From 64143437a294aa4e0e94d60e79ba3ac677c40e5b Mon Sep 17 00:00:00 2001 From: cassio Date: Mon, 7 Sep 2015 17:26:39 +0100 Subject: security fix and staff restrictions --- src/staff/task.php | 47 ++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 44 insertions(+), 3 deletions(-) (limited to 'src/staff/task.php') diff --git a/src/staff/task.php b/src/staff/task.php index 640eae1..a447429 100644 --- a/src/staff/task.php +++ b/src/staff/task.php @@ -15,7 +15,7 @@ // You should have received a copy of the GNU General Public License // along with this program. If not, see . //////////////////////////////////////////////////////////////////////////////// -// Last modified 05/aug/2012 by cassio@ime.usp.br +// Last modified 07/sep/2015 by cassio@ime.usp.br require('header.php'); if(($ct = DBContestInfo($_SESSION["usertable"]["contestnumber"])) == null) @@ -67,8 +67,49 @@ if (($s=DBSiteInfo($_SESSION["usertable"]["contestnumber"],$_SESSION["usertable" $task = DBOpenTasksInSites($_SESSION["usertable"]["contestnumber"], $s["sitetasking"]); +$ds = DIRECTORY_SEPARATOR; +if($ds=="") $ds = "/"; +$limittasks=false; +if(is_readable($_SESSION["locr"] . $ds . 'private' . $ds . 'score.sep')) { + $limittasks=true; + $rf=file($_SESSION["locr"] . $ds . 'private' . $ds . 'score.sep'); + for($rfi=1;$rfi<=count($rf);$rfi++) { + $lin = explode('#',trim($rf[$rfi-1])); + if(isset($lin[1]) && $_SESSION["usertable"]["usertype"]!='admin') { + $arr=explode(' ',trim($lin[1])); + for($arri=0;$arri=count($arr)) continue; + } + $lin = trim($lin[0]); + if($lin=='') continue; + $grname=explode(' ',$lin); + + for ($i=0; $i= 1) { + $u1 = explode('/',$grname[$k]); + if(isset($u1[1]) && $task[$i]["user"] >= $u1[0] && $task[$i]["user"] <= $u1[1]) { + if(!isset($u1[2]) || $u1[2]==$task[$i]["site"]) { + $task[$i]["ok"]=true; + break; + } + } + } + } + } + } +} + +$anyprinted=false; for ($i=0; $i\n"; } echo ""; -if (count($task) == 0) echo "
NO TASKS FOUND
"; +if (!$anyprinted) echo "
NO TASKS FOUND
"; ?> -- cgit v1.2.3