Commit 279c33c4 authored by Robert Lyon's avatar Robert Lyon

Bug 1823065: Site staff should not see users outside 'no institution'



When $cfg->isolatedinstitutions is turned on, because if they can see and message a user, that user can't reply to them

Also fixed the default filter option so it no longer throws an error if the current user is in no institution

Also fix up online users - consolidate duplicate code and restrict non-admins in no institution if isolated institutions is turned on

behatnotneeded

Change-Id: I5828147461f513bb392598d62337d417e631e6f2
Signed-off-by: Robert Lyon's avatarRobert Lyon <robertl@catalyst.net.nz>
parent 6627ff82
......@@ -3906,57 +3906,16 @@ function profile_sideblock() {
function onlineusers_sideblock() {
global $USER;
if (!$USER->is_logged_in() || in_admin_section()) {
return null;
}
// Determine what level of users to show
// 0 = none, 1 = institution/s only, 2 = all users
$showusers = 2;
$institutions = $USER->institutions;
if (!empty($institutions)) {
$showusers = 0;
foreach ($institutions as $i) {
if ($i->showonlineusers == 2) {
$showusers = 2;
break;
}
if ($i->showonlineusers == 1) {
$showusers = 1;
}
}
}
if (!get_config('showonlineuserssideblock') || $showusers == 0) {
if (!$USER->is_logged_in() || in_admin_section() || !get_config('showonlineuserssideblock')) {
return null;
}
$maxonlineusers = get_config('onlineuserssideblockmaxusers');
switch ($showusers) {
case 1: // show institution only
$sql = 'SELECT DISTINCT u.* FROM {usr} u JOIN {usr_institution} i ON u.id = i.usr
WHERE i.institution IN ('.join(',', array_map('db_quote', array_keys($institutions))).')
AND lastaccess > ? AND deleted = 0 ORDER BY lastaccess DESC';
break;
case 2: // show all
$sql = 'SELECT * FROM {usr} WHERE lastaccess > ? AND deleted = 0 ORDER BY lastaccess DESC';
break;
}
$results = get_onlineusers($maxonlineusers, 0, 'lastaccess DESC');
$onlineusers = get_records_sql_array($sql, array(db_format_timestamp(time() - get_config('accessidletimeout'))), 0, $maxonlineusers);
if ($onlineusers) {
foreach ($onlineusers as &$user) {
$user->profileiconurl = profile_icon_url($user, 20, 20);
// If the user is an MNET user, show where they've come from
$authobj = AuthFactory::create($user->authinstance);
if ($authobj->authname == 'xmlrpc') {
$peer = get_peer($authobj->wwwroot);
$user->loggedinfrom = $peer->name;
}
}
}
else {
$onlineusers = array();
if ($results['showusers'] == 0 || empty($results['count'])) {
return null;
}
$onlineusers = $results['onlineusers'];
$sideblock = array(
'name' => 'onlineusers',
......@@ -5714,6 +5673,8 @@ function is_isolated() {
set_config('usersallowedmultipleinstitutions', false);
set_config('requireregistrationconfirm', true);
set_config('isolatedinstitutionset', true); // set this in Db so we only do this check/update once
// Set the institution 'showonlineusers' to institution only if currently all
execute_sql('UPDATE {institution} SET showonlineusers = ? WHERE showonlineusers = ?', array(1, 2));
}
else if ((isset($CFG->isolatedinstitutions) && !$CFG->isolatedinstitutions) && get_field('config', 'value', 'field', 'isolatedinstitutionset')) {
// Setting $cfg->isolatedinstitutions to false
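Review bot: In the rewritten onlineusers_sideblock (hunk at 3906) the early exit `if ($results['showusers'] == 0 || empty($results['count']))` uses a loose comparison against a value that get_onlineusers() may have read from the database as a string, whereas get_onlineusers() itself now compares with `(int)$showusers === 1`; `if ((int) $results['showusers'] === 0 || empty($results['count']))` keeps the two consistent. The removed loop also set `$user->profileiconurl` and, for xmlrpc auth, `$user->loggedinfrom` on every row; the commit message says this was duplicated code, but the hunk at 3142 only shows the matching if/else shape and not the decoration loop, so it is worth confirming that get_onlineusers() still populates both fields on the objects it returns under 'onlineusers', otherwise the sideblock template loses the avatar URL and peer name. The body of onlineusers_sideblock continues past the end of the hunk.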
......
......@@ -3103,8 +3103,14 @@ function get_onlineusers($limit=10, $offset=0, $orderby='firstname,lastname') {
}
}
}
else if (!$USER->get('admin')) {
$showusers = get_field('institution', 'showonlineusers', 'name', 'mahara');
if ((int)$showusers === 1) {
$showusers = 3;
}
}
$result = array('count' => 0, 'limit' => $limit, 'offset' => $offset, 'data' => false);
$result = array('count' => 0, 'limit' => $limit, 'offset' => $offset, 'data' => false, 'showusers' => $showusers);
switch ($showusers) {
case 0: // show none
return $result;
......@@ -3112,12 +3118,17 @@ function get_onlineusers($limit=10, $offset=0, $orderby='firstname,lastname') {
$sql = "SELECT DISTINCT u.* FROM {usr} u JOIN {usr_institution} i ON id = i.usr
WHERE deleted = 0 AND lastaccess > ? AND i.institution IN (" . join(',',array_map('db_quote', array_keys($institutions))) . ")
ORDER BY $orderby";
$countsql = 'SELECT count(DISTINCT id) FROM {usr} JOIN {usr_institution} i ON id = i.usr
$countsql = 'SELECT COUNT(DISTINCT id) FROM {usr} JOIN {usr_institution} i ON id = i.usr
WHERE deleted = 0 AND lastaccess > ? AND i.institution IN (' . join(',',array_map('db_quote', array_keys($institutions))) . ')';
break;
case 2: // show all
$sql = "SELECT * FROM {usr} WHERE deleted = 0 AND lastaccess > ? ORDER BY $orderby";
$countsql = 'SELECT count(id) FROM {usr} WHERE deleted = 0 AND lastaccess > ?';
$countsql = 'SELECT COUNT(id) FROM {usr} WHERE deleted = 0 AND lastaccess > ?';
break;
case 3: // Show all only from no institution
$sql = "SELECT DISTINCT u.* FROM {usr} u WHERE deleted = 0 AND lastaccess > ? AND u.id NOT IN (SELECT DISTINCT usr FROM {usr_institution})
ORDER BY $orderby";
$countsql = 'SELECT COUNT(DISTINCT id) FROM {usr} u WHERE deleted = 0 AND lastaccess > ? AND u.id NOT IN (SELECT DISTINCT usr FROM {usr_institution})';
break;
}
......@@ -3142,7 +3153,8 @@ function get_onlineusers($limit=10, $offset=0, $orderby='firstname,lastname') {
else {
$onlineusers = array();
}
$result['data'] = array_map(function($a) { return $a->id; }, $onlineusers);
$result['onlineusers'] = $onlineusers; // return a list of user objects
$result['data'] = array_map(function($a) { return $a->id; }, $onlineusers); // return a list of user id numbers
return $result;
}
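Review bot: The new `else if (!$USER->get('admin'))` branch in the hunk at 3103 is not gated on is_isolated(), so every non-admin user with no institution now follows the 'mahara' institution's showonlineusers value even when isolated institutions are off; if that is intended, a comment saying so would help, otherwise `else if (!$USER->get('admin') && is_isolated())` matches the restriction the commit message describes. The hunk at 3142 adds `$result['onlineusers']`, which hands complete `SELECT *` rows from {usr} to every caller where previously only ids were returned under 'data'; any caller that serialises the result for a client would now expose whatever columns {usr} carries, so either trim the objects to the fields the sideblock needs or document that the array must not leave the server. In case 3 the `DISTINCT` is redundant without a join, and `NOT EXISTS (SELECT 1 FROM {usr_institution} ui WHERE ui.usr = u.id)` avoids the NULL semantics of `NOT IN` on a subquery. get_onlineusers() starts before the first hunk, and the `$institutions` value used by the new branch's surrounding `if` is not visible here.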
......
......@@ -148,7 +148,7 @@ class PluginSearchInternal extends PluginSearch {
}
// For regular members of 'No Institution', if 'isolatedinstitutions' feature is set
$is_admin = $USER->get('admin') || $USER->get('staff');
$is_admin = $USER->get('admin');
if (is_isolated() && !$USER->get('institutions') && !$is_admin) {
$where .= '
AND (u.id NOT IN (
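Review bot: Dropping `$USER->get('staff')` from `$is_admin` is the actual behaviour change of this file, but the comment above it still says only "regular members", so the reason staff now fall under the restriction is not recorded anywhere in the code; `// For regular members and site staff of 'No Institution', if 'isolatedinstitutions' feature is set (site staff get no special access here, bug 1823065)` would keep the intent next to the condition. The variable name `$is_admin` is now accurate, whereas the unchanged friends page still builds `$is_admin` from admin-or-staff, so the two call sites disagree on what the name means. The enclosing method and the `$where` clause both continue outside the hunk.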
......
......@@ -28,7 +28,7 @@ else if (param_variable('addfriend_submit', null)) {
$query = param_variable('query', '');
$offset = param_integer('offset', 0);
$filter = param_alpha('filter', $USER->get('admin') ? 'all' : 'myinstitutions');
$filter = param_alpha('filter', (!$USER->get('admin') && !$USER->get('staff') && $USER->get('institutions')) ? 'myinstitutions' : 'all');
$limit = 10;
$is_admin = $USER->get('admin') || $USER->get('staff');
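Review bot: The new expression on the `$filter` line only changes the default; `param_alpha('filter', ...)` still accepts any client-supplied value such as `all`, so the restriction for staff and no-institution users has to be enforced where the query is built (the PluginSearchInternal hunk appears to do that for non-admins) and this default should not be relied on as an access control. On the unchanged line below, `$is_admin` still includes site staff while PluginSearchInternal now counts only admins; if `$is_admin` gates the same listing or its filter options on this page, staff would be offered choices whose results are then filtered away, and `$is_admin = $USER->get('admin');` would keep the two in step. The `$USER->get('institutions')` test relies on array truthiness, which is fine for an empty array but reads more clearly as `!empty($USER->get('institutions'))`.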
......