allow change_view action for admin and root, fixes #502

c1cea9c8 · Elmar Ludwig · e6ddc2bc · c1cea9c8 · c1cea9c8 · c1cea9c8
Commit c1cea9c8 authored 3 years ago by Elmar Ludwig
--- a/app/controllers/admin/courses.php
+++ b/app/controllers/admin/courses.php
@@ -279,7 +279,7 @@ class Admin_CoursesController extends AuthenticatedController
        //delete all temporary permission changes
        if (is_array($_SESSION)) {
            foreach (array_keys($_SESSION) as $key) {
-                if (mb_strpos($key, 'seminar_change_view_') !== false) {
+                if (strpos($key, 'seminar_change_view_') === 0) {
                    unset($_SESSION[$key]);
                }
            }

--- a/app/controllers/course/change_view.php
+++ b/app/controllers/course/change_view.php
@@ -33,7 +33,7 @@ class Course_ChangeViewController extends AuthenticatedController
    public function set_changed_view_action()
    {
        if (!$GLOBALS['perm']->have_studip_perm('tutor', $this->course_id)) {
-            throw new Trails_Exception(400);
+            throw new AccessDeniedException();
        }
        $_SESSION["seminar_change_view_{$this->course_id}"] = 'autor';
        $this->relocate('course/overview');
@@ -47,13 +47,6 @@ class Course_ChangeViewController extends AuthenticatedController
     */
    public function reset_changed_view_action()
    {
-        /*
-         * We need to check the real database entry here because $perm would
-         * only return the simulated rights.
-         */
-        if (!CourseMember::findByCourseAndStatus($this->course_id, ['tutor', 'dozent'])) {
-            throw new Trails_Exception(400);
-        }
        unset($_SESSION["seminar_change_view_{$this->course_id}"]);
        $this->relocate('course/management');
    }

--- a/app/controllers/course/management.php
+++ b/app/controllers/course/management.php
@@ -25,7 +25,7 @@ class Course_ManagementController extends AuthenticatedController
        parent::before_filter($action, $args);
        if (!$GLOBALS['perm']->have_studip_perm("tutor", $GLOBALS['SessionSeminar'])) {
-            throw new Trails_Exception(400);
+            throw new AccessDeniedException();
        }
        if (Context::isCourse()) {
            $sem_class = $GLOBALS['SEM_CLASS'][$GLOBALS['SEM_TYPE'][Context::get()->status]['class']] ?: SemClass::getDefaultSemClass();
@@ -97,13 +97,12 @@ class Course_ManagementController extends AuthenticatedController
                    )->asDialog('size=auto');
                }
            }
-            if (in_array($GLOBALS['perm']->get_studip_perm($course->id), words('tutor dozent'))) {
-                $actions->addLink(
+            $actions->addLink(
-                    _('Studierendenansicht simulieren'),
+                _('Studierendenansicht simulieren'),
-                    URLHelper::getURL('dispatch.php/course/change_view/set_changed_view'),
+                URLHelper::getURL('dispatch.php/course/change_view/set_changed_view'),
-                    Icon::create('visibility-invisible')
+                Icon::create('visibility-invisible')
-                );
+            );
-            }
            $sidebar->addWidget($actions);

--- a/lib/phplib/Seminar_Perm.class.php
+++ b/lib/phplib/Seminar_Perm.class.php
@@ -144,7 +144,7 @@ class Seminar_Perm
            }
        }
        if ($user_perm == "root") {
-            return "root";
+            $status = "root";
        } elseif ($user_perm == "admin") {
            if (Config::get()->ALLOW_ADMIN_RELATED_INST) {
                $sem_inst = 'seminar_inst';
@@ -180,25 +180,23 @@ class Seminar_Perm
            }
        }
+        if (isset($_SESSION['seminar_change_view_' . $range_id])) {
+            $status = $_SESSION['seminar_change_view_' . $range_id];
+        }
        if ($status) {
            return $status;
        }
        if (Config::get()->DEPUTIES_ENABLE && Deputy::isDeputy($user_id, $range_id)) {
-            if ($_SESSION['seminar_change_view_' . $range_id]) {
+            $status = 'dozent';
-                $status = $_SESSION['seminar_change_view_' . $range_id];
-            } else {
-                $status = 'dozent';
-            }
        } else {
            $st = $db->prepare("SELECT status FROM seminar_user
                          WHERE user_id = ? AND Seminar_id = ?");
            $st->execute([$user_id, $range_id]);
-            if ($status = $st->fetchColumn()) {
+            $status = $st->fetchColumn();
-                if (in_array($status, words('dozent tutor')) && isset($_SESSION['seminar_change_view_' . $range_id])) {
-                    $status = $_SESSION['seminar_change_view_' . $range_id];
+            if (!$status) {
-                }
-            } else {
                $st = $db->prepare("SELECT inst_perms FROM user_inst
                              WHERE user_id = ? AND Institut_id = ?");
                $st->execute([$user_id, $range_id]);

--- a/templates/layouts/base.php
+++ b/templates/layouts/base.php
@@ -111,7 +111,7 @@ $getInstalledLanguages = function () {
        (Navigation::hasItem('/admin/institute') && Navigation::getItem('/admin/institute')->isActive())); ?>
    <div id="layout_page" <? if (!($contextable)) echo 'class="contextless"'; ?>>
-    <? if (PageLayout::isHeaderEnabled() && is_object($GLOBALS['user']) && $GLOBALS['user']->id != 'nobody' && Navigation::hasItem('/course') && Navigation::getItem('/course')->isActive() && $_SESSION['seminar_change_view_'.Context::getId()]) : ?>
+    <? if (PageLayout::isHeaderEnabled() && Navigation::hasItem('/course') && Navigation::getItem('/course')->isActive() && $_SESSION['seminar_change_view_'.Context::getId()]) : ?>
        <?= $this->render_partial('change_view', ['changed_status' => $_SESSION['seminar_change_view_'.Context::getId()]]) ?>
    <? endif ?>