags = ? WHERE template_id = ?";
+ $params = array($db_flags, $template_id);
+ $ok = db_query($query, $params);
- if($ok) {
- if ($_REQUEST['page']=='properties')
- {
- properties_display($xerte_toolkits_site,$template_id,true,"engine");
- }
- else
- {
- publish_display($template_id);
- }
+ if ($ok) {
+ if ($_REQUEST['page'] == 'properties') {
+ properties_display($xerte_toolkits_site, $template_id, true, "engine");
+ } else {
+ publish_display($template_id);
+ }
- }else{
+ } else {
+ }
}
}
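Review bot: The `extra_flags` parsing in the `foreach` still indexes `$bits[1]` unconditionally, so an empty or trailing-`;` value in the column (`explode` yields `['']`) raises an undefined-offset notice and stores an empty-string key; guard it with `$bits = explode('=', $flag, 2); if (count($bits) === 2 && $bits[0] !== '') { $data[$bits[0]] = $bits[1]; }`. The closing `} else { }` branch is empty, so a failed UPDATE silently returns nothing to the client — at least emit the failure view or `_debug` the outcome. `$_REQUEST['page']` is also read without `isset`, which notices on the publish path; `(isset($_REQUEST['page']) && $_REQUEST['page'] == 'properties')` avoids that.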
diff --git a/website_code/php/properties/properties_library.php b/website_code/php/properties/properties_library.php
index 1e630874d1..286bdb714c 100644
--- a/website_code/php/properties/properties_library.php
+++ b/website_code/php/properties/properties_library.php
@@ -20,9 +20,10 @@
//PROPERTIES LIBRARY
-require_once("../../../config.php");
-require_once("../template_library.php");
-require_once("../xAPI/xAPI_library.php");
+require_once(dirname(__FILE__) . "/../../../config.php");
+require_once(dirname(__FILE__) . "/../template_status.php");
+require_once(dirname(__FILE__) . "/../template_library.php");
+require_once(dirname(__FILE__) . "/../xAPI/xAPI_library.php");
_load_language_file("/website_code/php/properties/publish.inc");
@@ -274,7 +275,16 @@ function notes_display($notes, $change, $template_id){
$notes = htmlentities($notes, ENT_QUOTES, 'UTF-8', false);
echo "";
- echo "
" . PROPERTIES_LIBRARY_NOTES_EXPLAINED . "
" . $notes . " " . PROPERTIES_LIBRARY_SAVE . " ";
+ echo "
" . PROPERTIES_LIBRARY_NOTES_EXPLAINED . "
" . $notes . " " . PROPERTIES_LIBRARY_SAVE . " ";
+ echo "";
if($change){
@@ -560,7 +570,7 @@ function project_info($template_id){
}
-function statistics_prepare($template_id)
+function statistics_prepare($template_id, $force=false)
{
global $xerte_toolkits_site;
@@ -573,27 +583,28 @@ function statistics_prepare($template_id)
$html = "
";
- if ($xerte_toolkits_site->dashboard_enabled != 'false') {
-
- // determine role and check against minrole
- $role = get_user_access_rights($template_id);
+ if ($xerte_toolkits_site->dashboard_enabled != 'false' || $force) {
$access = false;
- switch($xerte_toolkits_site->xapi_dashboard_minrole)
- {
- case 'creator':
- $access = ($role == 'creator');
- break;
- case 'co-author':
- $access = ($role == 'creator' || $role == 'co-author');
- break;
- case 'editor':
- $access = ($role == 'creator' || $role == 'co-author' || $role == 'editor');
- break;
- case 'read-only':
- $access = ($role == 'creator' || $role == 'co-author' || $role == 'editor' || $role=='read-only');
- break;
+ if (! $force) {
+ // determine role and check against minrole
+ $role = get_user_access_rights($template_id);
+ $access = false;
+ switch ($xerte_toolkits_site->xapi_dashboard_minrole) {
+ case 'creator':
+ $access = ($role == 'creator');
+ break;
+ case 'co-author':
+ $access = ($role == 'creator' || $role == 'co-author');
+ break;
+ case 'editor':
+ $access = ($role == 'creator' || $role == 'co-author' || $role == 'editor');
+ break;
+ case 'read-only':
+ $access = ($role == 'creator' || $role == 'co-author' || $role == 'editor' || $role == 'read-only');
+ break;
+ }
}
- if ($access) {
+ if ($access || $force) {
$prefix = $xerte_toolkits_site->database_table_prefix;
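Review bot: The new `$force` parameter makes `if ($access || $force)` skip the `xapi_dashboard_minrole` role check entirely, so every caller that passes `true` is now responsible for its own authorization, and nothing in the hunk records that contract; add a docblock on `statistics_prepare` along the lines of `@param bool $force Bypass the dashboard_enabled setting and the minrole check; the caller MUST already have verified the user may see this template's statistics.` Callers are outside this hunk, so which paths use `$force` cannot be confirmed here. The `$access = false;` before `if (! $force)` is then repeated on the first line inside that branch; one of the two can go. `statistics_prepare` begins in the previous hunk and continues past this one.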
@@ -1055,12 +1066,16 @@ function tsugi_display($id, $lti_def, $mesg = "")
- published ? "checked" : ""); ?>>
+ published ? "checked" : ""); ?>>
-
-
-
-
+
- xapi_enabled ? "checked" : "");?>>
+ xapi_enabled ? "checked" : "");?>>
-
-
xapi_useglobal ? "checked" : "");?>>
-
xapi_useglobal ? "disabled value=\"\"" : "value=\"" . $lti_def->xapi_endpoint . "\""); ?>">
-
xapi_useglobal ? "disabled value=\"\"" : "value=\"" . $lti_def->xapi_username . "\""); ?>">
-
xapi_useglobal ? "disabled value=\"\"" : "value=\"" . $lti_def->xapi_password . "\""); ?>">
-
+ ">
+
xapi_enabled ? "" : "disabled"); ?> onchange="javascript:xapi_toggle_useglobal('')" name="tsugi_xapi_useglobal" id="tsugi_xapi_useglobal" xapi_useglobal ? "checked" : "");?>>
+
diff --git a/website_code/php/properties/remove_sharing_template.php b/website_code/php/properties/remove_sharing_template.php
index 9997ec61e6..b12adac826 100644
--- a/website_code/php/properties/remove_sharing_template.php
+++ b/website_code/php/properties/remove_sharing_template.php
@@ -28,21 +28,29 @@
*/
require_once("../../../config.php");
+include "../template_status.php";
+
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+ _debug("Session is invalid or expired");
+ die("Session is invalid or expired");
+}
if(is_numeric($_POST['template_id'])){
- $prefix = $xerte_toolkits_site->database_table_prefix;
-
- $user_id = $_POST['user_id'];
+ if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()) {
+ $prefix = $xerte_toolkits_site->database_table_prefix;
+
+ $user_id = $_POST['user_id'];
- $tutorial_id = $_POST['template_id'];
+ $tutorial_id = $_POST['template_id'];
- $database_id=database_connect("Template sharing database connect failed","Template sharing database connect failed");
+ $database_id = database_connect("Template sharing database connect failed", "Template sharing database connect failed");
- $query_to_delete_share = "delete from {$prefix}templaterights where template_id = ? AND user_id = ?";
+ $query_to_delete_share = "delete from {$prefix}templaterights where template_id = ? AND user_id = ?";
- $params = array($tutorial_id, $user_id);
- db_query($query_to_delete_share, $params);
-
+ $params = array($tutorial_id, $user_id);
+ db_query($query_to_delete_share, $params);
+ }
}
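Review bot: `$_POST['user_id']` is taken straight into the DELETE with no validation, whereas the sibling handlers set_sharing_rights_template.php and share_this_template.php in this same patch gate on `is_numeric($_POST['user_id'])&&is_numeric($_POST['template_id'])`; use the same condition here, e.g. `if(is_numeric($_POST['user_id'])&&is_numeric($_POST['template_id'])){`, and cast both with `(int)` before binding. The query is parameterised so this is consistency and notice-avoidance rather than injection, but the unguarded index also notices when `user_id` is absent. The handler returns no body on success or failure, so the caller cannot distinguish a denied request from a completed one.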
diff --git a/website_code/php/properties/rename_template.php b/website_code/php/properties/rename_template.php
index f25e37c862..ed17ba0a6e 100644
--- a/website_code/php/properties/rename_template.php
+++ b/website_code/php/properties/rename_template.php
@@ -34,32 +34,39 @@
include "../url_library.php";
include "properties_library.php";
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+ _debug("Session is invalid or expired");
+ die("Session is invalid or expired");
+}
+
if(is_numeric($_POST['template_id'])){
- $tutorial_id = (int)$_POST['template_id'];
+ if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()) {
+ $tutorial_id = (int)$_POST['template_id'];
- $prefix = $xerte_toolkits_site->database_table_prefix;
-
- $database_id = database_connect("Template rename database connect success","Template rename database connect failed");
+ $prefix = $xerte_toolkits_site->database_table_prefix;
- $query = "update {$prefix}templatedetails SET template_name = ? WHERE template_id = ?";
- $params = array(str_replace(" ", "_", $_POST['template_name']), $_POST['template_id']);
+ $database_id = database_connect("Template rename database connect success", "Template rename database connect failed");
- if(db_query($query, $params)) {
+ $query = "update {$prefix}templatedetails SET template_name = ? WHERE template_id = ?";
+ $params = array(str_replace(" ", "_", $_POST['template_name']), $_POST['template_id']);
- $query_for_names = "select template_name, date_created, date_modified from {$prefix}templatedetails where template_id=?";
- $params = array($tutorial_id);
+ if (db_query($query, $params)) {
- $row = db_query_one($query_for_names, $params);
+ $query_for_names = "select template_name, date_created, date_modified from {$prefix}templatedetails where template_id=?";
+ $params = array($tutorial_id);
- echo "~~**~~" . $_POST['template_name'] . "~~**~~";
+ $row = db_query_one($query_for_names, $params);
- properties_display($xerte_toolkits_site,$tutorial_id,true,"name");
+ echo "~~**~~" . $_POST['template_name'] . "~~**~~";
- }else{
- echo "~~**~~ ~~**~~";
+ properties_display($xerte_toolkits_site, $tutorial_id, true, "name");
- properties_display($xerte_toolkits_site,$tutorial_id,false,"name");
- }
+ } else {
+ echo "~~**~~ ~~**~~";
+ properties_display($xerte_toolkits_site, $tutorial_id, false, "name");
+ }
+ }
}
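Review bot: `echo "~~**~~" . $_POST['template_name'] . "~~**~~";` reflects the raw POST value into the response; if the calling script splices the delimited segment into the page as HTML, as the `~~**~~` framing suggests, this is reflected XSS for anyone who can make an authorised author submit the form. Escape it: `echo "~~**~~" . htmlspecialchars($_POST['template_name'], ENT_QUOTES, 'UTF-8') . "~~**~~";`. The `$row = db_query_one($query_for_names, $params);` result is fetched and never used and can be dropped, and the UPDATE binds `$_POST['template_id']` where the already-cast `$tutorial_id` should be used.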
diff --git a/website_code/php/properties/screen_size_template.php b/website_code/php/properties/screen_size_template.php
index d4e03b99c4..cc99415219 100644
--- a/website_code/php/properties/screen_size_template.php
+++ b/website_code/php/properties/screen_size_template.php
@@ -29,20 +29,21 @@
require_once("../../../config.php");
include "../screen_size_library.php";
+include "../template_status.php";
if(is_numeric($_POST['tutorial_id'])){
+ if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()) {
+ $database_id = database_connect("screen size database connect success", "screen size database connect failed");
- $database_id = database_connect("screen size database connect success","screen size database connect failed");
+ $prefix = $xerte_toolkits_site->database_table_prefix;
+ $query_for_template_name = "select {$prefix}originaltemplatesdetails.template_name,"
+ . "{$prefix}originaltemplatesdetails.template_framework from {$prefix}originaltemplatesdetails, {$prefix}templatedetails WHERE "
+ . "{$prefix}templatedetails.template_type_id = {$prefix}originaltemplatesdetails.template_type_id AND template_id = ?";
- $prefix = $xerte_toolkits_site->database_table_prefix ;
- $query_for_template_name = "select {$prefix}originaltemplatesdetails.template_name,"
- . "{$prefix}originaltemplatesdetails.template_framework from {$prefix}originaltemplatesdetails, {$prefix}templatedetails WHERE "
- . "{$prefix}templatedetails.template_type_id = {$prefix}originaltemplatesdetails.template_type_id AND template_id = ?";
+ $params = array($_POST['tutorial_id']);
- $params = array($_POST['tutorial_id']);
-
- $row_name = db_query_one($query_for_template_name, $params);
-
- echo get_template_screen_size($row_name['template_name'], $row_name['template_framework']) . "~" . $_POST['tutorial_id'];
+ $row_name = db_query_one($query_for_template_name, $params);
+ echo get_template_screen_size($row_name['template_name'], $row_name['template_framework']) . "~" . $_POST['tutorial_id'];
+ }
}
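Review bot: The new authorization check reads `$_POST['template_id']` while the guard and the query use `$_POST['tutorial_id']`, so a caller can pass a template they own as `template_id` and any other id as `tutorial_id` and the check passes for the wrong object; use one identifier: `$tutorial_id = (int)$_POST['tutorial_id']; if (is_user_creator_or_coauthor($tutorial_id) || is_user_admin()) {` and bind `$tutorial_id` in `$params`. Impact is limited to reading a template's type name and screen size, but the check as written protects nothing. This file also omits the `$_SESSION['toolkits_logon_username']` guard that the other property handlers in this patch add; the `is_user_*` helpers are not visible here, so whether they tolerate a missing session cannot be confirmed.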
diff --git a/website_code/php/properties/set_sharing_rights_template.php b/website_code/php/properties/set_sharing_rights_template.php
index 2a2bde76dc..be7b2a7986 100644
--- a/website_code/php/properties/set_sharing_rights_template.php
+++ b/website_code/php/properties/set_sharing_rights_template.php
@@ -28,19 +28,22 @@
require_once("../../../config.php");
+include "../template_status.php";
$prefix = $xerte_toolkits_site->database_table_prefix;
if(is_numeric($_POST['user_id'])&&is_numeric($_POST['template_id'])){
- $new_rights = $_POST['rights'];
+ if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()) {
+ $new_rights = $_POST['rights'];
- $user_id = $_POST['user_id'];
+ $user_id = $_POST['user_id'];
- $tutorial_id = $_POST['template_id'];
+ $tutorial_id = $_POST['template_id'];
- $database_id=database_connect("Template sharing rights database connect success","Template sharing rights database connect failed");
+ $database_id = database_connect("Template sharing rights database connect success", "Template sharing rights database connect failed");
- $query_to_change_share_rights = "update {$prefix}templaterights set role = ? WHERE template_id = ? and user_id= ?";
- $params = array($new_rights, $tutorial_id, $user_id);
- db_query($query_to_change_share_rights, $params);
+ $query_to_change_share_rights = "update {$prefix}templaterights set role = ? WHERE template_id = ? and user_id= ?";
+ $params = array($new_rights, $tutorial_id, $user_id);
+ db_query($query_to_change_share_rights, $params);
+ }
}
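Review bot: `$new_rights = $_POST['rights']` is written into `templaterights.role` without being checked against the known role set, so an authorised co-author can store any string — including, presumably, elevating a user (or the `user_id` they choose, which may be their own) to a higher role than the UI offers. Whitelist it before the UPDATE, e.g. `if (!in_array($new_rights, array('co-author', 'editor', 'read-only'), true)) { die("Invalid role"); }`, using whichever role names the product actually defines; the switch in properties_library's `statistics_prepare` shows `creator`, `co-author`, `editor` and `read-only`. This handler, like screen_size_template.php, also lacks the session guard the other files in the patch add.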
diff --git a/website_code/php/properties/share_this_template.php b/website_code/php/properties/share_this_template.php
index ba9ea019c8..e180ef7127 100644
--- a/website_code/php/properties/share_this_template.php
+++ b/website_code/php/properties/share_this_template.php
@@ -27,47 +27,50 @@
*/
require_once("../../../config.php");
+require_once("../template_status.php");
_load_language_file("/website_code/php/properties/share_this_template.inc");
$prefix = $xerte_toolkits_site->database_table_prefix;
if(is_numeric($_POST['user_id'])&&is_numeric($_POST['template_id'])){
- $user_id = $_POST['user_id'];
+ if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()) {
+ $user_id = $_POST['user_id'];
- $tutorial_id = $_POST['template_id'];
+ $tutorial_id = $_POST['template_id'];
- $database_id=database_connect("Share this template database connect success","Share this template database connect success");
+ $database_id = database_connect("Share this template database connect success", "Share this template database connect success");
- /**
- * find the user you are sharing with's root folder to add this template to
- */
+ /**
+ * find the user you are sharing with's root folder to add this template to
+ */
- $query_to_find_out_root_folder = "select folder_id from {$prefix}folderdetails where login_id = ? and folder_parent=? and folder_name!=?";
+ $query_to_find_out_root_folder = "select folder_id from {$prefix}folderdetails where login_id = ? and folder_parent=? and folder_name!=?";
- $params = array($user_id, '0', 'recyclebin');
-
- $row_query_root = db_query_one($query_to_find_out_root_folder, $params);
+ $params = array($user_id, '0', 'recyclebin');
- $query_to_insert_share = "INSERT INTO {$prefix}templaterights (template_id, user_id, role, folder) VALUES (?,?,?,?)";
- $params = array($tutorial_id, $user_id,"editor", $row_query_root['folder_id']);
+ $row_query_root = db_query_one($query_to_find_out_root_folder, $params);
- if(db_query($query_to_insert_share, $params)){
+ $query_to_insert_share = "INSERT INTO {$prefix}templaterights (template_id, user_id, role, folder) VALUES (?,?,?,?)";
+ $params = array($tutorial_id, $user_id, "editor", $row_query_root['folder_id']);
- /**
- * sort ouf the html to return to the screen
- */
+ if (db_query($query_to_insert_share, $params)) {
+
+ /**
+ * sort ouf the html to return to the screen
+ */
- $query_for_name = "select firstname, surname from {$prefix}logindetails WHERE login_id=?";
- $params = array($user_id);
+ $query_for_name = "select firstname, surname from {$prefix}logindetails WHERE login_id=?";
+ $params = array($user_id);
- $row = db_query_one($query_for_name, $params);
+ $row = db_query_one($query_for_name, $params);
- echo SHARING_THIS_FEEDBACK_SUCCESS . " " . $row['firstname'] . " " . $row['surname'] . " ";
+ echo SHARING_THIS_FEEDBACK_SUCCESS . " " . $row['firstname'] . " " . $row['surname'] . " ";
- }else{
+ } else {
- echo SHARING_THIS_FEEDBACK_FAIL . " ";
+ echo SHARING_THIS_FEEDBACK_FAIL . " ";
+ }
}
}
\ No newline at end of file
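Review bot: `$row_query_root['folder_id']` is read without checking that the root-folder lookup returned a row, so sharing with a user_id that has no root folder (or does not exist) inserts a templaterights row with a null folder. If `db_query_one` returns false on no match — its contract is outside this patch — guard before the insert: `if ($row_query_root === false) { echo SHARING_THIS_FEEDBACK_FAIL . " "; } else { /* insert as before */ }`. Apart from the added rights check, the hunk is a re-indent of existing code, which hides the actual security change in the diff; keeping formatting separate from security fixes makes this kind of patch easier to audit.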
diff --git a/website_code/php/properties/tsugi_template.php b/website_code/php/properties/tsugi_template.php
index e619bc5ee1..4978df9bbf 100644
--- a/website_code/php/properties/tsugi_template.php
+++ b/website_code/php/properties/tsugi_template.php
@@ -48,7 +48,7 @@ function generatePwd($length){
$template_id = $id;
$safe_template_id = (int)$id;
$query_for_preview_content = "select otd.template_name, ld.username, otd.template_framework, tr.user_id, tr.folder, tr.template_id, td.template_name as name, td.access_to_whom, td.extra_flags,";
- $query_for_preview_content .= "td.tsugi_published, td.tsugi_xapi_enabled, td.tsugi_xapi_useglobal, td.tsugi_xapi_endpoint, td.tsugi_xapi_key, td.tsugi_xapi_secret, td.tsugi_xapi_student_id_mode, td.dashboard_allowed_links";
+ $query_for_preview_content .= "td.tsugi_published, td.tsugi_usetsugikey, td.tsugi_privatekeyonly, td.tsugi_xapi_enabled, td.tsugi_xapi_useglobal, td.tsugi_xapi_endpoint, td.tsugi_xapi_key, td.tsugi_xapi_secret, td.tsugi_xapi_student_id_mode, td.dashboard_allowed_links";
$query_for_preview_content .= " from " . $xerte_toolkits_site->database_table_prefix . "originaltemplatesdetails otd, " . $xerte_toolkits_site->database_table_prefix . "templaterights tr, " . $xerte_toolkits_site->database_table_prefix . "templatedetails td, " . $xerte_toolkits_site->database_table_prefix . "logindetails ld";
$query_for_preview_content .= " where td.template_type_id = otd.template_type_id and td.creator_id = ld.login_id and tr.template_id = td.template_id and tr.template_id=? and (role='creator' || role='co-author')";
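Review bot: The select now reads `td.tsugi_usetsugikey` and `td.tsugi_privatekeyonly`, but the diffstat of this commit lists no schema or setup change adding those columns to templatedetails; if they are not already present the query fails for every user opening this panel. If the columns arrived in a separate commit, a sentence in the description would help; otherwise the migration belongs in this patch. `$lti_def->tsugi_privateonly` is assigned in the next hunk but not read anywhere visible here.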
@@ -62,6 +62,8 @@ function generatePwd($length){
$lti_def->key = $row['name'] . "_" . $id;
$lti_def->secret = generatePwd(16);
$lti_def->published = $row["tsugi_published"];
+ $lti_def->tsugi_useglobal = $row['tsugi_usetsugikey'];
+ $lti_def->tsugi_privateonly = $row['tsugi_privatekeyonly'];
$lti_def->tsugi_url = $xerte_toolkits_site->site_url . "lti_launch.php?template_id=" . $row['template_id'];
$lti_def->url = $xerte_toolkits_site->site_url . "lti_launch.php?template_id=" . $row['template_id'];
$lti_def->xapionly_url = $xerte_toolkits_site->site_url . "xapi_launch.php?template_id=" . $row['template_id'] . "&group=groupname";
@@ -71,7 +73,7 @@ function generatePwd($length){
$lti_def->xapi_password = "";
$lti_def->xapi_student_id_mode = 0; // e-mail address
if ($tsugi_installed) {
- if ($lti_def->published == 1) {
+ if ($lti_def->published == 1 && !$lti_def->tsugi_useglobal) {
$PDOX = LTIX::getConnection();
$tsugirow = $PDOX->rowDie(
" SELECT l.title, k.key_key, k.secret
@@ -84,6 +86,11 @@ function generatePwd($length){
$lti_def->title = $tsugirow["title"];
}
}
+ else{
+ $lti_def->key = "";
+ $lti_def->secret = "";
+ $lti_def->title = "";
+ }
}
if($lti_def->xapi_enabled == 1)
{
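Review bot: The new `else` branch clears key, secret and title whenever the inner condition is false, which includes the plain unpublished case and not only the `tsugi_useglobal` case it appears to target; before this change an unpublished template kept the `$row['name'] . "_" . $id` key and the `generatePwd(16)` secret set in the second hunk. If blank credentials are intended only for templates that use the global key, test that explicitly: `elseif ($lti_def->tsugi_useglobal) {` in place of the bare `else{`. The enclosing `if ($tsugi_installed)` block starts in the previous hunk, so the exact nesting of the new branch should be confirmed against the full file.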
diff --git a/website_code/php/publish/publish_template.php b/website_code/php/publish/publish_template.php
index 788796f923..c950e3629f 100644
--- a/website_code/php/publish/publish_template.php
+++ b/website_code/php/publish/publish_template.php
@@ -65,8 +65,7 @@
$row_publish = db_query_one($query_for_edit_content);
-
- if(is_user_an_editor($safe_template_id,$_SESSION['toolkits_logon_id'])){
+ if(is_user_an_editor($safe_template_id,$_SESSION['toolkits_logon_id'])||is_user_admin()){
// XXX What is temp_array[2] here? Looks broken. TODO: Fix it.
require("../../../modules/" . $temp_array[2] . "/publish.php");
diff --git a/website_code/php/templates/duplicate_folder.php b/website_code/php/templates/duplicate_folder.php
index 0ae17665bd..5db0b4cf09 100644
--- a/website_code/php/templates/duplicate_folder.php
+++ b/website_code/php/templates/duplicate_folder.php
@@ -29,6 +29,7 @@
require_once("../../../config.php");
include "../user_library.php";
+include "../folder_library.php";
include "../template_library.php";
include "../template_status.php";
@@ -44,91 +45,92 @@
$prefix = $xerte_toolkits_site->database_table_prefix;
-if(is_numeric($_POST['folder_id'])){
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+ _debug("Session is invalid or expired");
+ die("Session is invalid or expired");
+}
- $folder_id = $_POST['folder_id'];
+if(is_numeric($_POST['folder_id'])){
+ if (has_rights_to_this_folder($_POST['folder_id'], $_SESSION['toolkits_logon_id'])) {
+ $folder_id = $_POST['folder_id'];
- if($_POST['parentfolder_id']=="workspace"){
+ if ($_POST['parentfolder_id'] == "workspace") {
- $parentfolder_id = get_user_root_folder();
+ $parentfolder_id = get_user_root_folder();
- }else{
+ } else {
- $parentfolder_id = $_POST['parentfolder_id'];
+ $parentfolder_id = $_POST['parentfolder_id'];
- }
+ }
- /*
- * get the maximum id number from templates, as the id for this template
- */
-
- // Check all templates within the folder
- // Get all templates within chosen folder
- $sql = "select td.*, tr.user_id, tr.folder, tr.role, otd.template_framework, otd.template_name as org_template_name from {$prefix}templaterights tr, {$prefix}templatedetails td, {$prefix}originaltemplatesdetails otd where td.template_id=tr.template_id and td.template_type_id=otd.template_type_id and tr.user_id=? and tr.folder=?";
- $params = array($_SESSION['toolkits_logon_id'], $folder_id);
-
- $templates = db_query($sql, $params);
- if ($templates !== false)
- {
- foreach ($templates as $template)
- {
- if ($template['role'] != 'creator' && $template['role'] != 'co-author')
- {
- echo DUPLICATE_TEMPLATE_NOT_CREATOR;
- exit(-1);
+ /*
+ * get the maximum id number from templates, as the id for this template
+ */
+
+ // Check all templates within the folder
+ // Get all templates within chosen folder
+ $sql = "select td.*, tr.user_id, tr.folder, tr.role, otd.template_framework, otd.template_name as org_template_name from {$prefix}templaterights tr, {$prefix}templatedetails td, {$prefix}originaltemplatesdetails otd where td.template_id=tr.template_id and td.template_type_id=otd.template_type_id and tr.user_id=? and tr.folder=?";
+ $params = array($_SESSION['toolkits_logon_id'], $folder_id);
+
+ $templates = db_query($sql, $params);
+ if ($templates !== false) {
+ foreach ($templates as $template) {
+ if ($template['role'] != 'creator' && $template['role'] != 'co-author') {
+ echo DUPLICATE_TEMPLATE_NOT_CREATOR;
+ exit(-1);
+ }
}
- }
- // Create duplicate of folder
- $folder_name = "Copy of " . $_POST['folder_name'];
- $query = "INSERT INTO {$prefix}folderdetails (login_id,folder_parent,folder_name,date_created) values (?,?,?,?)";
- $params = array($_SESSION['toolkits_logon_id'], $parentfolder_id, $folder_name, date('Y-m-d'));
+ // Create duplicate of folder
+ $folder_name = "Copy of " . $_POST['folder_name'];
+ $query = "INSERT INTO {$prefix}folderdetails (login_id,folder_parent,folder_name,date_created) values (?,?,?,?)";
+ $params = array($_SESSION['toolkits_logon_id'], $parentfolder_id, $folder_name, date('Y-m-d'));
- $new_folder_id = db_query($query, $params);
+ $new_folder_id = db_query($query, $params);
- // Create copies (with same name in new folder)
- foreach ($templates as $template)
- {
- /*
- * create the new template record in the database
- */
+ // Create copies (with same name in new folder)
+ foreach ($templates as $template) {
+ /*
+ * create the new template record in the database
+ */
- $query_for_new_template = "INSERT INTO {$prefix}templatedetails "
- . "(creator_id, template_type_id, date_created, date_modified, access_to_whom, template_name, extra_flags)"
- . " VALUES (?,?,?,?,?,?,?)";
- $params = array(
- $_SESSION['toolkits_logon_id'],
- $template['template_type_id'],
- date('Y-m-d'),
- date('Y-m-d'),
- $template['access_to_whom'],
- $template['template_name'],
- $template['extra_flags']);
+ $query_for_new_template = "INSERT INTO {$prefix}templatedetails "
+ . "(creator_id, template_type_id, date_created, date_modified, access_to_whom, template_name, extra_flags)"
+ . " VALUES (?,?,?,?,?,?,?)";
+ $params = array(
+ $_SESSION['toolkits_logon_id'],
+ $template['template_type_id'],
+ date('Y-m-d'),
+ date('Y-m-d'),
+ $template['access_to_whom'],
+ $template['template_name'],
+ $template['extra_flags']);
- $new_template_id = db_query($query_for_new_template, $params);
- if($new_template_id !== FALSE) {
+ $new_template_id = db_query($query_for_new_template, $params);
+ if ($new_template_id !== FALSE) {
- $query_for_template_rights = "INSERT INTO {$prefix}templaterights (template_id,user_id,role, folder) VALUES (?,?,?,?)";
- $params = array($new_template_id, $_SESSION['toolkits_logon_id'], "creator", $new_folder_id);
+ $query_for_template_rights = "INSERT INTO {$prefix}templaterights (template_id,user_id,role, folder) VALUES (?,?,?,?)";
+ $params = array($new_template_id, $_SESSION['toolkits_logon_id'], "creator", $new_folder_id);
- if (db_query($query_for_template_rights, $params) !== FALSE) {
+ if (db_query($query_for_template_rights, $params) !== FALSE) {
- receive_message($_SESSION['toolkits_logon_username'], "ADMIN", "SUCCESS", "Created new template record for the database", $query_for_new_template . " " . $query_for_template_rights);
+ receive_message($_SESSION['toolkits_logon_username'], "ADMIN", "SUCCESS", "Created new template record for the database", $query_for_new_template . " " . $query_for_template_rights);
- require_once $xerte_toolkits_site->root_file_path . $xerte_toolkits_site->module_path . $template['template_framework'] . "/duplicate_template.php";
+ require_once $xerte_toolkits_site->root_file_path . $xerte_toolkits_site->module_path . $template['template_framework'] . "/duplicate_template.php";
- duplicate_template($new_template_id, $template['template_id'], $template['org_template_name']);
- }
- else{
- receive_message($_SESSION['toolkits_logon_username'], "ADMIN", "CRITICAL", "Failed to create new template record for the database", $query_for_template_rights);
+ duplicate_template($new_template_id, $template['template_id'], $template['org_template_name']);
+ } else {
+ receive_message($_SESSION['toolkits_logon_username'], "ADMIN", "CRITICAL", "Failed to create new template record for the database", $query_for_template_rights);
+
+ echo("FAILED-" . $_SESSION['toolkits_most_recent_error']);
+ }
+ } else {
+ receive_message($_SESSION['toolkits_logon_username'], "ADMIN", "CRITICAL", "Failed to create new template record for the database", $query_for_new_template);
echo("FAILED-" . $_SESSION['toolkits_most_recent_error']);
}
}
- else{
- receive_message($_SESSION['toolkits_logon_username'], "ADMIN", "CRITICAL", "Failed to create new template record for the database", $query_for_new_template);
-
- echo("FAILED-" . $_SESSION['toolkits_most_recent_error']);
- }
}
}
}
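Review bot: `has_rights_to_this_folder` is now required for the source folder, but the destination `$_POST['parentfolder_id']` goes unchecked into `folder_parent` of the INSERT, so a caller can still create the copy inside another user's folder. Apply the same check to the destination when it is not `workspace`: `} elseif (has_rights_to_this_folder($_POST['parentfolder_id'], $_SESSION['toolkits_logon_id'])) { $parentfolder_id = $_POST['parentfolder_id']; } else { die("No rights to destination folder"); }`. When the rights check on the source fails the script produces no output at all, so the caller cannot distinguish a denied request from a successful one; echoing a FAILED message as the other branches do would be consistent. The copy loop `foreach ($templates as $template)` still runs when `$templates === false`, which is pre-existing but worth a guard while this block is being reworked.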
diff --git a/website_code/php/templates/general_templates.php b/website_code/php/templates/general_templates.php
index 3f914b07bc..c71b6ec7b2 100644
--- a/website_code/php/templates/general_templates.php
+++ b/website_code/php/templates/general_templates.php
@@ -31,5 +31,11 @@
require_once("../../../config.php");
include "../display_library.php";
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+ _debug("Session is invalid or expired");
+ die("Session is invalid or expired");
+}
+
list_blank_templates();
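Review bot: This session guard is the same five lines added to duplicate_folder.php and update_file.php in this patch; a single helper in a shared include (for example a `require_valid_session()` that performs the `_debug` and `die`) would keep the check identical across entry points and make it trivial to add to the next one. The guard keys on `toolkits_logon_username` while get_template_info.php tests `toolkits_logon_id`; settling on one session key for "logged in" avoids the two checks drifting apart.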
diff --git a/website_code/php/templates/get_template_info.php b/website_code/php/templates/get_template_info.php
index a8b2c4d62b..39bede17f2 100644
--- a/website_code/php/templates/get_template_info.php
+++ b/website_code/php/templates/get_template_info.php
@@ -35,41 +35,42 @@
if(empty($_SESSION['toolkits_logon_id'])) {
die("Please login");
}
+if(has_rights_to_this_template($_POST['template_id'], $_SESSION['toolkits_logon_id']) || is_user_admin()) {
+ $info = new stdClass();
+ $info->template_id = $_POST['template_id'];
+ $_SESSION["XAPI_PROXY"] = $_POST['template_id'];
+ $info->properties = project_info($_POST['template_id']);
+ $info->properties .= media_quota_info($_POST['template_id']);
+ $info->properties .= access_info($_POST['template_id']);
+ $info->properties .= sharing_info($_POST['template_id']);
+ $info->properties .= rss_syndication($_POST['template_id']);
-$info = new stdClass();
-$info->template_id = $_POST['template_id'];
-$_SESSION["XAPI_PROXY"] = $_POST['template_id'];
-$info->properties = project_info($_POST['template_id']);
-$info->properties .= media_quota_info($_POST['template_id']);
-$info->properties .= access_info($_POST['template_id']);
-$info->properties .= sharing_info($_POST['template_id']);
-$info->properties .= rss_syndication($_POST['template_id']);
+ $statistics_available = statistics_prepare($_POST['template_id']);
-$statistics_available = statistics_prepare($_POST['template_id']);
+ if ($statistics_available->published) {
+ $info->properties .= $statistics_available->linkinfo;
+ }
-if ($statistics_available->published) {
- $info->properties .= $statistics_available->linkinfo;
-}
+ if ($statistics_available->available) {
+ $info->properties .= $statistics_available->xapi_linkinfo;
+ $info->properties .= "" . $statistics_available->xapi_url . " ";
+ }
+ $info->properties .= $statistics_available->info;
+ $info->fetch_statistics = $statistics_available->available;
+ $info->lrs = $statistics_available->lrs;
+ $info->dashboard = $statistics_available->dashboard;
-if ($statistics_available->available)
-{
- $info->properties .= $statistics_available->xapi_linkinfo;
- $info->properties .= "" . $statistics_available->xapi_url . " ";
-}
-$info->properties .= $statistics_available->info;
-$info->fetch_statistics = $statistics_available->available;
-$info->lrs = $statistics_available->lrs;
-$info->dashboard = $statistics_available->dashboard;
+ $sql = "SELECT template_id, user_id, firstname, surname, role FROM " .
+ " {$xerte_toolkits_site->database_table_prefix}templaterights, {$xerte_toolkits_site->database_table_prefix}logindetails WHERE " .
+ " {$xerte_toolkits_site->database_table_prefix}logindetails.login_id = {$xerte_toolkits_site->database_table_prefix}templaterights.user_id and template_id= ? and user_id = ?";
-$sql = "SELECT template_id, user_id, firstname, surname, role FROM " .
- " {$xerte_toolkits_site->database_table_prefix}templaterights, {$xerte_toolkits_site->database_table_prefix}logindetails WHERE " .
- " {$xerte_toolkits_site->database_table_prefix}logindetails.login_id = {$xerte_toolkits_site->database_table_prefix}templaterights.user_id and template_id= ? and user_id = ?";
+ $row = db_query_one($sql, array($_POST['template_id'], $_SESSION['toolkits_logon_id']));
-$row = db_query_one($sql, array($_POST['template_id'], $_SESSION['toolkits_logon_id']));
+ $info->role = $row['role'];
-$info->role = $row['role'];
-echo json_encode($info);
+ echo json_encode($info);
//$info = get_project_info($_POST['template_id']);
//echo $info;
+}
\ No newline at end of file
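Review bot: An admin with no templaterights row for the template now reaches the role lookup through `|| is_user_admin()`, and `$row['role']` is read without checking the result, so if `db_query_one` returns false on no match (its contract is outside this patch) the response carries a null role after a PHP notice. Guard it: `$info->role = ($row !== false) ? $row['role'] : null;`. `$_POST['template_id']` is passed to `has_rights_to_this_template` without the `is_numeric` check the other endpoints in this patch apply first, and a denied request produces an empty body rather than JSON, which the caller cannot tell from a broken response; an `else { echo json_encode(array('error' => 'no rights')); }` would be clearer.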
diff --git a/website_code/php/versioncontrol/template_close.php b/website_code/php/versioncontrol/template_close.php
index f405f96b27..f37e7862e3 100644
--- a/website_code/php/versioncontrol/template_close.php
+++ b/website_code/php/versioncontrol/template_close.php
@@ -49,6 +49,8 @@
* Code to delete the lock file
*/
+ _debug("Detected lockfile on closing " . $_POST['file_path']);
+
$row_template_name = db_query_one("Select template_name from {$xerte_toolkits_site->database_table_prefix}templatedetails WHERE template_id = ?", array($temp_array[0]));
$lock_file_data = file_get_contents($xerte_toolkits_site->users_file_area_full . $temp_array[0] . "-" . $temp_array[1] . "-" . $temp_array[2] . "/lockfile.txt");
@@ -91,6 +93,7 @@
unlink($xerte_toolkits_site->users_file_area_full . $_POST['file_path'] . "lockfile.txt");
+ _debug("Lockfile " . $xerte_toolkits_site->users_file_area_full . $_POST['file_path'] . "lockfile.txt" . " is deleted.");
}
/*
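Review bot: The new debug line records the exact path handed to `unlink()`, but nothing in either hunk checks that `$_POST['file_path']` resolves inside `users_file_area_full` before it is concatenated into that path; if an earlier part of this file validates it, that is outside the hunks. A `realpath()` of the assembled path compared against `realpath($xerte_toolkits_site->users_file_area_full)` before the `unlink` would make the constraint explicit, and the log line would then only ever show accepted paths. The enclosing block starts outside the hunk.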
diff --git a/website_code/php/versioncontrol/update_file.php b/website_code/php/versioncontrol/update_file.php
index 69cb7d7a6f..d0edec8c27 100644
--- a/website_code/php/versioncontrol/update_file.php
+++ b/website_code/php/versioncontrol/update_file.php
@@ -33,6 +33,12 @@
require('../template_status.php');
+if (!isset($_SESSION['toolkits_logon_username']))
+{
+ _debug("Session is invalid or expired");
+ die("Session is invalid or expired");
+}
+
database_connect("file update success","file_update_fail");
if(isset($_POST['template_id'])){
diff --git a/website_code/php/xAPI/update_dashboard_display_properties.php b/website_code/php/xAPI/update_dashboard_display_properties.php
index 6ff1dac643..4f9fd4f423 100644
--- a/website_code/php/xAPI/update_dashboard_display_properties.php
+++ b/website_code/php/xAPI/update_dashboard_display_properties.php
@@ -9,8 +9,9 @@
$properties = $_POST["properties"];
if(is_numeric($id))
{
- if(isset($_SESSION['toolkits_logon_id'])){
- db_query("update templatedetails set dashboard_display_options = ? where template_id = ?", array($properties, $id));
+ if(has_rights_to_this_template($id, $_SESSION['toolkits_logon_id']) || is_user_admin()) {
+ $prefix = $xerte_toolkits_site->database_table_prefix;
+ db_query("update ${prefix}templatedetails set dashboard_display_options = ? where template_id = ?", array($properties, $id));
}
}
?>
\ No newline at end of file
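Review bot: The previous `isset($_SESSION['toolkits_logon_id'])` guard was removed, so an unauthenticated request now reaches `has_rights_to_this_template($id, $_SESSION['toolkits_logon_id'])` with an undefined index; unless the helper treats null as no rights (not visible here), keep the isset in front: `if (isset($_SESSION['toolkits_logon_id']) && (has_rights_to_this_template($id, $_SESSION['toolkits_logon_id']) || is_user_admin())) {`. The query uses `${prefix}` interpolation where the rest of the patch writes `{$prefix}`; the `${}` form is deprecated from PHP 8.2, so `{$prefix}templatedetails` is the consistent choice. `$properties` is stored without any validation of its shape, which is pre-existing but is now the only filter on that column.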
diff --git a/website_code/scripts/peer.js b/website_code/scripts/peer.js
index 5b011c8550..81e0442f8e 100644
--- a/website_code/scripts/peer.js
+++ b/website_code/scripts/peer.js
@@ -53,7 +53,8 @@ function peer_stateChanged(){
* @author Patrick Lockley
*/
-function send_review(retouremail,template_id){
+//function send_review(retouremail,template_id){
+function send_review(){
if(setup_ajax()!=false){
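Review bot: The old signature is kept as a commented-out line above the new `function send_review()`; commented-out code should be deleted rather than left in place, since version control already keeps the history. Any caller still passing `(retouremail, template_id)` now has its arguments silently ignored, so the call sites belong in the same commit; none are visible here. Dropping the client-supplied template_id in favour of state the server holds is the right direction for an authorization fix, as long as the server side (peer_review.php in the diffstat) no longer trusts those request fields.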
@@ -63,7 +64,11 @@ function send_review(retouremail,template_id){
xmlHttp.onreadystatechange=peer_stateChanged;
xmlHttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
- xmlHttp.send('retouremail=' + retouremail + '&template_id=' + template_id + '&feedback=' + document.peer.response.value);
+ // Cleanup peer review text
+ var response = $('').html(document.peer.response.value);
+ var response_cleantxt = $.trim(response.text());
+ //xmlHttp.send('retouremail=' + retouremail + '&template_id=' + template_id + '&feedback=' + response_cleantxt);
+ xmlHttp.send('feedback=' + response_cleantxt);
}