From ba5e3529480a162b14a9869ef87a059bd222379f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Noack?= <noack@data-quest.de>
Date: Wed, 11 May 2022 08:06:54 +0000
Subject: [PATCH] =?UTF-8?q?resolve=20#908=20#965=20Unzureichende=20Rechtep?=
=?UTF-8?q?r=C3=BCfung=20f=C3=BCr=20filter-Parameter?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Closes #908 and #965
Merge request studip/studip!593
---
app/controllers/messages.php | 96 +++++++++++----------
app/views/institute/members/_table_body.php | 2 +-
2 files changed, 53 insertions(+), 45 deletions(-)
diff --git a/app/controllers/messages.php b/app/controllers/messages.php
index 2ec5d324242..34112461348 100644
--- a/app/controllers/messages.php
+++ b/app/controllers/messages.php
@@ -269,60 +269,60 @@ class MessagesController extends AuthenticatedController {
}
//check if the message shall be sent to all members of an institute:
- if(Request::get('inst_id') && $GLOBALS['perm']->have_perm('admin')) {
- $query = "SELECT user_id FROM user_inst WHERE Institut_id = ? AND inst_perms != 'user'";
- $this->default_message->receivers = DBManager::get()->fetchAll($query, [Request::option('inst_id')], 'MessageUser::build');
+ if (Request::get('inst_id') && $GLOBALS['perm']->have_studip_perm('admin', Request::get('inst_id'))) {
+ if (Request::get('filter') === 'inst_status') {
+ $query = "SELECT user_id, 'rec' AS snd_rec
+ FROM user_inst
+ JOIN auth_user_md5 USING (user_id)
+ WHERE Institut_id = ? AND inst_perms = ?
+ ORDER BY Nachname, Vorname";
+ } else {
+ $query = "SELECT user_id, 'rec' AS snd_rec
+ FROM user_inst
+ JOIN auth_user_md5 USING (user_id)
+ WHERE Institut_id = ? AND inst_perms != 'user'
+ ORDER BY Nachname, Vorname";
+ }
+ $this->default_message->receivers = DBManager::get()->fetchAll($query, [Request::option('inst_id'), Request::option('who')], 'MessageUser::build');
}
//check if the message shall be sent to all (or some) members of a course:
$filter = Request::get('filter');
- if ($filter && Request::option("course_id")) {
- $additional = '';
- $course = new Course(Request::option('course_id'));
- $allow_tutor_filters = false;
- if ($GLOBALS['perm']->have_studip_perm('tutor', $course->id) || $course->getSemClass()['studygroup_mode'] || CourseConfig::get($course->id)->COURSE_STUDENT_MAILING) {
- $allow_tutor_filters = true;
- $additional = " AND seminar_user.visible != 'no'";
- }
- $this->default_message->receivers = [];
- $query = '';
- $params = [$course->id, Request::option('who')];
-
- if ($filter === 'send_sms_to_all' && $allow_tutor_filters) {
- $query = "SELECT user_id, 'rec' AS snd_rec
+ $course = Course::find(Request::option('course_id'));
+ if ($filter && $course) {
+ if ($GLOBALS['perm']->have_studip_perm('tutor', $course->id)
+ || ($GLOBALS['perm']->have_studip_perm('autor', $course->id)
+ && ($course->getSemClass()['studygroup_mode'] || CourseConfig::get($course->id)->COURSE_STUDENT_MAILING))) {
+ $this->default_message->receivers = [];
+ $query = '';
+ $params = [$course->id, Request::option('who')];
+ if ($GLOBALS['perm']->have_studip_perm('tutor', $course->id)) {
+ if ($filter === 'send_sms_to_all') {
+ $query = "SELECT user_id, 'rec' AS snd_rec
FROM seminar_user
JOIN auth_user_md5 USING (user_id)
- WHERE Seminar_id = ? AND status = ? {$additional}
+ WHERE Seminar_id = ? AND status = ?
ORDER BY Nachname, Vorname";
- } elseif ($filter === 'all') {
- $query = "SELECT user_id, 'rec' AS snd_rec
+ } elseif ($filter === 'all') {
+ $query = "SELECT user_id, 'rec' AS snd_rec
FROM seminar_user
JOIN auth_user_md5 USING (user_id)
- WHERE Seminar_id = ? {$additional}
+ WHERE Seminar_id = ?
ORDER BY Nachname, Vorname";
- } elseif ($filter === 'prelim' && $allow_tutor_filters) {
- $query = "SELECT user_id, 'rec' AS snd_rec
+ } elseif ($filter === 'prelim') {
+ $query = "SELECT user_id, 'rec' AS snd_rec
FROM admission_seminar_user
JOIN auth_user_md5 USING (user_id)
WHERE seminar_id = ? AND status = 'accepted'
- {$additional}
ORDER BY Nachname, Vorname";
- } elseif ($filter === 'awaiting' && $allow_tutor_filters) {
- $query = "SELECT user_id, 'rec' AS snd_rec
+ } elseif ($filter === 'awaiting') {
+ $query = "SELECT user_id, 'rec' AS snd_rec
FROM admission_seminar_user
JOIN auth_user_md5 USING (user_id)
WHERE seminar_id = ? AND status = 'awaiting'
- {$additional}
ORDER BY Nachname, Vorname";
- } elseif ($filter === 'inst_status') {
- $query = "SELECT user_id, 'rec' AS snd_rec
- FROM user_inst
- JOIN auth_user_md5 USING (user_id)
- WHERE Institut_id = ? AND inst_perms = ?
- {$additional}
- ORDER BY Nachname, Vorname";
- } elseif ($filter === 'not_grouped' && $allow_tutor_filters) {
- $query = "SELECT seminar_user.user_id, 'rec' as snd_rec
+ } elseif ($filter === 'not_grouped') {
+ $query = "SELECT seminar_user.user_id, 'rec' as snd_rec
FROM seminar_user
JOIN auth_user_md5 USING (user_id)
LEFT JOIN statusgruppen ON range_id = seminar_id
@@ -332,16 +332,24 @@ class MessagesController extends AuthenticatedController {
GROUP BY seminar_user.user_id
HAVING COUNT(statusgruppe_user.statusgruppe_id) = 0
ORDER BY Nachname, Vorname";
- } elseif ($filter === 'claiming' && $allow_tutor_filters) {
- $cs = CourseSet::getSetForCourse($course->id);
- if (is_object($cs) && !$cs->hasAlgorithmRun()) {
- foreach (AdmissionPriority::getPrioritiesByCourse($cs->getId(), $course->id) as $user_id => $p) {
- $this->default_message->receivers = MessageUser::build(['user_id' => $user_id, 'snd_rec' => 'rec']);
+ } elseif ($filter === 'claiming') {
+ $cs = CourseSet::getSetForCourse($course->id);
+ if (is_object($cs) && !$cs->hasAlgorithmRun()) {
+ foreach (AdmissionPriority::getPrioritiesByCourse($cs->getId(), $course->id) as $user_id => $p) {
+ $this->default_message->receivers[] = MessageUser::build(['user_id' => $user_id, 'snd_rec' => 'rec']);
+ }
+ }
}
+ } else {
+ $query = "SELECT user_id, 'rec' AS snd_rec
+ FROM seminar_user
+ JOIN auth_user_md5 USING (user_id)
+ WHERE Seminar_id = ? AND seminar_user.visible != 'no'
+ ORDER BY Nachname, Vorname";
+ }
+ if ($query) {
+ $this->default_message->receivers = DBManager::get()->fetchAll($query, $params, 'MessageUser::build');
}
- }
- if ($query) {
- $this->default_message->receivers = DBManager::get()->fetchAll($query, $params, 'MessageUser::build');
}
}
diff --git a/app/views/institute/members/_table_body.php b/app/views/institute/members/_table_body.php
index 284a46c38d8..90d7c02637e 100644
--- a/app/views/institute/members/_table_body.php
+++ b/app/views/institute/members/_table_body.php
@@ -12,7 +12,7 @@
$controller->url_for('messages/write?filter=inst_status', [
'who' => $key,
'default_subject' => Context::get()->Name,
- 'course_id' => Context::getId(),
+ 'inst_id' => Context::getId(),
]),
sprintf(_('Nachricht an alle Mitglieder mit dem Status %s verschicken'), $th_title),
Icon::create('mail', 'clickable'),
--
GitLab