From a7f8999e4898823fbbf9613d6a761d53073f8c6e Mon Sep 17 00:00:00 2001 
From: Tom Reijnders Date: Thu, 25 Mar 2021 11:50:58 +0100 Subject: [PATCH] First round of fixes of several vulnerabilities - The vulnerabilities would enable unauthorized persons to modify data in your Xerte Toolkits installation Many thanks to Bauke Gehem, System addin at Summa College, Eindhoven, The Netherlands --- feedback.php | 4 +- languages/en-GB/modules/xerte/peer.inc | 4 +- languages/en-GB/peer.inc | 4 +- .../website_code/php/peer/peer_review.inc | 4 +- peer.php | 14 +- show_peer.php | 2 +- website_code/php/folder_library.php | 12 + .../folder_content_template.php | 6 + .../folderproperties/folder_rss_template.php | 6 + .../folderproperties_template.php | 6 + .../rename_folder_template.php | 5 + .../php/folders/copy_to_new_folder.php | 6 + website_code/php/folders/delete_folder.php | 6 + website_code/php/folders/make_new_folder.php | 6 + website_code/php/peer/peer_review.php | 15 +- .../php/properties/access_change_template.php | 33 ++- .../php/properties/delete_file_template.php | 9 +- .../php/properties/gift_this_template.php | 182 +++++++------- website_code/php/properties/lti_update.php | 234 +++++++++--------- .../properties/name_select_gift_template.php | 47 ++-- .../php/properties/name_select_template.php | 49 ++-- .../php/properties/notes_change_template.php | 28 ++- website_code/php/properties/peer_template.php | 20 +- .../properties/properties_default_engine.php | 67 ++--- .../php/properties/properties_library.php | 95 ++++--- website_code/php/properties/publish.php | 13 +- .../properties/remove_sharing_template.php | 26 +- .../php/properties/rename_template.php | 39 +-- .../php/properties/screen_size_template.php | 21 +- .../set_sharing_rights_template.php | 17 +- .../php/properties/share_this_template.php | 47 ++-- .../php/properties/tsugi_template.php | 11 +- website_code/php/publish/publish_template.php | 3 +- .../php/templates/duplicate_folder.php | 130 +++++----- .../php/templates/general_templates.php | 6 + 
.../php/templates/get_template_info.php | 55 ++-- .../php/versioncontrol/template_close.php | 3 + .../php/versioncontrol/update_file.php | 6 + .../update_dashboard_display_properties.php | 5 +- website_code/scripts/peer.js | 9 +- 40 files changed, 729 insertions(+), 526 deletions(-) diff --git a/feedback.php b/feedback.php index e5fa5f5c8b..3f30f2ddd4 100644 --- a/feedback.php +++ b/feedback.php @@ -55,7 +55,8 @@ function show_peer_form($row, $retouremail)

-
+ +
@@ -106,6 +107,7 @@ function show_peer_form($row, $retouremail) $retouremail = $extra[1]; $_SESSION['template_id'] = $template_id; + $_SESSION['retouremail'] = $retouremail; show_peer_form($row_play, $retouremail); } \ No newline at end of file diff --git a/languages/en-GB/modules/xerte/peer.inc b/languages/en-GB/modules/xerte/peer.inc index 83725dd8bb..72b819c967 100644 --- a/languages/en-GB/modules/xerte/peer.inc +++ b/languages/en-GB/modules/xerte/peer.inc @@ -14,8 +14,8 @@ define("XERTE_PEER_DESCRIPTION", "Peer review page"); define("XERTE_PEER_GUIDANCE", "Please review this learning object. Use the feedback form below to submit your feedback."); - - define("XERTE_PEER_TEXTAREA_INSTRUCTIONS", "You have been asked to provide some feedback on this learning object. Please enter your feedback and click save when you have finished. This feedback is anonymous."); + + define("XERTE_PEER_TEXTAREA_INSTRUCTIONS", "You have been asked to provide some feedback on this learning object created on the Xerte installation {url} by {creator}. Please enter your feedback and click save when you have finished. This feedback is anonymous. If you wish to be contacted please add your name and contact details to your response before clicking send. This feedback will be sent to {email}"); define("XERTE_PEER_BUTTON_SEND", "Send"); diff --git a/languages/en-GB/peer.inc b/languages/en-GB/peer.inc index 3666e4d597..e33056f4e7 100644 --- a/languages/en-GB/peer.inc +++ b/languages/en-GB/peer.inc 
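Review bot: `$retouremail` is copied into `$_SESSION['retouremail']` straight from `$extra[1]` without being validated as an e-mail address, and peer_review.php later hands that session value to `mail()` as the recipient. Validating it where it is stored keeps a malformed or non-address value out of the session: `if (filter_var($retouremail, FILTER_VALIDATE_EMAIL) === false) { die("invalid return address"); }` before the assignment. The same assignment is added in peer.php's `@@ -146,6 +153,7 @@` hunk and needs the same check; where `$extra` is populated is outside the hunk, so it may already be constrained there. The enclosing code continues beyond the hunk.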
@@ -16,9 +16,9 @@ define("XERTE_PEER_GUIDANCE", "Please review this learning object. Use the feedback form below to submit your feedback."); -define("XERTE_PEER_LIGHTBOX", "View in lightbox"); + define("XERTE_PEER_LIGHTBOX", "View in lightbox"); - define("XERTE_PEER_TEXTAREA_INSTRUCTIONS", "You have been asked to provide some feedback on this learning object. Please enter your feedback and click send when you have finished. This feedback is anonymous. If you wish to be contacted please add your name and contact details to your response before clicking send."); + define("XERTE_PEER_TEXTAREA_INSTRUCTIONS", "You have been asked to provide some feedback on this learning object created on the Xerte installation {url} by {creator}. Please enter your feedback and click send when you have finished. This feedback is anonymous. If you wish to be contacted please add your name and contact details to your response before clicking send. This feedback will be sent to {email}"); define("XERTE_PEER_BUTTON_SEND", "Send"); diff --git a/languages/en-GB/website_code/php/peer/peer_review.inc b/languages/en-GB/website_code/php/peer/peer_review.inc index 63da1c0d3e..d7fe0d6500 100644 --- a/languages/en-GB/website_code/php/peer/peer_review.inc +++ b/languages/en-GB/website_code/php/peer/peer_review.inc @@ -21,7 +21,9 @@ define("PEER_REVIEW_EMAIL_SIGNATURE","The Xerte Project"); - define("PEER_REVIEW_USER_FEEDBACK","Your feedback has been sent to the user"); + define("PEER_REVIEW_IDENTIFICATION","This email was sent as feedback on learning object {template_id} of the Xerte installation hosted at {url}"); + + define("PEER_REVIEW_USER_FEEDBACK","Your feedback has been sent to the user"); define("PEER_REVIEW_PROBLEM","A problem has occured"); diff --git a/peer.php b/peer.php index 8c05e06774..c49d9f3e6e 100644 --- a/peer.php +++ b/peer.php 
@@ -36,6 +36,12 @@ function show_peer_template_form($row, $retouremail) { + global $xerte_toolkits_site; + $helptext = XERTE_PEER_TEXTAREA_INSTRUCTIONS; + $helptext = str_replace("{creator}", $row['firstname'] . ' ' . $row['surname'], $helptext); + $helptext = str_replace("{url}", $xerte_toolkits_site->site_url, $helptext); + $helptext = str_replace("{email}", $retouremail, $helptext); + ?> @@ -53,8 +59,9 @@ function show_peer_template_form($row, $retouremail)
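Review bot: The values substituted into `$helptext` — `$row['firstname'] . ' ' . $row['surname']` and `$retouremail` — come from the database and are not HTML-escaped before the text is placed in the page; the lines that output `$helptext` are in the next hunk but their markup was lost in this rendering, so I am inferring it is echoed into HTML. Escaping at the substitution point is the simplest fix: `$helptext = str_replace("{creator}", htmlspecialchars($row['firstname'] . ' ' . $row['surname'], ENT_QUOTES, 'UTF-8'), $helptext);` and likewise for `{email}`. `{url}` is filled from `$xerte_toolkits_site->site_url`, which is site configuration, and can stay as is. `show_peer_template_form` continues beyond the hunk.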

- - + + +
@@ -105,7 +112,7 @@ function show_peer_login_form($mesg="") if(!empty($query_for_peer_response)) { - $query_for_play_content = "select otd.template_name, otd.parent_template, ld.username, otd.template_framework, tr.user_id, tr.folder, tr.template_id, td.access_to_whom, td.extra_flags"; + $query_for_play_content = "select otd.template_name, otd.parent_template, ld.username, ld.surname, ld.firstname, otd.template_framework, tr.user_id, tr.folder, tr.template_id, td.access_to_whom, td.extra_flags"; $query_for_play_content .= " from " . $xerte_toolkits_site->database_table_prefix . "originaltemplatesdetails otd, " . $xerte_toolkits_site->database_table_prefix . "templaterights tr, " . $xerte_toolkits_site->database_table_prefix . "templatedetails td, " . $xerte_toolkits_site->database_table_prefix . "logindetails ld"; $query_for_play_content .= " where td.template_type_id = otd.template_type_id and td.creator_id = ld.login_id and tr.template_id = td.template_id and tr.template_id=" . $template_id . " and (role='creator' or role='co-author')"; @@ -146,6 +153,7 @@ function show_peer_login_form($mesg="") * Output the code */ $_SESSION['template_id'] = $template_id; + $_SESSION['retouremail'] = $retouremail; show_peer_template_form($row_play, $retouremail); }else{ show_peer_login_form(PEER_LOGON_FAIL); diff --git a/show_peer.php b/show_peer.php index ec34b22ae7..155d26b65e 100644 --- a/show_peer.php +++ b/show_peer.php 
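Review bot: The widened SELECT still concatenates `$template_id` into the SQL string in the context line `tr.template_id=" . $template_id . "`, while the rest of this patch moves to placeholders via `db_query_one($query, array(...))`. Whether `$template_id` is checked as numeric before this point is outside the hunk, so the exposure is hedged, but the query would be safer as `tr.template_id=?` with `$template_id` passed in the parameter array. The same construction appears in show_peer.php's `@@ -53,7 +53,7 @@` hunk. The enclosing block continues outside the hunk.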
@@ -53,7 +53,7 @@ if(!empty($query_for_peer_response)) { - $query_for_play_content = "select otd.template_name, otd.parent_template, ld.username, otd.template_framework, tr.user_id, tr.folder, tr.template_id, td.access_to_whom, td.extra_flags"; + $query_for_play_content = "select otd.template_name, otd.parent_template, ld.username, otd.template_framework, tr.user_id, tr.folder, tr.template_id, td.access_to_whom, td.date_modified, td.extra_flags"; $query_for_play_content .= " from " . $xerte_toolkits_site->database_table_prefix . "originaltemplatesdetails otd, " . $xerte_toolkits_site->database_table_prefix . "templaterights tr, " . $xerte_toolkits_site->database_table_prefix . "templatedetails td, " . $xerte_toolkits_site->database_table_prefix . "logindetails ld"; $query_for_play_content .= " where td.template_type_id = otd.template_type_id and td.creator_id = ld.login_id and tr.template_id = td.template_id and tr.template_id=" . $template_id . " and (role='creator' or role='co-author')"; diff --git a/website_code/php/folder_library.php b/website_code/php/folder_library.php index cbc8f1ffa8..ee3cfd9b33 100644 --- a/website_code/php/folder_library.php +++ b/website_code/php/folder_library.php @@ -196,3 +196,15 @@ function move_folder($folder_id,$destination) } } +function has_rights_to_this_folder($folder_id, $user_id){ + global $xerte_toolkits_site; + $query = "select * from {$xerte_toolkits_site->database_table_prefix}folderdetails where login_id=? AND folder_id = ?"; + $result = db_query_one($query, array($user_id, $folder_id)); + + if(!empty($result)) { + return true; + } + return false; +} + + diff --git a/website_code/php/folderproperties/folder_content_template.php b/website_code/php/folderproperties/folder_content_template.php index d54756d63c..f82407dbaf 100644 --- a/website_code/php/folderproperties/folder_content_template.php +++ b/website_code/php/folderproperties/folder_content_template.php 
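Review bot: `has_rights_to_this_folder()` is introduced here but no hunk in this patch calls it, so the folder handlers it was presumably written for (delete_folder.php, copy_to_new_folder.php, make_new_folder.php, rename_folder_template.php) still act on `$_POST['folder_id']` with only a logged-in check; the ownership test should be wired in at those call sites unless the library functions they call already enforce it, which is not visible here. The body can also be collapsed to `return !empty($result);` and `select *` narrowed to `select folder_id`, since only existence is tested. Please add a docblock stating that it returns true when a folderdetails row exists for the given `$user_id`/`$folder_id` pair and that callers remain responsible for passing the current user's id.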
@@ -35,6 +35,12 @@ include "../display_library.php"; +if (!isset($_SESSION['toolkits_logon_username'])) +{ + _debug("Session is invalid or expired"); + die("Session is invalid or expired"); +} + /** * connect to the database */ diff --git a/website_code/php/folderproperties/folder_rss_template.php b/website_code/php/folderproperties/folder_rss_template.php index c5424ecf11..944e7904e9 100644 --- a/website_code/php/folderproperties/folder_rss_template.php +++ b/website_code/php/folderproperties/folder_rss_template.php @@ -33,6 +33,12 @@ include "../url_library.php"; +if (!isset($_SESSION['toolkits_logon_username'])) +{ + _debug("Session is invalid or expired"); + die("Session is invalid or expired"); +} + //connect to the database $parameters = explode("_", $_POST['folder_id']); diff --git a/website_code/php/folderproperties/folderproperties_template.php b/website_code/php/folderproperties/folderproperties_template.php index 8141658e35..71006b9318 100644 --- a/website_code/php/folderproperties/folderproperties_template.php +++ b/website_code/php/folderproperties/folderproperties_template.php @@ -33,6 +33,12 @@ include "../url_library.php"; +if (!isset($_SESSION['toolkits_logon_username'])) +{ + _debug("Session is invalid or expired"); + die("Session is invalid or expired"); +} + //connect to the database if(is_numeric($_POST['folder_id'])){ diff --git a/website_code/php/folderproperties/rename_folder_template.php b/website_code/php/folderproperties/rename_folder_template.php index dc525ff68d..a372a117e1 100644 --- a/website_code/php/folderproperties/rename_folder_template.php +++ b/website_code/php/folderproperties/rename_folder_template.php 
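Review bot: The new guard in folder_content_template.php establishes only that a session is logged in, while the code after it reads `$_POST['folder_id']` (the sibling hunks show `explode("_", $_POST['folder_id'])` and `is_numeric($_POST['folder_id'])`) without checking that the folder belongs to `$_SESSION['toolkits_logon_username']`. The same block is pasted into folder_rss_template.php, folderproperties_template.php, rename_folder_template.php, copy_to_new_folder.php, delete_folder.php, make_new_folder.php, access_change_template.php, delete_file_template.php, gift_this_template.php and lti_update.php; a shared helper in a library all of them already include would keep it in one place. As far as the hunk shows it also answers with a 200 and a text body, so add `http_response_code(403);` before the `die(...)` so the calling script can distinguish a rejected request from a rendered template.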
@@ -32,6 +32,11 @@ _load_language_file("/website_code/php/folderproperties/folderproperties_template.inc"); _load_language_file("/website_code/php/folderproperties/rename_folder_template.inc"); +if (!isset($_SESSION['toolkits_logon_username'])) +{ + _debug("Session is invalid or expired"); + die("Session is invalid or expired"); +} if(is_numeric($_POST['folder_id'])&&is_string($_POST['folder_name'])){ diff --git a/website_code/php/folders/copy_to_new_folder.php b/website_code/php/folders/copy_to_new_folder.php index b31facf459..8946305c24 100644 --- a/website_code/php/folders/copy_to_new_folder.php +++ b/website_code/php/folders/copy_to_new_folder.php @@ -30,6 +30,12 @@ require_once('../../../config.php'); include '../folder_library.php'; +if (!isset($_SESSION['toolkits_logon_username'])) +{ + _debug("Session is invalid or expired"); + die("Session is invalid or expired"); +} + if (isset($_POST['folder_id'])) { move_folder($_POST['folder_id'], $_POST['destination']); diff --git a/website_code/php/folders/delete_folder.php b/website_code/php/folders/delete_folder.php index ac200535d7..28b6fed702 100644 --- a/website_code/php/folders/delete_folder.php +++ b/website_code/php/folders/delete_folder.php @@ -30,6 +30,12 @@ require_once('../../../config.php'); include "../folder_library.php"; +if (!isset($_SESSION['toolkits_logon_username'])) +{ + _debug("Session is invalid or expired"); + die("Session is invalid or expired"); +} + delete_folder($_POST['folder_id']); ?> diff --git a/website_code/php/folders/make_new_folder.php b/website_code/php/folders/make_new_folder.php index a17622c246..721cbe75e1 100644 --- a/website_code/php/folders/make_new_folder.php +++ b/website_code/php/folders/make_new_folder.php 
@@ -30,4 +30,10 @@ require_once("../../../config.php"); include '../folder_library.php'; +if (!isset($_SESSION['toolkits_logon_username'])) +{ + _debug("Session is invalid or expired"); + die("Session is invalid or expired"); +} + make_new_folder($_POST['folder_id'],$_POST['folder_name']); diff --git a/website_code/php/peer/peer_review.php b/website_code/php/peer/peer_review.php index a74f6735f6..f1c078b33d 100644 --- a/website_code/php/peer/peer_review.php +++ b/website_code/php/peer/peer_review.php @@ -30,22 +30,22 @@ _load_language_file("/website_code/php/peer/peer_review.inc"); -if(empty($_POST['template_id'])) { +if(empty($_SESSION['template_id'])) { die("invalid form submission"); } $query_for_file_name = "select template_name from {$xerte_toolkits_site->database_table_prefix}templatedetails where template_id =?"; -$row_template_name = db_query_one($query_for_file_name, array($_POST['template_id'])); +$row_template_name = db_query_one($query_for_file_name, array($_SESSION['template_id'])); $query_for_access_to_whom = "select access_to_whom from {$xerte_toolkits_site->database_table_prefix}templatedetails where template_id =?"; -$row_access_to_whom = db_query_one($query_for_access_to_whom, array($_POST['template_id'])); +$row_access_to_whom = db_query_one($query_for_access_to_whom, array($_SESSION['template_id'])); $access=$row_access_to_whom["access_to_whom"]; $headers = get_email_headers(); -if(isset($_POST['retouremail'])){ +if(isset($_SESSION['retouremail'])){ if($xerte_toolkits_site->apache=="true") { $playstring = "peerreview_"; @@ -59,12 +59,15 @@ } } + $identification = PEER_REVIEW_IDENTIFICATION; + $identification = str_replace("{template_id}", $_SESSION['template_id'], $identification); + $identification = str_replace("{url}", $xerte_toolkits_site->site_url, $identification); $subject = PEER_REVIEW_FEEDBACK . " - \"" . str_replace("_"," ",$row_template_name['template_name']) ."\""; - $message = PEER_REVIEW_EMAIL_GREETING . "

" . PEER_REVIEW_EMAIL_INTRO . " ". str_replace("_"," ",$row_template_name['template_name']) ."."."


" . $xerte_toolkits_site->site_url . $playstring . $_POST['template_id'] . "


" . str_replace("\n", "
\n", $_POST['feedback']) . "


" . PEER_REVIEW_EMAIL_YOURS . "

" . PEER_REVIEW_EMAIL_SIGNATURE; + $message = PEER_REVIEW_EMAIL_GREETING . "

" . PEER_REVIEW_EMAIL_INTRO . " ". str_replace("_"," ",$row_template_name['template_name']) ."."."


" . $xerte_toolkits_site->site_url . $playstring . $_SESSION['template_id'] . "


" . str_replace("\n", "
\n", $_POST['feedback']) . "


" . PEER_REVIEW_EMAIL_YOURS . "

" . PEER_REVIEW_EMAIL_SIGNATURE . "

" . $identification; - if(mail( $_POST['retouremail'], $subject, $message, $headers)){ + if(mail( $_SESSION['retouremail'], $subject, $message, $headers)){ echo "" . PEER_REVIEW_USER_FEEDBACK . ""; diff --git a/website_code/php/properties/access_change_template.php b/website_code/php/properties/access_change_template.php index f618a49230..3d136580f8 100644 --- a/website_code/php/properties/access_change_template.php +++ b/website_code/php/properties/access_change_template.php @@ -34,6 +34,12 @@ include "properties_library.php"; +if (!isset($_SESSION['toolkits_logon_username'])) +{ + _debug("Session is invalid or expired"); + die("Session is invalid or expired"); +} + /** * * Function template share status @@ -64,21 +70,22 @@ function template_share_status($string){ * Update the database setting */ $prefix = $xerte_toolkits_site->database_table_prefix; +if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()) { + $query = "UPDATE {$prefix}templatedetails SET access_to_whom = ? WHERE template_id = ?"; + if (isset($_POST['server_string'])) { + $access_to_whom = $_POST['access'] . '-' . $_POST['server_string']; + } else { + $access_to_whom = $_POST['access']; + } - $query = "UPDATE {$prefix}templatedetails SET access_to_whom = ? WHERE template_id = ?"; -if(isset($_POST['server_string'])){ - $access_to_whom = $_POST['access'] . '-' . $_POST['server_string']; -}else{ - $access_to_whom = $_POST['access']; -} - -$params = array($access_to_whom, $_POST['template_id']); -$ok = db_query($query, $params); + $params = array($access_to_whom, $_POST['template_id']); + $ok = db_query($query, $params); -if($ok === false) { - access_display_fail(); + if ($ok === false) { + access_display_fail(); -}else { + } else { - access_display($xerte_toolkits_site, true); + access_display($xerte_toolkits_site, true); + } } diff --git a/website_code/php/properties/delete_file_template.php b/website_code/php/properties/delete_file_template.php index c6ab44f24c..5ac42a692d 100644 
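Review bot: `$_POST['feedback']` is still placed into the e-mail body with only a newline-to-markup `str_replace("\n", …)` applied (the replacement tag itself was lost in this rendering), so any markup a reviewer types is delivered verbatim to the author — the switch from `$_POST` to `$_SESSION` fixes who receives the mail, not what it contains. If `get_email_headers()` declares an HTML body, which is not visible here, the text should be escaped first: `nl2br(htmlspecialchars($_POST['feedback'], ENT_QUOTES, 'UTF-8'))`. The `$identification` trailer is built from session and configuration values only, which is fine. The surrounding `if(isset($_SESSION['retouremail']))` block continues outside this hunk.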
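Review bot: When `is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()` is false the access_change_template.php script now produces no output at all — neither `access_display_fail()` nor a log line — so the client cannot tell a refused change from a successful one and the attempt leaves no trace. Add an `else` branch: `} else { _debug("access change refused for template " . $_POST['template_id']); access_display_fail(); }` (or a dedicated refusal message). `$_POST['template_id']` is also handed to the rights check without an `is_numeric` test; that may be done inside the helper, which is not on this page. gift_this_template.php's `@@ -87,131 +95,133 @@` hunk has the same silent-deny shape.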
--- a/website_code/php/properties/delete_file_template.php +++ b/website_code/php/properties/delete_file_template.php @@ -31,12 +31,11 @@ include "../error_library.php"; include "../../../config.php"; -/** XXX/ TODO SECURITY HOLE - NEED TO CHECK $_POST['file'] IS VALID */ - -if(!isset($_SESSION['toolkits_logon_username'])) { - die("Sorry; you can't delete this without being logged in."); +if (!isset($_SESSION['toolkits_logon_username'])) +{ + _debug("Session is invalid or expired"); + die("Session is invalid or expired"); } - if(unlink(urldecode($_POST['file']))){ receive_message($_SESSION['toolkits_logon_username'], "FILE", "SUCCESS", "The file " . $_POST['file'] . "has been deleted", "User " . $_SESSION['toolkits_logon_username'] . " has deleted " . $_POST['file']); }else{ diff --git a/website_code/php/properties/gift_this_template.php b/website_code/php/properties/gift_this_template.php index b988a17067..e5b06819cd 100644 --- a/website_code/php/properties/gift_this_template.php +++ b/website_code/php/properties/gift_this_template.php @@ -80,6 +80,14 @@ function copy_loop($start_path, $final_path){ _load_language_file("/website_code/php/properties/gift_this_template.inc"); include "../template_library.php"; +include "../template_status.php"; + + +if (!isset($_SESSION['toolkits_logon_username'])) +{ + _debug("Session is invalid or expired"); + die("Session is invalid or expired"); +} /** * Check id is numeric 
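Review bot: The commit deletes the `/** XXX/ TODO SECURITY HOLE - NEED TO CHECK $_POST['file'] IS VALID */` marker but leaves `unlink(urldecode($_POST['file']))` unchanged, so the gap the comment described is still there and is now merely unflagged. The path should be resolved with `realpath()` and required to sit under the users' file area (`$xerte_toolkits_site->root_file_path . $xerte_toolkits_site->users_file_area_short`, as used in gift_this_template.php) before deletion, and ideally tied to a template the user has rights to; until that second part exists the TODO should stay. The sketch below assumes `$xerte_toolkits_site` is in scope via the included config.php, as it is in the sibling scripts.
```php
// … unchanged: session check …
// Resolve both paths and refuse anything that does not sit inside the users' file area.
$users_area = realpath($xerte_toolkits_site->root_file_path . $xerte_toolkits_site->users_file_area_short);
$target = realpath(urldecode($_POST['file']));
if ($users_area === false || $target === false || !is_file($target)
    || strncmp($target, $users_area . DIRECTORY_SEPARATOR, strlen($users_area) + 1) !== 0) {
    _debug("Refused to delete a path outside the users' file area");
    die("invalid file");
}
/** TODO: also check the logged-in user has rights to the template this file belongs to */
if(unlink($target)){
// … unchanged: success / failure messages …
```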
@@ -87,131 +95,133 @@ function copy_loop($start_path, $final_path){ if(is_numeric($_POST['tutorial_id'])){ - $tutorial_id = (int) $_POST['tutorial_id']; - - $user_id = (int) $_POST['user_id']; + if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()){ + $tutorial_id = (int)$_POST['tutorial_id']; - /** - * Giving a copy, or giving it away - */ - - if($_POST['action']=="give"){ + $user_id = (int)$_POST['user_id']; /** - * Giving it away + * Giving a copy, or giving it away */ - $database_id=database_connect("gift sharing database connect success","gift sharing database connect failed"); + if ($_POST['action'] == "give") { - $prefix = $xerte_toolkits_site->database_table_prefix; - - $query_for_rename = "select * from {$prefix}logindetails, {$prefix}templatedetails, {$prefix}originaltemplatesdetails " - . "where {$prefix}templatedetails.template_type_id = {$prefix}originaltemplatesdetails.template_type_id and" - . " template_id = ? and " - . " login_id = creator_id"; - - $row_rename = db_query_one($query_for_rename, array($tutorial_id)); - + /** + * Giving it away + */ - /** - * Update the database - */ + $database_id = database_connect("gift sharing database connect success", "gift sharing database connect failed"); - $query_to_gift = "update {$prefix}templatedetails set creator_id = ? WHERE template_id = ?"; - $params = array($user_id, $tutorial_id); + $prefix = $xerte_toolkits_site->database_table_prefix; - $ok = db_query($query_to_gift, $params); - - $query_for_root_folder = "select folder_id from {prefix}folderdetails where login_id= ? and folder_name != ?"; - $params = array($user_id, 'recyclebin'); + $query_for_rename = "select * from {$prefix}logindetails, {$prefix}templatedetails, {$prefix}originaltemplatesdetails " + . "where {$prefix}templatedetails.template_type_id = {$prefix}originaltemplatesdetails.template_type_id and" + . " template_id = ? and " + . 
" login_id = creator_id"; - $row_folder = db_query_one($query_for_root_folder, $params); - - - $query_to_gift = "update {$prefix}templaterights set user_id = ?, folder = ? WHERE template_id = ?"; - $params = array($user_id, $row_folder['folder_id'], $tutorial_id); - - db_query($query_to_gift, $params); + $row_rename = db_query_one($query_for_rename, array($tutorial_id)); - - $query_for_new_login = "select username from {$prefix}logindetails where login_id= ? "; - - $row_new_login = db_query_one($query_for_new_login, array($user_id)); + /** + * Update the database + */ - $base_path = $xerte_toolkits_site->root_file_path . $xerte_toolkits_site->users_file_area_short; + $query_to_gift = "update {$prefix}templatedetails set creator_id = ? WHERE template_id = ?"; + $params = array($user_id, $tutorial_id); - /** - * Rename the folder where the template is - */ + $ok = db_query($query_to_gift, $params); - rename($base_path . $tutorial_id . "-" . $row_rename['username'] . "-" . $row_rename['template_name'] . "/", $base_path . $tutorial_id . "-" . $row_new_login['username'] . "-" . $row_rename['template_name'] . "/"); + $query_for_root_folder = "select folder_id from {prefix}folderdetails where login_id= ? and folder_name != ?"; + $params = array($user_id, 'recyclebin'); - echo "

" . GIFT_RESPONSE_FAIL . "

"; + $row_folder = db_query_one($query_for_root_folder, $params); - }else{ - /** - * Giving away a duplicate - */ - $prefix = $xerte_toolkits_site->database_table_prefix; + $query_to_gift = "update {$prefix}templaterights set user_id = ?, folder = ? WHERE template_id = ?"; + $params = array($user_id, $row_folder['folder_id'], $tutorial_id); + + db_query($query_to_gift, $params); + + + $query_for_new_login = "select username from {$prefix}logindetails where login_id= ? "; - $database_id=database_connect("Template sharing rights database connect success","Template sharing rights database connect failed"); + $row_new_login = db_query_one($query_for_new_login, array($user_id)); - $query_for_currentdetails = "select *,{$prefix}templatedetails.template_name AS actual_name FROM " - . "{$prefix}templatedetails, {$prefix}originaltemplatesdetails where " - . "template_id= ? AND {$prefix}originaltemplatesdetails.template_type_id = {$prefix}templatedetails.template_type_id"; - $params = array($tutorial_id); - - $row_currentdetails = db_query_one($query_for_currentdetails, $params); + $base_path = $xerte_toolkits_site->root_file_path . $xerte_toolkits_site->users_file_area_short; - $creation_query = "INSERT INTO {$prefix}templatedetails " - . "(creator_id, template_type_id,template_name,date_created,date_modified,date_accessed,number_of_uses,access_to_whom,extra_flags) " - . " VALUES (?,?,?,?,?,?,?,?,?)"; - $params = array($user_id, $row_currentdetails['template_type_id'], $row_currentdetails['actual_name'], date('Y-m-d'), date('Y-m-d'), date('Y-m-d'),0,"Private",$row_currentdetails['extra_flags']); + /** + * Rename the folder where the template is + */ - $new_template_id = db_query($creation_query, $params); - - $query_for_currentrights = "select * from {$prefix}templaterights where template_id = ?"; - $params = array($tutorial_id); + rename($base_path . $tutorial_id . "-" . $row_rename['username'] . "-" . $row_rename['template_name'] . "/", $base_path . $tutorial_id . "-" . 
$row_new_login['username'] . "-" . $row_rename['template_name'] . "/"); - $row_currentrights = db_query_one($query_for_currentdetails, $params); + echo "

" . GIFT_RESPONSE_FAIL . "

"; - $query_for_root_folder = "select folder_id from {$prefix}folderdetails where login_id= ? AND folder_name != ? AND folder_parent=0"; - $params = array($user_id, 'recyclebin'); + } else { - $row_folder = db_query_one($query_for_root_folder, $params); - - $create_rights_query = "INSERT INTO {$prefix}templaterights (template_id, user_id, role,folder,notes) VALUES (?,?,?,?,?)"; - $params = array($new_template_id, $user_id, "creator", $row_folder['folder_id'], ''); + /** + * Giving away a duplicate + */ + $prefix = $xerte_toolkits_site->database_table_prefix; - db_query($create_rights_query, $params); - + $database_id = database_connect("Template sharing rights database connect success", "Template sharing rights database connect failed"); - $query_for_new_login = "select firstname, surname, username from {$prefix}logindetails where login_id= ?"; - $params = array($user_id); + $query_for_currentdetails = "select *,{$prefix}templatedetails.template_name AS actual_name FROM " + . "{$prefix}templatedetails, {$prefix}originaltemplatesdetails where " + . "template_id= ? AND {$prefix}originaltemplatesdetails.template_type_id = {$prefix}templatedetails.template_type_id"; - - $row_new_login = db_query_one($query_for_new_login, $params); + $params = array($tutorial_id); - $new_directory = $xerte_toolkits_site->root_file_path . $xerte_toolkits_site->users_file_area_short . + $row_currentdetails = db_query_one($query_for_currentdetails, $params); + + $creation_query = "INSERT INTO {$prefix}templatedetails " + . "(creator_id, template_type_id,template_name,date_created,date_modified,date_accessed,number_of_uses,access_to_whom,extra_flags) " + . 
" VALUES (?,?,?,?,?,?,?,?,?)"; + $params = array($user_id, $row_currentdetails['template_type_id'], $row_currentdetails['actual_name'], date('Y-m-d'), date('Y-m-d'), date('Y-m-d'), 0, "Private", $row_currentdetails['extra_flags']); + + $new_template_id = db_query($creation_query, $params); + + $query_for_currentrights = "select * from {$prefix}templaterights where template_id = ?"; + $params = array($tutorial_id); + + $row_currentrights = db_query_one($query_for_currentdetails, $params); + + $query_for_root_folder = "select folder_id from {$prefix}folderdetails where login_id= ? AND folder_name != ? AND folder_parent=0"; + $params = array($user_id, 'recyclebin'); + + $row_folder = db_query_one($query_for_root_folder, $params); + + $create_rights_query = "INSERT INTO {$prefix}templaterights (template_id, user_id, role,folder,notes) VALUES (?,?,?,?,?)"; + $params = array($new_template_id, $user_id, "creator", $row_folder['folder_id'], ''); + + db_query($create_rights_query, $params); + + + $query_for_new_login = "select firstname, surname, username from {$prefix}logindetails where login_id= ?"; + $params = array($user_id); + + + $row_new_login = db_query_one($query_for_new_login, $params); + + $new_directory = $xerte_toolkits_site->root_file_path . $xerte_toolkits_site->users_file_area_short . $new_template_id . "-" . $row_new_login['username'] . "-" . $row_currentdetails['template_name'] . "/"; - mkdir($new_directory); + mkdir($new_directory); - chmod($new_directory,0777); + chmod($new_directory, 0777); - mkdir($new_directory . "media/"); + mkdir($new_directory . "media/"); - chmod($new_directory . "media/" ,0777); + chmod($new_directory . "media/", 0777); - $current_directory = $xerte_toolkits_site->root_file_path . $xerte_toolkits_site->users_file_area_short . $tutorial_id . "-" . $_SESSION['toolkits_logon_username'] . "-" . $row_currentdetails['template_name'] . "/"; + $current_directory = $xerte_toolkits_site->root_file_path . 
$xerte_toolkits_site->users_file_area_short . $tutorial_id . "-" . $_SESSION['toolkits_logon_username'] . "-" . $row_currentdetails['template_name'] . "/"; - copy_loop($current_directory, $new_directory); + copy_loop($current_directory, $new_directory); - echo "

" . GIFT_RESPONSE_INSTRUCTIONS . ".

" . GIFT_RESPONSE_SUCCESS . " " . $row_new_login['firstname'] . " " . $row_new_login['surname'] . " (" . $row_new_login['username'] . ")

" . GIFT_RESPONSE_NAMES . "

"; + echo "

" . GIFT_RESPONSE_INSTRUCTIONS . ".

" . GIFT_RESPONSE_SUCCESS . " " . $row_new_login['firstname'] . " " . $row_new_login['surname'] . " (" . $row_new_login['username'] . ")

" . GIFT_RESPONSE_NAMES . "

"; + } } } diff --git a/website_code/php/properties/lti_update.php b/website_code/php/properties/lti_update.php index e9404f9e4c..809378e0b2 100644 --- a/website_code/php/properties/lti_update.php +++ b/website_code/php/properties/lti_update.php @@ -3,8 +3,15 @@ require_once("../../../config.php"); require_once "properties_library.php"; + global $xerte_toolkits_site; +if (!isset($_SESSION['toolkits_logon_username'])) +{ + _debug("Session is invalid or expired"); + die("Session is invalid or expired"); +} + $tsugi_installed = false; if (file_exists($xerte_toolkits_site->tsugi_dir)) { if ($xerte_toolkits_site->authentication_method == "Moodle") { 
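Review bot: The new authorization test checks `$_POST['template_id']`, but every following statement acts on `$tutorial_id = (int)$_POST['tutorial_id']`, so unless the form always sends both fields with the same value (not visible here) the right is verified on one object and the gift performed on another; hoist `$tutorial_id = (int)$_POST['tutorial_id'];` above the `if` and call `is_user_creator_or_coauthor($tutorial_id)` so the check and the action use the same value. Two pre-existing defects survive in the re-indented `+` lines and are worth fixing while the block is touched: `"select folder_id from {prefix}folderdetails ..."` lacks the `$` and so names a table literally called `{prefix}folderdetails`, and `$row_currentrights = db_query_one($query_for_currentdetails, $params);` runs the details query instead of `$query_for_currentrights`. The give path also echoes `GIFT_RESPONSE_FAIL` unconditionally and never inspects the return value of `rename(...)`, so the user is told the gift failed even when it succeeded. When the rights check fails nothing is emitted at all, the same silent-deny shape as access_change_template.php.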
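Review bot: `global $xerte_toolkits_site;` is added in lti_update.php at what appears to be file scope, where `global` has no effect because the variable defined by config.php is already in the global symbol table; drop the line unless this code is in fact inside a function, which the hunk does not show. The authorization wrap around the `$lti_def` construction begins in the following hunk, which is cut off on this page and is not reviewed here.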
@@ -26,140 +33,143 @@ { tsugi_display_fail(); } -if ($tsugi_installed) { - $tsugi_publish = isset($_POST["tsugi_published"]) && $_POST["tsugi_published"] == "true"; -} -$lti_def = new stdClass(); -$lti_def->tsugi_installed = $tsugi_installed; -$lti_def->secret = (isset($_POST["tsugi_secret"]) ? htmlspecialchars($_POST["tsugi_secret"]) : ""); -$lti_def->key = (isset($_POST["tsugi_key"]) ? htmlspecialchars($_POST["tsugi_key"]) : ""); -$lti_def->title = (isset($_POST["tsugi_title"]) ? htmlspecialchars($_POST["tsugi_title"]) : ""); -$lti_def->xapi_enabled = isset($_POST["tsugi_xapi"]) && $_POST["tsugi_xapi"] == "true"; -$lti_def->published = isset($_POST["tsugi_published"]) && $_POST["tsugi_published"] == "true"; -$lti_def->tsugi_url = $xerte_toolkits_site->site_url . "lti_launch.php?template_id=" . $template_id; -$lti_def->url = $xerte_toolkits_site->site_url . "lti_launch.php?template_id=" . $template_id; -$lti_def->xapionly_url = $xerte_toolkits_site->site_url . "xapi_launch.php?template_id=" . $template_id . "&group=groupname"; -$lti_def->xapi_useglobal = isset($_POST["tsugi_xapi_useglobal"]) && $_POST["tsugi_xapi_useglobal"] == "true"; -$lti_def->xapi_endpoint = (isset($_POST["tsugi_xapi_endpoint"]) ? htmlspecialchars($_POST["tsugi_xapi_endpoint"]) : ""); -$lti_def->xapi_username = (isset($_POST["tsugi_xapi_username"]) ? htmlspecialchars($_POST["tsugi_xapi_username"]) : ""); -$lti_def->xapi_password = (isset($_POST["tsugi_xapi_password"]) ? htmlspecialchars($_POST["tsugi_xapi_password"]) : ""); -$lti_def->xapi_student_id_mode = (isset($_POST["tsugi_xapi_student_id_mode"]) ? $_POST["tsugi_xapi_student_id_mode"] : ""); -$lti_def->dashboard_urls = (isset($_POST["dashboard_urls"]) ? 
$_POST["dashboard_urls"] : ""); +if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()){ + if ($tsugi_installed) { + $tsugi_publish = isset($_POST["tsugi_published"]) && $_POST["tsugi_published"] == "true"; + } + $lti_def = new stdClass(); + $lti_def->tsugi_installed = $tsugi_installed; + $lti_def->secret = (isset($_POST["tsugi_secret"]) ? htmlspecialchars($_POST["tsugi_secret"]) : ""); + $lti_def->key = (isset($_POST["tsugi_key"]) ? htmlspecialchars($_POST["tsugi_key"]) : ""); + $lti_def->title = (isset($_POST["tsugi_title"]) ? htmlspecialchars($_POST["tsugi_title"]) : ""); + $lti_def->xapi_enabled = isset($_POST["tsugi_xapi"]) && $_POST["tsugi_xapi"] == "true"; + $lti_def->published = isset($_POST["tsugi_published"]) && $_POST["tsugi_published"] == "true"; + $lti_def->tsugi_useglobal = isset($_POST["tsugi_useglobal"]) && $_POST["tsugi_useglobal"] == "true"; + $lti_def->tsugi_privateonly = isset($_POST["tsugi_useprivateonly"]) && $_POST["tsugi_useprivateonly"] == "true"; + $lti_def->tsugi_url = $xerte_toolkits_site->site_url . "lti_launch.php?template_id=" . $template_id; + $lti_def->url = $xerte_toolkits_site->site_url . "lti_launch.php?template_id=" . $template_id; + $lti_def->xapionly_url = $xerte_toolkits_site->site_url . "xapi_launch.php?template_id=" . $template_id . "&group=groupname"; + $lti_def->xapi_useglobal = isset($_POST["tsugi_xapi_useglobal"]) && $_POST["tsugi_xapi_useglobal"] == "true"; + $lti_def->xapi_endpoint = (isset($_POST["tsugi_xapi_endpoint"]) ? htmlspecialchars($_POST["tsugi_xapi_endpoint"]) : ""); + $lti_def->xapi_username = (isset($_POST["tsugi_xapi_username"]) ? htmlspecialchars($_POST["tsugi_xapi_username"]) : ""); + $lti_def->xapi_password = (isset($_POST["tsugi_xapi_password"]) ? htmlspecialchars($_POST["tsugi_xapi_password"]) : ""); + $lti_def->xapi_student_id_mode = (isset($_POST["tsugi_xapi_student_id_mode"]) ? 
$_POST["tsugi_xapi_student_id_mode"] : ""); + $lti_def->dashboard_urls = (isset($_POST["dashboard_urls"]) ? $_POST["dashboard_urls"] : ""); // Force groupmode -if (!$tsugi_installed) -{ - $lti_def->xapi_student_id_mode = 3; -} + if (!$tsugi_installed) { + $lti_def->xapi_student_id_mode = 3; + } + + if ($lti_def->xapi_student_id_mode == 3) { + $lti_def->url .= "&group=groupname"; + } + + if ($tsugi_installed) { + $PDOX = LTIX::getConnection(); + $p = $CFG->dbprefix; + $xp = $xerte_toolkits_site->database_table_prefix; + _debug("Data init " . print_r($_POST, true)); + $url = $xerte_toolkits_site->site_url . "lti_launch.php?template_id=" . $template_id; + _debug("Detele " . $url); -if ($lti_def->xapi_student_id_mode == 3) -{ - $lti_def->url .= "&group=groupname"; -} -if ($tsugi_installed) { - $PDOX = LTIX::getConnection(); - $p = $CFG->dbprefix; - $xp = $xerte_toolkits_site->database_table_prefix; - _debug("Data init " . print_r($_POST, true)); - $url = $xerte_toolkits_site->site_url . "lti_launch.php?template_id=" . $template_id; - _debug("Detele " . 
$url); + /* + if ($tsugi_publish) { + $rows = $PDOX->allRowsDie("SELECT * FROM {$p}lti_key k, {$p}lti_context c, {$p}lti_link l WHERE k.key_sha256 = :KEY and c.key_id = k.key_id and l.context_id=c.context_id and l.path != :URL", array( + ':KEY' => lti_sha256($lti_def->key), + ':URL' => $lti_def->tsugi_url)); + if (count($rows) > 0) { + $mesg = "Key already in use, use another key."; + tsugi_display($template_id, $lti_def, $mesg); + exit; + } - /* - if ($tsugi_publish) { + } + */ - $rows = $PDOX->allRowsDie("SELECT * FROM {$p}lti_key k, {$p}lti_context c, {$p}lti_link l WHERE k.key_sha256 = :KEY and c.key_id = k.key_id and l.context_id=c.context_id and l.path != :URL", array( - ':KEY' => lti_sha256($lti_def->key), + // Remove key from tsugi + $rows = $PDOX->allRowsDie("SELECT * FROM {$p}lti_key k, {$p}lti_context c, {$p}lti_link l WHERE c.key_id = k.key_id and l.context_id=c.context_id and l.path = :URL", array( ':URL' => $lti_def->tsugi_url)); if (count($rows) > 0) { - $mesg = "Key already in use, use another key."; - tsugi_display($template_id, $lti_def, $mesg); - exit; + $sql = "delete from {$p}lti_key where key_id = ?"; + $params = array($rows[0]['key_id']); + $res = $PDOX->queryDie($sql, $params); } - } - */ - - // Remove key from tsugi - $rows = $PDOX->allRowsDie("SELECT * FROM {$p}lti_key k, {$p}lti_context c, {$p}lti_link l WHERE c.key_id = k.key_id and l.context_id=c.context_id and l.path = :URL", array( - ':URL' => $lti_def->tsugi_url)); - if (count($rows) > 0) { - $sql = "delete from {$p}lti_key where key_id = ?"; - $params = array($rows[0]['key_id']); - $res = $PDOX->queryDie($sql, $params); - } - - if (!$tsugi_publish) { - $sql = "UPDATE {$xp}templatedetails SET tsugi_published = 0 WHERE template_id = ?"; - db_query($sql, array($template_id)); - $mesg = "Object is no longer published."; - } + if (!$tsugi_publish) { + $sql = "UPDATE {$xp}templatedetails SET tsugi_published = 0 WHERE template_id = ?"; + db_query($sql, array($template_id)); + $mesg = 
"Object is no longer published."; + } - if ($tsugi_publish) { - $url = $xerte_toolkits_site->site_url . "lti_launch.php?template_id=" . $template_id; - $PDOX = LTIX::getConnection(); - $p = $CFG->dbprefix; - $context_row = $PDOX->rowDie("SELECT MAX(context_id) FROM {$p}lti_context;"); - $context_id = ($context_row["MAX(context_id)"]) + 1; - $key_row = $PDOX->rowDie("SELECT MAX(key_id) FROM {$p}lti_key;"); - $key_id = ($key_row["MAX(key_id)"]) + 1; - $link_row = $PDOX->rowDie("SELECT MAX(link_id) FROM {$p}lti_link;"); - $link_id = ($link_row["MAX(link_id)"]) + 1; - $sql = "INSERT INTO {$p}lti_key + if ($tsugi_publish) { + $url = $xerte_toolkits_site->site_url . "lti_launch.php?template_id=" . $template_id; + $PDOX = LTIX::getConnection(); + $p = $CFG->dbprefix; + $context_row = $PDOX->rowDie("SELECT MAX(context_id) FROM {$p}lti_context;"); + $context_id = ($context_row["MAX(context_id)"]) + 1; + $key_row = $PDOX->rowDie("SELECT MAX(key_id) FROM {$p}lti_key;"); + $key_id = ($key_row["MAX(key_id)"]) + 1; + $link_row = $PDOX->rowDie("SELECT MAX(link_id) FROM {$p}lti_link;"); + $link_id = ($link_row["MAX(link_id)"]) + 1; + $sql = "INSERT INTO {$p}lti_key ( key_id, key_sha256, key_key, secret) VALUES ( :key_id, :key_sha256, :key_key, :secret);"; - $param = array( - ':key_id' => $key_id, - ':key_sha256' => lti_sha256($lti_def->key), - ':key_key' => $lti_def->key, - ':secret' => $lti_def->secret - ); - $res = $PDOX->queryDie($sql, $param); + $param = array( + ':key_id' => $key_id, + ':key_sha256' => lti_sha256($lti_def->key), + ':key_key' => $lti_def->key, + ':secret' => $lti_def->secret + ); + $res = $PDOX->queryDie($sql, $param); - $sql = "INSERT INTO {$p}lti_context + $sql = "INSERT INTO {$p}lti_context ( context_id, context_sha256, context_key, title, key_id, created_at, updated_at ) VALUES ( :context_id, :context_sha256, :context_key, :title, :key_id, NOW(), NOW() );"; - $PDOX->queryDie($sql, array( - ':context_id' => $context_id, - ':context_sha256' => 
lti_sha256($context_id), - ':context_key' => $context_id, - ':title' => $lti_def->title, - ':key_id' => $key_id)); - $sql = "INSERT INTO {$p}lti_link + $PDOX->queryDie($sql, array( + ':context_id' => $context_id, + ':context_sha256' => lti_sha256($context_id), + ':context_key' => $context_id, + ':title' => $lti_def->title, + ':key_id' => $key_id)); + $sql = "INSERT INTO {$p}lti_link ( link_id, link_sha256, link_key, title, context_id, path, created_at, updated_at ) VALUES ( :link_id, :link_sha256, :link_key, :title, :context_id, :path, NOW(), NOW() );"; - $params = array( - ':link_id' => $link_id, - ':link_sha256' => lti_sha256($link_id), - ':link_key' => $link_id, - ':title' => $lti_def->title, - ':context_id' => $context_id, - ':path' => $lti_def->tsugi_url - ); - $link = $PDOX->queryDie($sql, $params); + $params = array( + ':link_id' => $link_id, + ':link_sha256' => lti_sha256($link_id), + ':link_key' => $link_id, + ':title' => $lti_def->title, + ':context_id' => $context_id, + ':path' => $lti_def->tsugi_url + ); + $link = $PDOX->queryDie($sql, $params); + } } -} -$sql = "UPDATE {$xp}templatedetails SET tsugi_published = ?, tsugi_xapi_enabled = ?, tsugi_xapi_useglobal = ?, tsugi_xapi_endpoint = ?, tsugi_xapi_key = ?, tsugi_xapi_secret = ?, tsugi_xapi_student_id_mode = ?, dashboard_allowed_links = ? WHERE template_id = ?"; -db_query($sql, - array( - $lti_def->published ? "1" : "0", - $lti_def->xapi_enabled ? "1" : "0", - $lti_def->xapi_enabled ? ($lti_def->xapi_useglobal ? "1" : "0") : "1", - $lti_def->xapi_enabled ? $lti_def->xapi_endpoint : "", - $lti_def->xapi_enabled ? $lti_def->xapi_username : "", - $lti_def->xapi_enabled ? $lti_def->xapi_password : "", - $lti_def->xapi_enabled ? $lti_def->xapi_student_id_mode : "0", - $lti_def->xapi_enabled ? 
$lti_def->dashboard_urls : "", - $template_id - ) -); -tsugi_display($template_id, $lti_def, "Updated."); - -_debug("Done"); - + $sql = "UPDATE {$xp}templatedetails SET tsugi_published = ?, tsugi_usetsugikey = ?, tsugi_privatekeyonly = ?, tsugi_xapi_enabled = ?, tsugi_xapi_useglobal = ?, tsugi_xapi_endpoint = ?, tsugi_xapi_key = ?, tsugi_xapi_secret = ?, tsugi_xapi_student_id_mode = ?, dashboard_allowed_links = ? WHERE template_id = ?"; + db_query($sql, + array( + $lti_def->published ? "1" : "0", + $lti_def->tsugi_useglobal ? "1" : "0", + $lti_def->tsugi_privateonly ? "1" : "0", + $lti_def->xapi_enabled ? "1" : "0", + $lti_def->xapi_enabled ? ($lti_def->xapi_useglobal ? "1" : "0") : "1", + $lti_def->xapi_enabled ? $lti_def->xapi_endpoint : "", + $lti_def->xapi_enabled ? $lti_def->xapi_username : "", + $lti_def->xapi_enabled ? $lti_def->xapi_password : "", + $lti_def->xapi_enabled ? $lti_def->xapi_student_id_mode : "0", + $lti_def->xapi_enabled ? $lti_def->dashboard_urls : "", + $template_id + ) + ); + tsugi_display($template_id, $lti_def, "Updated."); + + _debug("Done"); +} ?> \ No newline at end of file diff --git a/website_code/php/properties/name_select_gift_template.php b/website_code/php/properties/name_select_gift_template.php index 70b7f5311e..c703abd218 100644 --- a/website_code/php/properties/name_select_gift_template.php +++ b/website_code/php/properties/name_select_gift_template.php 
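Review bot: The authorization guard tests `$_POST['template_id']`, while every query and every `lti_launch.php?template_id=` URL in this hunk uses `$template_id`, which is assigned outside the hunk; if the two can diverge, the check is evaluated against a different object than the one updated. Derive one validated value and use it everywhere, e.g. `$template_id = (int)$_POST['template_id'];` followed by `if (is_user_creator_or_coauthor($template_id) || is_user_admin()) {`. `_debug("Data init " . print_r($_POST, true))` now writes `tsugi_secret` and `tsugi_xapi_password` to the debug log on every update; log only the non-secret keys. An unauthorized request also falls out of the `if` with no response at all, so the caller cannot distinguish a denial from a success; a `tsugi_display_fail()` in an `else` branch would match the failure path used earlier in this file.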
@@ -27,43 +27,52 @@ */ require_once("../../../config.php"); +include "../template_status.php"; + _load_language_file("/website_code/php/properties/name_select_gift_template.inc"); $search = $_POST['search_string']; $prefix = $xerte_toolkits_site->database_table_prefix; +if (!isset($_SESSION['toolkits_logon_username'])) +{ + _debug("Session is invalid or expired"); + die("Session is invalid or expired"); +} + if(is_numeric($_POST['template_id'])){ + if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()){ + $tutorial_id = (int)$_POST['template_id']; - $tutorial_id = (int) $_POST['template_id']; + $database_id = database_connect("Template name select share access database connect success", "Template name select share database connect failed"); - $database_id=database_connect("Template name select share access database connect success","Template name select share database connect failed"); + /** + * Search the list of user logins for user with that name + */ - /** - * Search the list of user logins for user with that name - */ + if (strlen($search) != 0) { - if(strlen($search)!=0){ - - $query_for_names = "SELECT login_id, firstname, surname, username from {$prefix}logindetails WHERE " - . "((firstname like ? ) or (surname like ?) or (username like ?) ) " - . "AND login_id not in( SELECT creator_id from {$prefix}templatedetails where template_id= ? ) ORDER BY firstname ASC"; + $query_for_names = "SELECT login_id, firstname, surname, username from {$prefix}logindetails WHERE " + . "((firstname like ? ) or (surname like ?) or (username like ?) ) " + . "AND login_id not in( SELECT creator_id from {$prefix}templatedetails where template_id= ? 
) ORDER BY firstname ASC"; -$params = array("$search%", "$search%", "$search%", $tutorial_id); - $rows = db_query($query_for_names, $params); + $params = array("$search%", "$search%", "$search%", $tutorial_id); + $rows = db_query($query_for_names, $params); - if(sizeof($rows) > 0){ + if (sizeof($rows) > 0) { - foreach($rows as $row) { - echo "

" . $row['firstname'] . " " . $row['surname'] . " (" . $row['username'] . ") - " . NAME_SELECT_GIFT_INSTRUCTION . "

"; + foreach ($rows as $row) { + echo "

" . $row['firstname'] . " " . $row['surname'] . " (" . $row['username'] . ") - " . NAME_SELECT_GIFT_INSTRUCTION . "

"; - } + } - }else{ + } else { - echo "

" . NAME_SELECT_GIFT_FIND_FAIL . "

"; + echo "

" . NAME_SELECT_GIFT_FIND_FAIL . "

"; - } + } + } } } diff --git a/website_code/php/properties/name_select_template.php b/website_code/php/properties/name_select_template.php index 5037b0337b..951b08a02e 100644 --- a/website_code/php/properties/name_select_template.php +++ b/website_code/php/properties/name_select_template.php 
@@ -28,45 +28,54 @@ */ require_once("../../../config.php"); +include "../template_status.php"; + _load_language_file("/website_code/php/properties/name_select_template.inc"); $prefix = $xerte_toolkits_site->database_table_prefix; +if (!isset($_SESSION['toolkits_logon_username'])) +{ + _debug("Session is invalid or expired"); + die("Session is invalid or expired"); +} + if(is_numeric($_POST['template_id'])){ + if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()){ + $search = $_POST['search_string']; - $search = $_POST['search_string']; + $tutorial_id = (int)$_POST['template_id']; - $tutorial_id = (int) $_POST['template_id']; + $database_id = database_connect("Template name select share access database connect success", "Template name select share database connect failed"); - $database_id=database_connect("Template name select share access database connect success","Template name select share database connect failed"); + /** + * Search the list of user logins for user with that name + */ - /** - * Search the list of user logins for user with that name - */ + if (strlen($search) != 0) { - if(strlen($search)!=0){ + $query_for_names = "select login_id, firstname, surname, username from {$prefix}logindetails WHERE " + . "((firstname like ?) or (surname like ?) or (username like ?)) AND login_id NOT IN ( " + . "SELECT user_id from {$prefix}templaterights where template_id = ? ) ORDER BY firstname ASC"; - $query_for_names = "select login_id, firstname, surname, username from {$prefix}logindetails WHERE " - . "((firstname like ?) or (surname like ?) or (username like ?)) AND login_id NOT IN ( " - . "SELECT user_id from {$prefix}templaterights where template_id = ? 
) ORDER BY firstname ASC"; + $params = array("$search%", "$search%", "$search%", $tutorial_id); - $params = array("$search%", "$search%", "$search%", $tutorial_id); - - $query_names_response = db_query($query_for_names, $params); + $query_names_response = db_query($query_for_names, $params); - if(sizeof($query_names_response)!=0){ + if (sizeof($query_names_response) != 0) { - foreach($query_names_response as $row){ + foreach ($query_names_response as $row) { - echo "

" . $row['firstname'] . " " . $row['surname'] . " (" . $row['username'] . ") -

"; + echo "

" . $row['firstname'] . " " . $row['surname'] . " (" . $row['username'] . ") -

"; - } + } - }else{ + } else { - echo "

" . NAME_SELECT_DETAILS_FAIL . "

"; + echo "

" . NAME_SELECT_DETAILS_FAIL . "

"; - } + } + } } } diff --git a/website_code/php/properties/notes_change_template.php b/website_code/php/properties/notes_change_template.php index 27353e1ef2..30175e3f2d 100644 --- a/website_code/php/properties/notes_change_template.php +++ b/website_code/php/properties/notes_change_template.php @@ -32,22 +32,28 @@ include "../user_library.php"; include "properties_library.php"; +if (!isset($_SESSION['toolkits_logon_username'])) +{ + _debug("Session is invalid or expired"); + die("Session is invalid or expired"); +} if(is_numeric($_POST['template_id'])){ - $database_id = database_connect("notes change template database connect success","notes change template database connect failed"); - $prefix = $xerte_toolkits_site->database_table_prefix; - $query = "update {$prefix}templaterights SET notes = ? WHERE template_id = ?"; + if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()){ + $database_id = database_connect("notes change template database connect success", "notes change template database connect failed"); + $prefix = $xerte_toolkits_site->database_table_prefix; + $query = "update {$prefix}templaterights SET notes = ? WHERE template_id = ?"; - $params = array($_POST['notes'], $_POST['template_id']); - - - if(db_query($query, $params)){ + $params = array($_POST['notes'], $_POST['template_id']); - notes_display($_POST['notes'],true, $_POST['template_id']); - }else{ - notes_display($_POST['notes'],false, $_POST['template_id']); - } + if (db_query($query, $params)) { + notes_display($_POST['notes'], true, $_POST['template_id']); + + } else { + notes_display($_POST['notes'], false, $_POST['template_id']); + } + } } diff --git a/website_code/php/properties/peer_template.php b/website_code/php/properties/peer_template.php index 2f8a405b3e..f7ac1a298b 100644 --- a/website_code/php/properties/peer_template.php +++ b/website_code/php/properties/peer_template.php 
@@ -37,19 +37,25 @@ include "properties_library.php"; -if(is_numeric($_POST['template_id'])){ +if (!isset($_SESSION['toolkits_logon_username'])) +{ + _debug("Session is invalid or expired"); + die("Session is invalid or expired"); +} - $database_id = database_connect("peer template database connect success","peer template change database connect failed"); +if(is_numeric($_POST['template_id'])){ + if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()) { + $database_id = database_connect("peer template database connect success", "peer template change database connect failed"); - if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()){ + if (is_user_creator_or_coauthor($_POST['template_id']) || is_user_admin()) { - peer_display($xerte_toolkits_site,false, $_POST['template_id']); + peer_display($xerte_toolkits_site, false, $_POST['template_id']); - }else{ + } else { - peer_display_fail(); + peer_display_fail(); + } } - } diff --git a/website_code/php/properties/properties_default_engine.php b/website_code/php/properties/properties_default_engine.php index 9a84b6be51..6f04d6a131 100644 --- a/website_code/php/properties/properties_default_engine.php +++ b/website_code/php/properties/properties_default_engine.php 
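Review bot: The new outer guard `if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()) {` wraps an inner `if` with the identical condition, so the inner `else { peer_display_fail(); }` is now unreachable and an unauthorized user gets an empty response instead of the failure message. Either drop the outer guard (the inner check already covers both branches), or keep it and move `peer_display_fail();` into its `else`. If the outer guard stays, the `database_connect` call stays with it and the inner condition can be deleted entirely.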
@@ -35,45 +35,48 @@ include "../user_library.php"; include "properties_library.php"; -if(is_numeric($_POST['template_id'])){ +if (!isset($_SESSION['toolkits_logon_username'])) +{ + _debug("Session is invalid or expired"); + die("Session is invalid or expired"); +} - $template_id = (int) $_POST['template_id']; - $engine = $_POST['engine']; +if(is_numeric($_POST['template_id'])){ + if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()) { + $template_id = (int)$_POST['template_id']; + $engine = $_POST['engine']; - if ($engine != 'flash' && $engine!='javascript') - { - $engine = 'javascript'; - } + if ($engine != 'flash' && $engine != 'javascript') { + $engine = 'javascript'; + } - // Get extra flags - $row = db_query_one("SELECT td.extra_flags FROM {$xerte_toolkits_site->database_table_prefix}templatedetails td WHERE td.template_id = ?", array($template_id)); + // Get extra flags + $row = db_query_one("SELECT td.extra_flags FROM {$xerte_toolkits_site->database_table_prefix}templatedetails td WHERE td.template_id = ?", array($template_id)); - $extra_flags = explode(";", $row['extra_flags']); - $data = array(); - foreach($extra_flags as $i => $flag) { - $bits = explode('=', $flag); - $data[$bits[0]] = $bits[1]; - } - $data['engine'] = $engine; - // need to form into something like: engine=flash;foo=bar;something=somethingelse - $db_flags = http_build_query($data, '', ';'); - $db_flags = str_replace(' ', '_', $db_flags); // not sure why we do this. + $extra_flags = explode(";", $row['extra_flags']); + $data = array(); + foreach ($extra_flags as $i => $flag) { + $bits = explode('=', $flag); + $data[$bits[0]] = $bits[1]; + } + $data['engine'] = $engine; + // need to form into something like: engine=flash;foo=bar;something=somethingelse + $db_flags = http_build_query($data, '', ';'); + $db_flags = str_replace(' ', '_', $db_flags); // not sure why we do this. - $query = "UPDATE {$xerte_toolkits_site->database_table_prefix}templatedetails SET extra_flags = ? 
WHERE template_id = ?"; - $params = array($db_flags, $template_id); - $ok = db_query($query, $params); + $query = "UPDATE {$xerte_toolkits_site->database_table_prefix}templatedetails SET extra_flags = ? WHERE template_id = ?"; + $params = array($db_flags, $template_id); + $ok = db_query($query, $params); - if($ok) { - if ($_REQUEST['page']=='properties') - { - properties_display($xerte_toolkits_site,$template_id,true,"engine"); - } - else - { - publish_display($template_id); - } + if ($ok) { + if ($_REQUEST['page'] == 'properties') { + properties_display($xerte_toolkits_site, $template_id, true, "engine"); + } else { + publish_display($template_id); + } - }else{ + } else { + } } } diff --git a/website_code/php/properties/properties_library.php b/website_code/php/properties/properties_library.php index 1e630874d1..286bdb714c 100644 --- a/website_code/php/properties/properties_library.php +++ b/website_code/php/properties/properties_library.php @@ -20,9 +20,10 @@ //PROPERTIES LIBRARY -require_once("../../../config.php"); -require_once("../template_library.php"); -require_once("../xAPI/xAPI_library.php"); +require_once(dirname(__FILE__) . "/../../../config.php"); +require_once(dirname(__FILE__) . "/../template_status.php"); +require_once(dirname(__FILE__) . "/../template_library.php"); +require_once(dirname(__FILE__) . "/../xAPI/xAPI_library.php"); _load_language_file("/website_code/php/properties/publish.inc"); @@ -274,7 +275,16 @@ function notes_display($notes, $change, $template_id){ $notes = htmlentities($notes, ENT_QUOTES, 'UTF-8', false); echo "
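Review bot: The rewritten tail leaves an empty `} else { }` after `if ($ok)`, so a failed UPDATE produces no response; either remove the branch or have it report failure, e.g. `properties_display($xerte_toolkits_site, $template_id, false, "engine");`, consistent with the `false` path in rename_template.php. In the flag-parsing loop, `$data[$bits[0]] = $bits[1];` raises an undefined-index notice for any `extra_flags` segment without `=` (including the empty segment left by a trailing `;`); guard it with `if (count($bits) === 2)`. The loop key `$i` is unused.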

" . PROPERTIES_TAB_NOTES . "

"; - echo "

" . PROPERTIES_LIBRARY_NOTES_EXPLAINED . "

"; + echo "

" . PROPERTIES_LIBRARY_NOTES_EXPLAINED . "

"; + echo ""; if($change){ @@ -560,7 +570,7 @@ function project_info($template_id){ } -function statistics_prepare($template_id) +function statistics_prepare($template_id, $force=false) { global $xerte_toolkits_site; @@ -573,27 +583,28 @@ function statistics_prepare($template_id) $html = "
"; - if ($xerte_toolkits_site->dashboard_enabled != 'false') { - - // determine role and check against minrole - $role = get_user_access_rights($template_id); + if ($xerte_toolkits_site->dashboard_enabled != 'false' || $force) { $access = false; - switch($xerte_toolkits_site->xapi_dashboard_minrole) - { - case 'creator': - $access = ($role == 'creator'); - break; - case 'co-author': - $access = ($role == 'creator' || $role == 'co-author'); - break; - case 'editor': - $access = ($role == 'creator' || $role == 'co-author' || $role == 'editor'); - break; - case 'read-only': - $access = ($role == 'creator' || $role == 'co-author' || $role == 'editor' || $role=='read-only'); - break; + if (! $force) { + // determine role and check against minrole + $role = get_user_access_rights($template_id); + $access = false; + switch ($xerte_toolkits_site->xapi_dashboard_minrole) { + case 'creator': + $access = ($role == 'creator'); + break; + case 'co-author': + $access = ($role == 'creator' || $role == 'co-author'); + break; + case 'editor': + $access = ($role == 'creator' || $role == 'co-author' || $role == 'editor'); + break; + case 'read-only': + $access = ($role == 'creator' || $role == 'co-author' || $role == 'editor' || $role == 'read-only'); + break; + } } - if ($access) { + if ($access || $force) { $prefix = $xerte_toolkits_site->database_table_prefix; @@ -1055,12 +1066,16 @@ function tsugi_display($id, $lti_def, $mesg = "")

- published ? "checked" : ""); ?>> + published ? "checked" : ""); ?>>

-
-
-
-
+
"> + published ? "" : "disabled"); ?> name="tsugi_useglobal" id="tsugi_useglobal" tsugi_useglobal ? "checked" : "");?>>
+ published ? "" : "disabled"); ?> name="tsugi_useprivateonly" id="tsugi_useprivateonly" tsugi_privateonly ? "checked" : "");?>>
+ + + + +
tsugi_useglobal || !$lti_def->published ? "disabled value=\"\"" : "value=\"" . $lti_def->title . "\"");?>>
tsugi_useglobal || !$lti_def->published ? "disabled value=\"\"" : "value=\"" . $lti_def->key . "\"");?>>
tsugi_useglobal || !$lti_def->published ? "disabled value=\"\"" : "value=\"" . $lti_def->secret . "\"");?>>

- xapi_enabled ? "checked" : "");?>> + xapi_enabled ? "checked" : "");?>>

-
- xapi_useglobal ? "checked" : "");?>>
- xapi_useglobal ? "disabled value=\"\"" : "value=\"" . $lti_def->xapi_endpoint . "\""); ?>">
- xapi_useglobal ? "disabled value=\"\"" : "value=\"" . $lti_def->xapi_username . "\""); ?>">
- xapi_useglobal ? "disabled value=\"\"" : "value=\"" . $lti_def->xapi_password . "\""); ?>">
- xapi_enabled ? "" : "disabled"); ?> onchange="javascript:xapi_toggle_useglobal('')" name="tsugi_xapi_useglobal" id="tsugi_xapi_useglobal" xapi_useglobal ? "checked" : "");?>>
+ + + + + + + +
xapi_useglobal || !$lti_def->xapi_enabled ? "disabled value=\"\"" : "value=\"" . $lti_def->xapi_endpoint . "\""); ?>">
xapi_useglobal || !$lti_def->xapi_enabled ? "disabled value=\"\"" : "value=\"" . $lti_def->xapi_username . "\""); ?>">
xapi_useglobal || !$lti_def->xapi_enabled ? "disabled value=\"\"" : "value=\"" . $lti_def->xapi_password . "\""); ?>">

-
- +
xapi_enabled ? "" : "disabled"); ?> value="dashboard_urls ?>">
diff --git a/website_code/php/properties/remove_sharing_template.php b/website_code/php/properties/remove_sharing_template.php index 9997ec61e6..b12adac826 100644 --- a/website_code/php/properties/remove_sharing_template.php +++ b/website_code/php/properties/remove_sharing_template.php @@ -28,21 +28,29 @@ */ require_once("../../../config.php"); +include "../template_status.php"; + +if (!isset($_SESSION['toolkits_logon_username'])) +{ + _debug("Session is invalid or expired"); + die("Session is invalid or expired"); +} if(is_numeric($_POST['template_id'])){ - $prefix = $xerte_toolkits_site->database_table_prefix; - - $user_id = $_POST['user_id']; + if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()) { + $prefix = $xerte_toolkits_site->database_table_prefix; + + $user_id = $_POST['user_id']; - $tutorial_id = $_POST['template_id']; + $tutorial_id = $_POST['template_id']; - $database_id=database_connect("Template sharing database connect failed","Template sharing database connect failed"); + $database_id = database_connect("Template sharing database connect failed", "Template sharing database connect failed"); - $query_to_delete_share = "delete from {$prefix}templaterights where template_id = ? AND user_id = ?"; + $query_to_delete_share = "delete from {$prefix}templaterights where template_id = ? AND user_id = ?"; - $params = array($tutorial_id, $user_id); - db_query($query_to_delete_share, $params); - + $params = array($tutorial_id, $user_id); + db_query($query_to_delete_share, $params); + } } diff --git a/website_code/php/properties/rename_template.php b/website_code/php/properties/rename_template.php index f25e37c862..ed17ba0a6e 100644 --- a/website_code/php/properties/rename_template.php +++ b/website_code/php/properties/rename_template.php 
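Review bot: `$user_id = $_POST['user_id']` goes into the DELETE without any validation, while the sibling set_sharing_rights_template.php hunk checks `is_numeric($_POST['user_id'])`; make the two consistent, e.g. `if(is_numeric($_POST['template_id']) && is_numeric($_POST['user_id'])){`, and cast both values with `(int)`. The query deletes whichever row matches, so it appears a co-author could remove the creator's own `templaterights` row; if that is not intended, exclude `role = 'creator'` in the WHERE clause or compare against the creator id first. As in the other hunks, a failed guard produces no output.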
@@ -34,32 +34,39 @@ include "../url_library.php"; include "properties_library.php"; +if (!isset($_SESSION['toolkits_logon_username'])) +{ + _debug("Session is invalid or expired"); + die("Session is invalid or expired"); +} + if(is_numeric($_POST['template_id'])){ - $tutorial_id = (int)$_POST['template_id']; + if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()) { + $tutorial_id = (int)$_POST['template_id']; - $prefix = $xerte_toolkits_site->database_table_prefix; - - $database_id = database_connect("Template rename database connect success","Template rename database connect failed"); + $prefix = $xerte_toolkits_site->database_table_prefix; - $query = "update {$prefix}templatedetails SET template_name = ? WHERE template_id = ?"; - $params = array(str_replace(" ", "_", $_POST['template_name']), $_POST['template_id']); + $database_id = database_connect("Template rename database connect success", "Template rename database connect failed"); - if(db_query($query, $params)) { + $query = "update {$prefix}templatedetails SET template_name = ? WHERE template_id = ?"; + $params = array(str_replace(" ", "_", $_POST['template_name']), $_POST['template_id']); - $query_for_names = "select template_name, date_created, date_modified from {$prefix}templatedetails where template_id=?"; - $params = array($tutorial_id); + if (db_query($query, $params)) { - $row = db_query_one($query_for_names, $params); + $query_for_names = "select template_name, date_created, date_modified from {$prefix}templatedetails where template_id=?"; + $params = array($tutorial_id); - echo "~~**~~" . $_POST['template_name'] . "~~**~~"; + $row = db_query_one($query_for_names, $params); - properties_display($xerte_toolkits_site,$tutorial_id,true,"name"); + echo "~~**~~" . $_POST['template_name'] . 
"~~**~~"; - }else{ - echo "~~**~~ ~~**~~"; + properties_display($xerte_toolkits_site, $tutorial_id, true, "name"); - properties_display($xerte_toolkits_site,$tutorial_id,false,"name"); - } + } else { + echo "~~**~~ ~~**~~"; + properties_display($xerte_toolkits_site, $tutorial_id, false, "name"); + } + } } diff --git a/website_code/php/properties/screen_size_template.php b/website_code/php/properties/screen_size_template.php index d4e03b99c4..cc99415219 100644 --- a/website_code/php/properties/screen_size_template.php +++ b/website_code/php/properties/screen_size_template.php 
@@ -29,20 +29,21 @@ require_once("../../../config.php"); include "../screen_size_library.php"; +include "../template_status.php"; if(is_numeric($_POST['tutorial_id'])){ + if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()) { + $database_id = database_connect("screen size database connect success", "screen size database connect failed"); - $database_id = database_connect("screen size database connect success","screen size database connect failed"); + $prefix = $xerte_toolkits_site->database_table_prefix; + $query_for_template_name = "select {$prefix}originaltemplatesdetails.template_name," + . "{$prefix}originaltemplatesdetails.template_framework from {$prefix}originaltemplatesdetails, {$prefix}templatedetails WHERE " + . "{$prefix}templatedetails.template_type_id = {$prefix}originaltemplatesdetails.template_type_id AND template_id = ?"; - $prefix = $xerte_toolkits_site->database_table_prefix ; - $query_for_template_name = "select {$prefix}originaltemplatesdetails.template_name," - . "{$prefix}originaltemplatesdetails.template_framework from {$prefix}originaltemplatesdetails, {$prefix}templatedetails WHERE " - . "{$prefix}templatedetails.template_type_id = {$prefix}originaltemplatesdetails.template_type_id AND template_id = ?"; + $params = array($_POST['tutorial_id']); - $params = array($_POST['tutorial_id']); - - $row_name = db_query_one($query_for_template_name, $params); - - echo get_template_screen_size($row_name['template_name'], $row_name['template_framework']) . "~" . $_POST['tutorial_id']; + $row_name = db_query_one($query_for_template_name, $params); + echo get_template_screen_size($row_name['template_name'], $row_name['template_framework']) . "~" . $_POST['tutorial_id']; + } } diff --git a/website_code/php/properties/set_sharing_rights_template.php b/website_code/php/properties/set_sharing_rights_template.php index 2a2bde76dc..be7b2a7986 100644 --- a/website_code/php/properties/set_sharing_rights_template.php 
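Review bot: The new guard reads `$_POST['template_id']`, but this script's parameter is `tutorial_id` everywhere else in the hunk (the `is_numeric` test and the query parameter), so the check is evaluated on a field the caller most likely never sends. Depending on how `is_user_creator_or_coauthor()` treats a missing id (its body is outside this hunk) that either denies every screen-size lookup or, worse, passes and makes the new check a no-op. The fix is `if(is_user_creator_or_coauthor((int)$_POST['tutorial_id'])||is_user_admin()) {`, and `$params = array((int)$_POST['tutorial_id']);` keeps the id cast consistent with the sibling endpoints in this patch.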
+++ b/website_code/php/properties/set_sharing_rights_template.php @@ -28,19 +28,22 @@ require_once("../../../config.php"); +include "../template_status.php"; $prefix = $xerte_toolkits_site->database_table_prefix; if(is_numeric($_POST['user_id'])&&is_numeric($_POST['template_id'])){ - $new_rights = $_POST['rights']; + if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()) { + $new_rights = $_POST['rights']; - $user_id = $_POST['user_id']; + $user_id = $_POST['user_id']; - $tutorial_id = $_POST['template_id']; + $tutorial_id = $_POST['template_id']; - $database_id=database_connect("Template sharing rights database connect success","Template sharing rights database connect failed"); + $database_id = database_connect("Template sharing rights database connect success", "Template sharing rights database connect failed"); - $query_to_change_share_rights = "update {$prefix}templaterights set role = ? WHERE template_id = ? and user_id= ?"; - $params = array($new_rights, $tutorial_id, $user_id); - db_query($query_to_change_share_rights, $params); + $query_to_change_share_rights = "update {$prefix}templaterights set role = ? WHERE template_id = ? and user_id= ?"; + $params = array($new_rights, $tutorial_id, $user_id); + db_query($query_to_change_share_rights, $params); + } } diff --git a/website_code/php/properties/share_this_template.php b/website_code/php/properties/share_this_template.php index ba9ea019c8..e180ef7127 100644 --- a/website_code/php/properties/share_this_template.php +++ b/website_code/php/properties/share_this_template.php 
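Review bot: `$_POST['rights']` is written straight into the `role` column with no whitelist, and `role` is exactly what `is_user_creator_or_coauthor()` decides on elsewhere in this patch, so a co-author can post `rights=creator` with `user_id` set to their own id and promote themselves, or demote the real creator. Restrict the value to the roles the sharing UI is meant to offer before the update, e.g. `if (!in_array($new_rights, array('editor', 'co-author'), true)) { die("Invalid role"); }`, and never accept `creator` from the client; the exact allowed set should be confirmed against the values the UI sends, which are not visible here. It would also be reasonable to refuse a change whose `user_id` equals the caller's own `$_SESSION['toolkits_logon_id']`.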
@@ -27,47 +27,50 @@ */ require_once("../../../config.php"); +require_once("../template_status.php"); _load_language_file("/website_code/php/properties/share_this_template.inc"); $prefix = $xerte_toolkits_site->database_table_prefix; if(is_numeric($_POST['user_id'])&&is_numeric($_POST['template_id'])){ - $user_id = $_POST['user_id']; + if(is_user_creator_or_coauthor($_POST['template_id'])||is_user_admin()) { + $user_id = $_POST['user_id']; - $tutorial_id = $_POST['template_id']; + $tutorial_id = $_POST['template_id']; - $database_id=database_connect("Share this template database connect success","Share this template database connect success"); + $database_id = database_connect("Share this template database connect success", "Share this template database connect success"); - /** - * find the user you are sharing with's root folder to add this template to - */ + /** + * find the user you are sharing with's root folder to add this template to + */ - $query_to_find_out_root_folder = "select folder_id from {$prefix}folderdetails where login_id = ? and folder_parent=? and folder_name!=?"; + $query_to_find_out_root_folder = "select folder_id from {$prefix}folderdetails where login_id = ? and folder_parent=? 
and folder_name!=?"; - $params = array($user_id, '0', 'recyclebin'); - - $row_query_root = db_query_one($query_to_find_out_root_folder, $params); + $params = array($user_id, '0', 'recyclebin'); - $query_to_insert_share = "INSERT INTO {$prefix}templaterights (template_id, user_id, role, folder) VALUES (?,?,?,?)"; - $params = array($tutorial_id, $user_id,"editor", $row_query_root['folder_id']); + $row_query_root = db_query_one($query_to_find_out_root_folder, $params); - if(db_query($query_to_insert_share, $params)){ + $query_to_insert_share = "INSERT INTO {$prefix}templaterights (template_id, user_id, role, folder) VALUES (?,?,?,?)"; + $params = array($tutorial_id, $user_id, "editor", $row_query_root['folder_id']); - /** - * sort ouf the html to return to the screen - */ + if (db_query($query_to_insert_share, $params)) { + + /** + * sort ouf the html to return to the screen + */ - $query_for_name = "select firstname, surname from {$prefix}logindetails WHERE login_id=?"; - $params = array($user_id); + $query_for_name = "select firstname, surname from {$prefix}logindetails WHERE login_id=?"; + $params = array($user_id); - $row = db_query_one($query_for_name, $params); + $row = db_query_one($query_for_name, $params); - echo SHARING_THIS_FEEDBACK_SUCCESS . " " . $row['firstname'] . " " . $row['surname'] . "
"; + echo SHARING_THIS_FEEDBACK_SUCCESS . " " . $row['firstname'] . " " . $row['surname'] . "
"; - }else{ + } else { - echo SHARING_THIS_FEEDBACK_FAIL . "
"; + echo SHARING_THIS_FEEDBACK_FAIL . "
"; + } } } \ No newline at end of file diff --git a/website_code/php/properties/tsugi_template.php b/website_code/php/properties/tsugi_template.php index e619bc5ee1..4978df9bbf 100644 --- a/website_code/php/properties/tsugi_template.php +++ b/website_code/php/properties/tsugi_template.php @@ -48,7 +48,7 @@ function generatePwd($length){ $template_id = $id; $safe_template_id = (int)$id; $query_for_preview_content = "select otd.template_name, ld.username, otd.template_framework, tr.user_id, tr.folder, tr.template_id, td.template_name as name, td.access_to_whom, td.extra_flags,"; - $query_for_preview_content .= "td.tsugi_published, td.tsugi_xapi_enabled, td.tsugi_xapi_useglobal, td.tsugi_xapi_endpoint, td.tsugi_xapi_key, td.tsugi_xapi_secret, td.tsugi_xapi_student_id_mode, td.dashboard_allowed_links"; + $query_for_preview_content .= "td.tsugi_published, td.tsugi_usetsugikey, td.tsugi_privatekeyonly, td.tsugi_xapi_enabled, td.tsugi_xapi_useglobal, td.tsugi_xapi_endpoint, td.tsugi_xapi_key, td.tsugi_xapi_secret, td.tsugi_xapi_student_id_mode, td.dashboard_allowed_links"; $query_for_preview_content .= " from " . $xerte_toolkits_site->database_table_prefix . "originaltemplatesdetails otd, " . $xerte_toolkits_site->database_table_prefix . "templaterights tr, " . $xerte_toolkits_site->database_table_prefix . "templatedetails td, " . $xerte_toolkits_site->database_table_prefix . "logindetails ld"; $query_for_preview_content .= " where td.template_type_id = otd.template_type_id and td.creator_id = ld.login_id and tr.template_id = td.template_id and tr.template_id=? and (role='creator' || role='co-author')"; 
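Review bot: The root-folder lookup result `$row_query_root` is used without checking that a row was found, so sharing with a `user_id` that does not exist or has no root folder still inserts a templaterights row with an empty `folder`, and nothing prevents a second `editor` row for a user the template is already shared with. Assuming `db_query_one()` returns `false` on no match (its implementation is outside this hunk), guard the insert with `if ($row_query_root === false || empty($row_query_root['folder_id'])) { echo SHARING_THIS_FEEDBACK_FAIL . "<br>"; } else { ... }` and consider a `select 1 from {$prefix}templaterights where template_id=? and user_id=?` check first. The success message also echoes `firstname`/`surname` from the database unescaped; wrap them in `htmlspecialchars()` since those fields are user-editable in most installations.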
@@ -62,6 +62,8 @@ function generatePwd($length){ $lti_def->key = $row['name'] . "_" . $id; $lti_def->secret = generatePwd(16); $lti_def->published = $row["tsugi_published"]; + $lti_def->tsugi_useglobal = $row['tsugi_usetsugikey']; + $lti_def->tsugi_privateonly = $row['tsugi_privatekeyonly']; $lti_def->tsugi_url = $xerte_toolkits_site->site_url . "lti_launch.php?template_id=" . $row['template_id']; $lti_def->url = $xerte_toolkits_site->site_url . "lti_launch.php?template_id=" . $row['template_id']; $lti_def->xapionly_url = $xerte_toolkits_site->site_url . "xapi_launch.php?template_id=" . $row['template_id'] . "&group=groupname"; @@ -71,7 +73,7 @@ function generatePwd($length){ $lti_def->xapi_password = ""; $lti_def->xapi_student_id_mode = 0; // e-mail address if ($tsugi_installed) { - if ($lti_def->published == 1) { + if ($lti_def->published == 1 && !$lti_def->tsugi_useglobal) { $PDOX = LTIX::getConnection(); $tsugirow = $PDOX->rowDie( " SELECT l.title, k.key_key, k.secret @@ -84,6 +86,11 @@ function generatePwd($length){ $lti_def->title = $tsugirow["title"]; } } + else{ + $lti_def->key = ""; + $lti_def->secret = ""; + $lti_def->title = ""; + } } if($lti_def->xapi_enabled == 1) { diff --git a/website_code/php/publish/publish_template.php b/website_code/php/publish/publish_template.php index 788796f923..c950e3629f 100644 --- a/website_code/php/publish/publish_template.php +++ b/website_code/php/publish/publish_template.php @@ -65,8 +65,7 @@ $row_publish = db_query_one($query_for_edit_content); - - if(is_user_an_editor($safe_template_id,$_SESSION['toolkits_logon_id'])){ + if(is_user_an_editor($safe_template_id,$_SESSION['toolkits_logon_id'])||is_user_admin()){ // XXX What is temp_array[2] here? Looks broken. TODO: Fix it. require("../../../modules/" . $temp_array[2] . "/publish.php"); diff --git a/website_code/php/templates/duplicate_folder.php b/website_code/php/templates/duplicate_folder.php index 0ae17665bd..5db0b4cf09 100644 
--- a/website_code/php/templates/duplicate_folder.php +++ b/website_code/php/templates/duplicate_folder.php @@ -29,6 +29,7 @@ require_once("../../../config.php"); include "../user_library.php"; +include "../folder_library.php"; include "../template_library.php"; include "../template_status.php"; 
@@ -44,91 +45,92 @@ $prefix = $xerte_toolkits_site->database_table_prefix; -if(is_numeric($_POST['folder_id'])){ +if (!isset($_SESSION['toolkits_logon_username'])) +{ + _debug("Session is invalid or expired"); + die("Session is invalid or expired"); +} - $folder_id = $_POST['folder_id']; +if(is_numeric($_POST['folder_id'])){ + if (has_rights_to_this_folder($_POST['folder_id'], $_SESSION['toolkits_logon_id'])) { + $folder_id = $_POST['folder_id']; - if($_POST['parentfolder_id']=="workspace"){ + if ($_POST['parentfolder_id'] == "workspace") { - $parentfolder_id = get_user_root_folder(); + $parentfolder_id = get_user_root_folder(); - }else{ + } else { - $parentfolder_id = $_POST['parentfolder_id']; + $parentfolder_id = $_POST['parentfolder_id']; - } + } - /* - * get the maximum id number from templates, as the id for this template - */ - - // Check all templates within the folder - // Get all templates within chosen folder - $sql = "select td.*, tr.user_id, tr.folder, tr.role, otd.template_framework, otd.template_name as org_template_name from {$prefix}templaterights tr, {$prefix}templatedetails td, {$prefix}originaltemplatesdetails otd where td.template_id=tr.template_id and td.template_type_id=otd.template_type_id and tr.user_id=? 
and tr.folder=?"; - $params = array($_SESSION['toolkits_logon_id'], $folder_id); - - $templates = db_query($sql, $params); - if ($templates !== false) - { - foreach ($templates as $template) - { - if ($template['role'] != 'creator' && $template['role'] != 'co-author') - { - echo DUPLICATE_TEMPLATE_NOT_CREATOR; - exit(-1); + /* + * get the maximum id number from templates, as the id for this template + */ + + // Check all templates within the folder + // Get all templates within chosen folder + $sql = "select td.*, tr.user_id, tr.folder, tr.role, otd.template_framework, otd.template_name as org_template_name from {$prefix}templaterights tr, {$prefix}templatedetails td, {$prefix}originaltemplatesdetails otd where td.template_id=tr.template_id and td.template_type_id=otd.template_type_id and tr.user_id=? and tr.folder=?"; + $params = array($_SESSION['toolkits_logon_id'], $folder_id); + + $templates = db_query($sql, $params); + if ($templates !== false) { + foreach ($templates as $template) { + if ($template['role'] != 'creator' && $template['role'] != 'co-author') { + echo DUPLICATE_TEMPLATE_NOT_CREATOR; + exit(-1); + } } - } - // Create duplicate of folder - $folder_name = "Copy of " . $_POST['folder_name']; - $query = "INSERT INTO {$prefix}folderdetails (login_id,folder_parent,folder_name,date_created) values (?,?,?,?)"; - $params = array($_SESSION['toolkits_logon_id'], $parentfolder_id, $folder_name, date('Y-m-d')); + // Create duplicate of folder + $folder_name = "Copy of " . 
$_POST['folder_name']; + $query = "INSERT INTO {$prefix}folderdetails (login_id,folder_parent,folder_name,date_created) values (?,?,?,?)"; + $params = array($_SESSION['toolkits_logon_id'], $parentfolder_id, $folder_name, date('Y-m-d')); - $new_folder_id = db_query($query, $params); + $new_folder_id = db_query($query, $params); - // Create copies (with same name in new folder) - foreach ($templates as $template) - { - /* - * create the new template record in the database - */ + // Create copies (with same name in new folder) + foreach ($templates as $template) { + /* + * create the new template record in the database + */ - $query_for_new_template = "INSERT INTO {$prefix}templatedetails " - . "(creator_id, template_type_id, date_created, date_modified, access_to_whom, template_name, extra_flags)" - . " VALUES (?,?,?,?,?,?,?)"; - $params = array( - $_SESSION['toolkits_logon_id'], - $template['template_type_id'], - date('Y-m-d'), - date('Y-m-d'), - $template['access_to_whom'], - $template['template_name'], - $template['extra_flags']); + $query_for_new_template = "INSERT INTO {$prefix}templatedetails " + . "(creator_id, template_type_id, date_created, date_modified, access_to_whom, template_name, extra_flags)" + . 
" VALUES (?,?,?,?,?,?,?)"; + $params = array( + $_SESSION['toolkits_logon_id'], + $template['template_type_id'], + date('Y-m-d'), + date('Y-m-d'), + $template['access_to_whom'], + $template['template_name'], + $template['extra_flags']); - $new_template_id = db_query($query_for_new_template, $params); - if($new_template_id !== FALSE) { + $new_template_id = db_query($query_for_new_template, $params); + if ($new_template_id !== FALSE) { - $query_for_template_rights = "INSERT INTO {$prefix}templaterights (template_id,user_id,role, folder) VALUES (?,?,?,?)"; - $params = array($new_template_id, $_SESSION['toolkits_logon_id'], "creator", $new_folder_id); + $query_for_template_rights = "INSERT INTO {$prefix}templaterights (template_id,user_id,role, folder) VALUES (?,?,?,?)"; + $params = array($new_template_id, $_SESSION['toolkits_logon_id'], "creator", $new_folder_id); - if (db_query($query_for_template_rights, $params) !== FALSE) { + if (db_query($query_for_template_rights, $params) !== FALSE) { - receive_message($_SESSION['toolkits_logon_username'], "ADMIN", "SUCCESS", "Created new template record for the database", $query_for_new_template . " " . $query_for_template_rights); + receive_message($_SESSION['toolkits_logon_username'], "ADMIN", "SUCCESS", "Created new template record for the database", $query_for_new_template . " " . $query_for_template_rights); - require_once $xerte_toolkits_site->root_file_path . $xerte_toolkits_site->module_path . $template['template_framework'] . "/duplicate_template.php"; + require_once $xerte_toolkits_site->root_file_path . $xerte_toolkits_site->module_path . $template['template_framework'] . 
"/duplicate_template.php"; - duplicate_template($new_template_id, $template['template_id'], $template['org_template_name']); - } - else{ - receive_message($_SESSION['toolkits_logon_username'], "ADMIN", "CRITICAL", "Failed to create new template record for the database", $query_for_template_rights); + duplicate_template($new_template_id, $template['template_id'], $template['org_template_name']); + } else { + receive_message($_SESSION['toolkits_logon_username'], "ADMIN", "CRITICAL", "Failed to create new template record for the database", $query_for_template_rights); + + echo("FAILED-" . $_SESSION['toolkits_most_recent_error']); + } + } else { + receive_message($_SESSION['toolkits_logon_username'], "ADMIN", "CRITICAL", "Failed to create new template record for the database", $query_for_new_template); echo("FAILED-" . $_SESSION['toolkits_most_recent_error']); } } - else{ - receive_message($_SESSION['toolkits_logon_username'], "ADMIN", "CRITICAL", "Failed to create new template record for the database", $query_for_new_template); - - echo("FAILED-" . $_SESSION['toolkits_most_recent_error']); - } } } } diff --git a/website_code/php/templates/general_templates.php b/website_code/php/templates/general_templates.php index 3f914b07bc..c71b6ec7b2 100644 --- a/website_code/php/templates/general_templates.php +++ b/website_code/php/templates/general_templates.php @@ -31,5 +31,11 @@ require_once("../../../config.php"); include "../display_library.php"; +if (!isset($_SESSION['toolkits_logon_username'])) +{ + _debug("Session is invalid or expired"); + die("Session is invalid or expired"); +} + list_blank_templates(); diff --git a/website_code/php/templates/get_template_info.php b/website_code/php/templates/get_template_info.php index a8b2c4d62b..39bede17f2 100644 --- a/website_code/php/templates/get_template_info.php +++ b/website_code/php/templates/get_template_info.php 
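Review bot: The new `has_rights_to_this_folder()` guard covers only the source `folder_id`; the destination `$_POST['parentfolder_id']` is still taken as-is in the non-`workspace` branch with neither an `is_numeric` test nor a rights check, so a caller can still park "Copy of …" folders under any folder id in the system, including other users' folders. The same branch should validate the destination the way the source is validated, and fail explicitly rather than fall through.

```php
if ($_POST['parentfolder_id'] == "workspace") {
    $parentfolder_id = get_user_root_folder();
} elseif (is_numeric($_POST['parentfolder_id'])
    && has_rights_to_this_folder($_POST['parentfolder_id'], $_SESSION['toolkits_logon_id'])) {
    $parentfolder_id = (int)$_POST['parentfolder_id'];
} else {
    die("Invalid destination folder");
}
// … unchanged: template enumeration, role check and copy loop …
```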
@@ -35,41 +35,42 @@ if(empty($_SESSION['toolkits_logon_id'])) { die("Please login"); } +if(has_rights_to_this_template($_POST['template_id'], $_SESSION['toolkits_logon_id']) || is_user_admin()) { + $info = new stdClass(); + $info->template_id = $_POST['template_id']; + $_SESSION["XAPI_PROXY"] = $_POST['template_id']; + $info->properties = project_info($_POST['template_id']); + $info->properties .= media_quota_info($_POST['template_id']); + $info->properties .= access_info($_POST['template_id']); + $info->properties .= sharing_info($_POST['template_id']); + $info->properties .= rss_syndication($_POST['template_id']); -$info = new stdClass(); -$info->template_id = $_POST['template_id']; -$_SESSION["XAPI_PROXY"] = $_POST['template_id']; -$info->properties = project_info($_POST['template_id']); -$info->properties .= media_quota_info($_POST['template_id']); -$info->properties .= access_info($_POST['template_id']); -$info->properties .= sharing_info($_POST['template_id']); -$info->properties .= rss_syndication($_POST['template_id']); + $statistics_available = statistics_prepare($_POST['template_id']); -$statistics_available = statistics_prepare($_POST['template_id']); + if ($statistics_available->published) { + $info->properties .= $statistics_available->linkinfo; + } -if ($statistics_available->published) { - $info->properties .= $statistics_available->linkinfo; -} + if ($statistics_available->available) { + $info->properties .= $statistics_available->xapi_linkinfo; + $info->properties .= "
  • " . $statistics_available->xapi_url . "
  • "; + } + $info->properties .= $statistics_available->info; + $info->fetch_statistics = $statistics_available->available; + $info->lrs = $statistics_available->lrs; + $info->dashboard = $statistics_available->dashboard; -if ($statistics_available->available) -{ - $info->properties .= $statistics_available->xapi_linkinfo; - $info->properties .= "
  • " . $statistics_available->xapi_url . "
  • "; -} -$info->properties .= $statistics_available->info; -$info->fetch_statistics = $statistics_available->available; -$info->lrs = $statistics_available->lrs; -$info->dashboard = $statistics_available->dashboard; + $sql = "SELECT template_id, user_id, firstname, surname, role FROM " . + " {$xerte_toolkits_site->database_table_prefix}templaterights, {$xerte_toolkits_site->database_table_prefix}logindetails WHERE " . + " {$xerte_toolkits_site->database_table_prefix}logindetails.login_id = {$xerte_toolkits_site->database_table_prefix}templaterights.user_id and template_id= ? and user_id = ?"; -$sql = "SELECT template_id, user_id, firstname, surname, role FROM " . - " {$xerte_toolkits_site->database_table_prefix}templaterights, {$xerte_toolkits_site->database_table_prefix}logindetails WHERE " . - " {$xerte_toolkits_site->database_table_prefix}logindetails.login_id = {$xerte_toolkits_site->database_table_prefix}templaterights.user_id and template_id= ? and user_id = ?"; + $row = db_query_one($sql, array($_POST['template_id'], $_SESSION['toolkits_logon_id'])); -$row = db_query_one($sql, array($_POST['template_id'], $_SESSION['toolkits_logon_id'])); + $info->role = $row['role']; -$info->role = $row['role']; -echo json_encode($info); + echo json_encode($info); //$info = get_project_info($_POST['template_id']); //echo $info; +} \ No newline at end of file diff --git a/website_code/php/versioncontrol/template_close.php b/website_code/php/versioncontrol/template_close.php index f405f96b27..f37e7862e3 100644 --- a/website_code/php/versioncontrol/template_close.php +++ b/website_code/php/versioncontrol/template_close.php 
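Review bot: The `|| is_user_admin()` branch admits an admin who has no templaterights row, after which the `db_query_one` on templaterights/logindetails finds nothing and `$row['role']` is read from a non-array, so `$info->role` is emitted as null with a notice; set it explicitly, e.g. `$info->role = ($row !== false && isset($row['role'])) ? $row['role'] : 'admin';` (the value the client expects for an admin is not visible here and should be confirmed). `$_POST['template_id']` is also passed to `has_rights_to_this_template()`, the `project_info()`/`statistics_prepare()` helpers and `$_SESSION["XAPI_PROXY"]` without the `is_numeric` guard the other endpoints in this patch use; a `$template_id = (int)$_POST['template_id'];` at the top, used throughout, removes that inconsistency. As written the script returns an empty body on denial, which the JSON-consuming client will fail to parse; an explicit `echo json_encode(array('error' => 'no access'));` in an `else` branch would be clearer.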
@@ -49,6 +49,8 @@ * Code to delete the lock file */ + _debug("Detected lockfile on closing " . $_POST['file_path']); + $row_template_name = db_query_one("Select template_name from {$xerte_toolkits_site->database_table_prefix}templatedetails WHERE template_id = ?", array($temp_array[0])); $lock_file_data = file_get_contents($xerte_toolkits_site->users_file_area_full . $temp_array[0] . "-" . $temp_array[1] . "-" . $temp_array[2] . "/lockfile.txt"); @@ -91,6 +93,7 @@ unlink($xerte_toolkits_site->users_file_area_full . $_POST['file_path'] . "lockfile.txt"); + _debug("Lockfile " . $xerte_toolkits_site->users_file_area_full . $_POST['file_path'] . "lockfile.txt" . " is deleted."); } /* diff --git a/website_code/php/versioncontrol/update_file.php b/website_code/php/versioncontrol/update_file.php index 69cb7d7a6f..d0edec8c27 100644 --- a/website_code/php/versioncontrol/update_file.php +++ b/website_code/php/versioncontrol/update_file.php @@ -33,6 +33,12 @@ require('../template_status.php'); +if (!isset($_SESSION['toolkits_logon_username'])) +{ + _debug("Session is invalid or expired"); + die("Session is invalid or expired"); +} + database_connect("file update success","file_update_fail"); if(isset($_POST['template_id'])){ diff --git a/website_code/php/xAPI/update_dashboard_display_properties.php b/website_code/php/xAPI/update_dashboard_display_properties.php index 6ff1dac643..4f9fd4f423 100644 --- a/website_code/php/xAPI/update_dashboard_display_properties.php +++ b/website_code/php/xAPI/update_dashboard_display_properties.php 
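Review bot: In the second template_close hunk `$_POST['file_path']` is still concatenated directly into the `unlink()` target (and now into the debug log as well), so a client can aim `../` segments at any `lockfile.txt` beneath `users_file_area_full` that the web server can delete; this patch adds logging around it but no ownership check. It is possible the path is validated where `$temp_array` is split out earlier in the file, which is outside this hunk, but the first hunk shows the expected shape is `<template_id>-<user>-<name>/`, so the cheap defence is to reject anything else before the `unlink`, e.g. `if (!preg_match('#^\d+-[^/\\\\]+-[^/\\\\]+/$#', $_POST['file_path'])) { die("Invalid file path"); }`, and to confirm the caller may edit `$temp_array[0]` via `is_user_creator_or_coauthor()` as the rest of the patch does.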
@@ -9,8 +9,9 @@ $properties = $_POST["properties"]; if(is_numeric($id)) { - if(isset($_SESSION['toolkits_logon_id'])){ - db_query("update templatedetails set dashboard_display_options = ? where template_id = ?", array($properties, $id)); + if(has_rights_to_this_template($id, $_SESSION['toolkits_logon_id']) || is_user_admin()) { + $prefix = $xerte_toolkits_site->database_table_prefix; + db_query("update ${prefix}templatedetails set dashboard_display_options = ? where template_id = ?", array($properties, $id)); } } ?> \ No newline at end of file diff --git a/website_code/scripts/peer.js b/website_code/scripts/peer.js index 5b011c8550..81e0442f8e 100644 --- a/website_code/scripts/peer.js +++ b/website_code/scripts/peer.js @@ -53,7 +53,8 @@ function peer_stateChanged(){ * @author Patrick Lockley */ -function send_review(retouremail,template_id){ +//function send_review(retouremail,template_id){ +function send_review(){ if(setup_ajax()!=false){ @@ -63,7 +64,11 @@ function send_review(retouremail,template_id){ xmlHttp.onreadystatechange=peer_stateChanged; xmlHttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); - xmlHttp.send('retouremail=' + retouremail + '&template_id=' + template_id + '&feedback=' + document.peer.response.value); + // Cleanup peer review text + var response = $('
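Review bot: The replaced condition drops the `isset($_SESSION['toolkits_logon_id'])` guard, so an unauthenticated request now calls `has_rights_to_this_template($id, null)` (with an undefined-index notice) and the outcome depends entirely on how that helper treats a null user, which is outside this hunk; keep the session test in front: `if(isset($_SESSION['toolkits_logon_id']) && (has_rights_to_this_template($id, $_SESSION['toolkits_logon_id']) || is_user_admin())) {`. No include of `template_status.php` is visible in this file, unlike the other scripts in the patch that add it, so confirm the helper is in scope or the check is a fatal error rather than a denial. Minor: `"${prefix}templatedetails"` uses the `${var}` interpolation form deprecated in PHP 8.2; the rest of the patch writes `{$prefix}templatedetails`.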
    ').html(document.peer.response.value); + var response_cleantxt = $.trim(response.text()); + //xmlHttp.send('retouremail=' + retouremail + '&template_id=' + template_id + '&feedback=' + response_cleantxt); + xmlHttp.send('feedback=' + response_cleantxt); }