diff options
| author | André Noack <noack@data-quest.de> | 2022-05-11 08:06:54 +0000 |
|---|---|---|
| committer | David Siegfried <david.siegfried@uni-vechta.de> | 2022-05-11 08:06:54 +0000 |
| commit | 7db0d91aa4d16ef88315592ccef56bde56e39d51 (patch) | |
| tree | 1e8790d8b3c1d7a5b54bc9dd50a1d9ddd1b80304 /app/controllers/messages.php | |
| parent | 20240b2aacb15ab3264afbfbbc9dae952db4bb63 (diff) | |
resolve #908 #965 Unzureichende Rechteprüfung für filter-Parameter
Closes #908 and #965
Merge request studip/studip!593
Diffstat (limited to 'app/controllers/messages.php')
| -rw-r--r-- | app/controllers/messages.php | 96 |
1 files changed, 52 insertions, 44 deletions
diff --git a/app/controllers/messages.php b/app/controllers/messages.php index a8b0788..5066882 100644 --- a/app/controllers/messages.php +++ b/app/controllers/messages.php @@ -269,60 +269,60 @@ class MessagesController extends AuthenticatedController { } //check if the message shall be sent to all members of an institute: - if(Request::get('inst_id') && $GLOBALS['perm']->have_perm('admin')) { - $query = "SELECT user_id FROM user_inst WHERE Institut_id = ? AND inst_perms != 'user'"; - $this->default_message->receivers = DBManager::get()->fetchAll($query, [Request::option('inst_id')], 'MessageUser::build'); + if (Request::get('inst_id') && $GLOBALS['perm']->have_studip_perm('admin', Request::get('inst_id'))) { + if (Request::get('filter') === 'inst_status') { + $query = "SELECT user_id, 'rec' AS snd_rec + FROM user_inst + JOIN auth_user_md5 USING (user_id) + WHERE Institut_id = ? AND inst_perms = ? + ORDER BY Nachname, Vorname"; + } else { + $query = "SELECT user_id, 'rec' AS snd_rec + FROM user_inst + JOIN auth_user_md5 USING (user_id) + WHERE Institut_id = ? AND inst_perms != 'user' + ORDER BY Nachname, Vorname"; + } + $this->default_message->receivers = DBManager::get()->fetchAll($query, [Request::option('inst_id'), Request::option('who')], 'MessageUser::build'); } //check if the message shall be sent to all (or some) members of a course: $filter = Request::get('filter'); - if ($filter && Request::option("course_id")) { - $additional = ''; - $course = new Course(Request::option('course_id')); - $allow_tutor_filters = false; - if ($GLOBALS['perm']->have_studip_perm('tutor', $course->id) || $course->getSemClass()['studygroup_mode'] || CourseConfig::get($course->id)->COURSE_STUDENT_MAILING) { - $allow_tutor_filters = true; - $additional = " AND seminar_user.visible != 'no'"; - } - $this->default_message->receivers = []; - $query = ''; - $params = [$course->id, Request::option('who')]; - - if ($filter === 'send_sms_to_all' && $allow_tutor_filters) { - $query = "SELECT user_id, 'rec' AS snd_rec + $course = Course::find(Request::option('course_id')); + if ($filter && $course) { + if ($GLOBALS['perm']->have_studip_perm('tutor', $course->id) + || ($GLOBALS['perm']->have_studip_perm('autor', $course->id) + && ($course->getSemClass()['studygroup_mode'] || CourseConfig::get($course->id)->COURSE_STUDENT_MAILING))) { + $this->default_message->receivers = []; + $query = ''; + $params = [$course->id, Request::option('who')]; + if ($GLOBALS['perm']->have_studip_perm('tutor', $course->id)) { + if ($filter === 'send_sms_to_all') { + $query = "SELECT user_id, 'rec' AS snd_rec FROM seminar_user JOIN auth_user_md5 USING (user_id) - WHERE Seminar_id = ? AND status = ? {$additional} + WHERE Seminar_id = ? AND status = ? ORDER BY Nachname, Vorname"; - } elseif ($filter === 'all') { - $query = "SELECT user_id, 'rec' AS snd_rec + } elseif ($filter === 'all') { + $query = "SELECT user_id, 'rec' AS snd_rec FROM seminar_user JOIN auth_user_md5 USING (user_id) - WHERE Seminar_id = ? {$additional} + WHERE Seminar_id = ? ORDER BY Nachname, Vorname"; - } elseif ($filter === 'prelim' && $allow_tutor_filters) { - $query = "SELECT user_id, 'rec' AS snd_rec + } elseif ($filter === 'prelim') { + $query = "SELECT user_id, 'rec' AS snd_rec FROM admission_seminar_user JOIN auth_user_md5 USING (user_id) WHERE seminar_id = ? AND status = 'accepted' - {$additional} ORDER BY Nachname, Vorname"; - } elseif ($filter === 'awaiting' && $allow_tutor_filters) { - $query = "SELECT user_id, 'rec' AS snd_rec + } elseif ($filter === 'awaiting') { + $query = "SELECT user_id, 'rec' AS snd_rec FROM admission_seminar_user JOIN auth_user_md5 USING (user_id) WHERE seminar_id = ? AND status = 'awaiting' - {$additional} ORDER BY Nachname, Vorname"; - } elseif ($filter === 'inst_status') { - $query = "SELECT user_id, 'rec' AS snd_rec - FROM user_inst - JOIN auth_user_md5 USING (user_id) - WHERE Institut_id = ? AND inst_perms = ? - {$additional} - ORDER BY Nachname, Vorname"; - } elseif ($filter === 'not_grouped' && $allow_tutor_filters) { - $query = "SELECT seminar_user.user_id, 'rec' as snd_rec + } elseif ($filter === 'not_grouped') { + $query = "SELECT seminar_user.user_id, 'rec' as snd_rec FROM seminar_user JOIN auth_user_md5 USING (user_id) LEFT JOIN statusgruppen ON range_id = seminar_id @@ -332,16 +332,24 @@ class MessagesController extends AuthenticatedController { GROUP BY seminar_user.user_id HAVING COUNT(statusgruppe_user.statusgruppe_id) = 0 ORDER BY Nachname, Vorname"; - } elseif ($filter === 'claiming' && $allow_tutor_filters) { - $cs = CourseSet::getSetForCourse($course->id); - if (is_object($cs) && !$cs->hasAlgorithmRun()) { - foreach (AdmissionPriority::getPrioritiesByCourse($cs->getId(), $course->id) as $user_id => $p) { - $this->default_message->receivers = MessageUser::build(['user_id' => $user_id, 'snd_rec' => 'rec']); + } elseif ($filter === 'claiming') { + $cs = CourseSet::getSetForCourse($course->id); + if (is_object($cs) && !$cs->hasAlgorithmRun()) { + foreach (AdmissionPriority::getPrioritiesByCourse($cs->getId(), $course->id) as $user_id => $p) { + $this->default_message->receivers[] = MessageUser::build(['user_id' => $user_id, 'snd_rec' => 'rec']); + } + } } + } else { + $query = "SELECT user_id, 'rec' AS snd_rec + FROM seminar_user + JOIN auth_user_md5 USING (user_id) + WHERE Seminar_id = ? AND seminar_user.visible != 'no' + ORDER BY Nachname, Vorname"; + } + if ($query) { + $this->default_message->receivers = DBManager::get()->fetchAll($query, $params, 'MessageUser::build'); } - } - if ($query) { - $this->default_message->receivers = DBManager::get()->fetchAll($query, $params, 'MessageUser::build'); } } |