* Disclaimer: the contents of this post allude to specific code and functions in the application that Angie is developing. Some of the functions and files mentioned in this post are not part of the Xataface distribution. *
Hi Angie,
After puzzling over the code I have found the problem. You added this in the Application Delegate class:
Code:
/* Add this function in to let instructors edit the courses that they are
   teaching (March 18, 2009) */
function getPermissions(&$record) {
    return Dataface_PermissionsTool::getRolePermissions('MEMBER');
}
This circumvented all of the permissions for the entire application so that all users get the same privileges. What you meant to do was add this to the courses delegate class, and even then you would need something more refined in order to make it do what you want.
What this method says is that EVERYONE gets the permissions assigned to the MEMBER role which is defined in your permissions.ini file as having all of the permissions as the ADMIN role except a few key ones.
What you want is to make it so that instructors can edit their own courses, but nobody else.
This is a bit tricky, since you don't want to hit the database every time the getPermissions() method is called and a simple approach to this might tempt you to do this.
Thus the best course of action is to create a function to load the current user's courses, and cache that information so that it only hits the database once. Then in the getPermissions() method of the courses table you would figure out whether the current user should be able to edit the course based on whether he is an instructor of the course.
So we will make 3 changes:
1. In the includes/functions.inc.php file we add some functions to figure out if the current user is an instructor (or TA) for a given course:
Code:
/*
 * Gets an associative array (course_id => true) of the courses that the
 * current user is teaching or is a TA for. The result is cached in a static
 * variable so the database is hit at most once per request.
 */
function &getUserCourses(){
    static $courses = -1;
    if ( $courses === -1 ){
        $courses = array();
        $user =& getUser();
        if ( $user and $user->val('username') ){
            // Escape the username for the active connection instead of relying on addslashes().
            $username = mysql_real_escape_string($user->val('username'), df_db());
            $res = mysql_query("select course_id from course_tas ct inner join people p on ct.person_id=p.person_id where p.username='".$username."'", df_db());
            while ( $res and $row = mysql_fetch_row($res) ){
                $courses[$row[0]] = true;
            }
        }
    }
    return $courses;
}

/**
 * Checks if the current user is an instructor (or TA) for the given course.
 */
function isInstructorForCourse($courseid){
    $c =& getUserCourses();
    return isset($c[$courseid]);
}
2. In the permissions.ini file for our application we create a role called 'COURSE INSTRUCTOR' which extends the EDIT role (so it includes permissions necessary to edit a record).
Code:
[COURSE INSTRUCTOR extends EDIT]
3. In the courses delegate class (tables/courses/courses.php) we add the following getPermissions() method:
Code:
function getPermissions(&$record){
    // Instructors who are not admins get the COURSE INSTRUCTOR role, but only on their own courses.
    if ( !isAdmin() and $record and isInstructorForCourse($record->val('course_id')) ){
        return Dataface_PermissionsTool::getRolePermissions('COURSE INSTRUCTOR');
    }
    // Fall through to the permissions defined in the application delegate class.
    return null;
}
Notice that this method returns null unless the current user is NOT an admin and is a course instructor. This is because if the current user is not an instructor (or is an admin) then we just want to use the default permissions defined in the application delegate class.
4. We remove the getPermissions() method that you added to the application delegate class as this opened the application up so everyone could edit anything. The application delegate class already has a getRoles() method defined that works well for global application permissions.
-Steve
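As an added example (not Steve's code and not part of Xataface), here is a self-contained PHP sketch of the three pieces above: the cached course lookup, the table-level getPermissions() that falls through with null, and the application-level default it falls through to. Dataface_PermissionsTool, getUser(), isAdmin() and the people/course_tas tables are replaced by constructed stand-ins (plain arrays and an in-memory SQLite database via PDO), and the query is parameterised rather than escaped with addslashes().

```php
<?php
// Added example, not the forum post's or Xataface's code. Stand-ins for
// Dataface_PermissionsTool, getUser()/isAdmin() and the courses tables.
// Role -> permission map, modelled on permissions.ini (constructed values).
$roles = [
    'ADMIN'             => ['view' => 1, 'edit' => 1, 'delete' => 1],
    'MEMBER'            => ['view' => 1, 'edit' => 1],   // what the global getPermissions() handed to everyone
    'READ ONLY'         => ['view' => 1],
    'COURSE INSTRUCTOR' => ['view' => 1, 'edit' => 1],   // [COURSE INSTRUCTOR extends EDIT]
];

// Constructed sample rows standing in for the people / course_tas tables.
$pdo = new PDO('sqlite::memory:');
$pdo->exec("CREATE TABLE people (person_id INTEGER, username TEXT)");
$pdo->exec("CREATE TABLE course_tas (course_id INTEGER, person_id INTEGER)");
$pdo->exec("INSERT INTO people VALUES (1, 'alice'), (2, 'bob')");
$pdo->exec("INSERT INTO course_tas VALUES (101, 1), (102, 1)");   // alice teaches 101 and 102

// Cached per-user course lookup: one parameterised query, then served from the static.
function getUserCourses(PDO $pdo, $username) {
    static $cache = [];
    if (!isset($cache[$username])) {
        $stmt = $pdo->prepare("SELECT course_id FROM course_tas ct
            INNER JOIN people p ON ct.person_id = p.person_id WHERE p.username = ?");
        $stmt->execute([$username]);
        $cache[$username] = array_fill_keys($stmt->fetchAll(PDO::FETCH_COLUMN), true);
    }
    return $cache[$username];
}

// Stand-in for tables/courses/courses.php getPermissions(): null means "use the app default".
function coursesGetPermissions(PDO $pdo, array $roles, $username, $isAdmin, $courseId) {
    $mine = getUserCourses($pdo, $username);
    if (!$isAdmin && isset($mine[$courseId])) {
        return $roles['COURSE INSTRUCTOR'];
    }
    return null;
}

// Stand-in for the application delegate default (admins full rights, everyone else read only).
function resolvePermissions(PDO $pdo, array $roles, $username, $isAdmin, $courseId) {
    $table = coursesGetPermissions($pdo, $roles, $username, $isAdmin, $courseId);
    return $table ?? ($isAdmin ? $roles['ADMIN'] : $roles['READ ONLY']);
}

assert((resolvePermissions($pdo, $roles, 'alice', false, 101)['edit'] ?? 0) === 1); // own course: editable
assert((resolvePermissions($pdo, $roles, 'alice', false, 103)['edit'] ?? 0) === 0); // other course: read only
assert((resolvePermissions($pdo, $roles, 'bob', false, 101)['edit'] ?? 0) === 0);   // not an instructor
assert((resolvePermissions($pdo, $roles, 'bob', true, 101)['delete'] ?? 0) === 1);  // admin keeps default rights
```

Run it with `php -d zend.assertions=1 example.php` so the assertions are actually evaluated; a second call for the same user is answered from the static cache without touching the database.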