From: moodler
Date: Fri, 24 Mar 2006 14:48:54 +0000 (+0000)
Subject: Cleaned up approval script (more security ;-))
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=36a9cc4caf3328a4fae04a2047a836c76844dc59;p=moodle.git

Cleaned up approval script (more security ;-))
---
diff --git a/mod/data/approve.php b/mod/data/approve.php
index ff8bd69f12..5e9bcc86de 100755
--- a/mod/data/approve.php
+++ b/mod/data/approve.php
@@ -1,30 +1,39 @@
-libdir.'/blocklib.php');
-
- require_once('pagelib.php');
- require_login();
-
- if (!isteacher()) {
- error(get_string('errormustbeteacher', 'data'));
- }
-
- if (confirm_sesskey()
- && ($recordid = required_param('recordid',PARAM_INT))
- && ($d = required_param('d',PARAM_INT))) {
- data_approve_record($recordid);
- }
-
- $page=optional_param('page','0',PARAM_INT);
- $rid = optional_param('rid','0', PARAM_INT);
- $search =optional_param('search','',PARAM_ALPHA);
- $sort= optional_param('sort','',PARAM_ALPHA);
- $order=optional_param('order','',PARAM_ALPHA);
-
- print_heading(get_string('recordapproved','data'));
- redirect('view.php?d='.$d.'&approved=1&page='.$page.'&rid='.$rid.'&search='.$search.'&sort='.$sort.'&order='.$order.'&');
-
- ?>
+dataid)) {
+ error('Data ID is incorrect');
+ }
+ if (! $course = get_record('course', 'id', $data->course)) {
+ error('Course is misconfigured');
+ }
+
+ if (!isteacher($course->id)) {
+ error(get_string('errormustbeteacher', 'data'));
+ }
+
+ if (confirm_sesskey()) { /* Approve it! */
+ $newrecord->id = $record->id;
+ $newrecord->approved = 1;
+ update_record('data_records', $newrecord);
+ }
+
+ redirect('view.php?d='.$d.'&approved=1&page='.$page.'&rid='.$rid.'&search='.$search.'&sort='.$sort.'&order='.$order.'&', get_string('recordapproved','data'));
+
+ ?>
diff --git a/mod/data/lib.php b/mod/data/lib.php
index f3be3f7ebd..c1405a223f 100755
--- a/mod/data/lib.php
+++ b/mod/data/lib.php
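Review bot: A failed confirm_sesskey() is reported as success: when the check in `if (confirm_sesskey()) {` fails the update is skipped, but execution still reaches the redirect, which sends the user to `approved=1` with the 'recordapproved' message, so a request without a valid session key looks approved. Fail closed in the same style as the other checks in this hunk, `if (!confirm_sesskey()) { error('Invalid session key'); }`, before building `$newrecord`. `$newrecord` is also used without being initialised as an object (`$newrecord->id = $record->id;`), which relies on implicit object creation from an undefined variable; add `$newrecord = new stdClass();` first. The opening lines of both sides of this hunk are lost in this rendering (the text starts mid-statement at `-libdir` and `+dataid`), so the reads of `$d`, `$page`, `$rid`, `$search`, `$sort` and `$order` that the redirect interpolates could not be checked here.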
@@ -963,12 +963,6 @@ function data_print_approve_button($recordid, $d, $page='0', $rid='0', $search='
 return $str;
 }
-//silly function that approves a record
-function data_approve_record($recordid) {
- $record = get_record('data_records','id',$recordid);
- $record->approved = 1;
- update_record('data_records',$record);
-}
 //silly function that prints the a form to do ratings
 function data_print_ratings($data, $record) {