From: moodler
Date: Thu, 30 Mar 2006 04:37:16 +0000 (+0000)
Subject: Some better security when database is hidden
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=3d1c33ef01aa5bc45a1275cefb0d19759cafe397;p=moodle.git
Some better security when database is hidden
---
diff --git a/mod/data/add.php b/mod/data/add.php
index d79ae3b907..2d39753bcf 100755
--- a/mod/data/add.php
+++ b/mod/data/add.php
@@ -56,14 +56,20 @@
 }
 require_course_login($course, false, $cm);
+
+/// If it's hidden then it's don't show anything. :)
+ if (empty($cm->visible) and !isteacher($course->id)) {
+ notice(get_string("activityiscurrentlyhidden"));
+ }
+/// Can't use this if there are no fields
 if (isteacher($course->id)) {
 if (!record_exists('data_fields','dataid',$data->id)) { // Brand new database!
 redirect($CFG->wwwroot.'/mod/data/field.php?d='.$data->id); // Redirect to field entry
 }
 }
- ///checking for participants
+/// Check access for participants
 if ((!isteacher($course->id)) && $data->participants == DATA_TEACHERS_ONLY) {
 error (get_string('noaccess','data'));
 }
diff --git a/mod/data/field.php b/mod/data/field.php
index 54695f588e..1b8cdafc87 100755
--- a/mod/data/field.php
+++ b/mod/data/field.php
@@ -25,7 +25,6 @@
 require_once('../../config.php');
 require_once('lib.php');
- require_login();
 $id = optional_param('id', 0, PARAM_INT); // course module id
 $d = optional_param('d', 0, PARAM_INT); // database id
@@ -64,6 +63,8 @@
 }
 }
+ require_course_login($course, true, $cm);
+
 if (!isteacheredit($course->id)){
 error(get_string('noaccess','data'));
 }
diff --git a/mod/data/templates.php b/mod/data/templates.php
index 7c3568f501..5b1231e808 100755
--- a/mod/data/templates.php
+++ b/mod/data/templates.php
@@ -55,6 +55,8 @@
 }
 }
+ require_course_login($course, true, $cm);
+
 if (!isteacheredit($course->id)){
 error(get_string('noaccess','data'));
 }
diff --git a/mod/data/view.php b/mod/data/view.php
index 5d6a9f4f3a..6d6c7366b0 100755
--- a/mod/data/view.php
+++ b/mod/data/view.php
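Review bot: In mod/data/add.php the new hidden-activity guard stops a student only if `notice()` ends the request; nothing after the call inside the `if (empty($cm->visible) and !isteacher($course->id))` block halts execution, and `notice()` itself is not part of this diff. If it can ever return, the field redirect and the participants check below it still run for a hidden activity, so confirm that it terminates and record that in the comment, for example `/// Hidden activity: non-teachers get a notice and the request ends here (notice() does not return)`. The identical block is added in the mod/data/view.php hunk; moving it into one helper in lib.php would keep the two entry points from drifting apart. The script continues above and below the hunk.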
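Review bot: In the second mod/data/field.php hunk the login check now runs after the parameter handling and whatever lookups fill `$course` and `$cm`, whereas the removed `require_login();` ran before any of it. Those lines are outside the hunks, so it is worth confirming that nothing between them writes data or gives an anonymous visitor different error messages for existing and non-existing ids. The call also passes `true` as the second argument, which in Moodle's API allows automatic guest login; on a page that immediately requires `isteacheredit()` this only creates a guest session before the `noaccess` error, and `require_course_login($course, false, $cm);`, as add.php uses, would fit better. The mod/data/templates.php hunk adds the same line in the same position.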
@@ -81,8 +81,15 @@
 $record = NULL;
 }
+ require_course_login($course, true, $cm);
+
+/// If it's hidden then it's don't show anything. :)
+ if (empty($cm->visible) and !isteacher($course->id)) {
+ notice(get_string("activityiscurrentlyhidden"));
+ }
+
 /// If we have an empty Database then redirect because this page is useless without data
 if (isteacher($course->id)) {
 if (!record_exists('data_fields','dataid',$data->id)) { // Brand new database!