
DRH can log in as user. See BT#6770

Julio Montoya 11 éve
szülő
commit
9d2fc90caf

+ 36 - 45
main/admin/user_list.php

@@ -15,6 +15,8 @@ global $_configuration;
 
 $current_access_url_id = api_get_current_access_url_id();
 
+$action = isset($_REQUEST["action"]) ? $_REQUEST["action"] : null;
+
 // Blocks the possibility to delete a user
 $delete_user_available = true;
 if (isset($_configuration['deny_delete_users']) &&  $_configuration['deny_delete_users']) {
@@ -102,13 +104,13 @@ function clear_session_list (div_session) {
 }
 
 function display_advanced_search_form () {
-        if ($("#advanced_search_form").css("display") == "none") {
-                $("#advanced_search_form").css("display","block");
-                $("#img_plus_and_minus").html(\' '.Display::return_icon('div_hide.gif',get_lang('Hide'),array('style'=>'vertical-align:middle')).' '.get_lang('AdvancedSearch').'\');
-        } else {
-                $("#advanced_search_form").css("display","none");
-                $("#img_plus_and_minus").html(\' '.Display::return_icon('div_show.gif',get_lang('Show'),array('style'=>'vertical-align:middle')).' '.get_lang('AdvancedSearch').'\');
-        }
+    if ($("#advanced_search_form").css("display") == "none") {
+            $("#advanced_search_form").css("display","block");
+            $("#img_plus_and_minus").html(\' '.Display::return_icon('div_hide.gif',get_lang('Hide'),array('style'=>'vertical-align:middle')).' '.get_lang('AdvancedSearch').'\');
+    } else {
+            $("#advanced_search_form").css("display","none");
+            $("#img_plus_and_minus").html(\' '.Display::return_icon('div_show.gif',get_lang('Show'),array('style'=>'vertical-align:middle')).' '.get_lang('AdvancedSearch').'\');
+    }
 }
 
 $(document).ready(function() {
@@ -125,7 +127,6 @@ $(document).ready(function() {
         }
     }
 
-
     $(".agenda_opener").live("click", function() {
         var url = this.href;
         var dialog = $("#dialog");
@@ -135,12 +136,12 @@ $(document).ready(function() {
         }
         // load remote content
         dialog.load(
-                url,
-                {},
-                function(responseText, textStatus, XMLHttpRequest) {
-                    dialog.dialog({width:720, height:550, modal:true});
-                }
-            );
+            url,
+            {},
+            function(responseText, textStatus, XMLHttpRequest) {
+                dialog.dialog({width:720, height:550, modal:true});
+            }
+        );
         //prevent the browser to follow the link
         return false;
     });
@@ -155,6 +156,17 @@ function load_calendar(user_id, month, year) {
 
 $this_section = SECTION_PLATFORM_ADMIN;
 
+if ($action == 'login_as') {
+    $check = Security::check_token('get');
+
+    if (isset($_GET['user_id']) && api_can_login_as($_GET['user_id']) && $check) {
+        login_user($_GET['user_id']);
+    } else {
+        api_not_allowed(true);
+    }
+    Security::clear_token();
+}
+
 api_protect_admin_script(true);
 
 /**
@@ -168,21 +180,17 @@ api_protect_admin_script(true);
 */
 function login_user($user_id) {
     $user_id = intval($user_id);
+    $user_info = api_get_user_info($user_id);
 
-    if (empty($user_id)) {
-        return false;
-    }
-    if ($user_id != strval(intval($user_id))) {
-    	return false;
-    }
+    // Check if the user is allowed to 'login_as'
+    $can_login_as = api_can_login_as($user_id);
 
-    //Only superadmins can login to admin accounts
-    if (!api_global_admin_can_edit_admin($user_id)) {
+    if (!$can_login_as) {
         return false;
     }
 
     //Load $_user to be sure we clean it before logging in
-	global $uidReset, $loginFailed, $_configuration, $_user;
+	global $uidReset, $loginFailed, $_user;
 
 	$main_user_table      = Database::get_main_table(TABLE_MAIN_USER);
 	$main_admin_table     = Database::get_main_table(TABLE_MAIN_ADMIN);
@@ -190,11 +198,6 @@ function login_user($user_id) {
 
 	unset($_user['user_id']); // uid not in session ? prevent any hacking
 
-    $user_info = api_get_user_info($user_id);
-
-    // check if the user is allowed to 'login_as'
-    $can_login_as = (api_is_platform_admin() OR (api_is_session_admin() && $user_info['status'] == 5 ));
-    if (!$can_login_as) { return false; }
 
 	$firstname  = $user_info['firstname'];
 	$lastname   = $user_info['lastname'];
@@ -261,7 +264,6 @@ function login_user($user_id) {
 			$_SESSION['login_as']               = true; // will be useful later to know if the user is actually an admin or not (example reporting)s
 
 			$target_url = api_get_path(WEB_PATH)."user_portal.php";
-			//$message .= "<br/>Login successful. Go to <a href=\"$target_url\">$target_url</a>";
 			$message .= '<br />'.sprintf(get_lang('LoginSuccessfulGoToX'),'<a href="'.$target_url.'">'.$target_url.'</a>');
 			Display :: display_header(get_lang('UserList'));
 			Display :: display_normal_message($message,false);
@@ -561,16 +563,15 @@ function modify_filter($user_id, $url_params, $row) {
     if (api_is_platform_admin() || (api_is_session_admin() && $current_user_status_label == $statusname[STUDENT])) {
     	if (!$user_is_anonymous) {
             if (api_global_admin_can_edit_admin($user_id)) {
-                $result .= '<a href="user_list.php?action=login_as&amp;user_id='.$user_id.'&amp;sec_token='.$_SESSION['sec_token'].'">'.Display::return_icon('login_as.gif', get_lang('LoginAs')).'</a>&nbsp;&nbsp;';
+                $result .= '<a href="user_list.php?action=login_as&amp;user_id='.$user_id.'&amp;sec_token='.$_SESSION['sec_token'].'">'.Display::return_icon('login_as.png', get_lang('LoginAs')).'</a>&nbsp;&nbsp;';
             } else {
-                $result .= Display::return_icon('login_as_na.gif', get_lang('LoginAs')).'&nbsp;&nbsp;';
+                $result .= Display::return_icon('login_as_na.png', get_lang('LoginAs')).'&nbsp;&nbsp;';
             }
-            //$result .= '<a href="user_list.php?action=login_as&amp;user_id='.$user_id.'&amp;sec_token='.$_SESSION['sec_token'].'">'.Display::return_icon('login_as.gif', get_lang('LoginAs')).'</a>&nbsp;&nbsp;';
     	} else {
-    		$result .= Display::return_icon('login_as_na.gif', get_lang('LoginAs')).'&nbsp;&nbsp;';
+    		$result .= Display::return_icon('login_as_na.png', get_lang('LoginAs')).'&nbsp;&nbsp;';
     	}
     } else {
-    	$result .= Display::return_icon('login_as_na.gif', get_lang('LoginAs')).'&nbsp;&nbsp;';
+    	$result .= Display::return_icon('login_as_na.png', get_lang('LoginAs')).'&nbsp;&nbsp;';
     }
 
 	if ($current_user_status_label != $statusname[STUDENT]) {
@@ -588,14 +589,12 @@ function modify_filter($user_id, $url_params, $row) {
 		}
 	}
 
-
 	if ($is_admin) {
 		$result .= Display::return_icon('admin_star.png', get_lang('IsAdministrator'),array('width'=> ICON_SIZE_SMALL, 'heigth'=> ICON_SIZE_SMALL));
 	} else {
 		$result .= Display::return_icon('admin_star_na.png', get_lang('IsNotAdministrator'));
 	}
 
-
 	// actions for assigning sessions, courses or users
 	if (api_is_session_admin()) {
 		/*if ($row[0] == api_get_user_id()) {
@@ -673,8 +672,6 @@ function status_filter($status) {
 	return $statusname[$status];
 }
 
-$action = isset($_REQUEST["action"]) ? $_REQUEST["action"] : null;
-
 if (isset($_GET['keyword']) || isset($_GET['keyword_firstname'])) {
     $interbreadcrumb[] = array ("url" => 'index.php', "name" => get_lang('PlatformAdmin'));
     $interbreadcrumb[] = array ("url" => 'user_list.php', "name" => get_lang('UserList'));
@@ -687,7 +684,7 @@ if (isset($_GET['keyword']) || isset($_GET['keyword_firstname'])) {
 $message = '';
 
 if (!empty($action)) {
-	$check = Security::check_token('get');
+    $check = Security::check_token('get');
 	if ($check) {
 		switch ($action) {
             case 'add_user_to_my_url':
@@ -698,12 +695,6 @@ if (!empty($action)) {
                     $message = get_lang('UserAdded').' '.$user_info['firstname'].' '.$user_info['lastname'].' ('.$user_info['username'].')';
                     $message  = Display::return_message($message, 'confirmation');
                 }
-                break;
-            case 'login_as':
-                $login_as_user_id = $_GET["user_id"];
-                if (isset ($login_as_user_id)) {
-                    login_user($login_as_user_id);
-                }
                 break;
 			case 'show_message' :
                 if (!empty($_GET['message'])) {
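Review bot: In the new `if ($action == 'login_as')` block placed before `api_protect_admin_script(true)`, the CSRF result `$check` is the last operand of the condition, so `api_can_login_as($_GET['user_id'])` — which in its DRH branch performs session and follow-up lookups — runs before the token has been validated; reorder to `if ($check && isset($_GET['user_id']) && api_can_login_as($_GET['user_id'])) {` so an unverified request fails before any privileged lookup. `$action` is taken from `$_REQUEST` while `user_id` is read only from `$_GET`, so a POSTed `action=login_as` without a query-string `user_id` reaches `api_not_allowed(true)`; reading both from `$_GET` keeps this guard consistent with the links that build `action=login_as&user_id=…`. Since this path now deliberately executes before the admin protection, authorization rests entirely on `api_can_login_as()` and on the repeated check inside `login_user()`; a `false` return from `login_user()` falls through to `api_protect_admin_script(true)`, and whether the success path ends the request is outside the hunk, so that should be confirmed.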

+ 60 - 3
main/inc/lib/main_api.lib.php

@@ -5490,7 +5490,14 @@ function api_is_global_platform_admin($user_id = null) {
     return false;
 }
 
-function api_global_admin_can_edit_admin($admin_id_to_check, $my_user_id = null, $allow_session_admin = false) {
+/**
+ * @param int $admin_id_to_check
+ * @param int  $my_user_id
+ * @param bool $allow_session_admin
+ * @return bool
+ */
+function api_global_admin_can_edit_admin($admin_id_to_check, $my_user_id = null, $allow_session_admin = false)
+{
     if (empty($my_user_id)) {
         $my_user_id = api_get_user_id();
     }
@@ -5499,10 +5506,10 @@ function api_global_admin_can_edit_admin($admin_id_to_check, $my_user_id = null,
     $user_is_global_admin   = api_is_global_platform_admin($admin_id_to_check);
 
     if ($iam_a_global_admin) {
-        //global admin can edit everything
+        // Global admin can edit everything
         return true;
     } else {
-        //If i'm a simple admin
+        // If i'm a simple admin
         $is_platform_admin = api_is_platform_admin_by_id($my_user_id);
 
         if ($allow_session_admin) {
@@ -6655,3 +6662,53 @@ function api_get_default_tool_setting($tool, $setting, $defaultValue)
     return $defaultValue;
 
 }
+
+/**
+ * Checks if user can login as another user
+ *
+ * @param int $loginAsUserId the user id to log in
+ * @param int $userId my user id
+ * @return bool
+ */
+function api_can_login_as($loginAsUserId, $userId = null)
+{
+    if (empty($userId)) {
+        $userId = api_get_user_id();
+    }
+
+    if (empty($loginAsUserId)) {
+        return false;
+    }
+
+    if ($loginAsUserId != strval(intval($loginAsUserId))) {
+        return false;
+    }
+    // Check if the user to login is an admin
+
+    if (api_is_platform_admin_by_id($loginAsUserId)) {
+        // Only super admins can login to admin accounts
+        if (!api_global_admin_can_edit_admin($loginAsUserId)) {
+            return false;
+        }
+    }
+
+    $user_info = api_get_user_info($userId);
+
+    $isDrh = function() use($loginAsUserId) {
+        if (api_is_drh()) {
+            if (api_drh_can_access_all_session_content()) {
+                $users = SessionManager::getAllUsersFromCoursesFromAllSessionFromDrh(api_get_user_id());
+                if (in_array($loginAsUserId, $users)) {
+                    return true;
+                }
+            } else {
+                if (api_is_drh() && UserManager::is_user_followed_by_drh($loginAsUserId, api_get_user_id())) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    };
+
+    return (api_is_platform_admin() OR (api_is_session_admin() && $user_info['status'] == 5) OR $isDrh());
+}
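Review bot: `api_can_login_as()` applies the `status == 5` test to the wrong account: `$user_info = api_get_user_info($userId)` loads the caller (`$userId` is documented as "my user id"), whereas the check it replaces in `login_user()` (the removed `api_get_user_info($user_id)` lines in user_list.php) loaded the target, so a session admin is now judged by their own status instead of the target's; change it to `$user_info = api_get_user_info($loginAsUserId);`. Apart from that line, `$userId` is never used — `api_is_platform_admin()`, `api_is_session_admin()` and the `$isDrh` closure all consult `api_get_user_id()` — so either thread `$userId` through those checks or document that the function only evaluates the current session user. Inside the closure, `api_is_drh()` is re-tested in `if (api_is_drh() && UserManager::is_user_followed_by_drh(...))` although the enclosing `if` already established it, and `in_array($loginAsUserId, $users)` should pass `true` as its third argument once `$loginAsUserId` is normalised with `intval()` near the top, so the membership test is strict rather than loosely typed.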

+ 1 - 1
main/mySpace/course.php

@@ -95,7 +95,7 @@ if (api_is_drh() || api_is_session_admin() || api_is_platform_admin()) {
         $menu_items[] = Display::url(Display::return_icon('teacher.png', get_lang('Trainers'), array(), ICON_SIZE_MEDIUM), 'teachers.php');
         $menu_items[] = Display::url(Display::return_icon('course_na.png', get_lang('Courses'), array(), ICON_SIZE_MEDIUM), '#');
         $menu_items[] = Display::url(Display::return_icon('session.png', get_lang('Sessions'), array(), ICON_SIZE_MEDIUM), 'session.php');
-        if (api_is_platform_admin()) {
+        if (api_can_login_as($user_id)) {
             $link = '<a href="'.api_get_path(WEB_CODE_PATH).'admin/user_list.php?action=login_as&amp;user_id='.$user_id.'&amp;sec_token='.Security::get_existing_token().'">'.
                     Display::return_icon('login_as.png', get_lang('LoginAs'), null, ICON_SIZE_MEDIUM).'</a>&nbsp;&nbsp;';
             $menu_items[] = $link;

+ 11 - 4
main/mySpace/myStudents.php

@@ -180,8 +180,10 @@ if (empty($session_id)) {
 
 $student_id = intval($_GET['student']);
 
+$token = Security::get_token();
+
 // Action behaviour
-$check= Security::check_token('get');
+$check = Security::check_token('get');
 
 if ($check) {
 	switch ($_GET['action']) {
@@ -203,6 +205,7 @@ if ($check) {
 	Security::clear_token();
 }
 
+
 // user info
 $user_info = api_get_user_info($student_id);
 
@@ -280,11 +283,11 @@ if (!empty($student_id)) {
     if (api_drh_can_access_all_session_content()) {
         $users = SessionManager::getAllUsersFromCoursesFromAllSessionFromDrh(api_get_user_id());
         if (!in_array($student_id, $users)) {
-            api_not_allowed();
+            api_not_allowed(true);
         }
     } else {
         if (api_is_drh() && !UserManager::is_user_followed_by_drh($student_id, api_get_user_id())) {
-            api_not_allowed();
+            api_not_allowed(true);
         }
     }
 }
@@ -312,6 +315,11 @@ if (!empty($student_id)) {
 	if (!empty($student_id) && !empty ($_GET['course'])) { //only show link to connection details if course and student were defined in the URL
 		echo '<a href="access_details.php?student=' . $student_id . '&course=' . Security :: remove_XSS($_GET['course']) . '&amp;origin=' . Security :: remove_XSS($_GET['origin']) . '&amp;cidReq='.Security::remove_XSS($_GET['course']).'&amp;id_session='.$session_id.'">' . Display :: return_icon('statistics.png', get_lang('AccessDetails'),'',ICON_SIZE_MEDIUM).'</a>';
 	}
+    if (api_can_login_as($student_id)) {
+        echo '<a href="'.api_get_path(WEB_CODE_PATH).'admin/user_list.php?action=login_as&amp;user_id='.$student_id.'&amp;sec_token='.$token.'">'.
+            Display::return_icon('login_as.png', get_lang('LoginAs'), null, ICON_SIZE_MEDIUM).'</a>&nbsp;&nbsp;';
+    }
+
 	echo '</div>';
 
 	// is the user online ?
@@ -708,7 +716,6 @@ if (empty($_GET['details'])) {
     	$sql_lp = " SELECT lp.name, lp.id FROM $t_lp lp WHERE c_id = {$info_course['real_id']}  ORDER BY lp.display_order";
     }
     $rs_lp = Database::query($sql_lp);
-    $token = Security::get_token();
 
     if (Database :: num_rows($rs_lp) > 0) {
     ?>
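Review bot: `$token = Security::get_token();` is moved ahead of `$check = Security::check_token('get')` and the `Security::clear_token()` that follows the action switch, whereas it previously ran after them (the removed line next to `$rs_lp = Database::query($sql_lp)`). If `get_token()` issues a fresh session token — the separate `Security::get_existing_token()` used in course.php suggests it does — an incoming `sec_token` can no longer match in `check_token('get')`, and the `$token` embedded in the new LoginAs link is invalidated by `clear_token()` before the page renders, so the link would fail the token check in user_list.php. Move the assignment below the `Security::clear_token();` block (for example just above `// user info`), or use `Security::get_existing_token()` as course.php does. The `api_can_login_as($student_id)` call that gates the link repeats the DRH lookups already performed in the `api_drh_can_access_all_session_content()` block above; reusing that result would avoid the duplicate queries.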