
Removing $is_allowed_in_course already checked in api_protect_course

Julio Montoya 12 years ago
parent
commit
4523d7c6e5

+ 1 - 1
main/blog/blog_admin.php

@@ -23,7 +23,7 @@ $blog_table_attachment 	= Database::get_course_table(TABLE_BLOGS_ATTACHMENT);
 api_protect_course_script(true);
 
 //	 ONLY USERS REGISTERED IN THE COURSE
-if((!$is_allowed_in_course || !$is_courseMember) && !api_is_allowed_to_edit()) {
+if((!$is_courseMember) && !api_is_allowed_to_edit()) {
 	api_not_allowed(true);//print headers/footers
 }
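Review bot: The simplified condition on the `+` line keeps the parentheses that only made sense around the two-term disjunction, so it now reads `if((!$is_courseMember) && ...)`; the idiomatic form is `if (!$is_courseMember && !api_is_allowed_to_edit()) {`. Since `api_protect_course_script(true)` is visible three lines above, dropping `$is_allowed_in_course` here is consistent with the commit's intent. `$is_courseMember` is defined outside the hunk, presumably by `global.inc.php`; a one-line comment such as `// $is_courseMember is set by global.inc.php for the current course` would spare the next reader the search.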
 

+ 1 - 5
main/document/create_audio.php

@@ -27,6 +27,7 @@ $nameTools = get_lang('CreateAudio');
 
 api_protect_course_script();
 api_block_anonymous_users();
+
 if (api_get_setting('enabled_text2audio') == 'false') {
     api_not_allowed(true);
 }
@@ -92,11 +93,6 @@ $interbreadcrumb[] = array(
     "name" => get_lang('Documents')
 );
 
-if (!$is_allowed_in_course) {
-    api_not_allowed(true);
-}
-
-
 if (!($is_allowed_to_edit || $_SESSION['group_member_with_upload_rights'] || is_my_shared_folder(
     api_get_user_id(),
     Security::remove_XSS($dir),

+ 6 - 10
main/document/create_document.php

@@ -15,11 +15,12 @@ $language_file = array('document', 'gradebook');
 
 require_once '../inc/global.inc.php';
 
+api_protect_course_script();
+
 $_SESSION['whereami'] = 'document/create';
 $this_section = SECTION_COURSES;
 
-$htmlHeadXtra[] = '
-<script>
+$htmlHeadXtra[] = '<script>
 
 var hide_bar = function() {
     $("#template_col").hide();
@@ -293,10 +294,6 @@ if (!$is_certificate_mode) {
 } else {
     $interbreadcrumb[] = array('url' => '../gradebook/'.$_SESSION['gradebook_dest'], 'name' => get_lang('Gradebook'));
 }
-
-if (!$is_allowed_in_course) {
-    api_not_allowed(true);
-}
 if (!($is_allowed_to_edit || $_SESSION['group_member_with_upload_rights'] || is_my_shared_folder(
     $_user['user_id'],
     Security::remove_XSS($dir),
@@ -306,8 +303,6 @@ if (!($is_allowed_to_edit || $_SESSION['group_member_with_upload_rights'] || is_
     api_not_allowed(true);
 }
 
-/*	Header */
-
 event_access_tool(TOOL_DOCUMENT);
 
 $display_dir = $dir;
@@ -691,6 +686,7 @@ if ($form->validate()) {
         Display :: display_footer();
     }
 } else {
+
     // Interbreadcrumb for the current directory root path
     // Copied from document.php
     $dir_array = explode('/', $dir);
@@ -709,7 +705,7 @@ if ($form->validate()) {
     }
 
     Display :: display_header($nameTools, "Doc");
-    //api_display_tool_title($nameTools);
+
     // actions
     echo '<div class="actions">';
 
@@ -757,4 +753,4 @@ if ($form->validate()) {
             </div>
           </div>';
     Display :: display_footer();
-}
+}
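Review bot: The guard that survives the second hunk (`is_my_shared_folder($_user['user_id'], ...)`) reads the raw `$_user` array, whereas the sibling file create_audio.php in this same commit passes `api_get_user_id()`; aligning on `api_get_user_id()` would keep the membership/ownership check identical across the document tools. The same condition indexes `$_SESSION['group_member_with_upload_rights']` without `isset`, which emits a notice when the key is absent; `!empty($_SESSION['group_member_with_upload_rights'])` would be the quiet equivalent. Adding `api_protect_course_script();` directly after `global.inc.php` in the first hunk is the right replacement for the removed `$is_allowed_in_course` check, and is the pattern the other files touched by this commit should visibly follow. The enclosing `if (!$is_certificate_mode)` block starts outside the hunk.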

+ 0 - 4
main/document/create_draw.php

@@ -93,10 +93,6 @@ if (isset ($_SESSION['_gid']) && $_SESSION['_gid'] != 0) {
 
 $interbreadcrumb[] = array ("url" => "./document.php?id=".$parent_id.$req_gid, "name" => get_lang('Documents'));
 
-if (!$is_allowed_in_course) {
-	api_not_allowed(true);
-}
-
 if (!($is_allowed_to_edit || $_SESSION['group_member_with_upload_rights'] || is_my_shared_folder(api_get_user_id(), Security::remove_XSS($dir), api_get_session_id()))) {
 	api_not_allowed(true);
 }
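Review bot: The removed `if (!$is_allowed_in_course) api_not_allowed(true);` is only redundant if `api_protect_course_script()` already runs earlier in this file, and nothing in the hunk shows that call; the same applies to create_paint.php, record_audio.php, record_audio_wami.php, webcam_clip.php, group.php and group_overview.php, where the commit removes the check without a visible replacement, and to show_content.php, showinframes.php and showinframesmin.php, which read `$_SESSION['is_allowed_in_course']` directly and so did not depend on the global being set. Unlike create_document.php and search.php, which add `api_protect_course_script()` explicitly in this commit, these files should each be confirmed to invoke it after `global.inc.php`, as blog_admin.php and create_audio.php visibly do. The condition that remains here only gates edit, group-upload and shared-folder rights, so it is not a substitute for the course-membership check. A short comment on the remaining guard, such as `// course membership is enforced by api_protect_course_script() above`, would document where the access control now lives.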

+ 1 - 5
main/document/create_paint.php

@@ -33,7 +33,7 @@ if (api_get_setting('enabled_support_paint') == 'false') {
 $document_data = DocumentManager::get_document_data_by_id($_GET['id'], api_get_course_id(), true);
 if (empty($document_data)) {
     if (api_is_in_group()) {
-        $group_properties   = GroupManager::get_group_properties(api_get_group_id());        
+        $group_properties   = GroupManager::get_group_properties(api_get_group_id());
         $document_id        = DocumentManager::get_document_id(api_get_course_info(), $group_properties['directory']);
         $document_data      = DocumentManager::get_document_data_by_id($document_id, api_get_course_id());
     }
@@ -92,10 +92,6 @@ if (isset ($_SESSION['_gid']) && $_SESSION['_gid'] != 0) {
 
 $interbreadcrumb[] = array ("url" => "./document.php?curdirpath=".urlencode($dir).$req_gid, "name" => get_lang('Documents'));
 
-if (!$is_allowed_in_course) {
-	api_not_allowed(true);
-}
-
 if (!($is_allowed_to_edit || $_SESSION['group_member_with_upload_rights'] || is_my_shared_folder($_user['user_id'], Security::remove_XSS($dir),api_get_session_id()))) {
 	api_not_allowed(true);
 }

+ 1 - 0
main/document/document.php

@@ -32,6 +32,7 @@
 
 // Language files that need to be included
 $language_file = array('document', 'slideshow', 'gradebook', 'create_course');
+
 require_once '../inc/global.inc.php';
 
 $current_course_tool = TOOL_DOCUMENT;

+ 9 - 9
main/document/download.php

@@ -37,7 +37,8 @@ if (strpos($doc_url,'../') OR strpos($doc_url,'/..')) {
 // survey while not being authenticated on the plateform.
 // The administrator should probably be able to disable this code through admin
 // inteface.
-$refer_script = strrchr($_SERVER["HTTP_REFERER"], '/');
+
+$refer_script = isset($_SERVER["HTTP_REFERER"]) ? strrchr($_SERVER["HTTP_REFERER"], '/') : null;
 
 $sys_course_path = api_get_path(SYS_COURSE_PATH).$_course['path'].'/document';
 
@@ -62,11 +63,11 @@ if (substr($refer_script, 0, 15) == '/fillsurvey.php') {
 		$document_explorer = api_get_path(WEB_CODE_PATH).'document/document.php?curdirpath='.urlencode($doc_url).'&cidReq='.Security::remove_XSS($_GET['cidReq']).$gid_req;
 		// Redirect
 		header('Location: '.$document_explorer);
-	}	
+	}
 }
 
-        
-//Fixes swf upload problem in chamilo 1.8.x. When uploading a file with 
+
+//Fixes swf upload problem in chamilo 1.8.x. When uploading a file with
 //the character "-" the filename was changed from "-" to "_" in the DB for no reason
 $path_info = pathinfo($doc_url);
 
@@ -79,22 +80,21 @@ if (isset($path_info['extension']) && $path_info['extension'] == 'swf') {
     }
 }
 
-
 if (Security::check_abs_path($sys_course_path.$doc_url, $sys_course_path.'/')) {
-    $full_file_name = $sys_course_path.$doc_url;    
+    $full_file_name = $sys_course_path.$doc_url;
     if ($fix_file_name) {
         $doc_url = $fixed_url;
     }
     // Check visibility of document and paths
     $is_visible = DocumentManager::is_visible($doc_url, $_course, api_get_session_id());
-    
+
 	//Documents' slideshow thumbnails
 	//correct $is_visible used in below and ??. Now the students can view the thumbnails too
-	if ( preg_match('/\.thumbs\/\./',  $doc_url)){ 
+	if ( preg_match('/\.thumbs\/\./',  $doc_url)){
 		$doc_url_thumbs = str_replace('.thumbs/.', '', $doc_url);
 		$is_visible = DocumentManager::is_visible($doc_url_thumbs, $_course, api_get_session_id());
 	}
-	
+
     if (!api_is_allowed_to_edit() && !$is_visible) {
     	Display::display_error_message(get_lang('ProtectedDocument'));//api_not_allowed backbutton won't work.
     	exit; // You shouldn't be here anyway.
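Review bot: The new `$refer_script` assignment in the first hunk defaults to `null` when no `Referer` header is present, and `strrchr()` itself returns `false` when the header contains no `/`; both values then reach `substr($refer_script, 0, 15)` in the second hunk, which is deprecated for `null` on PHP 8.1+. Defaulting to a string keeps the comparison well defined: `$refer_script = isset($_SERVER['HTTP_REFERER']) ? (string) strrchr($_SERVER['HTTP_REFERER'], '/') : '';`. As the surrounding comment notes, the referer is client-supplied, so the `/fillsurvey.php` branch should continue to be treated as a convenience redirect and never as an authorisation decision; the `Security::check_abs_path` and `DocumentManager::is_visible` checks in the third hunk remain the effective guards. The `if (substr($refer_script, ...))` block starts outside the second hunk.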

+ 0 - 4
main/document/record_audio.php

@@ -84,10 +84,6 @@ if (isset ($_SESSION['_gid']) && $_SESSION['_gid'] != 0) {
 
 $interbreadcrumb[] = array ("url" => "./document.php?id=".$document_id.$req_gid, "name" => get_lang('Documents'));
 
-if (!$is_allowed_in_course) {
-	api_not_allowed(true);
-}
-
 if (!($is_allowed_to_edit || $_SESSION['group_member_with_upload_rights'] || is_my_shared_folder(api_get_user_id(), Security::remove_XSS($dir),api_get_session_id()))) {
 	api_not_allowed(true);
 }

+ 0 - 4
main/document/record_audio_wami.php

@@ -92,10 +92,6 @@ if (isset ($_SESSION['_gid']) && $_SESSION['_gid'] != 0) {
 
 $interbreadcrumb[] = array ("url" => "./document.php?id=".$document_id.$req_gid, "name" => get_lang('Documents'));
 
-if (!$is_allowed_in_course) {
-	api_not_allowed(true);
-}
-
 if (!($is_allowed_to_edit || $_SESSION['group_member_with_upload_rights'] || is_my_shared_folder(api_get_user_id(), Security::remove_XSS($dir),api_get_session_id()))) {
 	api_not_allowed(true);
 }

+ 0 - 8
main/document/show_content.php

@@ -58,14 +58,6 @@ if (is_dir($file_url_sys)) {
     api_not_allowed(true);
 }
 
-//fix the screen when you try to access a protected course through the url
-$is_allowed_in_course = $_SESSION ['is_allowed_in_course'];
-
-if ($is_allowed_in_course == false) {
-    api_not_allowed(true);
-}
-
-
 
 //Check user visibility
 //$is_visible = DocumentManager::is_visible_by_id($document_id, $course_info, api_get_session_id(), api_get_user_id());

+ 0 - 7
main/document/showinframes.php

@@ -73,13 +73,6 @@ if (is_dir($file_url_sys)) {
     api_not_allowed(true);
 }
 
-//fix the screen when you try to access a protected course through the url
-$is_allowed_in_course = $_SESSION ['is_allowed_in_course'];
-
-if ($is_allowed_in_course == false) {
-    api_not_allowed(true);
-}
-
 //Check user visibility
 //$is_visible = DocumentManager::is_visible_by_id($document_id, $course_info, api_get_session_id(), api_get_user_id());
 $is_visible = DocumentManager::check_visibility_tree($document_id, api_get_course_id(), api_get_session_id(), api_get_user_id());

+ 0 - 8
main/document/showinframesmin.php

@@ -57,14 +57,6 @@ if (!file_exists($file_url_sys)) {
 if (is_dir($file_url_sys)) {
     api_not_allowed(true);
 }
-
-//fix the screen when you try to access a protected course through the url
-$is_allowed_in_course = $_SESSION ['is_allowed_in_course'];
-
-if ($is_allowed_in_course == false) {
-    api_not_allowed(true);
-}
-
 //Check user visibility
 //$is_visible = DocumentManager::is_visible_by_id($document_id, $course_info, api_get_session_id(), api_get_user_id());
 $is_visible = DocumentManager::check_visibility_tree($document_id, api_get_course_id(), api_get_session_id(), api_get_user_id());

+ 0 - 4
main/document/webcam_clip.php

@@ -91,10 +91,6 @@ if (isset ($_SESSION['_gid']) && $_SESSION['_gid'] != 0) {
 
 $interbreadcrumb[] = array ("url" => "./document.php?id=".$document_id.$req_gid, "name" => get_lang('Documents'));
 
-if (!$is_allowed_in_course) {
-	api_not_allowed(true);
-}
-
 if (!($is_allowed_to_edit || $_SESSION['group_member_with_upload_rights'] || is_my_shared_folder(api_get_user_id(), Security::remove_XSS($dir),api_get_session_id()))) {
 	api_not_allowed(true);
 }

+ 0 - 3
main/group/group.php

@@ -55,9 +55,6 @@ if (api_get_setting('allow_group_categories') == 'false') {
 if (!isset ($_GET['origin']) || $_GET['origin'] != 'learnpath') {
 	// So we are not in learnpath tool
 	event_access_tool(TOOL_GROUP);
-	if (!$is_allowed_in_course) {
-		api_not_allowed(true);
-	}
 }
 
 Display::display_header(get_lang('Groups'));

+ 0 - 4
main/group/group_overview.php

@@ -61,10 +61,6 @@ if (isset($_GET['action'])) {
 
 $interbreadcrumb[] = array('url' => 'group.php', 'name' => get_lang('Groups'));
 if (!isset ($_GET['origin']) || $_GET['origin'] != 'learnpath') {
-	// So we are not in learnpath tool
-	if (!$is_allowed_in_course) {
-		api_not_allowed(true);
-	}
 	if (!api_is_allowed_to_edit(false, true)) {
 		api_not_allowed(true);
 	} else {

+ 3 - 3
main/metadata/phpdig/search.php

@@ -1,4 +1,4 @@
-<?php 
+<?php
 /**
  * Chamilo phpdig/search.php
  * 2006/12/14
@@ -26,8 +26,8 @@ If you modify code and redistribute, you may ADD your copyright to this notice.
 
 // name of the language file that needs to be included
 $language_file = "md_mix";
-include('../../../main/inc/global.inc.php');
-if (! $is_allowed_in_course) api_not_allowed();
+require_once '../../../main/inc/global.inc.php';
+api_protect_course_script();
 
 // start of part copied (with some changes) from standard PhpDig search.php
 $relative_script_path = '.';