MDL-10288, adding some fields for grade item edit and security fixes for grader report

diff --git a/grade/report/grader/edit_item.php b/grade/report/grader/edit_item.php
index a9a2918aea0adf9e22d14e224392af9f82394b63..1da18656a6ca0b6ed665d6a3fc3ad985a4d55eeb 100644 (file)
--- a/grade/report/grader/edit_item.php
+++ b/grade/report/grader/edit_item.php
@@ -1,8 +1,8 @@
 <?php  //$Id$
-
 require_once '../../../config.php';
 require_once $CFG->libdir.'/gradelib.php';
 require_once $CFG->libdir.'/formslib.php';
+require_once ('edit_item_form.php');
 
 $courseid = required_param('courseid', PARAM_INT);
 $id       = optional_param('id', 0, PARAM_INT);
@@ -19,8 +19,7 @@ $context = get_context_instance(CONTEXT_COURSE, $course->id);
 // default return url
 $returnurl = 'category.php?id='.$course->id;
 
-
-$mform = new edit_item_form();
+$mform = new edit_item_form(qualified_me(), array('id'=>$id));
 if ($item = get_record('grade_items', 'id', $id, 'courseid', $course->id)) {
     $mform->set_data($item);
 } else {
@@ -44,7 +43,6 @@ if ($mform->is_cancelled()) {
     redirect($returnurl);
 }
 
-
 $strgrades       = get_string('grades');
 $strgraderreport = get_string('graderreport', 'grades');
 $stritemsedit    = get_string('itemsedit', 'grades');
@@ -60,31 +58,4 @@ print_header_simple($strgrades . ': ' . $strgraderreport, ': ' . $stritemsedit,
 
 $mform->display();
 
-print_footer($course);
-die;
-
-
-class edit_item_form extends moodleform {
-    function definition() {
-        $mform =& $this->_form;
-
-        // visible elements
-        $mform->addElement('text', 'itemname', get_string('itemname', 'grades'));
-
-        //TODO: add other elements
-
-        // hidden params
-        $mform->addElement('hidden', 'id', 0);
-        $mform->setType('id', PARAM_INT);
-
-        $mform->addElement('hidden', 'courseid', 0);
-        $mform->setType('courseid', PARAM_INT);
-
-        $mform->addElement('hidden', 'itemtype', 0);
-        $mform->setType('itemtype', PARAM_ALPHA);
-
-//-------------------------------------------------------------------------------
-        // buttons
-        $this->add_action_buttons();
-    }
-}
\ No newline at end of file
+print_footer($course);
\ No newline at end of file

diff --git a/grade/report/grader/edit_item_form.php b/grade/report/grader/edit_item_form.php
new file mode 100644 (file)
index 0000000..d933762
--- /dev/null
+++ b/grade/report/grader/edit_item_form.php
@@ -0,0 +1,54 @@
+<?php
+class edit_item_form extends moodleform {
+    function definition() {
+        $mform =& $this->_form;
+    
+        if ($id = $this->_customdata['id']) { // grade item id, if known
+            $item = get_record('grade_items', 'id', $id);
+        } else {
+            $item = NULL;
+        }
+              
+        $mform->addElement('header', 'general', get_string('gradeitem', 'form'));
+        // visible elements
+        $mform->addElement('text', 'itemname', get_string('itemname', 'grades'));
+        $mform->addElement('text', 'iteminfo', get_string('iteminfo', 'grades'));
+        $mform->addElement('text', 'idnumber', get_string('idnumber'));
+        $mform->addElement('text', 'grademax', get_string('grademax', 'grades'));
+        $mform->addElement('text', 'grademin', get_string('grademin', 'grades'));
+        $mform->addElement('text', 'gradepass', get_string('gradepass', 'grades'));
+        $mform->addElement('text', 'multfactor', get_string('multfactor', 'grades'));
+        $mform->addElement('text', 'plusfactor', get_string('plusfactor', 'grades'));
+        $mform->addElement('checkbox', 'locked', get_string('locked', 'grades'));
+        
+        // new grade item, or existing manual grade item(?)
+        if (!$id || (!empty($item->scaleid) && $item->type == 'manual')) {
+            if ($scales = get_records('scale')) {
+                $soptions = array(0=>get_string('usenoscale', 'grades'));
+                foreach ($scales as $scale) {
+                    $soptions[$scale->id] = $scale->name;
+                }
+                $mform->addElement('select', 'scaleid', get_string('scale'), $soptions);
+            }
+        }
+
+        $mform->addElement('date_time_selector', 'locktime', get_string('locktime', 'grades'), array('optional'=>true));
+
+        // TOOD: outcomeid/calculations (only for new/manual/category?)
+
+        // hidden params
+        $mform->addElement('hidden', 'id', 0);
+        $mform->setType('id', PARAM_INT);
+
+        $mform->addElement('hidden', 'courseid', 0);
+        $mform->setType('courseid', PARAM_INT);
+
+        $mform->addElement('hidden', 'itemtype', 0);
+        $mform->setType('itemtype', PARAM_ALPHA);
+
+//-------------------------------------------------------------------------------
+        // buttons
+        $this->add_action_buttons();
+    }
+}
+?>
\ No newline at end of file

diff --git a/grade/report/grader/index.php b/grade/report/grader/index.php
index fad4bf4ca238a5744686badc91d182e7747f9dd4..4598209a250249752f4a9006514e8f4ac48c74fa 100644 (file)
--- a/grade/report/grader/index.php
+++ b/grade/report/grader/index.php
@@ -13,18 +13,21 @@ $strsortdesc = get_string('sortdesc', 'grades');
 
 if ($data = data_submitted()) {
     foreach ($data as $varname => $postedgrade) {
+        
+        // clean posted values
+        $postedgrade = clean_param($postedgrade, PARAM_NUMBER);      
+        $varname = clean_param($varname, PARAM_RAW);
+        
         // skip, not a grade
         if (!strstr($varname, 'grade')) {
             continue;
         }
-        // clean
-        $postedgrade = clean_param($postedgrade, PARAM_NUMBER);
 
         $gradeinfo = explode("_", $varname);
 
         $grade = new object();
-        $grade->userid = $gradeinfo[1];
-        $gradeitemid = $gradeinfo[2];
+        $grade->userid = clean_param($gradeinfo[1], PARAM_INT);
+        $gradeitemid = clean_param($gradeinfo[2], PARAM_INT);
         $grade->rawgrade = $postedgrade;
 
         // put into grades array