if(is_bool($users) && is_bool($groups) && is_bool($courses)) {
return false;
}
+
if(is_array($users) && !empty($users)) {
// Events from a number of users
if(!empty($whereclause)) $whereclause .= ' OR';
// No user at all
// No need to do anything
}
+
if(is_array($groups) && !empty($groups)) {
// Events from a number of groups
if(!empty($whereclause)) $whereclause .= ' OR';
if(!empty($whereclause)) $whereclause .= ' OR ';
$whereclause .= ' groupid != 0';
}
+ // boolean false (no groups at all): we don't need to do anything
+
if(is_array($courses)) {
// A number of courses (maybe none at all!)
if(!empty($courses)) {
$whereclause .= ' groupid = 0 AND courseid != 0';
}
+ // Security check: if, by now, we have NOTHING in $whereclause, then it means
+ // that NO event-selecting clauses were defined. Thus, we won't be returning ANY
+ // events no matter what. Allowing the code to proceed might return a completely
+ // valid query with only time constraints, thus selecting ALL events in that time frame!
+ if(empty($whereclause)) {
+ return false;
+ }
+
if ($ignorehidden) {
if (!empty($whereclause)) $whereclause .= ' AND';
$whereclause .= ' visible = 1';
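Review bot: The added `if(empty($whereclause)) { return false; }` introduces a second `false` return path (the `is_bool(...)` quick test at the top already returns `false`), and nothing in the hunk tells callers that the result can be `false` rather than an empty result set; a caller that iterates or counts the return value would presumably misbehave on `false`. The function header is outside this hunk; it should carry a line such as `@return array|false  matching event records, or false when no user/group/course selector produced a WHERE clause (nothing can match)`. The guard also relies on every selector branch appending to `$whereclause`, so the comment above it could add `// Every selector branch above must append to $whereclause, or this guard will reject valid requests.` to protect the invariant for future edits. Minor style point: the rewritten `' OR '` on the groups branch now differs from `' OR'` on the users branch and `' AND'` below, producing a double space in the SQL; the three should agree.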
require_once($CFG->dirroot.'/course/lib.php');
require_once($CFG->dirroot.'/calendar/lib.php');
- optional_variable($_GET['view'], 'upcoming');
optional_variable($_GET['course'], 0);
- optional_variable($_GET['cal_d']);
- optional_variable($_GET['cal_m']);
- optional_variable($_GET['cal_y']);
if(!$site = get_site()) {
redirect($CFG->wwwroot.'/'.$CFG->admin.'/index.php');
$nav = calendar_get_link_tag(get_string('calendar', 'calendar'), CALENDAR_URL.'view.php?view=upcoming&', $now['mday'], $now['mon'], $now['year']);
- // Make sure that the GET variables are correct
- $day = intval($_GET['cal_d']);
- $mon = intval($_GET['cal_m']);
- $yr = intval($_GET['cal_y']);
+ optional_param('view', 'upcoming');
+ optional_param('cal_d', 0, PARAM_INT);
+ optional_param('cal_m', 0, PARAM_INT);
+ optional_param('cal_y', 0, PARAM_INT);
+ $day = $cal_d;
+ $mon = $cal_m;
+ $yr = $cal_y;
+
if(!checkdate($mon, $day, $yr)) {
$day = intval($now['mday']);
$mon = intval($now['mon']);
}
$time = mktime(0, 0, 0, $mon, $day, $yr);
- switch($_GET['view']) {
+ switch($view) {
case 'day':
$text = strftime(get_string('strftimedate'), $time);
if($text[0] == '0') {
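Review bot: The return values of the four new `optional_param(...)` calls are discarded, and `$view`, `$cal_d`, `$cal_m` and `$cal_y` are never assigned anywhere in this hunk before `$day = $cal_d;`, `$mon = $cal_m;`, `$yr = $cal_y;` and `switch($view)` read them. If `optional_param()` returns the cleaned value rather than setting a variable (its default-argument signature suggests it does), the PARAM_INT cleaning is thrown away and the script either reads undefined variables or, with register_globals enabled, the raw request values, which defeats the point of the change. The later `switch($view)` and `calendar_filter_controls($view, $getvars)` hunks read the same unassigned `$view`. Assigning the results directly to the variables the code uses also removes the intermediate `$cal_*` copies.
```php
$view = optional_param('view', 'upcoming');
$day  = optional_param('cal_d', 0, PARAM_INT);
$mon  = optional_param('cal_m', 0, PARAM_INT);
$yr   = optional_param('cal_y', 0, PARAM_INT);

// … unchanged: checkdate() fallback to $now, $time = mktime(...) …
```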
echo '<td style="vertical-align: top; width: 100%;">';
- switch($_GET['view']) {
+ switch($view) {
case 'day':
calendar_show_day($day, $mon, $yr, $courses, $groups, $users);
break;
list($prevmon, $prevyr) = calendar_sub_month($mon, $yr);
list($nextmon, $nextyr) = calendar_add_month($mon, $yr);
$getvars = 'cal_d='.$day.'&cal_m='.$mon.'&cal_y='.$yr; // For filtering
- echo calendar_filter_controls($_GET['view'], $getvars);
+ echo calendar_filter_controls($view, $getvars);
echo '<div style="margin: 10px 0px;">';
echo calendar_top_controls('display', array('m' => $prevmon, 'y' => $prevyr));
echo calendar_get_mini($courses, $groups, $users, $prevmon, $prevyr);