Allow group admins to use Emulate User and Batch Create Instr

kreut · Dec 28, 2017 · 21f929b · 21f929b
1 parent 1b6d3ad
commit 21f929b
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 23 deletions.
diff --git a/admin/admin2.php b/admin/admin2.php
@@ -234,9 +234,12 @@ function getRoleNameByRights($rights) {
       echo '<a href="exportlib.php?cid=admin">',_('Export Libraries'),'</a><br/>';
       echo '<a href="listdiag.php">',_('Diagnostics'),'</a> ';
       echo '</span>';
-
+      
       echo '<span class="column">';
       echo '<a href="forms.php?from=admin2&action=newadmin&group='.Sanitize::encodeUrlParam($showgroup).'">'._('Add New User').'</a>';
+      if (($myspecialrights&16)==16 || ($myspecialrights&32)==32) {
+      	      echo '<br/><a href="../util/batchcreateinstr.php?from=admin">'._('Batch Add Instructors').'</a>';    
+      }
       echo '</span>';
 
       echo '<div class=clear></div></div>';

diff --git a/admin/userdetails.php b/admin/userdetails.php
@@ -170,8 +170,8 @@ function getRoleNameByRights($rights) {
 
   //sub nav links
   echo '<div class="cpmid"><a href="forms.php?from=ud'.$uid.'&action=chgrights&id='.$uid.'">'._('Edit User').'</a>';
+  echo ' | <a href="../util/utils.php?emulateuser='.$uid.'">'. _('Emulate User').'</a>';
   if ($myrights==100) {
-    echo ' | <a href="../util/utils.php?emulateuser='.$uid.'">'. _('Emulate User').'</a>';
     echo ' | <a href="userlti.php?id='.$uid.'">'. _('LTI Connections').'</a>';
   }
   if ($userinfo['rights']==100 || ($userinfo['specialrights']&4)==4) {

diff --git a/util/batchcreateinstr.php b/util/batchcreateinstr.php
@@ -1,7 +1,7 @@
 <?php
 //IMathAS:  Batch create instructors
 //(c) 2017 David Lippman for Lumen Learning
-
+ 
 @set_time_limit(0);
 ini_set("max_input_time", "1600");
 ini_set("max_execution_time", "1600");
@@ -12,16 +12,22 @@
 require("../init.php");
 require_once("../includes/copyiteminc.php");
 
-if ($myrights<100) {
+if ($myrights < 100 && ($myspecialrights&16)!=16 && ($myspecialrights&32)!=32) {
   echo "You're not authorized for this page";
   exit;
 }
 $curBreadcrumb = "<div class=breadcrumb>$breadcrumbbase <a href=\"admin2.php\">Admin</a> &gt; Batch Create Instructors</div>\n";
 
 if (isset($_POST['groupid']) && is_uploaded_file($_FILES['uploadedfile']['tmp_name'])) {
-  if ($_POST['groupid']<1) {
-    echo "Invalid group selection";
-    exit;
+  if ($myrights == 100 || ($myspecialrights&32)==32) {
+  	  if ($_POST['groupid']<1) {
+  	  	  echo "Invalid group selection";
+  	  	  exit;
+  	  } else {
+  	  	  $newusergroupid = $_POST['groupid'];
+  	  }
+  } else {
+  	  $newusergroupid = $groupid;
   }
   if (isset($CFG['GEN']['newpasswords'])) {
     require_once("../includes/password.php");
@@ -54,7 +60,7 @@
     $query = 'INSERT INTO imas_users (SID,password,FirstName,LastName,rights,email,groupid,homelayout) VALUES (:SID, :password, :FirstName, :LastName, :rights, :email, :groupid, :homelayout)';
     $stm = $DBH->prepare($query);
     $stm->execute(array(':SID'=>$data[0], ':password'=>$hashpw, ':FirstName'=>$data[2], ':LastName'=>$data[3],
-            ':rights'=>40, ':email'=>$data[4], ':groupid'=>$_POST['groupid'], ':homelayout'=>$homelayout));
+            ':rights'=>40, ':email'=>$data[4], ':groupid'=>$newusergroupid, ':homelayout'=>$homelayout));
 
     $newuserid = $DBH->lastInsertId();
 
@@ -205,20 +211,24 @@
 } else {
   require("../header.php");
   $curBreadcrumb = "$breadcrumbbase <a href=\"$imasroot/admin/admin2.php\">Admin</a>\n";
-  $curBreadcrumb = $curBreadcrumb . " &gt; <a href=\"$imasroot/util/utils.php\">Utils</a> \n";
+  if ($_GET['from'] != 'admin') {
+  	  $curBreadcrumb = $curBreadcrumb . " &gt; <a href=\"$imasroot/util/utils.php\">Utils</a> \n";
+  }
   echo '<div class="breadcrumb">'.$curBreadcrumb.' &gt; Batch Create Instructors</div>';
   echo '<form enctype="multipart/form-data" method="post" action="'.$imasroot.'/util/batchcreateinstr.php">';
   echo '<p>This page lets you create instructor accounts from a CSV, and copy courses for them if desired</p>';
   echo '<p>Column Format:</p><ul>';
   echo '<li>1) username</li><li>2) password</li><li>3) First Name</li>';
   echo '<li>4) Last Name</li><li>5) email</li>';
   echo '<li>Columns 6,7,etc. can be course IDs to create copies of for that instructor</li></ul>';
-  echo '<p>Group: <select name="groupid"><option value="-1">Select...</option>';
-	$stm = $DBH->query("SELECT id,name FROM imas_groups ORDER BY name");
-	while ($row = $stm->fetch(PDO::FETCH_NUM)) {
-		echo '<option value="'.Sanitize::onlyInt($row[0]).'">'.Sanitize::encodeStringForDisplay($row[1]).'</option>';
-	}
-  echo '</select><br/>';
+  if ($myrights == 100 || ($myspecialrights&32)==32) {
+	  echo '<p>Group: <select name="groupid"><option value="-1">Select...</option>';
+		$stm = $DBH->query("SELECT id,name FROM imas_groups ORDER BY name");
+		while ($row = $stm->fetch(PDO::FETCH_NUM)) {
+			echo '<option value="'.Sanitize::onlyInt($row[0]).'">'.Sanitize::encodeStringForDisplay($row[1]).'</option>';
+		}
+	  echo '</select><br/>';
+  }
   echo 'CSV file: <input type=file name=uploadedfile /><br/>';
   echo '<input type="submit" value="Go"/>';
   echo '</form>';

diff --git a/util/utils.php b/util/utils.php
@@ -9,6 +9,23 @@
 	header('Location: ' . $GLOBALS['basesiteurl'] . "/index.php");
 	exit;
 }
+
+if ($myrights >= 75 && isset($_GET['emulateuser'])) {
+	if ($myrights<100) {
+		$stm = $DBH->prepare("SELECT groupid FROM imas_users WHERE id=?");
+		$stm->execute(array($_GET['emulateuser']));
+		if ($stm->fetchColumn(0) != $groupid) {
+			echo "You can only emulate teachers from your own group";
+			exit;
+		}
+	}
+	$sessiondata['emulateuseroriginaluser'] = $userid;
+	writesessiondata();
+	$stm = $DBH->prepare("UPDATE imas_sessions SET userid=:userid WHERE sessionid=:sessionid");
+	$stm->execute(array(':userid'=>$_GET['emulateuser'], ':sessionid'=>$sessionid));
+	header('Location: ' . $GLOBALS['basesiteurl'] . "/index.php");
+	exit;
+}
 if ($myrights<100) {
 	echo "You are not authorized to view this page";
 	exit;
@@ -23,14 +40,6 @@
 	$stm = $DBH->prepare("DELETE FROM imas_ltiusers WHERE id=:id");
 	$stm->execute(array(':id'=>$id));
 }
-if (isset($_GET['emulateuser'])) {
-	$sessiondata['emulateuseroriginaluser'] = $userid;
-	writesessiondata();
-	$stm = $DBH->prepare("UPDATE imas_sessions SET userid=:userid WHERE sessionid=:sessionid");
-	$stm->execute(array(':userid'=>$_GET['emulateuser'], ':sessionid'=>$sessionid));
-	header('Location: ' . $GLOBALS['basesiteurl'] . "/index.php");
-	exit;
-}
 if (isset($_GET['removecourselti'])) {
 	$id = intval($_GET['removecourselti']);
 	//DB $query = "DELETE FROM imas_lti_courses WHERE id=$id";