From 097579f09cfcb3d1a1636799d708b1600c0e1679 Mon Sep 17 00:00:00 2001
From: cap2501
Date: Sun, 27 Aug 2006 22:58:51 +0000
Subject: [PATCH] Fixed to eliminate use of 'GET' and 'POST'
---
 course/format/topicsajax/commands.php | 279 +++++++++++++------------
 1 file changed, 137 insertions(+), 142 deletions(-)
diff --git a/course/format/topicsajax/commands.php b/course/format/topicsajax/commands.php
index ec750697e8..5d1eba9e2f 100644
--- a/course/format/topicsajax/commands.php
+++ b/course/format/topicsajax/commands.php
@@ -1,149 +1,144 @@ id);
-
- if (!isteacher($course->id)){
- error("Not authorized to edit page!");
- }
-
-
- switch($_SERVER['REQUEST_METHOD']){
-
-
- case POST:
- switch($_GET['class']){
- case block: switch($_GET[field]){
-
- case visible:
- $dataobject->id = $_POST[instanceId];
- $dataobject->visible = $_POST[value];
- update_record('block_instance',$dataobject);
- break;
-
- case position:
- $dataobject->id = $_POST[instanceId];
- $dataobject->position = $_POST[value];
- $dataobject->weight = $_POST[weight];
- update_record('block_instance',$dataobject);
- //echo("Got ".$_GET['class'].",".$_GET[field]."Posted id=".$dataobject->id." position=".$dataobject->position." weight=".$dataobject->weight);
- break;
- }
- break;
-
-
- case section: switch($_GET[field]){
-
- case visible:
- $dataobject->id = get_field('course_sections','id','course',$course->id,'section',(int)$_POST[id]);
- $dataobject->visible = $_POST[value];
- update_record('course_sections',$dataobject);
- break;
-
-
- case sequence:
- $dataobject->id = get_field('course_sections','id','course',$course->id,'section',(int)$_POST[id]);
- $dataobject->sequence = $_POST[value];
- update_record('course_sections',$dataobject);
- break;
-
- case all:
- $dataobject->id = get_field('course_sections','id','course',$course->id,'section',(int)$_POST[id]);
- $dataobject->summary = make_dangerous($_POST[summary]);
- $dataobject->sequence = $_POST[sequence];
- $dataobject->visible = $_POST[visible];
- update_record('course_sections',$dataobject);
- break;
-
-
-
- }
- break;
-
-
-
-
- case resource: switch($_GET[field]){
-
- case visible:
- $dataobject->id = $_POST[id];
- $dataobject->visible = $_POST[value];
- update_record('course_modules',$dataobject);
- break;
-
- case groupmode:
- $dataobject->id = $_POST[id];
- $dataobject->groupmode = $_POST[value];
- update_record('course_modules',$dataobject);
- break;
-
- case section:
- $dataobject->id = $_POST[id];
- $dataobject->section = $_POST[value];
- update_record('course_modules',$dataobject);
- break;
-
- }
- break;
-
- case course: switch($_GET[field]){
-
- case marker:
- $dataobject = NULL;
- $dataobject->id = $course->id;
- $dataobject->marker = $_POST[value];
- update_record('course',$dataobject);
- break;
-
-
- }
- break;
-
- }
-
-
- break;
- case DELETE:
- switch($_GET['class']){
- case block:
- delete_records('block_instance','id',$_GET[instanceId]);
- break;
-
- case section:
- $dataobject->id = get_field('course_sections','id','course',$course->id,'section',(int)$_GET[id]);
- $dataobject->summary = '';
- $dataobject->sequence = '';
- $dataobject->visible = '1';
- update_record('course_sections',$dataobject);
- break;
-
- case resource:
- delete_records('course_modules','id',$_GET[id]);
- break;
-
- }
- break;
- }
-
- function make_dangerous($input){
- //the compliment to the javascript function 'make_safe'
- return str_replace("_.amp._","&",$input);
- }
+
+ //verify user is authorized
+ require_login();
+ if(!isteacher($course->id)){
+ echo("Not authorized to edit page!");
+ die;
+ }
+
+ if(!optional_param('courseId')){
+ echo("No ID presented!");
+ die;
+ }
+
+
+ switch($_SERVER['REQUEST_METHOD']){
+
+
+ case POST:
+ switch(optional_param('class')){
+ case block: switch(optional_param('field')){
+
+ case visible:
+ $dataobject->id = optional_param('instanceId');
+ $dataobject->visible =optional_param('value');
+ update_record('block_instance',$dataobject);
+ break;
+
+ case position:
+ $dataobject->id = optional_param('instanceId');
+ $dataobject->position = optional_param('value');
+ $dataobject->weight = optional_param('weight');
+ update_record('block_instance',$dataobject);
+ break;
+ }
+ break;
+
+
+ case section:
+
+ $dataobject->id = get_field('course_sections','id','course',optional_param('courseId'),'section',(int)optional_param('id'));
+
+ switch(optional_param(field)){
+
+ case visible:
+ $dataobject->visible = optional_param(value);
+ update_record('course_sections',$dataobject);
+ break;
+
+ case sequence:
+ $dataobject->sequence = optional_param(value);
+ update_record('course_sections',$dataobject);
+ break;
+
+ case all:
+ $dataobject->summary = make_dangerous(optional_param('summary'));
+ $dataobject->sequence = optional_param('sequence');
+ $dataobject->visible = optional_param('visible');
+ update_record('course_sections',$dataobject);
+ break;
+
+
+
+ }
+ break;
+
+
+
+
+ case resource: switch(optional_param(field)){
+
+ case visible:
+ $dataobject->id = optional_param('id');
+ $dataobject->visible = optional_param('value');
+ update_record('course_modules',$dataobject);
+ break;
+
+ case groupmode:
+ $dataobject->id = optional_param('id');
+ $dataobject->groupmode = optional_param('value');
+ update_record('course_modules',$dataobject);
+ break;
+
+ case section:
+ $dataobject->id =optional_param('id');
+ $dataobject->section = optional_param('value');
+ update_record('course_modules',$dataobject);
+ break;
+
+ }
+ break;
+
+ case course: switch(optional_param(field)){
+
+ case marker:
+ $dataobject->id = optional_param('courseId');
+ $dataobject->marker = optional_param('value');
+ update_record('course',$dataobject);
+ break;
+
+
+ }
+ break;
+
+ }
+
+
+ break;
+ case DELETE:
+ switch(optional_param('class')){
+ case block:
+ delete_records('block_instance','id',optional_param('instanceId'));
+ break;
+
+ case section:
+ $dataobject->id = get_field('course_sections','id','course',optional_param('courseId'),'section',(int)optional_param('id'));
+ $dataobject->summary = '';
+ $dataobject->sequence = '';
+ $dataobject->visible = '1';
+ update_record('course_sections',$dataobject);
+ break;
+
+ case resource:
+ delete_records('course_modules','id',optional_param('id'));
+ break;
+
+ }
+ break;
+ }
+
+ function make_dangerous($input){
+ //the compliment to the javascript function 'make_safe'
+ return str_replace("_.amp._","&",$input);
+ } ?>
--
2.39.5