Commit 50125de2 authored by Robert Lyon's avatar Robert Lyon Committed by Cecilia Vela Gurovic

Bug 1823065: Site staff should not see users outside 'no institution'



This applies when $cfg->isolatedinstitutions is turned on, because if site staff can see
and message such a user, that user cannot reply to them

Also fixed default filter option from throwing error if current user
is in no institution

Also fix up online users - consolidate duplicate code and restrict
non-admins in no institution is isolated institutions is turned on

behatnotneeded

Change-Id: I5828147461f513bb392598d62337d417e631e6f2
Signed-off-by: default avatarRobert Lyon <robertl@catalyst.net.nz>
(cherry picked from commit 279c33c4)
parent f8ee1cd0
+7 −46
@@ -3906,57 +3906,16 @@ function profile_sideblock() {
function onlineusers_sideblock() {
    global $USER;

    if (!$USER->is_logged_in() || in_admin_section()) {
    if (!$USER->is_logged_in() || in_admin_section() || !get_config('showonlineuserssideblock')) {
        return null;
    }
    // Determine what level of users to show
    // 0 = none, 1 = institution/s only, 2 = all users
    $showusers = 2;
    $institutions = $USER->institutions;
    if (!empty($institutions)) {
        $showusers = 0;
        foreach ($institutions as $i) {
            if ($i->showonlineusers == 2) {
                $showusers = 2;
                break;
            }
            if ($i->showonlineusers == 1) {
                $showusers = 1;
            }
        }
    }
    if (!get_config('showonlineuserssideblock') || $showusers == 0) {
        return null;
    }

    $maxonlineusers = get_config('onlineuserssideblockmaxusers');
    switch ($showusers) {
        case 1: // show institution only
            $sql = 'SELECT DISTINCT u.* FROM {usr} u JOIN {usr_institution} i ON u.id = i.usr
                WHERE i.institution IN ('.join(',', array_map('db_quote', array_keys($institutions))).')
                AND lastaccess > ? AND deleted = 0 ORDER BY lastaccess DESC';
            break;
        case 2: // show all
            $sql = 'SELECT * FROM {usr} WHERE lastaccess > ? AND deleted = 0 ORDER BY lastaccess DESC';
            break;
    }

    $onlineusers = get_records_sql_array($sql, array(db_format_timestamp(time() - get_config('accessidletimeout'))), 0, $maxonlineusers);
    if ($onlineusers) {
        foreach ($onlineusers as &$user) {
            $user->profileiconurl = profile_icon_url($user, 20, 20);
    $results = get_onlineusers($maxonlineusers, 0, 'lastaccess DESC');

            // If the user is an MNET user, show where they've come from
            $authobj = AuthFactory::create($user->authinstance);
            if ($authobj->authname == 'xmlrpc') {
                $peer = get_peer($authobj->wwwroot);
                $user->loggedinfrom = $peer->name;
            }
        }
    }
    else {
        $onlineusers = array();
    if ($results['showusers'] == 0 || empty($results['count'])) {
        return null;
    }
    $onlineusers = $results['onlineusers'];

    $sideblock = array(
        'name'   => 'onlineusers',
@@ -5714,6 +5673,8 @@ function is_isolated() {
        set_config('usersallowedmultipleinstitutions', false);
        set_config('requireregistrationconfirm', true);
        set_config('isolatedinstitutionset', true); // set this in Db so we only do this check/update once
        // Set the institution 'showonlineusers' to institution only if currently all
        execute_sql('UPDATE {institution} SET showonlineusers = ? WHERE showonlineusers = ?', array(1, 2));
    }
    else if ((isset($CFG->isolatedinstitutions) && !$CFG->isolatedinstitutions) && get_field('config', 'value', 'field', 'isolatedinstitutionset')) {
        // Setting $cfg->isolatedinstitutions to false
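Review bot: The rewritten body of onlineusers_sideblock() drops the per-user decoration the removed loop performed — `profileiconurl` via profile_icon_url() and `loggedinfrom` for xmlrpc-authenticated users — and nothing visible in `$results['onlineusers']` restores it, so unless get_onlineusers() sets those fields the sideblock template loses avatars and the MNET origin; please confirm against get_onlineusers() before merging. The new early return also uses a loose comparison, `if ($results['showusers'] == 0 || empty($results['count']))`; `showusers` is an integer mode selected by a switch in get_onlineusers(), so `=== 0` is the safer form. onlineusers_sideblock() continues past the end of the first hunk.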
+16 −4
@@ -3103,8 +3103,14 @@ function get_onlineusers($limit=10, $offset=0, $orderby='firstname,lastname') {
            }
        }
    }
    else if (!$USER->get('admin')) {
        $showusers = get_field('institution', 'showonlineusers', 'name', 'mahara');
        if ((int)$showusers === 1) {
            $showusers = 3;
        }
    }

    $result = array('count' => 0, 'limit' => $limit, 'offset' => $offset, 'data' => false);
    $result = array('count' => 0, 'limit' => $limit, 'offset' => $offset, 'data' => false, 'showusers' => $showusers);
    switch ($showusers) {
        case 0: // show none
            return $result;
@@ -3112,12 +3118,17 @@ function get_onlineusers($limit=10, $offset=0, $orderby='firstname,lastname') {
            $sql = "SELECT DISTINCT u.* FROM {usr} u JOIN {usr_institution} i ON id = i.usr
                WHERE deleted = 0 AND lastaccess > ? AND i.institution IN (" . join(',',array_map('db_quote', array_keys($institutions))) . ")
                ORDER BY $orderby";
            $countsql = 'SELECT count(DISTINCT id) FROM {usr} JOIN {usr_institution} i ON id = i.usr
            $countsql = 'SELECT COUNT(DISTINCT id) FROM {usr} JOIN {usr_institution} i ON id = i.usr
                WHERE deleted = 0 AND lastaccess > ? AND i.institution IN (' . join(',',array_map('db_quote', array_keys($institutions))) . ')';
            break;
        case 2: // show all
            $sql = "SELECT * FROM {usr} WHERE deleted = 0 AND lastaccess > ? ORDER BY $orderby";
            $countsql = 'SELECT count(id) FROM {usr} WHERE deleted = 0 AND lastaccess > ?';
            $countsql = 'SELECT COUNT(id) FROM {usr} WHERE deleted = 0 AND lastaccess > ?';
            break;
        case 3: // Show all only from no institution
            $sql = "SELECT DISTINCT u.* FROM {usr} u WHERE deleted = 0 AND lastaccess > ? AND u.id NOT IN (SELECT DISTINCT usr FROM {usr_institution})
                ORDER BY $orderby";
            $countsql = 'SELECT COUNT(DISTINCT id) FROM {usr} u WHERE deleted = 0 AND lastaccess > ? AND u.id NOT IN (SELECT DISTINCT usr FROM {usr_institution})';
            break;
    }

@@ -3142,7 +3153,8 @@ function get_onlineusers($limit=10, $offset=0, $orderby='firstname,lastname') {
    else {
        $onlineusers = array();
    }
    $result['data'] = array_map(function($a) { return $a->id; }, $onlineusers);
    $result['onlineusers'] = $onlineusers; // return a list of user objects
    $result['data'] = array_map(function($a) { return $a->id; }, $onlineusers); // return a list of user id numbers

    return $result;
}
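Review bot: The new `case 3` query keeps `SELECT DISTINCT u.*` although it joins no other table, so the DISTINCT only adds a de-duplication pass over every column; `SELECT u.* FROM {usr} u WHERE deleted = 0 AND lastaccess > ? AND u.id NOT IN (...)` returns the same rows. Like the existing cases it splices `$orderby` straight into the SQL; the callers in this commit pass literals (`'lastaccess DESC'` from the sideblock, the default `'firstname,lastname'`), and a comment on the parameter stating that it must stay a code-supplied literal would make that contract visible. The result array now carries two new keys, `showusers` (the selected 0–3 mode) and `onlineusers` (user objects, alongside the `data` id list); the function's docblock, which lies outside the hunk, should document both. get_onlineusers() starts before the first hunk.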
+1 −1
@@ -148,7 +148,7 @@ class PluginSearchInternal extends PluginSearch {
        }

        // For regular members of 'No Institution', if 'isolatedinstitutions' feature is set
        $is_admin = $USER->get('admin') || $USER->get('staff');
        $is_admin = $USER->get('admin');
        if (is_isolated() && !$USER->get('institutions') && !$is_admin) {
            $where .= '
                AND (u.id NOT IN (
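Review bot: The comment above the changed line still says "regular members", but after `$is_admin = $USER->get('admin');` site staff in 'No Institution' fall under the restriction too, so the comment no longer describes the condition; suggest `// For members of 'No Institution' other than site admins (staff included), if 'isolatedinstitutions' is set`. The name `$is_admin` is now accurate for what it holds, so no rename is needed. The enclosing method starts and ends outside the hunk.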
+1 −1
@@ -28,7 +28,7 @@ else if (param_variable('addfriend_submit', null)) {

$query = param_variable('query', '');
$offset = param_integer('offset', 0);
$filter = param_alpha('filter', $USER->get('admin') ? 'all' : 'myinstitutions');
$filter = param_alpha('filter', (!$USER->get('admin') && !$USER->get('staff') && $USER->get('institutions')) ? 'myinstitutions' : 'all');
$limit  = 10;

$is_admin = $USER->get('admin') || $USER->get('staff');
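Review bot: The default filter now treats staff like regular users, but the line just below it, `$is_admin = $USER->get('admin') || $USER->get('staff');`, still groups staff with admins; if that variable gates which filter values are accepted or offered further down (not visible here), the new expression only changes the initial choice and a staff member in no institution can still request `all` explicitly. Aligning it with PluginSearchInternal's `$is_admin = $USER->get('admin');` from this same commit would keep the two call sites in step. The script continues past the hunk.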