--- loncom/interface/spreadsheet/lonspreadsheet.pm 2003/06/18 19:44:22 1.11
+++ loncom/interface/spreadsheet/lonspreadsheet.pm 2003/07/16 13:52:19 1.16
@@ -1,5 +1,5 @@
 #
-# $Id: lonspreadsheet.pm,v 1.11 2003/06/18 19:44:22 matthew Exp $
+# $Id: lonspreadsheet.pm,v 1.16 2003/07/16 13:52:19 matthew Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -238,32 +238,53 @@ sub handler {
 $name = $ENV{'form.sname'};
 $domain = $ENV{'form.sdomain'};
 }
- #
- # Open page, try to prevent browser cache.
- #
- $r->content_type('text/html');
- $r->header_out('Cache-control','no-cache');
- $r->header_out('Pragma','no-cache');
- $r->send_http_header;
 ##
 ## Check permissions
 my $allowed_to_edit = &Apache::lonnet::allowed('mgr',
 $ENV{'request.course.id'});
+ # Only those instructors/tas/whatevers with complete access
+ # (not section restricted) are able to modify spreadsheets.
 my $allowed_to_view = &Apache::lonnet::allowed('vgr',
 $ENV{'request.course.id'});
-
+ if (! $allowed_to_view) {
+ $allowed_to_view = &Apache::lonnet::allowed('vgr',
+ $ENV{'request.course.id'}.'/'.$ENV{'request.course.sec'});
+ # Those who are restricted by section are allowed to view.
+ # The routines in lonstatistics which decide which students'
+ # will be shown take care of the restriction by section.
+ }
 #
 # Only those able to view others grades will be allowed to continue
 # if they are not requesting their own.
- if (($sheettype eq 'classcalc') ||
- ($name ne $ENV{'user.name'} ) ||
- ($domain ne $ENV{'user.domain'})) {
+ if ($sheettype eq 'classcalc') {
 if (! $allowed_to_view) {
- $r->print('

Access Permission Denied

'.
- '');
- return OK;
+ $ENV{'user.error.msg'}=
+ $r->uri.":vgr:0:0:Access Permission Denied";
+ return HTTP_NOT_ACCEPTABLE;
+ }
+ }
+ if ((($name ne $ENV{'user.name'} ) ||
+ ($domain ne $ENV{'user.domain'})) && $sheettype ne 'classcalc') {
+ # Check that the student is in their section?
+ if (exists($ENV{'request.course.sec'}) &&
+ $ENV{'request.course.sec'} ne '' ) {
+ my $stu_sec = &Apache::lonnet::usection($domain,$name,
+ $ENV{'request.course.id'});
+ if ($stu_sec ne $ENV{'request.course.sec'}) {
+ $ENV{'user.error.msg'}=
+ $r->uri.":vgr:0:0:Requested student not in your section.";
+ return HTTP_NOT_ACCEPTABLE;
+ }
 }
 }
+
+ #
+ # Open page, try to prevent browser cache.
+ #
+ $r->content_type('text/html');
+ &Apache::loncommon::no_cache($r);
+ $r->send_http_header;
+
 #
 # Header....
 #
@@ -376,7 +397,8 @@ ENDSCRIPT
 } $r->print(''. '
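Review bot: The rewritten permission check drops the `$allowed_to_view` guard for the non-classcalc case: when `$name`/`$domain` name another user, the new block only compares sections, and skips even that when `request.course.sec` is empty, so a requester with no vgr privilege is no longer turned away before the sheet is rendered, whereas the old condition denied any other-user request lacking `$allowed_to_view`. Unless a later check outside this hunk covers it, the second `if` should begin with `if (! $allowed_to_view) { $ENV{'user.error.msg'} = $r->uri.":vgr:0:0:Access Permission Denied"; return HTTP_NOT_ACCEPTABLE; }` before the section comparison. Separately, the section-scoped `allowed('vgr', ...)` fallback is built from `request.course.sec` even when that value is empty; reusing the same non-empty test applied further down would avoid querying a privilege on a bare `course.id/` key. The enclosing handler starts before this hunk and continues after it.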
'.$spreadsheet->html_header().''.$html."
\n"); - $r->print(<print(< Last Action:   @@ -384,6 +406,7 @@ ENDSCRIPT END + } $r->rflush(); } else { $r->print('
'.$spreadsheet->html_header().
@@ -391,7 +414,7 @@ END
 }
 $r->rflush();
 #
- if (! exists($ENV{'form.not_first_run'}) && $sheettype eq 'classcalc') {
+ if ($sheettype eq 'classcalc') {
 $r->print('
');
 }
 #
@@ -406,6 +429,7 @@ END
 if ($allowed_to_view || $allowed_to_edit) {
 $r->print($spreadsheet->parent_link());
 }
+ $r->rflush();
 $spreadsheet->display($r);
 }
 $r->print('');