[BugFix] Bug 5505 - function lesson_print_tree now checks for teacher editing priv...

lesson.php how checks for teacher editing priv for all actions except for continue.  This is just in case the user hacks the URL.

diff --git a/mod/lesson/lesson.php b/mod/lesson/lesson.php
index 5b7e4c1ca83f6398a6c81c7c8c7e27006418dbc5..dac80ef47af951bf3a3e75616f4d5cd803874d66 100644 (file)
--- a/mod/lesson/lesson.php
+++ b/mod/lesson/lesson.php
@@ -40,6 +40,13 @@
 
     require_login($course->id);
     
+    if ($action != 'continue') {
+        // All pages except for continue.php require teacher editing privs
+        if (!isteacheredit($lesson->course)) {
+            error('You must be a teacher with editing privileges to access this page.');
+        }
+    }
+    
     // set up some general variables
     $usehtmleditor = can_use_html_editor();
     

diff --git a/mod/lesson/locallib.php b/mod/lesson/locallib.php
index e7dfb4c6838c991082f5105f966f8354d22e0b99..ae80f145305dc26d2e425c39125e447962771459 100644 (file)
--- a/mod/lesson/locallib.php
+++ b/mod/lesson/locallib.php
@@ -1132,18 +1132,18 @@ function lesson_print_tree_link_menu($page, $id, $showpages=false) {
  * next to the links.
  * 
  * @uses $USER
+ * @uses $CFG
  * @param int $pageid Page id of the first page of the lesson.
- * @param int $lessonid Id of the lesson.
+ * @param object $lesson Object of the current lesson.
  * @param int $cmid The course module id of the lesson.
  * @param string $pixpath Path to the pictures.
- * @todo $pageid does not need to be passed.  Can be found in the function.  $pixpath is just
- *       $CFG->pixpath.  So $CFG should be declaired globally and be used instead of passed.
+ * @todo $pageid does not need to be passed.  Can be found in the function.
  *       This function is only called once.  It should be removed and the code inside it moved to view.php
  */
-function lesson_print_tree($pageid, $lessonid, $cmid, $pixpath) {
-    global $USER;
+function lesson_print_tree($pageid, $lesson, $cmid) {
+    global $USER, $CFG;
 
-    if(!$pages = get_records_select("lesson_pages", "lessonid = $lessonid")) {
+    if(!$pages = get_records_select("lesson_pages", "lessonid = $lesson->id")) {
         error("Error: could not find lesson pages");
     }
     echo "<table>";
@@ -1154,7 +1154,7 @@ function lesson_print_tree($pageid, $lessonid, $cmid, $pixpath) {
         } else {
             $output = "<a href=\"view.php?id=$cmid&display=".$pages[$pageid]->id."\">".format_string($pages[$pageid]->title,true)."</a>\n";
             
-            if($answers = get_records_select("lesson_answers", "lessonid = $lessonid and pageid = $pageid")) {
+            if($answers = get_records_select("lesson_answers", "lessonid = $lesson->id and pageid = $pageid")) {
                 $output .= "Jumps to: ";
                 $end = end($answers);
                 foreach ($answers as $answer) {
@@ -1185,15 +1185,16 @@ function lesson_print_tree($pageid, $lessonid, $cmid, $pixpath) {
         }
         
         echo $output;        
-        if (count($pages) > 1) {
-            echo "<a title=\"move\" href=\"lesson.php?id=$cmid&action=move&pageid=".$pages[$pageid]->id."\">\n".
-                "<img src=\"$pixpath/t/move.gif\" hspace=\"2\" height=11 width=11 alt=\"move\" border=0></a>\n";
+        if (isteacheredit($lesson->course)) {
+          if (count($pages) > 1) {
+              echo "<a title=\"move\" href=\"lesson.php?id=$cmid&action=move&pageid=".$pages[$pageid]->id."\">\n".
+                  "<img src=\"$CFG->pixpath/t/move.gif\" hspace=\"2\" height=11 width=11 alt=\"move\" border=0></a>\n";
+          }
+          echo "<a title=\"update\" href=\"lesson.php?id=$cmid&amp;action=editpage&amp;pageid=".$pages[$pageid]->id."\">\n".
+              "<img src=\"$CFG->pixpath/t/edit.gif\" hspace=\"2\" height=11 width=11 alt=\"edit\" border=0></a>\n".
+              "<a title=\"delete\" href=\"lesson.php?id=$cmid&amp;sesskey=".$USER->sesskey."&amp;action=confirmdelete&amp;pageid=".$pages[$pageid]->id."\">\n".
+              "<img src=\"$CFG->pixpath/t/delete.gif\" hspace=\"2\" height=11 width=11 alt=\"delete\" border=0></a>\n";
         }
-        echo "<a title=\"update\" href=\"lesson.php?id=$cmid&amp;action=editpage&amp;pageid=".$pages[$pageid]->id."\">\n".
-            "<img src=\"$pixpath/t/edit.gif\" hspace=\"2\" height=11 width=11 alt=\"edit\" border=0></a>\n".
-            "<a title=\"delete\" href=\"lesson.php?id=$cmid&amp;sesskey=".$USER->sesskey."&amp;action=confirmdelete&amp;pageid=".$pages[$pageid]->id."\">\n".
-            "<img src=\"$pixpath/t/delete.gif\" hspace=\"2\" height=11 width=11 alt=\"delete\" border=0></a>\n";
-
         echo "</tr></td>";
         $pageid = $pages[$pageid]->nextpageid;
     }

diff --git a/mod/lesson/view.php b/mod/lesson/view.php
index b7e2755a749ca5bde0c699619f88a61da13a0d7e..df244a495cb4eaf6e0a33e5d4290ece5f66405fc 100644 (file)
--- a/mod/lesson/view.php
+++ b/mod/lesson/view.php
@@ -1288,7 +1288,7 @@
             if($collapsed and !$display) {  
                 echo "<div align=\"center\">\n";
                     echo "<table><tr><td>\n";
-                    lesson_print_tree($page->id, $lesson->id, $cm->id, $CFG->pixpath);
+                    lesson_print_tree($page->id, $lesson, $cm->id);
                     echo "</td></tr></table>\n";
                 echo "</div>\n";
             } else {