From: Sam H. v. a. <we...@ma...> - 2005-10-02 18:09:22
Log Message: ----------- give user an error message if they can't act as another user. see bug #846. Modified Files: -------------- webwork2/lib: WeBWorK.pm Revision Data ------------- Index: WeBWorK.pm =================================================================== RCS file: /webwork/cvs/system/webwork2/lib/WeBWorK.pm,v retrieving revision 1.75 retrieving revision 1.76 diff -Llib/WeBWorK.pm -Llib/WeBWorK.pm -u -r1.75 -r1.76 --- lib/WeBWorK.pm +++ lib/WeBWorK.pm 
@@ -234,44 +234,41 @@ debug("Now we deal with the effective user:\n"); my $eUserID = $r->param("effectiveUser") || $userID; debug("userID=$userID eUserID=$eUserID\n"); - # FIXME: hasPermissions does nothing with $eUserID, and lately we want it to - # only accept two arguments, so we're removing $eUserID from this call. - #my $su_authorized = $authz->hasPermissions($userID, "become_student", $eUserID); - my $su_authorized = $authz->hasPermissions($userID, "become_student"); - if ($su_authorized) { - debug("Ok, looks like you're allowed to become $eUserID. Whoopie!\n"); - } else { - debug("Uh oh, you're not allowed to become $eUserID. Nice try!\n"); - $eUserID = $userID; + if ($userID ne $eUserID) { + debug("userID and eUserID differ... seeing if userID has 'become_student' permission.\n"); + my $su_authorized = $authz->hasPermissions($userID, "become_student"); + if ($su_authorized) { + debug("Ok, looks like you're allowed to become $eUserID. Whoopie!\n"); + } else { + debug("Uh oh, you're not allowed to become $eUserID. Nice try!\n"); + $eUserID = $userID; + $r->notes("authen_error" => "You do not have permission to become another user."); + $displayModule = AUTHEN_MODULE; + } } + + # set effectiveUser in case it was changed or not set to begin with $r->param("effectiveUser" => $eUserID); - # if we're doing a proctored test, after the user has been authenticated - # we need to also check on the proctor. note that in the gateway quiz - # module we double check this, to be sure that someone isn't taking a - # proctored quiz but calling the unproctored ContentGenerator + + # if we're doing a proctored test, after the user has been authenticated + # we need to also check on the proctor. 
note that in the gateway quiz + # module we double check this, to be sure that someone isn't taking a + # proctored quiz but calling the unproctored ContentGenerator my $urlProducedPath = $urlPath->path(); - if ( $urlProducedPath =~ /proctored_quiz_mode/i ) { my $procAuthOK = $authen->verifyProctor(); - if ( $procAuthOK ) { - my $proctorUserID = $r->param("proctor_user"); - my $proctor_authorized = - $authz->hasPermissions($proctorUserID, - "proctor_quiz", $userID); - if ( ! $proctor_authorized ) { - $r->notes("authen_error", - "Proctor $proctorUserID is not " . - "authorized to proctor tests in " . - "this course."); - $displayModule = PROCTOR_AUTHEN_MODULE; + if ($procAuthOK) { + my $proctorUserID = $r->param("proctor_user"); + my $proctor_authorized = $authz->hasPermissions($proctorUserID, "proctor_quiz"); + unless ($proctor_authorized) { + $r->notes("authen_error", "User $proctorUserID is not authorized to proctor tests in this course."); + $displayModule = PROCTOR_AUTHEN_MODULE; + } + } else { + $displayModule = PROCTOR_AUTHEN_MODULE; } - - } else { - $displayModule = PROCTOR_AUTHEN_MODULE; - } } - } else { debug("Bad news: authentication failed!\n"); $displayModule = AUTHEN_MODULE; |
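Review bot: The impersonation check in the new `if ($userID ne $eUserID)` block is still target-agnostic: `$authz->hasPermissions($userID, "become_student")` never looks at `$eUserID`, which comes straight from the `effectiveUser` request parameter. Unless code outside this hunk restricts it, any account holding `become_student` can act as any user ID, including one with more privileges than its own. The commit also deletes the FIXME that recorded this gap, so I would keep a marker above the call, for example `# FIXME: authorization ignores $eUserID; the target's permission level is never compared with the caller's`. The same applies to the proctor branch, where `hasPermissions($proctorUserID, "proctor_quiz")` drops the `$userID` argument. A refused attempt is reported only through `debug()`, so a persistent log entry naming `$userID` and the requested ID would let operators see repeated attempts; the enclosing authentication block starts and ends outside this hunk.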