From: skodak Date: Thu, 7 Dec 2006 20:06:11 +0000 (+0000) Subject: MDL-7839 Fixed use of capabilities in database entry rating X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=3b827a7e753654e90101440621494c8d3c1b98ed;p=moodle.git MDL-7839 Fixed use of capabilities in database entry rating --- diff --git a/mod/data/lib.php b/mod/data/lib.php index 1fe7b9e7d7..c513aeb5a9 100755 --- a/mod/data/lib.php +++ b/mod/data/lib.php @@ -933,47 +933,36 @@ function data_print_ratings($data, $record) { $cm = get_coursemodule_from_instance('data', $data->id); $context = get_context_instance(CONTEXT_MODULE, $cm->id); - $ratingsmenuused = false; - if ($data->assessed and !empty($USER->id)) { - if ($ratings->scale = make_grades_menu($data->scale)) { - $ratings->allow = ($data->assessed and has_capability('mod/data:rate', $context)); - if ($ratings->allow) { - echo '
'; - echo '
'; - $useratings = true; - - if ($useratings) { - if (has_capability('mod/data:rate', $context) and !data_isowner($record->id)) { - data_print_ratings_mean($record->id, $ratings->scale, has_capability('mod/data:rate', $context)); - if (!empty($ratings->allow)) { - echo ' '; - data_print_rating_menu($record->id, $USER->id, $ratings->scale); - $ratingsmenuused = true; - } + if ($data->assessed and !empty($USER->id) + and (has_capability('mod/data:rate', $context) or has_capability('mod/data:viewrating', $context) or data_isowner($record->id))) { + if ($ratingsscale = make_grades_menu($data->scale)) { + $ratingsmenuused = false; - } else if (data_isowner($record->id)) { - data_print_ratings_mean($record->id, $ratings->scale, true); + echo '
'; + echo ''; - } else if (!empty($ratings->allow) ) { - data_print_rating_menu($record->id, $USER->id, $ratings->scale); - $ratingsmenuused = true; - } - } + if (has_capability('mod/data:rate', $context) and !data_isowner($record->id)) { + data_print_ratings_mean($record->id, $ratingsscale, has_capability('mod/data:viewrating', $context)); + echo ' '; + data_print_rating_menu($record->id, $USER->id, $ratingsscale); + $ratingsmenuused = true; - if ($data->scale < 0) { - if ($scale = get_record("scale", "id", abs($data->scale))) { - print_scale_menu_helpbutton($data->course, $scale ); - } - } + } else { + data_print_ratings_mean($record->id, $ratingsscale, true); + } - if ($ratingsmenuused) { - echo ''; - echo ''; - echo ""; + if ($data->scale < 0) { + if ($scale = get_record('scale', 'id', abs($data->scale))) { + print_scale_menu_helpbutton($data->course, $scale ); } - echo ""; - echo '
'; } + + if ($ratingsmenuused) { + echo ''; + echo ''; + } + echo ''; + echo '
'; } } } diff --git a/mod/data/rate.php b/mod/data/rate.php index 618ef77c87..bb89516250 100755 --- a/mod/data/rate.php +++ b/mod/data/rate.php 
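Review bot: The new branch structure in data_print_ratings calls has_capability('mod/data:rate', $context) three times and has_capability('mod/data:viewrating', $context) twice (outer condition, inner `if`, and the third argument to data_print_ratings_mean), which makes the access logic harder to read than it needs to be. Hoisting the two checks into locals once, right after `$context` is built, would make the branches self-explanatory: `$canrate = has_capability('mod/data:rate', $context);` and `$canviewrating = has_capability('mod/data:viewrating', $context);`, then use `$canrate`/`$canviewrating` below. The hard-coded `true` passed to data_print_ratings_mean in the `else` branch is correct only because the outer condition guarantees that anyone reaching it is the record owner or holds mod/data:viewrating; a one-line comment saying so, e.g. `// reached only by owners or users with mod/data:viewrating, so the mean is always visible`, would stop a later edit to the outer condition from silently breaking it. The echoed HTML strings appear truncated in this view of the hunk, so the markup itself was not reviewed.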
@@ -1,54 +1,90 @@ wwwroot.'/mod/data/view.php')) or !confirm_sesskey()) { + error("This page was not accessed correctly"); } - require_login($course->id); + $count = 0; - if (isguest()) { - error("Guests are not allowed to rate posts.", $_SERVER["HTTP_REFERER"]); - } + foreach ((array)$data as $recordid => $rating) { + if (!is_numeric($recordid)) { + continue; + } + + if (!$record = get_record('data_records', 'id', $recordid)) { + error("Record ID is incorrect"); + } + if (!$data = get_record('data', 'id', $record->dataid)) { + error("Data ID is incorrect"); + } + if (!$course = get_record('course', 'id', $data->course)) { + error("Course is misconfigured"); + } + if (!$cm = get_coursemodule_from_instance('data', $data->id, $course->id)) { + error("Course Module ID was incorrect"); + } - $returntoview = false; + require_login($course->id, false, $cm); - if (($data = data_submitted($CFG->wwwroot.'/mod/data/view.php')) and confirm_sesskey()) { + $context = get_context_instance(CONTEXT_MODULE, $cm->id); - $lastrecordid = 0; + if (isguest()) { + error("Guests are not allowed to rate posts"); + } - foreach ((array)$data as $recordid => $rating) { - if (($recordid == 'id') || ($recordid=='sesskey')) { - continue; - } + if (!$data->assessed or !has_capability('mod/data:rate', $context)) { + error("Not allowed to rate."); + } - $recordid = (int)$recordid; - $lastrecordid = $recordid; - if ($oldrating = get_record("data_ratings", "userid", $USER->id, "recordid", $recordid)) { - if ($rating != $oldrating->rating) { - $oldrating->rating = $rating; - if (! update_record("data_ratings", $oldrating)) { - error("Could not update an old rating ($recordid = $rating)"); - } - } - } else if ($rating) { - unset($newrating); - $newrating->userid = $USER->id; - $newrating->recordid = $recordid; - $newrating->rating = $rating; - if (! 
insert_record("data_ratings", $newrating)) { - error("Could not insert a new rating ($recordid = $rating)"); + if ($record->userid == $USER->id) { + error("You can not rate your own data"); + } + + if (!$scale = make_grades_menu($data->scale)) { + error("Icorrect scale"); + } + + if (!array_key_exists($rating, $scale)) { + error("Icorrect rating value"); + } + + // input validation ok + + $count++; + + if ($oldrating = get_record('data_ratings', 'userid', $USER->id, 'recordid', $record->id)) { + if ($rating != $oldrating->rating) { + $oldrating->rating = $rating; + if (! update_record('data_ratings', $oldrating)) { + error("Could not update an old rating ($record->id = $rating)"); } } + } else if ($rating) { + $newrating = new object(); + $newrating->userid = $USER->id; + $newrating->recordid = $record->id; + $newrating->rating = $rating; + if (! insert_record('data_ratings', $newrating)) { + error("Could not insert a new rating ($record->id = $rating)"); + } } + } - redirect($_SERVER["HTTP_REFERER"], get_string("ratingssaved", "data")); - } else { - error("This page was not accessed correctly"); + if ($count == 0) { + error("Incorrect submitted ratings data"); } + if (!empty($_SERVER['HTTP_REFERER'])) { + redirect($_SERVER['HTTP_REFERER'], get_string('ratingssaved', 'data')); + } else { + // try to guess where to return + if ($count == 1) { + redirect('view.php?mode=single&rid='.$record->id, get_string('ratingssaved', 'data')); + } else { + redirect('view.php?d='.$data->id, get_string('ratingssaved', 'data')); + } + } ?> diff --git a/mod/data/report.php b/mod/data/report.php index 2e0098d1e3..197a399447 100755 --- a/mod/data/report.php +++ b/mod/data/report.php 
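Review bot: The final `redirect($_SERVER['HTTP_REFERER'], ...)` still sends the browser to whatever Referer the client supplied, without checking it; that is an open redirect carried over from the old code, and the commit does not address it even though the new fallback branch already computes a safe in-site target. Either drop the referer and always use the computed `view.php` URL, or accept the referer only when it points into this site, e.g. `if (!empty($_SERVER['HTTP_REFERER']) and strpos($_SERVER['HTTP_REFERER'], $CFG->wwwroot) === 0) {`. Separately, `$data` is first the submitted form array (`foreach ((array)$data as $recordid => $rating)`) and is then overwritten inside the loop with the `data` row, so the closing `redirect('view.php?d='.$data->id, ...)` only works because foreach iterates a copy and the last loop iteration leaves a record in `$data`; naming the submitted array `$submitted` (or similar) would make that explicit. The two user-facing strings `"Icorrect scale"` and `"Icorrect rating value"` are misspelled and should read `"Incorrect scale"` / `"Incorrect rating value"`. The first lines of the hunk appear truncated in this view, so the opening of the file was not reviewed.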
@@ -6,14 +6,27 @@ require_once("lib.php"); $id = required_param('id',PARAM_INT); - $sort = optional_param('sort', '', PARAM_RAW); + $sort = optional_param('sort', '', PARAM_ALPHA); - if (!$record = get_record('data_records','id',$id)) { - error("rating ID was incorrect"); + if (!$record = get_record('data_records', 'id', $id)) { + error("Record ID is incorrect"); } - - if (!$data = get_record('data','id',$record->dataid)) { - error("rating ID was incorrect"); + if (!$data = get_record('data', 'id', $record->dataid)) { + error("Data ID is incorrect"); + } + if (!$course = get_record('course', 'id', $data->course)) { + error("Course is misconfigured"); + } + if (!$cm = get_coursemodule_from_instance('data', $data->id, $course->id)) { + error("Course Module ID was incorrect"); + } + + require_login($course->id, false, $cm); + + $context = get_context_instance(CONTEXT_MODULE, $cm->id); + + if (!data_isowner($record->id) and !has_capability('mod/data:viewrating', $context) and !has_capability('mod/data:rate', $context)) { + error("You can not view ratings"); } switch ($sort) {
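Review bot: The new access check in report.php does not test `$data->assessed`, whereas the matching display code in lib.php (and the new rate.php) only exposes ratings when the activity is assessed; a user with mod/data:viewrating or record ownership can therefore still open the ratings report for a database whose rating was switched off. If that is intended, a short comment saying so would help; otherwise add `if (!$data->assessed) { error("Ratings are not enabled for this database"); }` before the capability test. The switch from PARAM_RAW to PARAM_ALPHA for `$sort` is a sound tightening as long as every case label in the `switch ($sort)` below is purely alphabetic, which cannot be confirmed from this hunk since the switch body lies outside it.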