Added ability to uninvite a user from a particular role where allowed, and api function (/user/uninvite)

Added function user_list_modifiable, which returns a list of user info that the current user is allowed to modify (users.inc.php)
Added api for calling user_list_modifiable (/user/list)
This commit is contained in:
jacob 2010-12-01 19:40:45 +00:00
parent 39f53e4168
commit 6b94ef5c76
5 changed files with 244 additions and 92 deletions


@ -143,7 +143,7 @@ function account_create($username,$password=NULL)
$us = mysql_real_escape_string($username);
$q = mysql_query("SELECT * FROM accounts WHERE username='$us'");
if(mysql_num_rows($q)) {
return i18n("The username \"%1\" is already in use", array($username));
return i18n("The username %1 is already in use", array($username));
}
//if the password is set, make sure its valid, if its null, thats OK, it'll get generated and set by account_set_password

50
api.php

@ -594,6 +594,7 @@ switch($request[0]) {
break;
/* APIDOC: user/invite
description(invites a user to play a particular role in the conference, creating an account for them, and giving them the specifed role)
post(username varchar(64), password varchar(64), email varchar(64), roles_id integer)
@ -621,7 +622,56 @@ switch($request[0]) {
$ret['error'] = $newUser;
}
}
break;
/* APIDOC: user/uninvite
description(uninvite a user from a particular role in the conference, removing only the role, not the user)
post(users_id integer, roles_id integer)
return(user array)
*/
case 'uninvite':
if(!array_key_exists('users_id', $_POST)){
$ret['status'] = 'error';
$ret['error'] = 'parameter users_id required';
break;
}
if(!array_key_exists('roles_id', $_POST)){
$ret['status'] = 'error';
$ret['error'] = 'parameter roles_id required';
break;
}
$result = user_uninvite($_POST['users_id'], $_POST['roles_id']);
if(is_array($result)){
$ret['status'] = 'ok';
$ret['user'] = $result;
}else{
$ret['status'] = 'error';
$ret['error'] = $result;
}
break;
/* APIDOC: user/list
description(list users of the specified role in this conference that the current user has permission to view/modify)
post(roles_id integer)
return(list array)
*/
case 'list':
if(!array_key_exists('roles_id', $_POST)){
$ret['status'] = 'error';
$ret['error'] = 'parameter roles_id required';
}else{
$result = user_list_modifiable($_POST['roles_id']);
if(is_array($result)){
$ret['status'] = 'ok';
$ret['list'] = $result;
}else{
$ret['status'] = 'error';
$ret['error'] = $result;
}
}
break;
}
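Review bot: The `list` case reports `status = 'ok'` with an empty list when the caller is not allowed to see the role, because user_list_modifiable returns `array()` on a failed user_has_authority check rather than an error string, so an API client cannot tell "forbidden" from "no users"; either have the helper return a message for that branch or check authority here before calling it, e.g. `$ret['error'] = 'You can not view users of this role';`. Both new cases pass `$_POST['users_id']` and `$_POST['roles_id']` through untouched and rely on the callees' is_numeric guards, which is acceptable only as long as those callees also normalise the values before building SQL (see the users.inc.php hunk). user_uninvite authorises purely on `$_SESSION['users_id']`, so this state-changing POST is accepted from any origin that carries the session cookie unless a request token is checked somewhere outside this diff; worth confirming. The enclosing `switch($request[0])` starts before the hunk.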


@ -13,46 +13,13 @@ if(array_key_exists('action', $_POST)){
$schoolId = $u['schools_id'];
if($_POST['firstname'] && $_POST['lastname'] && $_POST['email'] && $_POST['password'] && $_POST['grade']){
// first we create the account
$account = account_create($_POST['email'], $_POST['password']);
if(!is_array($account)){
echo error(i18n("Error creating account: %1", array($account)));
break;
$newUser = user_invite($_POST['email'], $_POST['password'], $_POST['email'], $roles['participant']['id']);
if(is_array($newUser)){
happy_(i18n("The participant has been successfully invited"));
}else{
// ok, let's add their e-mail address as well
$account['email'] = $_POST['email'];
error_($newUser);
}
// now the user
$user = user_create($account['id'], $conference['id']);
if(!is_array($user)){
echo i18n("Error creating user");
break;
}
// now give them a student role
$result = user_add_role($user, 'participant');
if($result != 'ok'){
echo i18n("Error adding 'participant' role: %1", array($result));
break;
}
// and populate their user data
$user['grade'] = $_POST['grade'];
$user['schools_id'] = $schoolId;
$user['firstname'] = $_POST['firstname'];
$user['lastname'] = $_POST['lastname'];
// $user['email'] = $_POST['email'];
$message = user_save($user);
if($message != 'ok'){
echo error(i18n("Error saving user: %1", array($message)));
break;
}
// we have saved the user successfully
happy_(i18n("The participant has been successfully invited"));
}else{
error_(i18n("All fields are required for invitations"));
}
@ -305,29 +272,9 @@ function draw_invitation_form($school){
echo "</div>";
}
function getStudents($schoolId){
$result = array();
$query = mysql_query("
SELECT users.id, users.firstname, users.lastname, accounts.username, users.grade
FROM users
JOIN accounts ON users.accounts_id = accounts.id
WHERE users.id IN (
SELECT users_id FROM user_roles
JOIN roles ON roles.id = user_roles.roles_id
WHERE roles.`type` = 'participant'
)
AND schools_id = {$schoolId}
");
while($row = mysql_fetch_assoc($query)){
$result[] = $row;
}
return $result;
}
function draw_student_list($schoolId){
global $config;
$studentList = getStudents($schoolId);
global $config, $roles;
$studentList = user_list_modifiable($roles['participant']['id']);
if(count($studentList) > 0){
echo "<table class=\"summarytable\">";
echo "<tr><th>".i18n("Last Name")."</th><th>".i18n("First Name")."</th>";
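Review bot: The invite path now calls `user_invite($_POST['email'], $_POST['password'], $_POST['email'], $roles['participant']['id'])`, whose signature takes only username, password, email and role, so the firstname, lastname and grade that the surrounding condition still requires are no longer stored anywhere (the removed branch wrote them via user_save). Either persist them after a successful invite, `$newUser['firstname'] = $_POST['firstname']; $newUser['lastname'] = $_POST['lastname']; $newUser['grade'] = $_POST['grade']; user_save($newUser);`, or drop them from the form and the guard so the requirement is not misleading. The enclosing `if(array_key_exists('action', $_POST))` block begins before the hunk, so a line outside it may handle this; if not, it is a data-loss regression. In the second hunk draw_student_list passes user_list_modifiable's result straight to count(), but that helper returns an error string for an invalid role id, which count() would treat as one element; guard with `if(is_array($studentList) && count($studentList) > 0)`.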


@ -91,7 +91,7 @@ Date List
</form>
<h2>Account Settings</h2>
<strong>Edit account information</strong>
<strong>Edit account information</strong><br/>
Username: <input type="text" id="username"></input><br/>
Password: <input type="text" id="password"></input><br/>
email: <input type="text" id="email"></input><br/>
@ -119,7 +119,14 @@ Link username to email? <input type="radio" name="link_username_to_email" value=
<h2>User Stuff</h2>
<a href="api/user/view/">View the user</a><br/>
Invite a user:<br/>
<br/><strong>List users of a specific role that I'm allowed to modify</strong><br/>
<form method="post" action="api/user/list">
role id: <input type="text" name="roles_id"></input><br/>
<input type="submit" value="Get List"></input>
</form>
<br/><strong>Invite a user:</strong><br/>
<form method="post" action="api/user/invite">
username: <input type="text" name="username"></input><br/>
password: <input type="text" name="password"></input><br/>
@ -128,6 +135,13 @@ role id: <input type="text" name="roles_id"></input><br/>
<input type="submit" value="Invite User"></input>
</form>
<br/><strong>Uninvite a user:</strong><br/>
<form method="post" action="api/user/uninvite">
user id: <input type="text" name="users_id"></input><br/>
role id: <input type="text" name="roles_id"></input><br/>
<input type="submit" value="Uninvite User"></input>
</form>
<h2>Event Schedule</h2>
<a href="api/schedule/list">Schedule Listing</a><br/>


@ -42,7 +42,7 @@ function user_load($users_id, $accounts_id = false)
//hand-code the list here because we dont want all the old stuff that hasnt been removed yet like username/password access_*, etc.
if($accounts_id != false) {
$accounts_id = intval($accounts_id);
$users_id = mysql_result(mysql_query("SELECT users.id FROM users WHERE accounts_id = $accounts_id LIMIT 1", 0));
$users_id = mysql_result(mysql_query("SELECT users.id FROM users WHERE accounts_id = $accounts_id LIMIT 1"), 0);
} else {
$users_id = intval($users_id);
}
@ -1463,9 +1463,7 @@ function user_conference_load($accounts_id,$conferences_id) {
function user_invite($username, $password, $email, $roles_id){
global $roles, $conference;
$u = user_load($_SESSION['users_id']);
$ok = false;
$returnval = null;
$schoolId = null;
$roletype = null;
foreach($roles as $t => $r){
@ -1486,48 +1484,67 @@ function user_invite($username, $password, $email, $roles_id){
if(array_key_exists('admin', $u['roles'])){
// This is an administrative user; they can invite people to any role they want.
$ok = true;
$myRole = 'admin';
}else if(array_key_exists('teacher', $u['roles'])){
// This is a teacher; they can add students.
// make sure this teacher is tied to a school
if(array_key_exists('schools_id', $u) && $u['schools_id'] > 0){
if($roletype == 'participant'){
$ok = true;
$schoolId = $u['schools_id'];
}else{
$returnval = 'You do not have permission to invite this role';
}
}else{
$myRole = 'teacher';
if(!(array_key_exists('schools_id', $u) && $u['schools_id'] > 0)){
$returnval = 'You must be associated with a school to add participants';
}else if($roletype != 'participant'){
$returnval = 'You do not have permission to invite this role';
}
}else{
$returnval = 'You do not have a role with permission to invite users';
}
if($returnval == null){
// all fields have been passed in, let's go ahead and create the account/user/role
$newAccount = account_create($username, $password);
if(!is_array($newAccount)){
$returnval = $newAccount;
}
}
if($returnval == null){
$newUser = user_create($newAccount['id'], $conference['id']);
if(!is_array($newUser)){
$returnval = 'Error creating user';
}else if($schoolId !== null){
// schoolId is only defined if this is a teacher inviting a student
$newUser['schools_id'] = $schoolId;
user_save($newUser);
// good so far, let's see if the account already exists
$q = mysql_query("SELECT id FROM accounts WHERE username = '" . mysql_real_escape_string($username) . "'");
$row = mysql_fetch_assoc($q);
if(is_array($row)){
// This username is already in use. Let's see if this is a user that
// the current one can modify
$newUser = user_load(null, $row['id']);
if(!is_array($newUser)){
$returnval = 'Unable to load user';
}else{
// check for role-specific limitations on who can edit who
// we need to query the data manually, as the user_load function only
// returns user data relative to their current roles, not the one we want to add
if($myRole == 'teacher'){
// we already know that this is a teacher inviting a student
$testquery = mysql_fetch_assoc(mysql_query("SELECT schools_id FROM users WHERE id = {$newUser['id']}"));
if(!(is_array($testquery) && $testquery['schools_id'] == $u['schools_id'])){
$returnval = 'This user is not a member of your school';
}
}
}
}else{
// ok, this is a new user name, so we'll need to create everything
$newAccount = account_create($username, $password);
if(is_array($newAccount)){
// created the account successfully, now do the user
$newUser = user_create($newAccount['id'], $conference['id']);
if(!is_array($newUser)){
$returnval = 'Error creating user';
}else{
if($roletype == 'participant'){
$newUser['schools_id'] = $u['schools_id'];
user_save($newUser);
}
}
}else{
$returnval = $newAccount; // it's an error message
}
}
}
if($returnval == null){
// if we've gotten this far, then either the user was created successfully, or they've
// been loaded and our permission to modify them has been confirmed; we can add the role.
$result = user_add_role($newUser, $roletype);
if($result == 'ok'){
// if we made it here, then it all worked nicely
$returnval = user_load($newUser['id']);
}else{
$returnval = "Error adding '$roletype' role: $result";
@ -1538,4 +1555,128 @@ function user_invite($username, $password, $email, $roles_id){
}
// uninvite the user with the specified user id.
// Returns the user object on success, error message otherwise
function user_uninvite($uid, $roles_id){
global $roles, $conference;
// idiot proofing
if(!is_numeric($uid)) return "Invalid user id";
if(!is_numeric($roles_id)) return "Invalid role id";
$u = user_load($_SESSION['users_id']);
$returnval = null;
$roletype = null;
foreach($roles as $t => $r){
if($r['id'] == $roles_id){
$roletype = $t;
break;
}
}
if($roletype === null){
$returnval = 'Invalid roles_id parameter';
}else if(!user_has_authority($u, $roletype)){
$returnval = 'You can not modify users of ' . $roletype . ' role';
}
if($returnval == null){
$user = user_load($uid);
if($user == false){
$returnval = 'Could not load specified user';
}
}
if($returnval == null){
if($user['schools_id'] != $u['schools_id']){
$returnval = 'You can not uninvite students form other schools';
}
}
if($returnval == null){
// ok, looks like all of the data checks out. Let's remove this user's role
mysql_query("DELETE FROM user_roles WHERE users_id = $uid AND roles_id = $roles_id");
$returnval = mysql_error();
}
if($returnval == null) $returnval = user_load($uid);
return $returnval;
}
// returns an array of users of the specified role that the currently logged in user has permission to modify
function user_list_modifiable($roles_id){
global $roles;
$returnval = null;
$u = user_load($_SESSION['users_id']);
// idiot proofing
if(!is_numeric($roles_id)) return "Invalid role id";
$roletype = null;
foreach($roles as $t => $r){
if($r['id'] == $roles_id){
$roletype = $t;
break;
}
}
if($roletype === null){
$returnval = 'Invalid roles_id parameter';
}else if(!user_has_authority($u, $roletype)){
$returnval = array();
}
if($returnval == null){
$returnval = array();
// ok, if we've gotten here, then they have the necessary permissions and such. Let's
// go ahead and generate some data
// first we'll assemble our WHERE conditions
$conditions = array();
$conditions[] = "users.conferences_id = " . $u['conferences_id'];
$conditions[] = "user_roles.roles_id = " . $roles_id;
if(array_key_exists('admin', $u['roles'])){
// all is allowed
}else if(array_key_exists('teacher', $u['roles'])){
$conditions[] = 'schools_id = ' . $u['schools_id'];
}
$role_fields = 'users.' . implode(', users.', user_get_role_fields($roletype));
$query = "SELECT users.firstname, users.lastname, accounts.username, $role_fields FROM users";
$query .= " JOIN accounts ON users.accounts_id = accounts.id";
$query .= " JOIN user_roles ON user_roles.users_id = users.id";
$query .= " WHERE (" . implode(') AND (', $conditions) . ")";
$query .= " ORDER BY users.id";
$q = mysql_query($query);
while($row = mysql_fetch_assoc($q)){
$returnval[] = $row;
}
}
return $returnval;
}
// determine whethor or not the user $u has the authority to modify users with the specified role
function user_has_authority($u, $role){
// find out if this user has the necessary permission to modify another one
$returnval = false;
if(is_array($u['roles'])){
if(array_key_exists('admin', $u['roles'])){
// This is an administrative user; they can modify people of any role they want.
$returnval = true;
}else if(array_key_exists('teacher', $u['roles'])){
if(array_key_exists('schools_id', $u) && $u['schools_id'] > 0){
if($role == 'participant'){
$returnval = true;
}
}
}
}
return $returnval;
}
?>
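Review bot: In user_uninvite the school comparison `if($user['schools_id'] != $u['schools_id'])` runs for every caller, including admins, whom user_has_authority has just granted authority over any role; an admin whose own record has a different or missing schools_id is refused with 'You can not uninvite students form other schools' (also a typo for "from"). Restrict that check to the teacher case, e.g. `if(!array_key_exists('admin', $u['roles']) && $user['schools_id'] != $u['schools_id'])`. Separately, `$uid` and `$roles_id` are interpolated into the DELETE exactly as received: is_numeric accepts exponent notation, leading whitespace and, on older PHP, hex, so the literal SQL evaluates can differ from the value that was validated; `$uid = intval($uid); $roles_id = intval($roles_id);` immediately after the two guards fixes this, and the same cast belongs on `$roles_id` before it is concatenated into user_list_modifiable's conditions. In user_invite the participant branch now copies `$u['schools_id']` for any inviter, whereas the old code set schoolId only for teachers, so an admin invite would presumably write the admin's (possibly absent) school onto the new user; worth confirming that is intended.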