From 200514e282b4bf58146be111273b2ffc66658040 Mon Sep 17 00:00:00 2001 From: skodak Date: Mon, 17 Apr 2006 21:14:50 +0000 Subject: [PATCH] some bugfixing and proper conversion to new xxx_param() functions - SC#148 --- mod/exercise/assessments.php | 115 ++++++++++++++++++++--------------- mod/exercise/locallib.php | 10 +-- mod/exercise/submissions.php | 61 ++++++++++--------- mod/exercise/upload.php | 7 ++- mod/exercise/view.php | 10 ++- 5 files changed, 112 insertions(+), 91 deletions(-) diff --git a/mod/exercise/assessments.php b/mod/exercise/assessments.php index 52490efb81..6a3fce06db 100644 --- a/mod/exercise/assessments.php +++ b/mod/exercise/assessments.php @@ -1,4 +1,4 @@ -id)) { error("Only teachers can look at this page"); - } - if (empty($_GET['aid'])) { + } + if (empty($aid)) { error("Admin Amend Grading grade: assessment id missing"); - } + } - if (!$assessment = get_record("exercise_assessments", "id", $_GET['aid'])) { + if (!$assessment = get_record("exercise_assessments", "id", $aid)) { error("Amin Amend Grading grade: assessment not found"); } print_heading(get_string("amend", "exercise")." ".get_string("gradeforstudentsassessment", "exercise", $course->student)); echo "
\n"; - echo "\n"; + echo "\n"; echo "\n"; echo "id\" />\n"; echo "\n"; @@ -108,13 +111,13 @@ if (!isteacher($course->id)) { error("Only teachers can look at this page"); - } - if (empty($_GET['aid'])) { + } + if (empty($aid)) { error("Admin confirm delete: assessment id missing"); - } + } notice_yesno(get_string("confirmdeletionofthisitem","exercise", get_string("assessment", "exercise")), - "assessments.php?action=admindelete&id=$cm->id&aid=$_GET[aid]", + "assessments.php?action=admindelete&id=$cm->id&aid=$aid", "submissions.php?action=adminlist&id=$cm->id"); } @@ -124,16 +127,16 @@ if (!isteacher($course->id)) { error("Only teachers can look at this page"); - } - if (empty($_GET['aid'])) { + } + if (empty($aid)) { error("Admin delete: submission id missing"); - } + } print_string("deleting", "exercise"); // first delete all the associated records... - delete_records("exercise_grades", "assessmentid", $_GET['aid']); + delete_records("exercise_grades", "assessmentid", $aid); // ...now delete the assessment... - delete_records("exercise_assessments", "id", $_GET['aid']); + delete_records("exercise_assessments", "id", $aid); print_continue("submissions.php?id=$cm->id&action=adminlist"); } @@ -144,12 +147,12 @@ if (!isteacher($course->id)) { error("Only teachers can look at this page"); - } + } - if (empty($_GET['sid'])) { + if (empty($sid)) { error ("exercise asssessments: adminlist called with no sid"); - } - $submission = get_record("exercise_submissions", "id", $_GET['sid']); + } + $submission = get_record("exercise_submissions", "id", $sid); exercise_print_assessments_for_admin($exercise, $submission); print_continue("submissions.php?action=adminlist&id=$cm->id"); } 
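Review bot: The `empty($aid)` check that replaces `empty($_GET['aid'])` in the adminamendgradinggrade branch only guards presence, and the code that now sets `$aid` lives in the file prologue that every hunk leaves out, so its type restriction cannot be verified here; the removed `required_param('aid', PARAM_INT)` / `required_param('sid', PARAM_INT)` lines in the `@@ -174`, `@@ -212`, `@@ -633`, `@@ -663` and `@@ -1089` hunks were the only visible PARAM_INT guards for these ids. Confirm that the prologue reads each id as `optional_param('aid', 0, PARAM_INT)` (likewise for `sid` and `userid`), otherwise a non-numeric value passes `empty()` and reaches get_record and delete_records. A comment on the first such check, `// $aid is read with PARAM_INT in the prologue; empty() only guards presence`, would make that dependency explicit for the next reader. The `<?php` prologue itself is not part of any hunk in this patch.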
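Review bot: The admindelete branch (`@@ -124`) removes the `exercise_grades` rows and the `exercise_assessments` row for whatever `$aid` arrives, gated only by `isteacher($course->id)`, with no check that the assessment belongs to this exercise, so a teacher of one course can delete assessments from another by changing the id. Load the record first and compare its exercise id (presumably an `exerciseid` column, as the grade records written elsewhere in this file carry) with `$exercise->id`, which is in scope since the adminlist hunk passes it to exercise_print_assessments_for_admin, before the two delete_records calls. The confirmation link built in the `@@ -108` hunk is a plain GET URL; routing the confirmed delete through Moodle's session-key (sesskey) check would stop a crafted link from triggering it. The same scoping gap applies to the submissions.php admindelete hunk (`@@ -144`), whose delete lies outside the hunk but whose visible checks stop at `isteacher()` and record existence.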
@@ -160,12 +163,12 @@ if (!isteacher($course->id)) { error("Only teachers can look at this page"); - } + } - if (empty($_GET['userid'])) { + if (empty($userid)) { error ("exercise asssessments: adminlistbystudent called with no userid"); - } - $user = get_record("user", "id", $_GET['userid']); + } + $user = get_record("user", "id", $userid); exercise_print_assessments_by_user_for_admin($exercise, $user); print_continue("submissions.php?action=adminlist&id=$cm->id"); } @@ -174,7 +177,9 @@ /****************** Assess resubmission (by teacher) ***************************/ elseif ($action == 'assessresubmission') { - $sid = required_param('sid'); + if (empty($sid)) { + error ("exercise asssessments: assessresubmission called with no sid"); + } if (! $submission = get_record("exercise_submissions", "id", $sid)) { error("Assess submission is misconfigured - no submission record!"); @@ -212,7 +217,9 @@ /****************** Assess submission (by teacher or student) ***************************/ elseif ($action == 'assesssubmission') { - $sid = required_param('sid'); + if (empty($sid)) { + error ("exercise asssessments: assesssubmission called with no sid"); + } if (! $submission = get_record("exercise_submissions", "id", $sid)) { error("Assess submission is misconfigured - no submission record!"); @@ -466,7 +473,7 @@ unset($element); $element->description = $description; $element->exerciseid = $exercise->id; - $element->elementno = $key; + $element->elementno = clean_param($key, PARAM_INT); if (!$element->id = insert_record("exercise_elements", $element)) { error("Could not insert exercise element!"); } @@ -481,7 +488,7 @@ unset($element); $element->description = $description; $element->exerciseid = $exercise->id; - $element->elementno = $key; + $element->elementno = clean_param($key, PARAM_INT); if (isset($form->scale[$key])) { $element->scale = $form->scale[$key]; switch ($EXERCISE_SCALES[$form->scale[$key]]['type']) { 
@@ -508,7 +515,7 @@ foreach ($form->maxscore as $key => $themaxscore) { unset($element); $element->exerciseid = $exercise->id; - $element->elementno = $key; + $element->elementno = clean_param($key, PARAM_INT); $element->maxscore = $themaxscore; if (isset($form->description[$key])) { $element->description = $form->description[$key]; @@ -527,7 +534,7 @@ foreach ($form->description as $key => $description) { unset($element); $element->exerciseid = $exercise->id; - $element->elementno = $key; + $element->elementno = clean_param($key, PARAM_INT); $element->description = $description; $element->weight = $form->weight[$key]; for ($j=0;$j<5;$j++) { @@ -633,8 +640,12 @@ error("Only teachers can look at this page"); } - $aid = required_param('aid', PARAM_INT); - $sid = required_param('sid', PARAM_INT); + if (empty($aid)) { + error("assessment id missing"); + } + if (empty($sid)) { + error ("no sid"); + } if (!$assessment = get_record("exercise_assessments", "id", $aid)) { error("Teacher assessment: User's assessment record not found"); } @@ -663,7 +674,9 @@ $timenow = time(); $form = data_submitted(); - $aid = required_param('aid', PARAM_INT); + if (empty($aid)) { + error("assessment id missing"); + } if (! $assessment = get_record("exercise_assessments", "id", $aid)) { error("exercise assessment is misconfigured"); } @@ -689,7 +702,7 @@ unset($element); $element->exerciseid = $exercise->id; $element->assessmentid = $assessment->id; - $element->elementno = $key; + $element->elementno = clean_param($key, PARAM_INT); $element->feedback = $thefeedback; if (!$element->id = insert_record("exercise_grades", $element)) { error("Could not insert exercise element!"); 
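Review bot: The new `error ("no sid")` in the `@@ -633` hunk is terse and formatted differently from its sibling checks, which say what is missing and put no space before the parenthesis. Changing it to `error("submission id missing");` (matching the neighbouring `error("assessment id missing");`) keeps the diagnostics consistent. The enclosing branch continues outside the hunk.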
@@ -704,7 +717,7 @@ unset($element); $element->exerciseid = $exercise->id; $element->assessmentid = $assessment->id; - $element->elementno = $key; + $element->elementno = clean_param($key, PARAM_INT); $element->feedback = $form->feedback[$key]; $element->grade = $thegrade; if (!$element->id = insert_record("exercise_grades", $element)) { @@ -801,7 +814,7 @@ unset($element); $element->exerciseid = $exercise->id; $element->assessmentid = $assessment->id; - $element->elementno = $key; + $element->elementno = clean_param($key, PARAM_INT); $element->feedback = $form->feedback[$key]; $element->grade = $thegrade; if (!$element->id = insert_record("exercise_grades", $element)) { @@ -908,7 +921,7 @@ unset($element); $element->exerciseid = $exercise->id; $element->assessmentid = $assessment->id; - $element->elementno = $key; + $element->elementno = clean_param($key, PARAM_INT); $element->feedback = $thefeedback; if (!$element->id = insert_record("exercise_grades", $element)) { error("Could not insert exercise element!"); @@ -923,7 +936,7 @@ unset($element); $element->exerciseid = $exercise->id; $element->assessmentid = $assessment->id; - $element->elementno = $key; + $element->elementno = clean_param($key, PARAM_INT); $element->feedback = $form->feedback[$key]; $element->grade = $thegrade; if (!$element->id = insert_record("exercise_grades", $element)) { @@ -1004,7 +1017,7 @@ unset($element); $element->exerciseid = $exercise->id; $element->assessmentid = $assessment->id; - $element->elementno = $key; + $element->elementno = clean_param($key, PARAM_INT); $element->feedback = $form->feedback[$key]; $element->grade = $thegrade; if (!$element->id = insert_record("exercise_grades", $element)) { 
@@ -1089,11 +1102,13 @@ error("Only teachers can look at this page"); } - $aid = required_param('aid', PARAM_INT); + if (empty($aid)) { + error("submission id missing"); + } // normalise gradinggrade $gradinggrade = $_POST['gradinggrade'] * 100 / $exercise->gradinggrade; if (!set_field("exercise_assessments", "gradinggrade", $gradinggrade, "id", - $_POST['aid'])) { + $aid)) { error("Update grading grade: asseesment not updated"); } redirect("submissions.php?id=$cm->id&action=adminlist", get_string("savedok", "exercise"), 1); @@ -1103,27 +1118,27 @@ /****************** user confirm delete ************************************/ elseif ($action == 'userconfirmdelete' ) { - if (empty($_GET['aid'])) { + if (empty($aid)) { error("User confirm delete: assessment id missing"); } notice_yesno(get_string("confirmdeletionofthisitem","exercise", get_string("assessment", "exercise")), - "assessments.php?action=userdelete&id=$cm->id&aid=$_GET[aid]", "view.php?id=$cm->id"); + "assessments.php?action=userdelete&id=$cm->id&aid=$aid", "view.php?id=$cm->id"); } /****************** user delete ************************************/ elseif ($action == 'userdelete' ) { - if (empty($_GET['aid'])) { + if (empty($aid)) { error("User delete: assessment id missing"); } print_string("deleting", "exercise"); // first delete all the associated records... - delete_records("exercise_grades", "assessmentid", $_GET['aid']); + delete_records("exercise_grades", "assessmentid", $aid); // ...now delete the assessment... - delete_records("exercise_assessments", "id", $_GET['aid']); + delete_records("exercise_assessments", "id", $aid); print_continue("view.php?id=$cm->id"); } 
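Review bot: The adminupdategradinggrade branch still reads `$_POST['gradinggrade']` raw and feeds it straight into arithmetic and set_field, which is the one request value this commit leaves unconverted despite its stated purpose; reading it through the same mechanism, e.g. `$gradinggrade = required_param('gradinggrade', PARAM_INT);` if grading grades are whole numbers, closes that. The new message `error("submission id missing")` guards `$aid`, so it should read `error("assessment id missing");` like the other hunks. The division by `$exercise->gradinggrade` has no guard for a zero value; an explicit check before the normalisation would turn a PHP warning into a clear error. The branch's opening lines are outside the hunk.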
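Review bot: The userdelete branch, visible in full in the `@@ -1103` hunk, deletes the grades and the assessment row for any `$aid` with nothing beyond `empty($aid)` and no isteacher gate, so any logged-in participant can remove another student's assessment by supplying its id. Fetch the record and verify that it belongs to the current user and to this exercise before the two delete_records calls (the adminlistbystudent path suggests assessments carry a user id, but confirm the column name), and consider a session-key check on the GET link that the userconfirmdelete branch above it builds. The same pattern appears in the submissions.php userdelete hunk (`@@ -378`), where the record is fetched but no ownership comparison is visible inside the hunk.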
@@ -1132,8 +1147,12 @@ /****************** view assessment ***********************/ elseif ($action == 'viewassessment') { + if (empty($aid)) { + error("assessment id missing"); + } + // get the assessment record - if (!$assessment = get_record("exercise_assessments", "id", $_GET['aid'])) { + if (!$assessment = get_record("exercise_assessments", "id", $aid)) { error("Assessment record not found"); } diff --git a/mod/exercise/locallib.php b/mod/exercise/locallib.php index dc5ebfb289..61042bbe19 100644 --- a/mod/exercise/locallib.php +++ b/mod/exercise/locallib.php @@ -1608,9 +1608,11 @@ function exercise_print_assessment_form($exercise, $assessment = false, $allowch } if ($assessment) { + $assessment->generalcomment = clean_text($assessment->generalcomment); //clean html first // get any previous grades... if ($gradesraw = get_records_select("exercise_grades", "assessmentid = $assessment->id", "elementno")) { foreach ($gradesraw as $grade) { + $grade->feedback = clean_text($grade->feedback); //clean the html first $grades[] = $grade; // to renumber index 0,1,2... } } @@ -1622,7 +1624,7 @@ function exercise_print_assessment_form($exercise, $assessment = false, $allowch $grades[$i]->grade = 0; } } - + // determine what sort of grading switch ($exercise->gradingstrategy) { case 0: // no grading @@ -2862,13 +2864,13 @@ function exercise_print_upload_form($exercise) { if (! $course = get_record("course", "id", $exercise->course)) { error("Course is misconfigured"); - } + } if (! $cm = get_coursemodule_from_instance("exercise", $exercise->id, $course->id)) { error("Course Module ID was incorrect"); - } + } echo "
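Review bot: The two added `clean_text()` calls in the locallib.php `@@ -1608` hunk carry only `//clean html first` as explanation, which does not say why the cleaning happens at render time; a comment such as `// generalcomment and feedback are stored as user-authored HTML; clean on output before echoing into the form` would record the intent. Note that the calls mutate the loaded record objects in place, so anything later in exercise_print_assessment_form that writes them back would persist the cleaned text — harmless if the function only displays, which is what its name suggests but the hunk cannot confirm. The function starts and ends outside the hunk.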
"; - echo ""; + echo ""; echo " id\" />"; require_once($CFG->dirroot.'/lib/uploadlib.php'); upload_print_form_fragment(1,array('newfile'),null,true,array('title'),$course->maxbytes,$exercise->maxbytes,false); diff --git a/mod/exercise/submissions.php b/mod/exercise/submissions.php index 2e5d536fef..9f2b57b5d8 100644 --- a/mod/exercise/submissions.php +++ b/mod/exercise/submissions.php @@ -1,4 +1,4 @@ -id\">".format_string($exercise->name,true)." -> $strsubmissions", "", "", true); - //...get the action! - $action = required_param('action'); - /******************* admin amend title ************************************/ if ($action == 'adminamendtitle' ) { if (!isteacher($course->id)) { error("Only teachers can look at this page"); - } - if (empty($_GET['sid'])) { + } + if (empty($sid)) { error("Admin Amend Title: submission id missing"); - } + } - $submission = get_record("exercise_submissions", "id", $_GET['sid']); + $submission = get_record("exercise_submissions", "id", $sid); print_heading(get_string("amendtitle", "exercise")); ?> - +
id)) { error("Only teachers can look at this page"); } - if (empty($_GET['sid'])) { + if (empty($sid)) { error("Admin clear late flag: submission id missing"); } - if (!$submission = get_record("exercise_submissions", "id", $_GET['sid'])) { + if (!$submission = get_record("exercise_submissions", "id", $sid)) { error("Admin clear late flag: can not get submission record"); } - if (set_field("exercise_submissions", "late", 0, "id", $_GET['sid'])) { + if (set_field("exercise_submissions", "late", 0, "id", $sid)) { print_heading(get_string("clearlateflag", "exercise")." ".get_string("ok")); } @@ -116,13 +117,13 @@ if (!isteacher($course->id)) { error("Only teachers can look at this page"); - } - if (empty($_GET['sid'])) { + } + if (empty($sid)) { error("Admin confirm delete: submission id missing"); - } - if (!$submission = get_record("exercise_submissions", "id", $_GET['sid'])) { + } + if (!$submission = get_record("exercise_submissions", "id", $sid)) { error("Admin delete: can not get submission record"); - } + } if (isteacher($course->id, $submission->userid)) { if (!isteacheredit($course->id)) { @@ -134,7 +135,7 @@ } } notice_yesno(get_string("confirmdeletionofthisitem","exercise", get_string("submission", "exercise")), - "submissions.php?action=admindelete&id=$cm->id&sid=$_GET[sid]", "submissions.php?id=$cm->id&action=adminlist"); + "submissions.php?action=admindelete&id=$cm->id&sid=$sid", "submissions.php?id=$cm->id&action=adminlist"); } @@ -144,11 +145,11 @@ if (!isteacher($course->id)) { error("Only teachers can look at this page"); } - if (empty($_GET['sid'])) { + if (empty($sid)) { error("Admin delete: submission id missing"); } - if (!$submission = get_record("exercise_submissions", "id", $_GET['sid'])) { + if (!$submission = get_record("exercise_submissions", "id", $sid)) { error("Admin delete: can not get submission record"); } print_string("deleting", "exercise"); 
@@ -178,15 +179,15 @@ if (!isteacher($course->id)) { error("Only teachers can look at this page"); } - if (empty($_GET['sid'])) { + if (empty($sid)) { error("Admin confirm late flag: submission id missing"); } - if (!$submission = get_record("exercise_submissions", "id", $_GET['sid'])) { + if (!$submission = get_record("exercise_submissions", "id", $sid)) { error("Admin confirm late flag: can not get submission record"); } notice_yesno(get_string("clearlateflag","exercise")."?", - "submissions.php?action=adminclearlate&id=$cm->id&sid=$_GET[sid]", + "submissions.php?action=adminclearlate&id=$cm->id&sid=$sid", "submissions.php?id=$cm->id&action=adminlist"); } @@ -211,11 +212,11 @@ if (!isteacher($course->id)) { error("Only teachers can look at this page"); } - if (empty($_POST['sid'])) { + if (empty($sid)) { error("Admin Update Title: submission id missing"); } - if (set_field("exercise_submissions", "title", $_POST['title'], "id", $_POST['sid'])) { + if (set_field("exercise_submissions", "title", $title, "id", $sid)) { print_heading(get_string("amendtitle", "exercise")." ".get_string("ok")); } redirect("submissions.php?id=$cm->id&action=adminlist"); 
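Review bot: The adminupdatetitle hunk (`@@ -211`) stores `$title` via set_field with no visible cleaning, and the source of `$title` is in the prologue outside every hunk; the old `$_POST['title']` was at least explicit about where the value came from. Confirm the prologue reads it through a text-cleaning PARAM type and that stored titles are always rendered through `format_string()`, as this file already does for `$exercise->name`, so markup in a title cannot reach the page. The update also does not check that `$sid` belongs to this exercise; comparing the fetched submission's exercise id with `$exercise->id` would scope a teacher's edits to their own course. The branch's remaining lines lie outside the hunk.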
@@ -378,23 +379,23 @@ /******************* user confirm delete ************************************/ elseif ($action == 'userconfirmdelete' ) { - if (empty($_GET['sid'])) { + if (empty($sid)) { error("User Confirm Delete: submission id missing"); } notice_yesno(get_string("confirmdeletionofthisitem","exercise", get_string("submission", "exercise")), - "submissions.php?action=userdelete&id=$cm->id&sid=$_GET[sid]", "view.php?id=$cm->id"); + "submissions.php?action=userdelete&id=$cm->id&sid=$sid", "view.php?id=$cm->id"); } /******************* user delete ************************************/ elseif ($action == 'userdelete' ) { - if (empty($_GET['sid'])) { + if (empty($sid)) { error("User Delete: submission id missing"); } - if (!$submission = get_record("exercise_submissions", "id", $_GET['sid'])) { + if (!$submission = get_record("exercise_submissions", "id", $sid)) { error("User Delete: can not get submission record"); } print_string("deleting", "exercise"); diff --git a/mod/exercise/upload.php b/mod/exercise/upload.php index 9dacfa8ea0..9c6c160b24 100644 --- a/mod/exercise/upload.php +++ b/mod/exercise/upload.php @@ -1,10 +1,11 @@ -id\">$strexercises -> ".format_string($exercise->name), "", "", true, update_module_button($cm->id, $course->id, $strexercise), navmenu($course, $cm)); - // ...and if necessary set default action - - $action = optional_param('action', '', PARAM_ALPHA); if (isteacher($course->id)) { if (empty($action)) { // no action specified, either go straight to elements page else the admin page // has the assignment any elements @@ -335,7 +334,6 @@ /// Check to see if groups are being used in this exercise /// and if so, set $currentgroup to reflect the current group - $changegroup = isset($_GET['group']) ? $_GET['group'] : -1; // Group change requested? $groupmode = groupmode($course, $cm); // Groups are being used? $currentgroup = get_and_set_current_group($course, $groupmode, $changegroup); -- 2.39.5
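Review bot: The view.php `@@ -335` hunk removes the `$changegroup` assignment while the context line two below still passes `$changegroup` to get_and_set_current_group, so the variable must now be set in the prologue that no hunk shows, presumably as `optional_param('group', -1, PARAM_INT)` with the same `-1` default that previously meant "no group change requested". If the prologue does not keep that default, the call receives null and group selection changes silently; a comment on the remaining line, `// $changegroup is read in the prologue (group param, default -1)`, would make the coupling visible. The upload.php and first view.php hunks are too garbled here to review.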