<input type="hidden" name="action" value="insertpage">
<input type="hidden" name="pageid" value="<?PHP echo $pageid ?>" />
<input type="hidden" name="qtype" value="<?PHP echo LESSON_BRANCHTABLE ?>" />
+ <input type="hidden" name="sesskey" value="<?PHP echo $USER->sesskey ?>" />
<center><table cellpadding=5 border=1>
<tr><td align="center">
<tr valign="top">
error("Only teachers can look at this page");
}
+ confirm_sesskey();
+
// first get the preceeding page
$pageid = required_param('pageid', PARAM_INT);
if (!isteacher($course->id)) {
error("Only teachers can look at this page");
}
+
+ confirm_sesskey();
// first get the preceeding page
// if $pageid = 0, then we are inserting a new page at the beginning of the lesson
error("Only teachers can look at this page");
}
+ confirm_sesskey();
+
// first get the preceeding page
$pageid = required_param('pageid', PARAM_INT);
<input type="hidden" name="id" value="<?PHP echo $cm->id ?>">
<input type="hidden" name="action" value="insertpage">
<input type="hidden" name="pageid" value="<?PHP echo $pageid ?>">
+ <input type="hidden" name="sesskey" value="<?PHP echo $USER->sesskey ?>">
<center><table cellpadding=5 border=1>
<?php
echo "<tr><td align=\"center\"><b>";
echo get_string("questiontype", "lesson").":</b> \n";
echo helpbutton("questiontype", get_string("questiontype", "lesson"), "lesson")."<br>";
if (isset($_GET['qtype'])) {
- lesson_qtype_menu($LESSON_QUESTION_TYPE, $_GET['qtype'],
+ $qtype = clean_param($_GET['qtype'], PARAM_INT);
+ lesson_qtype_menu($LESSON_QUESTION_TYPE, $qtype,
"lesson.php?id=$cm->id&action=addpage&pageid=".$pageid.$linkadd);
// NoticeFix rearraged
- if ( $_GET['qtype'] == LESSON_SHORTANSWER || $_GET['qtype'] == LESSON_MULTICHOICE || !isset($_GET['qtype']) ) { // only display this option for Multichoice and shortanswer
- if ($_GET['qtype'] == LESSON_SHORTANSWER) {
+ if ( $qtype == LESSON_SHORTANSWER || $qtype == LESSON_MULTICHOICE ) { // only display this option for Multichoice and shortanswer
+ if ($qtype == LESSON_SHORTANSWER) {
echo "<br><br><b>".get_string("casesensitive", "lesson").":</b> \n";
} else {
echo "<br><br><b>".get_string("multianswer", "lesson").":</b> \n";
if (!isteacher($course->id)) {
error("Only teachers can look at this page");
}
+
+ confirm_sesskey();
$pageid = required_param('pageid', PARAM_INT);
if (!$thispage = get_record("lesson_pages", "id", $pageid)) {
}
}
notice_yesno(get_string("confirmdeletionofthispage","lesson"),
- "lesson.php?action=delete&id=$cm->id&pageid=$pageid",
+ "lesson.php?action=delete&id=$cm->id&pageid=$pageid&sesskey=".$USER->sesskey,
"view.php?id=$cm->id");
}
/****************** continue ************************************/
elseif ($action == 'continue' ) {
+
+ confirm_sesskey();
+
//CDC Chris Berri added this echo call for left menu. must match that in view.php for styles
if ($lesson->displayleft) {
echo '<div class="leftmenu1">';
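Review bot: `confirm_sesskey()` on line 66 makes the token mandatory for every entry into `action=continue`, which is a student-facing navigation action, not a teacher-only one like the other handlers in this patch. The answer form at lines 151-154 is updated to carry the hidden `sesskey`, but any other link or form in the module that targets `action=continue` (branch-table buttons, "next page" links) and is not touched by this patch will now fail for students, so grep for the action name before merging. The handler's body continues past the end of the hunk.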
if (!isteacher($course->id)) {
error("Only teachers can look at this page");
}
+
+ confirm_sesskey();
if (empty($_GET['pageid'])) {
error("Delete: pageid missing");
<input type="hidden" name="id" value="<?PHP echo $cm->id ?>">
<input type="hidden" name="action" value="updatepage">
<input type="hidden" name="pageid" value="<?PHP echo $pageid ?>">
+ <input type="hidden" name="sesskey" value="<?PHP echo $USER->sesskey ?>">
<input type="hidden" name="redisplay" value="0">
<center><table cellpadding=5 border=1>
<?php
lesson_choose_from_menu($jump, "jumpto[$i]", 0, "");
helpbutton("jumpto", get_string("jump", "lesson"), "lesson");
if($lesson->custom) {
- echo get_string("score", "lesson")." $iplus1: <input type=\"text\" name=\"score[$i]\" value=\"-1\" size=\"5\">";
+ echo get_string("score", "lesson")." $iplus1: <input type=\"text\" name=\"score[$i]\" value=\"0\" size=\"5\">";
}
echo "</td></tr>\n";
break;
error("Only teachers can look at this page");
}
+ confirm_sesskey();
+
$timenow = time();
$form = lesson_clean_data_submitted();
}
echo "<center><table cellpadding=\"5\" border=\"1\">\n";
- echo "<tr><td><a href=\"lesson.php?id=$cm->id&action=moveit&pageid=$pageid&after=0\"><small>".
+ echo "<tr><td><a href=\"lesson.php?id=$cm->id&sesskey=".$USER->sesskey."&action=moveit&pageid=$pageid&after=0\"><small>".
get_string("movepagehere", "lesson")."</small></a></td></tr>\n";
while (true) {
if ($page->id != $pageid) {
$title = "<< ".get_string("notitle", "lesson")." >>";
}
echo "<tr><td bgcolor=\"$THEME->cellheading2\"><b>$title</b></td></tr>\n";
- echo "<tr><td><a href=\"lesson.php?id=$cm->id&action=moveit&pageid=$pageid&after={$page->id}\"><small>".
+ echo "<tr><td><a href=\"lesson.php?id=$cm->id&sesskey=".$USER->sesskey."&action=moveit&pageid=$pageid&after={$page->id}\"><small>".
get_string("movepagehere", "lesson")."</small></a></td></tr>\n";
}
if ($page->nextpageid) {
error("Only teachers can look at this page");
}
+ confirm_sesskey();
+
$pageid = required_param('pageid', PARAM_INT); // page to move
if (!$page = get_record("lesson_pages", "id", $pageid)) {
error("Moveit: page not found");
error("Only teachers can look at this page");
}
+ confirm_sesskey();
+
$timenow = time();
$form = lesson_clean_data_submitted();
require_once('locallib.php');
require_once('lib.php');
- require_variable($id); // Course Module ID
- optional_variable($pageid); // Lesson Page ID
+ $id = required_param('id', PARAM_INT); // Course Module ID
+ $pageid = optional_param('pageid', NULL, PARAM_INT); // Lesson Page ID
if (! $cm = get_record('course_modules', 'id', $id)) {
error('Course Module ID was incorrect');
if (isteacheredit($course->id)) {
$button = '<table><tr><td>';
$button .= '<form target="'. $CFG->framename .'" method="get" action="'. $CFG->wwwroot .'/course/mod.php">'.
- '<input type="hidden" name="sesskey" value="'. $USER->sesskey .'" />'.
+ '<input type="hidden" name="sesskey" value="'. $USER->sesskey .'" />'.
'<input type="hidden" name="update" value="'. $cm->id .'" />'.
'<input type="hidden" name="return" value="true" />'.
'<input type="submit" value="'. get_string('editlessonsettings', 'lesson') .'" /></form>';
if ($lesson->usepassword && !isteacher($course->id)) {
$correctpass = false;
if (isset($_POST['userpassword'])) {
- if ($lesson->password == md5(trim($_POST['userpassword']))) {
+ if ($lesson->password == md5(trim(clean_param($_POST['userpassword'], PARAM_CLEAN)))) {
$USER->lessonloggedin[$lesson->id] = true;
$correctpass = true;
}
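Review bot: `clean_param(..., PARAM_CLEAN)` on line 147 alters the submitted password before it is hashed — PARAM_CLEAN is an HTML/text cleaner, not an identity transform — so any lesson password containing characters the cleaner strips or rewrites (`<`, `>`, `&`, possibly quotes depending on the clean_param implementation) will no longer match the stored `md5()`. The value is only hashed here and never echoed or placed in a query, so cleaning adds no protection; hash the trimmed raw value and compare with `===`, because loose `==` on hex digests has the `0e…` numeric-string pitfall: `if ($lesson->password === md5(trim($_POST['userpassword']))) {`. Nothing in the hunk limits repeated guesses; whether the surrounding code does is outside the hunk.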
echo "<input type=\"hidden\" name=\"id\" value=\"$cm->id\" />";
echo "<input type=\"hidden\" name=\"action\" value=\"continue\" />";
echo "<input type=\"hidden\" name=\"pageid\" value=\"$pageid\" />";
+ echo "<input type=\"hidden\" name=\"sesskey\" value=\"".$USER->sesskey."\" />";
/// CDC-FLAG ///
if (!$lesson->slideshow || $page->qtype != 20) {
print_simple_box_start("center");
echo "</div>";
} else {
if(isset($_GET['display']) && !isset($_GET['viewAll'])) {
+ $display = clean_param($_GET['display'], PARAM_INT);
while(true)
{
- if($page->id == $_GET['display'] && $page->qtype == LESSON_BRANCHTABLE) {
+ if($page->id == $display && $page->qtype == LESSON_BRANCHTABLE) {
$branch = true;
$singlePage = false;
break;
- } elseif($page->id == $_GET['display']) {
+ } elseif($page->id == $display) {
$branch = false;
$singlePage = true;
break;
// last page reached
break;
}
- }
+ }
echo "<center><a href=\"view.php?id=$id&viewAll=1\">".get_string("viewallpages", "lesson")."</a><br />\n";
echo "<a href=\"view.php?id=$id\">".get_string("backtreeview", "lesson")."</a><br />\n";
echo "<table cellpadding=\"5\" border=\"0\" width=\"80%\">\n";
if (isteacheredit($course->id)) {
/// CDC-FLAG 6/16/04 ///
- echo "<tr><td align=\"right\"><small><a href=\"import.php?id=$cm->id&pageid=$page->prevpageid\">".
+ echo "<tr><td align=\"left\"><small><a href=\"import.php?id=$cm->id&pageid=$page->prevpageid\">".
get_string("importquestions", "lesson")."</a> | ".
- "<a href=\"lesson.php?id=$cm->id&action=addcluster&pageid=$page->prevpageid\">".
+ "<a href=\"lesson.php?id=$cm->id&sesskey=".$USER->sesskey."&action=addcluster&pageid=$page->prevpageid\">".
get_string("addcluster", "lesson")."</a> | ".
- "<a href=\"lesson.php?id=$cm->id&action=addendofcluster&pageid=$page->prevpageid\">".
+ "<a href=\"lesson.php?id=$cm->id&sesskey=".$USER->sesskey."&action=addendofcluster&pageid=$page->prevpageid\">".
get_string("addendofcluster", "lesson")."</a> | ".
"<a href=\"lesson.php?id=$cm->id&action=addbranchtable&pageid=$page->prevpageid\">".
get_string("addabranchtable", "lesson")."</a> | ".
if($lesson->tree) {
echo "<center><a href=\"view.php?id=$id\">".get_string("backtreeview", "lesson")."</a><br /></center>\n";
}
- echo "<center><table cellpadding=\"5\" border=\"0\" width=\"80%\">\n";
+ echo "<table align=\"center\" cellpadding=\"5\" border=\"0\" width=\"80%\">\n";
if (isteacheredit($course->id)) {
/// CDC-FLAG 6/16/04 ///
echo "<tr><td align=\"left\"><small><a href=\"import.php?id=$cm->id&pageid=0\">".
get_string("importquestions", "lesson")."</a> | ".
- "<a href=\"lesson.php?id=$cm->id&action=addcluster&pageid=0\">".
+ "<a href=\"lesson.php?id=$cm->id&sesskey=".$USER->sesskey."&action=addcluster&pageid=0\">".
get_string("addcluster", "lesson")."</a> | ".
"<a href=\"lesson.php?id=$cm->id&action=addbranchtable&pageid=0\">".
get_string("addabranchtable", "lesson")."</a> | ".
}
}
/// CDC-FLAG /// end tree code (note, there is an "}" below for an else above)
- echo "<tr><td>\n";
while (true) {
+ echo "<tr><td>\n";
echo "<table width=\"100%\" border=\"1\"><tr><td bgcolor=\"$THEME->cellheading2\" colspan=\"2\"><b>$page->title</b> \n";
if (isteacheredit($course->id)) {
if ($npages > 1) {
}
echo "<a title=\"".get_string("update")."\" href=\"lesson.php?id=$cm->id&action=editpage&pageid=$page->id\">\n".
"<img src=\"$pixpath/t/edit.gif\" hspace=\"2\" height=\"11\" width=\"11\" border=\"0\" alt=\"edit\" /></a>\n".
- "<a title=\"".get_string("delete")."\" href=\"lesson.php?id=$cm->id&action=confirmdelete&pageid=$page->id\">\n".
+ "<a title=\"".get_string("delete")."\" href=\"lesson.php?id=$cm->id&sesskey=".$USER->sesskey."&action=confirmdelete&pageid=$page->id\">\n".
"<img src=\"$pixpath/t/delete.gif\" hspace=\"2\" height=\"11\" width=\"11\" border=\"0\" alt=\"delete\" /></a>\n";
}
echo "</td></tr>\n";
echo "</td><td width=\"80%\">\n";
echo format_text($answer->answer);
echo "</td></tr>\n";
- echo "<tr><td align=\"right\" valign=\"top\"><b>".get_string("response", "lesson")." $i:</b> \n";
+ echo "<tr><td align=\"right\" valign=\"top\"><b>".get_string("response", "lesson")." $i:</b> \n";
echo "</td><td>\n";
echo format_text($answer->response);
echo "</td></tr>\n";
/// CDC-FLAG /// 6/16/04
echo "<tr><td align=\"left\"><small><a href=\"import.php?id=$cm->id&pageid=$page->id\">".
get_string("importquestions", "lesson")."</a> | ".
- "<a href=\"lesson.php?id=$cm->id&action=addcluster&pageid=$page->id\">".
+ "<a href=\"lesson.php?id=$cm->id&sesskey=".$USER->sesskey."&action=addcluster&pageid=$page->id\">".
get_string("addcluster", "lesson")."</a> | ".
- "<a href=\"lesson.php?id=$cm->id&action=addendofcluster&pageid=$page->id\">".
+ "<a href=\"lesson.php?id=$cm->id&sesskey=".$USER->sesskey."&action=addendofcluster&pageid=$page->id\">".
get_string("addendofcluster", "lesson")."</a> | ".
"<a href=\"lesson.php?id=$cm->id&action=addbranchtable&pageid=$page->id\">".
get_string("addabranchtable", "lesson")."</a><br />";
$nextqtype = get_field("lesson_pages", "qtype", "id", $page->nextpageid);
}
if (($page->qtype != LESSON_ENDOFBRANCH) and ($nextqtype != LESSON_ENDOFBRANCH)) {
- echo "<a href=\"lesson.php?id=$cm->id&action=addendofbranch&pageid=$page->id\">".
+ echo "<a href=\"lesson.php?id=$cm->id&sesskey=".$USER->sesskey."&action=addendofbranch&pageid=$page->id\">".
get_string("addanendofbranch", "lesson")."</a> | ";
}
echo "<a href=\"lesson.php?id=$cm->id&action=addpage&pageid=$page->id\">".
}
}
// email link for this user
- $emaillink = "<a href=\"view.php?id=$cm->id&action=emailessay&userid=".$id."\">".get_string("emailgradedessays", "lesson")."</a>";
+ $emaillink = "<a href=\"view.php?id=$cm->id&action=emailessay&userid=".$id."&sesskey=".$USER->sesskey."\">".get_string("emailgradedessays", "lesson")."</a>";
$table->data[] = array($studentname, implode(", ", $essaylinks), $emaillink);
}
// email link for all users
- $emailalllink = "<a href=\"view.php?id=$cm->id&action=emailessay\">".get_string("emailallgradedessays", "lesson")."</a>";
+ $emailalllink = "<a href=\"view.php?id=$cm->id&action=emailessay&sesskey=".$USER->sesskey."\">".get_string("emailallgradedessays", "lesson")."</a>";
$table->data[] = array(" ", " ", $emailalllink);
elseif ($action == 'essaygrade') {
print_heading_with_help($lesson->name, "overview", "lesson");
- require_variable($attemptid);
+ $attemptid = require_variable('attemptid');
if (!$essay = get_record("lesson_attempts", "id", $attemptid)) {
error("Error: could not find essay");
echo "<input type=\"hidden\" name=\"id\" value=\"$cm->id\" />\n";
echo "<input type=\"hidden\" name=\"action\" />\n";
echo "<input type=\"hidden\" name=\"attemptid\" value=\"$attemptid\" />\n";
+ echo "<input type=\"hidden\" name=\"sesskey\" value=\"".$USER->sesskey."\" />\n";
// all tables will have these
$table->align = array("left");
elseif ($action == 'updategrade') {
print_heading_with_help($lesson->name, "overview", "lesson");
- $form = data_submitted();
+ confirm_sesskey();
+
+ $form = lesson_clean_data_submitted();
if (!$essay = get_record("lesson_attempts", "id", $form->attemptid)) {
error("Error: could not find essay");
elseif ($action == 'emailessay') {
print_heading_with_help($lesson->name, "overview", "lesson");
- if (isset($_GET['userid'])) {
- $queryadd = " AND userid = ".$_GET['userid'];
- if (! $users = get_records("user", "id", $_GET['userid'])) {
+ confirm_sesskey();
+
+ if (isset($_GET['userid'])) {
+ $userid = clean_param($_GET['userid'], PARAM_INT);
+ $queryadd = " AND userid = ".$userid;
+ if (! $users = get_records("user", "id", $userid)) {
error("Error: could not find users");
}
} else {
/*******************update high scores **************************************/
elseif ($action == 'updatehighscores') {
print_heading_with_help($lesson->name, "overview", "lesson");
+
+ confirm_sesskey();
if (!$grades = get_records_select("lesson_grades", "lessonid = $lesson->id", "completed")) {
error("Error: could not find grades");
$newhighscore->userid = $USER->id;
$newhighscore->gradeid = $newgrade->id;
if (isset($_GET['name'])) {
- $newhighscore->nickname = $_GET['name'];
+ $newhighscore->nickname = clean_param($_GET['name'], PARAM_CLEAN);
}
if (!insert_record("lesson_high_scores", $newhighscore)) {
error("Insert of new high score Failed!");
print_heading_with_help($lesson->name, "overview", "lesson");
echo "<div align=\"center\">";
if (isset($_POST['name'])) {
- if (lesson_check_nickname(trim($_POST['name']))) {
- redirect("view.php?id=$cm->id&action=updatehighscores&name=".trim($_POST['name']), get_string("nameapproved", "lesson"));
+ $name = trim(param_clean($_POST['name'], PARAM_CLEAN));
+ if (lesson_check_nickname($name)) {
+ redirect("view.php?id=$cm->id&action=updatehighscores&name=$name&sesskey=".$USER->sesskey, get_string("nameapproved", "lesson"));
} else {
echo get_string("namereject", "lesson")."<br><br>";
}
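Review bot: `param_clean()` on line 318 is not the function every other hunk calls — the patch uses `clean_param()` on lines 38, 147, 161, 292 and 309 — so this branch dies with an undefined-function error the first time a student submits a nickname. Fix the name, and URL-encode the value before it is spliced into the redirect on line 320, since a nickname containing `&` or `#` would otherwise truncate the query string and drop the `sesskey` that `updatehighscores` now checks on line 302: `$name = trim(clean_param($_POST['name'], PARAM_CLEAN));` and `"...&name=".urlencode($name)."&sesskey=".$USER->sesskey`.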