<?php
/****************************************************************/
/* ATutor                                                       */
/****************************************************************/
/* Copyright (c) 2002-2010                                      */
/* Inclusive Design Institute                                   */
/* http://atutor.ca                                             */
/*                                                              */
/* This program is free software. You can redistribute it and/or*/
/* modify it under the terms of the GNU General Public License  */
/* as published by the Free Software Foundation.                */
/****************************************************************/
// $Id$

/* page-location marker picked up by the shared includes below
   (presumably vitals/header use it to select the admin layout -- verify) */
$_user_location = 'admin';

define('AT_INCLUDE_PATH', '../../../include/');
require AT_INCLUDE_PATH . 'vitals.inc.php';

/* gate for the whole page: admin_authenticate() is expected to stop the
   request for anyone who is not an authenticated admin with this privilege */
admin_authenticate(AT_ADMIN_PRIV_USERS);

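/**
 * Derive the per-admin key used by at_sign_request() and at_verify_request().
 *
 * The key is an HMAC of the admin's last_login value keyed with the stored
 * password hash, so it is bound to one admin account and rotates on every
 * login.  Both columns must be selected: the original query fetched only
 * last_login, so $row['password'] was undefined and the HMAC ran with an
 * empty key.
 *
 * @return  string|false    derived key, or false when no admin session is
 *                          active or the admin row cannot be read.
 */
function at_request_signing_key() {
    global $db;

    if (!isset($_SESSION['login'])) {
        return false;
    }
    // login is set by the application after authentication; escaping it
    // anyway keeps the statement well-formed for any login value.
    $login  = mysql_real_escape_string($_SESSION['login'], $db);
    $sql    = 'SELECT last_login, password FROM ' . TABLE_PREFIX . "admins WHERE login='$login'";
    $result = mysql_query($sql, $db);
    $row    = $result ? mysql_fetch_assoc($result) : false;
    if (!$row) {
        return false;
    }
    // NOTE(review): a dedicated key table would give a stronger per-request
    // secret; this keeps the original derivation, now with the intended key.
    return hash_hmac('sha256', $row['last_login'], $row['password']);
}

/**
 * Build the canonical string that is signed and later verified.
 *
 * Layout: a request line, then one "name=rawurlencode(value)" line per field
 * in the fixed order publicKey, timestamp.  Only these two fields are signed;
 * the member id and the action are not part of the signature.
 *
 * @param   string  $timestamp  UTC time, gmdate("Y-m-d\TH:i:s\Z")
 * @param   string  $publicKey  per-render nonce
 * @return  string
 */
function at_canonical_request_string($timestamp, $publicKey) {
    $fields = array(
        'publicKey' => $publicKey,
        'timestamp' => $timestamp,
    );
    $str = "GET http/1.0\n";
    foreach ($fields as $name => $value) {
        $str .= $name . '=' . rawurlencode($value) . "\n";
    }
    return $str;
}

/**
 * Sign a request (nonce + issue time) for the currently logged-in admin.
 *
 * @param   string  $timestamp  UTC time, gmdate("Y-m-d\TH:i:s\Z")
 * @param   string  $publicKey  per-render nonce (sha256 of random data,
 *                              generated where the form is built)
 * @return  string  rawurlencoded base64 HMAC-SHA512 signature, or '' when no
 *                  admin session or admin row is available (the original
 *                  returned an undefined variable, i.e. null, in that case).
 */
function at_sign_request($timestamp, $publicKey) {
    $privateKey = at_request_signing_key();
    if ($privateKey === false) {
        return '';
    }
    $str           = at_canonical_request_string($timestamp, $publicKey);
    $hmacSignature = base64_encode(hash_hmac('sha512', $str, $privateKey, true));
    return rawurlencode($hmacSignature);
}

/**
 * Verify a signed request produced by at_sign_request().
 *
 * @param   string  $signature  auth_token as received (still rawurlencoded)
 * @param   string  $timestamp  auth_timestamp, UTC, as produced by gmdate()
 * @param   string  $publicKey  auth_publicKey nonce
 * @param   int     $maxAge     seconds a signature stays valid; default 600
 *                              (10 minutes).  The original literal was 36000,
 *                              i.e. 10 hours, contradicting its own comment.
 * @return  bool    true only when every parameter is a non-empty string, the
 *                  timestamp parses and is neither expired nor in the future,
 *                  and the HMAC matches.  Expiry now returns false instead of
 *                  die()-ing so the caller reports it like any other failure.
 */
function at_verify_request($signature, $timestamp, $publicKey, $maxAge = 600) {
    foreach (array($signature, $timestamp, $publicKey) as $param) {
        // rejects missing values (null) and array-valued query parameters
        if (!is_string($param) || $param === '') {
            return false;
        }
    }

    $privateKey = at_request_signing_key();
    if ($privateKey === false) {
        return false;
    }

    // Expiry: reject unparsable, stale and future-dated timestamps.  The
    // original only bounded the upper side, so a future timestamp would have
    // extended the replay window without limit.
    $issuedAt = strtotime($timestamp);
    if ($issuedAt === false) {
        return false;
    }
    $timeDiff = time() - $issuedAt;
    if ($timeDiff > $maxAge || $timeDiff < 0) {
        return false;
    }

    // Integrity: recompute the HMAC and compare in constant time where the
    // runtime provides hash_equals() (PHP 5.6+).
    $expected = base64_encode(hash_hmac('sha512', at_canonical_request_string($timestamp, $publicKey), $privateKey, true));
    $given    = rawurldecode($signature);
    if (function_exists('hash_equals')) {
        return hash_equals($expected, $given);
    }
    return $given === $expected;
}
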
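/* Handle the deny / approve actions posted by the form below. */
if (isset($_GET['deny']) && isset($_GET['id'])) {
    // member_id is numeric, so pin it before it goes into the redirect URL.
    // NOTE(review): unlike the approve branch this one does not call
    // at_verify_request(); presumably admin_deny.php confirms the action
    // itself -- verify before relying on that.
    header('Location: admin_deny.php?id=' . intval($_GET['id']));
    exit;

} else if (isset($_GET['approve']) && isset($_GET['id'])) {
    // Verify the signed token first.  Missing fields are passed as '' so
    // at_verify_request() rejects them without undefined-index notices.
    $auth_token     = isset($_GET['auth_token'])     ? $_GET['auth_token']     : '';
    $auth_timestamp = isset($_GET['auth_timestamp']) ? $_GET['auth_timestamp'] : '';
    $auth_publicKey = isset($_GET['auth_publicKey']) ? $_GET['auth_publicKey'] : '';
    if (!at_verify_request($auth_token, $auth_timestamp, $auth_publicKey)) {
        $msg->addError('INVALID_AUTH_REQUEST');
        header('Location: instructor_requests.php');
        exit;
    }

    $id = intval($_GET['id']);

    /* remove the pending request */
    $sql = 'DELETE FROM ' . TABLE_PREFIX . 'instructor_approvals WHERE member_id=' . $id;
    mysql_query($sql, $db);
    write_to_log(AT_ADMIN_LOG_DELETE, 'instructor_approvals', mysql_affected_rows($db), $sql);

    /* promote the member; creation_date/last_login are assigned to themselves,
       presumably to keep MySQL from auto-updating TIMESTAMP columns */
    $sql = 'UPDATE ' . TABLE_PREFIX . 'members SET status=' . AT_STATUS_INSTRUCTOR . ', creation_date=creation_date, last_login=last_login WHERE member_id=' . $id;
    mysql_query($sql, $db);
    write_to_log(AT_ADMIN_LOG_UPDATE, 'members', mysql_affected_rows($db), $sql);

    /* notify the member that the request was approved */
    $sql    = "SELECT email, first_name, last_name FROM " . TABLE_PREFIX . "members WHERE member_id=$id";
    $result = mysql_query($sql, $db);
    if ($row = mysql_fetch_assoc($result)) {
        $to_email    = $row['email'];
        $tmp_message = '';   // was appended to uninitialised when both names are empty

        if ((string) $row['first_name'] !== '' || (string) $row['last_name'] !== '') {
            $tmp_message = $row['first_name'] . ' ' . $row['last_name'] . ",\n\n";
        }
        $tmp_message .= _AT('instructor_request_reply', AT_BASE_HREF);

        if ((string) $to_email !== '') {
            require(AT_INCLUDE_PATH . 'classes/phpmailer/atutormailer.class.php');

            $mail = new ATutorMailer;
            $mail->From    = $_config['contact_email'];
            $mail->AddAddress($to_email);
            $mail->Subject = _AT('instructor_request');
            $mail->Body    = $tmp_message;

            if (!$mail->Send()) {
                $msg->addError('SENDING_ERROR');
            }
            unset($mail);
        }
    }

    $msg->addFeedback('PROFILE_UPDATED_ADMIN');
} else if (!empty($_GET) && empty($_GET['submit'])) {
    // a form round-trip that selected no row (empty() avoids the notice the
    // bare index access raised when 'submit' is absent)
    $msg->addError('NO_ITEM_SELECTED');
}
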
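/* Authentication info for the signed form token: an issue time and a
   per-render nonce that at_sign_request() binds to the admin's key. */
$timestamp = gmdate("Y-m-d\TH:i:s\Z");
if (function_exists('random_bytes')) {
    // CSPRNG where the runtime has one (PHP 7+); mt_rand() output is predictable
    $publicKey = hash('sha256', random_bytes(32));
} else {
    $publicKey = hash('sha256', uniqid(mt_rand(), true));
}

require(AT_INCLUDE_PATH.'header.inc.php');

/* pending instructor requests joined with the requesting member */
$sql    = "SELECT M.login, M.first_name, M.last_name, M.email, M.member_id, A.* FROM ".TABLE_PREFIX."members M, ".TABLE_PREFIX."instructor_approvals A WHERE A.member_id=M.member_id ORDER BY M.login";
$result = mysql_query($sql, $db);
$num_pending = mysql_num_rows($result);
?>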
168
169 <form name="form" method="get" action="<?php echo $_SERVER['PHP_SELF']; ?>">
170 <table class="data" summary="" rules="cols">
171 <thead>
172 <tr>
173         <th scope="col">&nbsp;</th>
174         <th scope="col"><?php echo _AT('login_name');     ?></th>
175         <th scope="col"><?php echo _AT('first_name');   ?></th>
176         <th scope="col"><?php echo _AT('last_name');    ?></th>
177         <th scope="col"><?php echo _AT('email');        ?></th>
178         <th scope="col"><?php echo _AT('notes');        ?></th>
179 </tr>
180 </thead>
181 <tfoot>
182 <tr>
183         <td colspan="6">
184         <input type="hidden" name="auth_publicKey" value="<?php echo $publicKey; ?>" />
185         <input type="hidden" name="auth_timestamp" value="<?php echo $timestamp; ?>" />
186         <input type="hidden" name="auth_token" value="<?php echo at_sign_request($timestamp, $publicKey); ?>" />
187         <input type="submit" name="deny" value="<?php echo _AT('deny'); ?>" /> 
188         <input type="submit" name="approve" value="<?php echo _AT('approve'); ?>" /></td>
189 </tr>
190 </tfoot>
191 <tbody>
192 <?php
193         if ($row = mysql_fetch_assoc($result)) {
194                 do {
195                         echo '<tr onmousedown="document.form[\'i'.$row['member_id'].'\'].checked = true;rowselect(this);" id="r_'.$row['member_id'].'">';
196                         echo '<td><input type="radio" name="id" value="'.$row['member_id'].'" id="i'.$row['member_id'].'" /></td>';
197                         echo '<td><label for="i'.$row['member_id'].'">'.AT_print($row['login'], 'members.login').'</label></td>';
198                         echo '<td>'.AT_print($row['first_name'], 'members.first_name').'</td>';
199                         echo '<td>'.AT_print($row['last_name'], 'members.last_name').'</td>';
200                         echo '<td>'.AT_print($row['email'], 'members.email').'</td>';
201                         
202                         echo '<td>'.AT_print($row['notes'], 'instructor_approvals.notes').'</td>';
203
204                         echo '</tr>';
205                 } while ($row = mysql_fetch_assoc($result));
206         } else {
207                 echo '<tr><td colspan="6">'._AT('none_found').'</td></tr>';
208         }
209 ?>
210 </tbody>
211 </table>
212 </form>
213
214 <?php require(AT_INCLUDE_PATH.'footer.inc.php'); ?>