From: Petr Skoda
Date: Sun, 22 Nov 2009 12:42:51 +0000 (+0000)
Subject: MDL-20930 fixed input validation
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=b3e229f979cd2e0b9a1ac5cb03588cdd5348daeb;p=moodle.git

MDL-20930 fixed input validation
---
diff --git a/mod/glossary/approve.php b/mod/glossary/approve.php
index 4164a287b7..cceb5e2326 100644
--- a/mod/glossary/approve.php
+++ b/mod/glossary/approve.php
@@ -3,48 +3,31 @@
 require_once("../../config.php");
 require_once("lib.php");
-$id = required_param('id', PARAM_INT); // Course Module ID
-$eid = optional_param('eid', 0, PARAM_INT); // Entry ID
+$eid = required_param('eid', PARAM_INT); // Entry ID
-$mode = optional_param('mode','approval', PARAM_ALPHA);
-$hook = optional_param('hook','ALL', PARAM_CLEAN);
+$mode = optional_param('mode', 'approval', PARAM_ALPHA);
+$hook = optional_param('hook', 'ALL', PARAM_CLEAN);
-$url = new moodle_url($CFG->wwwroot.'/mod/glossary/approve.php', array('id'=>$id));
-if ($eid !== 0) {
- $url->param('eid', $eid);
-}
-if ($mode !== 'approval') {
- $url->param('mode', $mode);
-}
-if ($hook !== 'ALL') {
- $url->param('hook', $hook);
-}
+$url = new moodle_url($CFG->wwwroot.'/mod/glossary/approve.php', array('eid'=>$eid,'mode'=>$mode, 'hook'=>$hook));
 $PAGE->set_url($url);
-if (! $cm = get_coursemodule_from_id('glossary', $id)) {
- print_error('invalidcoursemodule');
-}
-
-if (! $course = $DB->get_record("course", array("id"=>$cm->course))) {
- print_error('coursemisconf');
-}
-
-if (! $glossary = $DB->get_record("glossary", array("id"=>$cm->instance))) {
- print_error('invalidid', 'glossary');
-}
+$entry = $DB->get_record('glossary_entries', 'id', $eid, '*', MUST_EXIST);
+$glossary = $DB->get_record('glossary', 'id', $entry->glossaryid, '*', MUST_EXIST);
+$cm = get_coursemodule_from_instance('glossary', $glossary->id, 0, false, MUST_EXIST);
+$course = $DB->get_record('course', 'id', $cm->course, '*', MUST_EXIST);
-require_login($course->id, false, $cm);
+require_login($course, false, $cm);
 $context = get_context_instance(CONTEXT_MODULE, $cm->id);
 require_capability('mod/glossary:approve', $context);
-$newentry = new object();
-$newentry->id = $eid;
-$newentry->approved = 1;
-$newentry->timemodified = time(); // wee need this date here to speed up recent activity, TODO: use timestamp in approved field instead in 2.0
-
-$DB->update_record("glossary_entries", $newentry);
-add_to_log($course->id, "glossary", "approve entry", "showentry.php?id=$cm->id&eid=$eid", "$eid",$cm->id);
-redirect("view.php?id=$cm->id&mode=$mode&hook=$hook",get_string("entryapproved","glossary"),1);
-die;
+if (!$entry->approved and confirm_sesskey()) {
+ $newentry = new object();
+ $newentry->id = $entry->id;
+ $newentry->approved = 1;
+ $newentry->timemodified = time(); // wee need this date here to speed up recent activity, TODO: use timestamp in approved field instead in 2.0
+ $DB->update_record("glossary_entries", $newentry);
+ add_to_log($course->id, "glossary", "approve entry", "showentry.php?id=$cm->id&eid=$eid", "$eid", $cm->id);
+}
+redirect("view.php?id=$cm->id&mode=$mode&hook=$hook");
diff --git a/mod/glossary/lib.php b/mod/glossary/lib.php
index 28fdd9feb7..12795b436d 100644
--- a/mod/glossary/lib.php
+++ b/mod/glossary/lib.php
@@ -1092,7 +1092,7 @@ function glossary_print_entry_approval($cm, $entry, $mode, $align="right", $ins
 if ($insidetable) {
 echo '
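Review bot: The three new `$DB->get_record` calls pass the lookup as positional arguments (`$DB->get_record('glossary_entries', 'id', $eid, '*', MUST_EXIST)`), whereas the removed lines in this same hunk pass it as an array (`array("id"=>$cm->course)`); if the 2.0 DML signature is `get_record($table, array $conditions, $fields, $strictness)` as those removed lines suggest, the string condition is rejected and the page fails before the capability check is ever reached. Each should read `$DB->get_record('glossary_entries', array('id' => $eid), '*', MUST_EXIST);`, and likewise for the glossary and course lookups. Separately, `$hook` is PARAM_CLEAN (so it may still contain `&`, `#` or spaces) and is interpolated unencoded into the added `redirect("view.php?id=$cm->id&mode=$mode&hook=$hook")`; `'&hook='.urlencode($hook)`, or a moodle_url built like the one handed to `$PAGE->set_url`, keeps the redirect target intact. Finally, using `confirm_sesskey()` as a plain condition means a missing or stale sesskey silently redirects exactly as a successful approval does; if that fall-through is not intended, `require_sesskey();` before the update would surface it to the user.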
'; } - echo ''.get_string('approve','glossary').''; + echo ''.get_string('approve','glossary').''; if ($insidetable) { echo '
'; }