Fixes to prevent teachers using loginas to enter other courses as that student

diff --git a/lang/en/moodle.php b/lang/en/moodle.php
index 45561973bab3a5ab33eac43f8f723e7641437f06..a8aa1c95e8fabf3b5c7ac622478fedde353acc8c 100644 (file)
--- a/lang/en/moodle.php
+++ b/lang/en/moodle.php
@@ -433,6 +433,7 @@ $string['startdate'] = "Course start date";
 $string['startsignup'] = "Start now by creating a new account!";
 $string['status'] = "Status";
 $string['stringsnotset'] = "The following strings are not defined in \$a";
+$string['studentnotallowed'] = "Sorry, but you can not enter this course as '\$a'";
 $string['success'] = "Success";
 $string['summary'] = "Summary";
 $string['summaryof'] = "Summary of \$a";

diff --git a/lib/moodlelib.php b/lib/moodlelib.php
index 10038882fcf5eb544e3e30e10d76ea532e79d50f..e1cf81ed0b379721ebffac61f40105d227055f2a 100644 (file)
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@@ -1138,7 +1138,13 @@ function require_login($courseid=0) {
     // Next, check if the user can be in a particular course
     if ($courseid) {
         if ($USER->student[$courseid] || $USER->teacher[$courseid] || $USER->admin) {
-            if (!isset($USER->realuser)) {  // Don't update if this isn't a realuser
+            if (isset($USER->realuser)) {   // Make sure the REAL person can also access this course
+                if (!isteacher($courseid, $USER->realuser)) {
+                    print_header();
+                    notice(get_string("studentnotallowed", "", "$USER->firstname $USER->lastname"));
+                }
+
+            } else {  // just update their last login time
                 update_user_in_db();
             }
             if (!$USER->email) {            // User logged in, but has not set up profile!