This is an access callback. Can the user view the advising session specified in the REQUEST?

File

modules/advise/advise.module, line 470

Code

function advise_user_can_view_advising_session_access_callback() {
  global $user;

  if (user_has_permission("view_any_advising_session")) {
    return TRUE;
  }

  if (user_has_permission("view_own_advising_session")) {
    // The user is only allowed to view their OWN advising sessions.
    // So, make sure this advising session belongs to them!
    $advising_session_id = $_REQUEST ["advising_session_id"];
    // make sure this belongs to $user->cwid;
    // First, what was the student's CWID associated with that advising_session_id?
    $res = db_query("SELECT student_id FROM advising_sessions
                     WHERE advising_session_id = '?' ", $advising_session_id);
    $cur = db_fetch_array($res);
    if ($user->cwid == $cur ["student_id"]) {
      return TRUE;
    }
  }

  return FALSE;
}