--- loncom/interface/groupsort.pm 2015/03/12 02:12:40 1.68.6.7 +++ loncom/interface/groupsort.pm 2016/11/22 15:55:40 1.68.6.8 @@ -2,7 +2,7 @@ # The LON-CAPA group sort handler # Allows for sorting prior to import into RAT. # -# $Id: groupsort.pm,v 1.68.6.7 2015/03/12 02:12:40 raeburn Exp $ +# $Id: groupsort.pm,v 1.68.6.8 2016/11/22 15:55:40 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -32,7 +32,7 @@ package Apache::groupsort; use strict; -use Apache::Constants qw(:common); +use Apache::Constants qw(:common :http); use GDBM_File; use Apache::loncommon; use Apache::lonlocal; 
@@ -203,16 +203,79 @@ sub handler { $r->send_http_header; return OK if $r->header_only; +# permissions checking + my ($allowed,$canedit,$context,$cid); + if ($env{'form.readfile'} =~ m{^/uploaded/($match_domain)/($match_courseid)/}) { + my ($cdom,$cnum) = ($1,$2); + $cid = $cdom.'_'.$cnum; + $context = 'course'; + if ((&Apache::lonnet::allowed('mdc',$cid)) || + (&Apache::lonnet::allowed('cev',$cid))) { + $allowed = 1; + } + } elsif ($env{'form.readfile'} =~ m{^/res/}) { + $context = 'res'; + if ((&Apache::lonnet::allowed('bre',$env{'form.readfile'})) || + (&Apache::lonnet::allowed('bro',$env{'form.readfile'}))) { + $allowed = 1; + } + } elsif (($env{'form.readfile'} eq '') && ($env{'form.acts'} ne '')) { + $allowed = 1; + } + if ($allowed) { + if ($env{'form.mode'} eq 'rat') { + if (&Apache::lonnet::allowed('are',$env{'request.role.domain'})) { + $canedit = 1; + } + } elsif (($env{'form.mode'} eq 'simple') || ($env{'form.mode'} eq '')) { + if ($context eq 'course') { + if (&Apache::lonnet::allowed('mdc',$cid)) { + $canedit = 1; + } + } elsif (($env{'request.course.id'}) && + (&Apache::lonnet::allowed('mdc',$env{'request.course.id'}))) { + $canedit = 1; + } elsif (&Apache::lonnet::allowed('are',$env{'request.role.domain'})) { + $canedit = 1; + } + } + } + + unless ($allowed) { + if ($context eq 'course') { + if ($env{'request.course.id'} eq $cid) { + $env{'user.error.msg'}= + "/adm/groupsort::0:1:Course environment gone, reinitialize the course"; + } else { + $env{'user.error.msg'}= + "/adm/groupsort:bre:0:0:Cannot view folder contents"; + } + } else { + $env{'user.error.msg'}= + "/adm/groupsort:bre:0:0:Cannot view map contents"; + } + return HTTP_NOT_ACCEPTABLE; + } + # finish_import looks different for graphical or "simple" RAT my $finishimport=''; my $begincondition=''; my $endcondition=''; + my $noedit; + unless ($canedit) { + if ($context eq 'course') { + $noedit = &js_escape(&mt('You do not have rights to edit the course.')); + } else { + $noedit = 
&js_escape(&mt('You do not have rights to edit map contents.')); + } + } if (($env{'form.readfile'})) { $begincondition='if (eval("document.forms.groupsort.include"+num+".checked")) {'; $endcondition='}'; } if ($env{'form.mode'} eq 'simple' || $env{'form.mode'} eq '') { - $finishimport=(< 1) || ($env{'form.readfile'})) { my %lt=&Apache::lonlocal::texthash( 'fin'=> 'Finalize order of resources', @@ -339,7 +421,7 @@ END if ($env{'form.recover'}) { $r->print(<  + onclick="finish_import()"$disabled />  END } else { @@ -354,7 +436,7 @@ END     + onclick="finish_import()"$disabled /> 
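Review bot: The new `# permissions checking` block sits after `$r->send_http_header;` and `return OK if $r->header_only;`, so a denied request has already had its response header sent before `return HTTP_NOT_ACCEPTABLE;` is reached, and a HEAD request returns OK without being checked at all. Moving the whole block above `$r->send_http_header;` would let the 406 and `user.error.msg` become the actual response; how the server treats an error status returned after the header is out is not visible here and is worth confirming. Separately, the `^/res/` branch passes the raw `$env{'form.readfile'}` to `&Apache::lonnet::allowed('bre',...)`, so unless the path is normalised earlier in `handler`, the string that is authorised and the file that is later read could differ. `sub handler` begins and ends outside this hunk.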
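Review bot: Appending `$disabled` to the `onclick="finish_import()"` buttons enforces the `$canedit` decision only in markup, which a client is free to ignore. The same applies to the second button hunk at -354 and to the `&checkbox($ctr-1,$disabled)` and `&select_box($clen,$ctr,$disabled)` hunks further down. Whichever handler receives the finished import is not part of this diff, so it is worth confirming that it repeats the `mdc`/`are` check server-side. A comment next to the `$noedit` assignment would record this, for example `# $disabled/$noedit are presentation only; the import target must re-check edit rights`. Where `$disabled` is assigned is not visible on this page.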
@@ -404,7 +486,7 @@ END $r->print(&Apache::loncommon::start_data_table_row() .""); if (($env{'form.readfile'})) { - $r->print(&checkbox($ctr-1)); + $r->print(&checkbox($ctr-1,$disabled)); } else { $r->print(&movers($clen,$ctr)); } @@ -415,7 +497,7 @@ END $r->print(""); unless (($env{'form.readfile'})) { $r->print("". - &select_box($clen,$ctr). + &select_box($clen,$ctr,$disabled). ""); } $r->print(""); @@ -485,10 +567,10 @@ END # ------------------------------------------ Select box (returns scalar string) sub select_box { - my ($total,$sel) = @_; + my ($total,$sel,$disabled) = @_; my $string; $string = ''.&mt('Include').''; + $disabled.' />'.&mt('Include').''; } 1; 500 Internal Server Error
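Review bot: `select_box` now takes a third argument, but its header comment still says only `Select box (returns scalar string)`, and both it and `checkbox` concatenate `$disabled` straight into the tag (`$disabled.' />'`). I would document the contract above each sub, for example `# $disabled: '' or a fixed attribute string set by handler; never request data`, so a later caller does not pass unescaped input into the markup. Most of the tag text in this hunk was lost in extraction, so the exact attribute position is inferred from the surviving `' />'` fragment.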
