diff --git a/account.inc.php b/account.inc.php
index eb9eeae..f8fc2da 100644
--- a/account.inc.php
+++ b/account.inc.php
@@ -143,7 +143,7 @@ function account_create($username,$password=NULL)
 $us = mysql_real_escape_string($username);
 $q = mysql_query("SELECT * FROM accounts WHERE username='$us'");
 if(mysql_num_rows($q)) {
- return i18n("The username \"%1\" is already in use", array($username));
+ return i18n("The username %1 is already in use", array($username));
 }
 //if the password is set, make sure its valid, if its null, thats OK, it'll get generated and set by account_set_password
diff --git a/api.php b/api.php
index 46038bc..eff0525 100644
--- a/api.php
+++ b/api.php
@@ -594,6 +594,7 @@ switch($request[0]) {
 break;
+
 /* APIDOC: user/invite
 description(invites a user to play a particular role in the conference, creating an account for them, and giving them the specifed role)
 post(username varchar(64), password varchar(64), email varchar(64), roles_id integer) 
@@ -621,7 +622,56 @@ switch($request[0]) {
 $ret['error'] = $newUser;
 }
 }
+ break;
+ /* APIDOC: user/uninvite
+ description(uninvite a user from a particular role in the conference, removing only the role, not the user)
+ post(users_id integer, roles_id integer)
+ return(user array)
+ */
+ case 'uninvite':
+ if(!array_key_exists('users_id', $_POST)){
+ $ret['status'] = 'error';
+ $ret['error'] = 'parameter users_id required';
+ break;
+ }
+
+ if(!array_key_exists('roles_id', $_POST)){
+ $ret['status'] = 'error';
+ $ret['error'] = 'parameter roles_id required';
+ break;
+ }
+
+ $result = user_uninvite($_POST['users_id'], $_POST['roles_id']);
+
+ if(is_array($result)){
+ $ret['status'] = 'ok';
+ $ret['user'] = $result;
+ }else{
+ $ret['status'] = 'error';
+ $ret['error'] = $result;
+ }
+ break;
+
+ /* APIDOC: user/list
+ description(list users of the specified role in this conference that the current user has permission to view/modify)
+ post(roles_id integer)
+ return(list array)
+ */
+ case 'list':
+ if(!array_key_exists('roles_id', $_POST)){
+ $ret['status'] = 'error';
+ $ret['error'] = 'parameter roles_id required';
+ }else{
+ $result = user_list_modifiable($_POST['roles_id']);
+ if(is_array($result)){
+ $ret['status'] = 'ok';
+ $ret['list'] = $result;
+ }else{
+ $ret['status'] = 'error';
+ $ret['error'] = $result;
+ }
+ }
 break;
 }
diff --git a/invitestudents.php b/invitestudents.php
index 976cbc9..c752c5e 100644
--- a/invitestudents.php
+++ b/invitestudents.php 
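Review bot: Both new cases hand `$_POST['users_id']` and `$_POST['roles_id']` to the user.inc.php helpers as raw strings; the callees only gate on `is_numeric()` before interpolating the values into SQL, and `is_numeric()` also accepts exponent and whitespace forms that are not the integer ids the APIDOC declares. Casting at the API boundary, `$result = user_uninvite(intval($_POST['users_id']), intval($_POST['roles_id']));` and likewise `user_list_modifiable(intval($_POST['roles_id']))`, matches how `user_load` already treats ids and keeps the helpers' SQL integer-only. The two cases also differ in shape — `uninvite` breaks early on a missing parameter while `list` nests the work in an else — and picking one form would make the switch easier to scan. The enclosing `switch($request[0])` starts and ends outside the hunk.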
@@ -13,46 +13,13 @@ if(array_key_exists('action', $_POST)){
 $schoolId = $u['schools_id'];
 if($_POST['firstname'] && $_POST['lastname'] && $_POST['email'] && $_POST['password'] && $_POST['grade']){
- // first we create the account
- $account = account_create($_POST['email'], $_POST['password']);
- if(!is_array($account)){
- echo error(i18n("Error creating account: %1", array($account)));
- break;
+ $newUser = user_invite($_POST['email'], $_POST['password'], $_POST['email'], $roles['participant']['id']);
+ if(is_array($newUser)){
+ happy_(i18n("The participant has been successfully invited"));
 }else{
- // ok, let's add their e-mail address as well
- $account['email'] = $_POST['email'];
+ error_($newUser);
 }
- // now the user
- $user = user_create($account['id'], $conference['id']);
- if(!is_array($user)){
- echo i18n("Error creating user");
- break;
- }
-
- // now give them a student role
- $result = user_add_role($user, 'participant');
- if($result != 'ok'){
- echo i18n("Error adding 'participant' role: %1", array($result));
- break;
- }
-
- // and populate their user data
- $user['grade'] = $_POST['grade'];
- $user['schools_id'] = $schoolId;
- $user['firstname'] = $_POST['firstname'];
- $user['lastname'] = $_POST['lastname'];
-// $user['email'] = $_POST['email'];
- $message = user_save($user);
- if($message != 'ok'){
- echo error(i18n("Error saving user: %1", array($message)));
- break;
- }
-
-
- // we have saved the user successfully
- happy_(i18n("The participant has been successfully invited"));
- }else{
 error_(i18n("All fields are required for invitations"));
 } 
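Review bot: The new call drops the `firstname`, `lastname` and `grade` values that the removed lines stored on the user: the surrounding `if` still requires `$_POST['firstname']`, `$_POST['lastname']` and `$_POST['grade']` to be present, but `user_invite($_POST['email'], $_POST['password'], $_POST['email'], $roles['participant']['id'])` receives none of them, so the participant is invited with no name or grade unless the form now collects those elsewhere. The context line `$schoolId = $u['schools_id'];` is also left unused, since `user_invite` derives the school from the session user itself. If those fields are meant to be kept, the returned `$newUser` array needs them assigned and passed to `user_save()` before `happy_()`, as the old path did. The enclosing `if(array_key_exists('action', $_POST))` block begins and ends outside the hunk.
```php
$newUser = user_invite($_POST['email'], $_POST['password'], $_POST['email'], $roles['participant']['id']);
if(is_array($newUser)){
    // keep the profile fields the form still requires
    $newUser['firstname'] = $_POST['firstname'];
    $newUser['lastname'] = $_POST['lastname'];
    $newUser['grade'] = $_POST['grade'];
    $message = user_save($newUser);
    if($message != 'ok'){
        error_(i18n("Error saving user: %1", array($message)));
    }else{
        happy_(i18n("The participant has been successfully invited"));
    }
}else{
    error_($newUser);
}
// … unchanged: "All fields are required" branch …
```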
@@ -305,29 +272,9 @@ function draw_invitation_form($school){
 echo "";
 }
-function getStudents($schoolId){
- $result = array();
- $query = mysql_query("
- SELECT users.id, users.firstname, users.lastname, accounts.username, users.grade
- FROM users
- JOIN accounts ON users.accounts_id = accounts.id
- WHERE users.id IN (
- SELECT users_id FROM user_roles
- JOIN roles ON roles.id = user_roles.roles_id
- WHERE roles.`type` = 'participant'
- )
- AND schools_id = {$schoolId}
- ");
-
- while($row = mysql_fetch_assoc($query)){
- $result[] = $row;
- }
- return $result;
-}
-
 function draw_student_list($schoolId){
- global $config;
- $studentList = getStudents($schoolId);
+ global $config, $roles;
+ $studentList = user_list_modifiable($roles['participant']['id']);
 if(count($studentList) > 0){
 echo "";
 echo "";
diff --git a/testapi.php b/testapi.php
index 50fa25f..65e025c 100644
--- a/testapi.php
+++ b/testapi.php
@@ -91,7 +91,7 @@ Date List
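Review bot: `draw_student_list($schoolId)` now ignores its `$schoolId` parameter — `user_list_modifiable($roles['participant']['id'])` scopes the list to the session user's own school (or to every school for an admin) inside user.inc.php — so a caller that passes a different school gets the caller's list rather than the one it asked for; either drop the parameter or document it, e.g. `// $schoolId is unused: the list is scoped to the logged-in user's school by user_list_modifiable()`. The removed `getStudents()` also selected `users.id` and `users.grade`, whereas the replacement selects firstname, lastname, username plus whatever `user_get_role_fields('participant')` yields, so if the table rendering below reads `$row['id']` or `$row['grade']` it now depends on that field list, which is not visible here. The rest of `draw_student_list` runs past the end of the hunk.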

Account Settings

-Edit account information
+Edit account information
Username:
Password:
email:
@@ -119,7 +119,14 @@ Link username to email? User StuffView the user
-Invite a user:
+ +
List users of a specific role that I'm allowed to modify
+ +role id:
+ + + +
Invite a user:
username:
password:
@@ -128,6 +135,13 @@ role id:
+
Uninvite a user:
+ +user id:
+role id:
+ + +

Event Schedule

Schedule Listing
diff --git a/user.inc.php b/user.inc.php
index 58baf1a..3f76717 100644
--- a/user.inc.php
+++ b/user.inc.php
@@ -42,7 +42,7 @@ function user_load($users_id, $accounts_id = false)
 //hand-code the list here because we dont want all the old stuff that hasnt been removed yet like username/password access_*, etc.
 if($accounts_id != false) {
 $accounts_id = intval($accounts_id);
- $users_id = mysql_result(mysql_query("SELECT users.id FROM users WHERE accounts_id = $accounts_id LIMIT 1", 0));
+ $users_id = mysql_result(mysql_query("SELECT users.id FROM users WHERE accounts_id = $accounts_id LIMIT 1"), 0);
 } else {
 $users_id = intval($users_id);
 }
@@ -1463,9 +1463,7 @@ function user_conference_load($accounts_id,$conferences_id) {
 function user_invite($username, $password, $email, $roles_id){
 global $roles, $conference;
 $u = user_load($_SESSION['users_id']);
- $ok = false;
 $returnval = null;
- $schoolId = null;
 $roletype = null;
 foreach($roles as $t => $r){ 
@@ -1486,48 +1484,67 @@ function user_invite($username, $password, $email, $roles_id){
 if(array_key_exists('admin', $u['roles'])){
 // This is an administrative user; they can invite people to any role they want.
- $ok = true;
+ $myRole = 'admin';
 }else if(array_key_exists('teacher', $u['roles'])){
 // This is a teacher; they can add students.
-
- // make sure this teacher is tied to a school
- if(array_key_exists('schools_id', $u) && $u['schools_id'] > 0){
- if($roletype == 'participant'){
- $ok = true;
- $schoolId = $u['schools_id'];
- }else{
- $returnval = 'You do not have permission to invite this role';
- }
- }else{
+ $myRole = 'teacher';
+ if(!(array_key_exists('schools_id', $u) && $u['schools_id'] > 0)){
 $returnval = 'You must be associated with a school to add participants';
+ }else if($roletype != 'participant'){
+ $returnval = 'You do not have permission to invite this role';
 }
 }else{
 $returnval = 'You do not have a role with permission to invite users';
 }
 if($returnval == null){
- // all fields have been passed in, let's go ahead and create the account/user/role
- $newAccount = account_create($username, $password);
- if(!is_array($newAccount)){
- $returnval = $newAccount;
- }
- }
-
- if($returnval == null){
- $newUser = user_create($newAccount['id'], $conference['id']);
- if(!is_array($newUser)){
- $returnval = 'Error creating user';
- }else if($schoolId !== null){
- // schoolId is only defined if this is a teacher inviting a student
- $newUser['schools_id'] = $schoolId;
- user_save($newUser);
+ // good so far, let's see if the account already exists
+ $q = mysql_query("SELECT id FROM accounts WHERE username = '" . mysql_real_escape_string($username) . "'");
+ $row = mysql_fetch_assoc($q);
+ if(is_array($row)){
+ // This username is already in use. 
Let's see if this is a user that
+ // the current one can modify
+ $newUser = user_load(null, $row['id']);
+ if(!is_array($newUser)){
+ $returnval = 'Unable to load user';
+ }else{
+ // check for role-specific limitations on who can edit who
+ // we need to query the data manually, as the user_load function only
+ // returns user data relative to their current roles, not the one we want to add
+
+ if($myRole == 'teacher'){
+ // we already know that this is a teacher inviting a student
+ $testquery = mysql_fetch_assoc(mysql_query("SELECT schools_id FROM users WHERE id = {$newUser['id']}"));
+ if(!(is_array($testquery) && $testquery['schools_id'] == $u['schools_id'])){
+ $returnval = 'This user is not a member of your school';
+ }
+ }
+ }
+ }else{
+ // ok, this is a new user name, so we'll need to create everything
+ $newAccount = account_create($username, $password);
+ if(is_array($newAccount)){
+ // created the account successfully, now do the user
+ $newUser = user_create($newAccount['id'], $conference['id']);
+ if(!is_array($newUser)){
+ $returnval = 'Error creating user';
+ }else{
+ if($roletype == 'participant'){
+ $newUser['schools_id'] = $u['schools_id'];
+ user_save($newUser);
+ }
+ }
+ }else{
+ $returnval = $newAccount; // it's an error message
+ }
 }
 }
 if($returnval == null){
+ // if we've gotten this far, then either the user was created successfully, or they've
+ // been loaded and our permission to modify them has been confirmed; we can add the role.
 $result = user_add_role($newUser, $roletype);
 if($result == 'ok'){
- // if we made it here, then it all worked nicely
 $returnval = user_load($newUser['id']);
 }else{
 $returnval = "Error adding '$roletype' role: $result"; 
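Review bot: In the new-account branch, `$newUser['schools_id'] = $u['schools_id'];` runs for every participant invite, including ones made by an admin, yet only the teacher branch verified that `$u` carries a `schools_id` at all; an admin record without one would write an empty value (with an undefined-index notice) into the new user, so the assignment should be conditioned on `$myRole == 'teacher'`, which is what the removed `$schoolId !== null` guard effectively did. In the existing-account branch, `user_load(null, $row['id'])` resolves the user through `users.accounts_id ... LIMIT 1`; if one account can own a users row per conference (user_list_modifiable filters on `users.conferences_id`), the row picked is not necessarily the one for `$conference['id']`, and both the role grant and the teacher's school comparison would then apply to another conference's user — worth confirming and, if so, constraining the lookup by conference. The `if($returnval == null)` tests rely on loose comparison; they hold for the non-empty error strings assigned here, but `=== null` states the intent. user_invite continues past the end of this hunk.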
@@ -1538,4 +1555,128 @@ function user_invite($username, $password, $email, $roles_id){
 }
+// uninvite the user with the specified user id.
+// Returns the user object on success, error message otherwise
+function user_uninvite($uid, $roles_id){
+ global $roles, $conference;
+
+ // idiot proofing
+ if(!is_numeric($uid)) return "Invalid user id";
+ if(!is_numeric($roles_id)) return "Invalid role id";
+
+ $u = user_load($_SESSION['users_id']);
+ $returnval = null;
+
+ $roletype = null;
+ foreach($roles as $t => $r){
+ if($r['id'] == $roles_id){
+ $roletype = $t;
+ break;
+ }
+ }
+
+ if($roletype === null){
+ $returnval = 'Invalid roles_id parameter';
+ }else if(!user_has_authority($u, $roletype)){
+ $returnval = 'You can not modify users of ' . $roletype . ' role';
+ }
+
+ if($returnval == null){
+ $user = user_load($uid);
+ if($user == false){
+ $returnval = 'Could not load specified user';
+ }
+ }
+
+ if($returnval == null){
+ if($user['schools_id'] != $u['schools_id']){
+ $returnval = 'You can not uninvite students form other schools';
+ }
+ }
+
+ if($returnval == null){
+ // ok, looks like all of the data checks out. 
Let's remove this user's role
+ mysql_query("DELETE FROM user_roles WHERE users_id = $uid AND roles_id = $roles_id");
+ $returnval = mysql_error();
+ }
+
+ if($returnval == null) $returnval = user_load($uid);
+
+ return $returnval;
+}
+
+// returns an array of users of the specified role that the currently logged in user has permission to modify
+function user_list_modifiable($roles_id){
+ global $roles;
+ $returnval = null;
+ $u = user_load($_SESSION['users_id']);
+
+ // idiot proofing
+ if(!is_numeric($roles_id)) return "Invalid role id";
+
+ $roletype = null;
+ foreach($roles as $t => $r){
+ if($r['id'] == $roles_id){
+ $roletype = $t;
+ break;
+ }
+ }
+
+ if($roletype === null){
+ $returnval = 'Invalid roles_id parameter';
+ }else if(!user_has_authority($u, $roletype)){
+ $returnval = array();
+ }
+
+ if($returnval == null){
+ $returnval = array();
+ // ok, if we've gotten here, then they have the necessary permissions and such. Let's
+ // go ahead and generate some data
+
+ // first we'll assemble our WHERE conditions
+ $conditions = array();
+ $conditions[] = "users.conferences_id = " . $u['conferences_id'];
+ $conditions[] = "user_roles.roles_id = " . $roles_id;
+ if(array_key_exists('admin', $u['roles'])){
+ // all is allowed
+ }else if(array_key_exists('teacher', $u['roles'])){
+ $conditions[] = 'schools_id = ' . $u['schools_id'];
+ }
+
+ $role_fields = 'users.' . implode(', users.', user_get_role_fields($roletype));
+ $query = "SELECT users.firstname, users.lastname, accounts.username, $role_fields FROM users";
+ $query .= " JOIN accounts ON users.accounts_id = accounts.id";
+ $query .= " JOIN user_roles ON user_roles.users_id = users.id";
+ $query .= " WHERE (" . implode(') AND (', $conditions) . 
")";
+ $query .= " ORDER BY users.id";
+ $q = mysql_query($query);
+ while($row = mysql_fetch_assoc($q)){
+ $returnval[] = $row;
+ }
+ }
+
+ return $returnval;
+}
+
+
+// determine whethor or not the user $u has the authority to modify users with the specified role
+function user_has_authority($u, $role){
+ // find out if this user has the necessary permission to modify another one
+ $returnval = false;
+
+ if(is_array($u['roles'])){
+ if(array_key_exists('admin', $u['roles'])){
+ // This is an administrative user; they can modify people of any role they want.
+ $returnval = true;
+ }else if(array_key_exists('teacher', $u['roles'])){
+ if(array_key_exists('schools_id', $u) && $u['schools_id'] > 0){
+ if($role == 'participant'){
+ $returnval = true;
+ }
+ }
+ }
+ }
+ return $returnval;
+}
+
 ?>
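Review bot: In `user_list_modifiable()`, the no-authority branch sets `$returnval = array();`, but the next test, `if($returnval == null)`, is true for an empty array under PHP's loose comparison, so the query still runs; since a caller that is neither admin nor teacher also adds no school condition, such a caller can list every user of the requested role in the conference. Use strict comparison, `if($returnval === null){`, and give the no-authority case a distinguishable result (an error string, as `user_uninvite` does) rather than an empty list that the api.php `list` case reports as `status ok`. `user_uninvite()` has the mirror problem: `if($user['schools_id'] != $u['schools_id'])` applies to admins too, so an admin without a `schools_id` is refused for any student that has one; guard it with the teacher check, `if(array_key_exists('teacher', $u['roles']) && $user['schools_id'] != $u['schools_id'])`, and fix the message typo `'form other schools'` to `'from other schools'`. Both functions interpolate `$uid`/`$roles_id` into SQL after only `is_numeric()`, which also accepts exponent and whitespace forms; `intval()` them first as `user_load` does, and note that `$returnval = mysql_error();` followed by `== null` only works because an empty string compares loosely equal to null.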
".i18n("Last Name")."".i18n("First Name")."