From: skodak Date: Sat, 2 Jun 2007 15:56:52 +0000 (+0000) Subject: MDL-10010 improved data validation in glossary rate.php X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=b83ed1acb9cf39cf679f9a48e8fbab122be6f48e;p=moodle.git MDL-10010 improved data validation in glossary rate.php
---
diff --git a/mod/glossary/rate.php b/mod/glossary/rate.php
index c7c0d7cd92..7c26818df0 100644
--- a/mod/glossary/rate.php
+++ b/mod/glossary/rate.php
@@ -13,19 +13,63 @@
 error("Course ID was incorrect");
 }
- require_login($course->id);
+ require_login($course);
- if (isguest()) {
- error("Guests are not allowed to rate entries.", $_SERVER["HTTP_REFERER"]);
+ if (isguestuser()) {
+ error("Guests are not allowed to rate entries.");
 }
+ $returnurl = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : null;
+
+ $glossary = false;
 if ($data = data_submitted("$CFG->wwwroot/mod/glossary/view.php")) { // form submitted
- print_object($data);
- foreach ((array)$data as $entry => $rating) {
- if ($entry == "id") {
+ foreach ((array)$data as $entryid => $rating) {
+ if (!is_numeric($entryid)) {
+ continue;
+ }
+ if (!$entry = get_record('glossary_entries', 'id', $entryid)) {
+ continue;
+ }
+ if (!$glossary) {
+ if (!$glossary = get_record('glossary', 'id', $entry->glossaryid)) {
+ error('Incorrect glossary id');
+ }
+ if (!$cm = get_coursemodule_from_instance('glossary', $glossary->id)) {
+ error("Course Module ID was incorrect");
+ }
+ $context = get_context_instance(CONTEXT_MODULE, $cm->id);
+
+ require_login($course, false, $cm);
+
+ if (!$glossary->assessed) {
+ error('Rating of items not allowed!');
+ }
+ if ($glossary->assessed == 2 and !has_capability('mod/glossary:rate', $context)) {
+ error('You can not rate items!');
+ }
+
+ if (empty($returnurl)) {
+ $returnurl = $CFG->wwwroot.'/mod/glossary/view.php?id='.$cm->id;
+ }
+ }
+
+ if ($entry->glossaryid != $glossary->id) {
+ error('This is not valid entry!!');
+ }
+
+ if ($glossary->assesstimestart and $glossary->assesstimefinish) {
+ if ($entry->timecreated < $glossary->assesstimestart or $entry->timecreated > $glossary->assesstimefinish) {
+ // we can not grade this, ignore it - this should not happen anyway unless teachr changes setting
+ continue;
+ }
+ }
+
+ if ($entry->userid == $USER->id) {
+ //can not rate own entry
 continue;
 }
- if ($oldrating = get_record("glossary_ratings", "userid", $USER->id, "entryid", $entry)) {
+
+ if ($oldrating = get_record("glossary_ratings", "userid", $USER->id, "entryid", $entry->id)) {
 //Check if we must delete the rate
 if ($rating == -999) {
 delete_records('glossary_ratings','userid',$oldrating->userid, 'entryid',$oldrating->entryid);
@@ -37,18 +81,24 @@
 }
 }
 } else if ($rating >= 0) {
- unset($newrating);
- $newrating->userid = $USER->id;
- $newrating->time = time();
- $newrating->entryid = $entry;
- $newrating->rating = $rating;
+ $newrating = new object();
+ $newrating->userid = $USER->id;
+ $newrating->time = time();
+ $newrating->entryid = $entry->id;
+ $newrating->rating = $rating;
 if (! insert_record("glossary_ratings", $newrating)) {
- error("Could not insert a new rating ($entry = $rating)");
+ error("Could not insert a new rating ($entry->id = $rating)");
 }
 }
 }
- redirect($_SERVER["HTTP_REFERER"], get_string("ratingssaved", "glossary"));
+
+ if (!$glossary) {
+ // something wrong happended - no rating changed/added
+ error('Incorrect ratings submitted');
+ }
+
+ redirect($returnurl, get_string("ratingssaved", "glossary"));
 } else {
 error("This page was not accessed correctly");
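Review bot: The new per-entry validation never ties `$glossary` back to the `$course` that was already resolved from the request (the `error("Course ID was incorrect")` context line above), so a user enrolled in course A can submit entry ids from a glossary in course B; the `$entry->glossaryid != $glossary->id` test only keeps all entries inside one glossary, and nothing in this hunk shows `require_login($course, false, $cm)` rejecting a `$cm` whose course differs from `$course`. After the glossary record is loaded, add `if ($glossary->course != $course->id) { error('Incorrect course id'); }` so the capability and assessment checks run against the course the caller actually passed. Separately, `$returnurl` is taken verbatim from the client-supplied Referer header and later handed to `redirect()`, which is an open redirect; prefer always building it from `$cm->id` as the `empty($returnurl)` fallback already does, or at least require it to start with `$CFG->wwwroot`. The `if ($data = data_submitted(...))` body opened here continues into the next hunk.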
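Review bot: The `else if ($rating >= 0)` branch still writes `$rating` to `glossary_ratings` exactly as submitted, with no check that it is a number or within range: with PHP's loose comparison of that era a non-numeric string compares equal to 0, so `"abc" >= 0` holds and the string reaches `insert_record()` as the rating, and any large integer is accepted as well. Before the comparison, drop non-integers, `if (!is_numeric($rating)) { continue; }` followed by `$rating = (int)$rating;`, and bound the value against the glossary's configured maximum (presumably `$glossary->scale` when it is positive; confirm how custom scales are encoded before relying on that). The `foreach` this branch belongs to, and the `$glossary` record the bound check would need, begin in the previous hunk.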