MDL-18059 database rates - secured ; merged from 19_STABLE

diff --git a/lang/en_utf8/data.php b/lang/en_utf8/data.php
index 823fcc75f6c2236ac45f45bdac9058112779c1c8..cd9aa964076bfc26395eaff66d0ea266b9bd43b5 100644 (file)
--- a/lang/en_utf8/data.php
+++ b/lang/en_utf8/data.php
@@ -147,6 +147,7 @@ $string['invalidfieldname'] = 'Please choose another name for this field';
 $string['invalidfieldtype'] = 'Field Type is incorrect';
 $string['invalidid'] = 'Incorrect data ID';
 $string['invalidpreset'] = '$a is not a preset.';
+$string['invalidrate'] = 'Invalid database rate ($a)';
 $string['invalidratedata'] = 'Incorrect submitted ratings data';
 $string['invalidrecord'] = 'Incorrect record';
 $string['invalidurl'] = 'The URL you just entered is not valid';

diff --git a/mod/data/rate.php b/mod/data/rate.php
index 45155a25cfeefb406e12db8ff09901d74d72367a..4faaf5d48674abc285290c1172d94ff34eb29e9f 100755 (executable)
--- a/mod/data/rate.php
+++ b/mod/data/rate.php
@@ -33,6 +33,9 @@
         print_error('invalidaccess', 'data');
     }
 
+/// Calculate scale values
+    $scale_values = make_grades_menu($data->scale);
+
     $count = 0;
 
     foreach ((array)$frmdata as $recordid => $rating) {
@@ -52,6 +55,11 @@
             continue;
         }
 
+    /// Check rate is valid for that database scale values
+        if (!array_key_exists($rating, $scale_values) && $rating != -999) {
+            print_error('invalidrate', 'data', '', $rating);
+        }
+
         // input validation ok
 
         $count++;