From 449e6414e5d506a190a80a3e89f59bbd8c55e9b0 Mon Sep 17 00:00:00 2001
From: skodak
Date: Fri, 8 Dec 2006 19:36:00 +0000
Subject: [PATCH] MDL-7823 Fixed hardcoded strings and xhtml compliance, code cleanup, improved access control in mod/data/preset.php minor changes in language pack, should not cause legacy problems
---
 lang/en_utf8/data.php | 4 +-
 mod/data/preset.php | 324 ++++++++++++++++++++++--------------------
 2 files changed, 173 insertions(+), 155 deletions(-)
diff --git a/lang/en_utf8/data.php b/lang/en_utf8/data.php
index 540f7aae3b..ff345ce16c 100644
--- a/lang/en_utf8/data.php
+++ b/lang/en_utf8/data.php
@@ -92,7 +92,7 @@ $string['file'] = 'File';
 $string['filtername'] = 'Database Auto-linking';
 $string['footer'] = 'Footer';
 $string['forcelinkname'] = 'Forced name for the link';
-$string['fromfile'] = 'from zip file';
+$string['fromfile'] = 'Import from zip file';
 $string['header'] = 'Header';
 $string['headeraddtemplate'] = 'Defines the interface when editing entries';
 $string['headercsstemplate'] = 'Defines local CSS styles for the other templates';
@@ -206,7 +206,7 @@ $string['updatefield'] = 'Update an existing field';
 $string['uploadfile'] = 'Upload file';
 $string['uploadrecords'] = 'Upload entries from a file';
 $string['url'] = 'Url';
-$string['usestandard'] = 'use a preset';
+$string['usestandard'] = 'Use a preset';
 $string['viewfromdate'] = 'Viewable from';
 $string['viewtodate'] = 'Viewable to';
diff --git a/mod/data/preset.php b/mod/data/preset.php
index eec50c0eb1..33e1aab44a 100644
--- a/mod/data/preset.php
+++ b/mod/data/preset.php
@@ -1,6 +1,6 @@ libdir.'/uploadlib.php');
 require_once($CFG->libdir.'/xmlize.php');
-$id = optional_param('id', 0, PARAM_INT); // course module id
-$d = optional_param('d', 0, PARAM_INT); // database activity id
-$action = optional_param('action', 'base', PARAM_RAW); // current action
-$userid = optional_param('userid', 0, PARAM_INT); // owner of the preset
-$shortname = optional_param('shortname', '', PARAM_FILE); // directory the preset is in
-$file = optional_param('file', '', PARAM_FILE); // uploaded file
+$id = optional_param('id', 0, PARAM_INT); // course module id
+$d = optional_param('d', 0, PARAM_INT); // database activity id
+$action = optional_param('action', 'base', PARAM_ALPHANUM); // current action
+$fullname = optional_param('fullname', '', PARAM_PATH); // directory the preset is in
+$file = optional_param('file', '', PARAM_FILE); // uploaded file
+
+// find out preset owner userid and shortname
+$parts = explode('/', $fullname);
+$userid = empty($parts[0]) ? 0 : (int)$parts[0];
+$shortname = empty($parts[1]) ? '' : $parts[1];
+unset($parts);
+unset($fullname);
 if ($id) {
 if (! $cm = get_coursemodule_from_id('data', $id)) {
@@ -61,27 +67,32 @@ $sesskey = sesskey();
 /* Output */
 data_print_header($course, $cm, $data, 'presets');
-echo '
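Review bot: `$shortname` is now the second segment of a single PARAM_PATH-cleaned `fullname` instead of a value cleaned as PARAM_FILE on its own, yet it still flows into data_preset_path() for the delete and import actions. Unless PARAM_PATH is known to strip every `..` and separator sequence inside a segment, re-clean the component before use: `$shortname = empty($parts[1]) ? '' : clean_param($parts[1], PARAM_FILE);`. The explode also silently discards a third and later segment, so a value shaped like `a/b/c` is accepted rather than rejected; a `count($parts) > 2` guard that calls error() would make the expected shape explicit. The request-parsing statement run continues outside the hunk.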
'; switch ($action) { /***************** Deleting *****************/ case 'confirmdelete' : - if (!confirm_sesskey()) { + if (!confirm_sesskey()) { // GET request ok here error("Sesskey Invalid"); } + + if ($userid > 0 and ($userid == $USER->id || has_capability('mod/data:manageuserpresets', $context))) { + //ok can delete + } else { + error("Invalid request"); + } + $path = data_preset_path($course, $userid, $shortname); $strwarning = get_string('deletewarning', 'data').'
'. data_preset_name($shortname, $path);
- $options = new object;
- $options->shortname = $shortname;
- $options->userid = $userid;
- $options->action = 'delete';
- $options->d = $data->id;
- $options->sesskey = sesskey();
+ $options = new object();
+ $options->fullname = $userid.'/'.$shortname;
+ $options->action = 'delete';
+ $options->d = $data->id;
+ $options->sesskey = sesskey();
- $optionsno = new object;
+ $optionsno = new object();
 $optionsno->d = $data->id;
 notice_yesno($strwarning, 'preset.php', 'preset.php', $options, $optionsno, 'post', 'get');
 print_footer($course);
@@ -89,8 +100,14 @@ switch ($action) {
 break;
 case 'delete' :
- if (!confirm_sesskey()) {
- error('Sesskey Invalid');
+ if (!data_submitted() and !confirm_sesskey()) {
+ error("Invalid request");
+ }
+
+ if ($userid > 0 and ($userid == $USER->id || has_capability('mod/data:manageuserpresets', $context))) {
+ //ok can delete
+ } else {
+ error("Invalid request");
 }
 $presetpath = data_preset_path($course, $userid, $shortname);
@@ -101,15 +118,15 @@ switch ($action) {
 @rmdir($presetpath);
 $strdeleted = get_string('deleted', 'data');
- notify("$shortname $strdeleted");
+ notify("$shortname $strdeleted", 'notifysuccess');
 break;
 /***************** Importing *****************/
 case 'importpreset' :
- if (!confirm_sesskey()) {
- error("Sesskey Invalid");
+ if (!data_submitted() or !confirm_sesskey()) {
+ error("Invalid request");
 }
 $pimporter = new PresetImporter($course, $cm, $data, $userid, $shortname);
@@ -121,8 +138,8 @@ switch ($action) {
 /* Imports a zip file. */
 case 'importzip' :
- if (!confirm_sesskey()) {
- error("Sesskey Invalid");
+ if (!data_submitted() or !confirm_sesskey()) {
+ error("Invalid request");
 }
 if (!make_upload_directory('temp/data/'.$USER->id)) {
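Review bot: The sesskey guard in the `delete` case uses `and`, so it only errors when the request is both not submitted and carries an invalid sesskey; a POSTed request with a missing or wrong sesskey passes straight through to the ownership check and on to `@rmdir($presetpath)`, which undoes the request-forgery protection this commit adds to the other actions. Every sibling case (`importpreset`, `importzip`, `finishimport`, `export`, `save1`, `save2`, `save3`) uses `or`; change the line to `if (!data_submitted() or !confirm_sesskey()) {`. As a point of style, both this hunk and the `confirmdelete` hunk above express the ownership rule as an empty `//ok can delete` branch followed by `else { error(...) }`; a single negated guard such as `if ($userid <= 0 or ($userid != $USER->id and !has_capability('mod/data:manageuserpresets', $context))) { error("Invalid request"); }` says the same thing without the empty branch.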
@@ -144,8 +161,8 @@ switch ($action) {
 break;
 case 'finishimport':
- if (!confirm_sesskey()) {
- error('Sesskey Invalid');
+ if (!data_submitted() or !confirm_sesskey()) {
+ error("Invalid request");
 }
 $pimporter = new PresetImporter($course, $cm, $data, $userid, $shortname);
@@ -163,8 +180,13 @@ switch ($action) {
 /* Exports as a zip file ready for download. */
 case 'export':
+ if (!data_submitted() or !confirm_sesskey()) {
+ error("Invalid request");
+ }
+
+ echo '
'; $file = data_presets_export($course, $cm, $data); - echo get_string('exportedtozip', 'data')."
"; + echo get_string('exportedtozip', 'data')."
"; $perminantfile = $CFG->dataroot."/$course->id/moddata/data/$data->id/preset.zip"; @unlink($perminantfile); /* is this created elsewhere? sometimes its not present... */ @@ -173,67 +195,70 @@ switch ($action) { /* now just move the zip into this folder to allow a nice download */ if (!rename($file, $perminantfile)) error("Can't move zip"); echo "".get_string('download', 'data').""; + echo '
'; break; /***************** Exporting *****************/ case 'save1': - if (!confirm_sesskey()) { - error("Sesskey Invalid"); + if (!data_submitted() or !confirm_sesskey()) { + error("Invalid request"); } $strcontinue = get_string('continue'); $strwarning = get_string('presetinfo', 'data'); - - echo "
"; - echo "

$strwarning

"; - echo "
"; - echo "Name: name\" />"; - echo ""; - echo ""; - echo ""; - echo "
"; + $strname = get_string('shortname'); + + echo '
'; + echo '

'.$strwarning.'

'; + echo '
'; + echo ' '; + echo ''; + echo ''; + echo ''; + echo '
'; print_footer($course); exit; break; case 'save2': - if (!confirm_sesskey()) { - error("Sesskey Invalid"); + if (!data_submitted() or !confirm_sesskey()) { + error("Invalid request"); } $strcontinue = get_string('continue'); - $stroverwrite = get_string('overwrite'); + $stroverwrite = get_string('overwrite', 'data'); + $strname = get_string('shortname'); $name = optional_param('name', $data->name, PARAM_FILE); if (is_directory_a_preset("$CFG->dataroot/data/preset/$USER->id/$name")) { notify("Preset already exists: Pick another name or overwrite"); - echo "
"; - echo "
"; - echo "New name: "; - echo ""; - echo ""; - echo ""; - echo "
"; - - echo "
"; - echo ""; - echo ""; - echo ""; - echo ""; - echo "
"; - echo "
"; + echo '
'; + echo '
'; + echo ' '; + echo ''; + echo ''; + echo ''; + echo '
'; + + echo '
'; + echo ''; + echo ''; + echo ''; + echo ''; + echo '
'; + echo '
'; print_footer($course); exit; break; } case 'save3': - if (!confirm_sesskey()) { - error("Sesskey Invalid"); + if (!data_submitted() or !confirm_sesskey()) { + error("Invalid request"); } $name = optional_param('name', $data->name, PARAM_FILE); @@ -252,111 +277,104 @@ switch ($action) { $presets = data_get_available_presets($context); -$strimport = get_string('import'); -$strfromfile = get_string('fromfile', 'data'); +$strimport = get_string('import'); +$strfromfile = get_string('fromfile', 'data'); $strchooseorupload = get_string('chooseorupload', 'data'); -$strok = get_string('ok'); -$strusestandard = get_string('usestandard', 'data'); -$strchoose = get_string('choose'); -$strexport = get_string('export', 'data'); -$strexportaszip = get_string('exportaszip', 'data'); -$strsaveaspreset = get_string('saveaspreset', 'data'); -$strdelete = get_string('delete'); - -echo ''; -echo '
'; -echo '

'.$strexport.'

'; -echo '
'; - -echo ''; -echo ''; -echo ''; + +echo ''; -echo ''; echo '
'; -$options = new object; +$strusestandard = get_string('usestandard', 'data'); +$strchoose = get_string('choose'); +$strexport = get_string('export', 'data'); +$strexportaszip = get_string('exportaszip', 'data'); +$strsaveaspreset = get_string('saveaspreset', 'data'); +$strsave = get_string('save', 'data'); +$strdelete = get_string('delete'); + +echo '
'; +echo ''; +echo ''; + +echo ''; -echo '

'.$strexport.'

'; +helpbutton('exportzip', '', 'data'); +echo ''; +$options = new object(); $options->action = 'export'; $options->d = $data->id; $options->sesskey = sesskey(); -helpbutton('exportzip', '', 'data'); -echo ''; -print_single_button('preset.php', $options, $strexportaszip, 'post'); +print_single_button('preset.php', $options, $strexport, 'post'); +echo '
'; -$options = new object; +echo '
'; +helpbutton('savepreset', '', 'data'); +echo ''; +$options = new object(); $options->action = 'save1'; $options->d = $data->id; $options->sesskey = sesskey(); -helpbutton('savepreset', '', 'data'); -echo ''; -print_single_button('preset.php', $options, $strsaveaspreset, 'post'); -echo '
'; - +print_single_button('preset.php', $options, $strsave, 'post'); echo '
'; -echo '

'.$strimport.'

'; -echo '
'; + +echo '

'.$strimport.'

'; helpbutton('importfromfile', '', 'data'); -echo $strfromfile.':'; echo ''; -echo '
'; + +echo ''; echo ''; echo ''; echo ''; -echo ''; -echo ''; +echo ''; +echo ''; echo '
'; echo '
'; -echo ''; + +echo '
'; helpbutton('usepreset', '', 'data'); -echo $strusestandard.':'; echo ''; -echo ''; +echo ''; +echo ''; +echo ''; +echo ''; + +$i = 0; foreach ($presets as $id => $preset) { - echo ''; - echo ''; -} -echo '
'; - if (!empty($preset->screenshot)) { - echo ''.get_string('screenshot').''; - } - echo ''.$preset->name; + $screenshot = ''; if (!empty($preset->userid)) { $user = get_record('user', 'id', $preset->userid); - echo ' ('.fullname($user, has_capability('moodle/site:viewfullnames', $context)).')'; + $desc = $preset->name.' ('.fullname($user, true).')'; + } else { + $desc = $preset->name; } - echo ''; - $options = new object; - $options->shortname = $preset->shortname; - $options->userid = $preset->userid; - $options->action = 'importpreset'; - $options->d = $data->id; - $options->sesskey = sesskey(); - print_single_button('preset.php', $options, $strchoose, 'post'); - echo ''; - if ($preset->userid > 0 && - ($preset->userid == $USER->id || has_capability('mod/data:manageuserpresets', $context))) { - $options = new object; - $options->shortname = $preset->shortname; - $options->userid = $preset->userid; - $options->action = 'confirmdelete'; - $options->d = $data->id; - $options->sesskey = sesskey(); - print_single_button('preset.php', $options, $strdelete, 'post'); + + if (!empty($preset->screenshot)) { + $screenshot = ''.get_string('screenshot').' '.$desc.' '; } - echo '
'; + $fullname = $preset->userid.'/'.$preset->shortname; + + $dellink = ''; + if ($preset->userid > 0 and ($preset->userid == $USER->id || has_capability('mod/data:manageuserpresets', $context))) { + $dellink = ' '. + ''.$strdelete.' '.$desc.''; + } + + echo ''.$dellink.'
'; +} +echo '
'; +echo ''; +echo ''; echo '
'; +echo ''; print_footer($course); - - function is_directory_a_preset($directory) { - $directory = rtrim($directory, '/\\') . '/'; + $directory = rtrim($directory, '/\\') . '/'; if (file_exists($directory.'singletemplate.html') && file_exists($directory.'listtemplate.html') && file_exists($directory.'listtemplateheader.html') && @@ -364,14 +382,13 @@ function is_directory_a_preset($directory) { file_exists($directory.'addtemplate.html') && file_exists($directory.'rsstemplate.html') && file_exists($directory.'rsstitletemplate.html') && - file_exists($directory.'csstemplate.css') && - file_exists($directory.'jstemplate.js') && + file_exists($directory.'csstemplate.css') && + file_exists($directory.'jstemplate.js') && file_exists($directory.'preset.xml')) return true; else return false; } - function clean_preset($folder) { if (@unlink($folder.'/singletemplate.html') && @unlink($folder.'/listtemplate.html') && @@ -429,7 +446,7 @@ function data_presets_export($course, $cm, $data) { $presetxml = "\n\n"; /* Database settings first. Name not included? */ - $settingssaved = array('intro', 'comments', + $settingssaved = array('intro', 'comments', 'requiredentries', 'requiredentriestoview', 'maxentries', 'rssarticles', 'approval', 'scale', 'assessed', 'defaultsort', 'defaultsortdir', 'editany'); @@ -487,7 +504,7 @@ function data_presets_export($course, $cm, $data) { -class PresetImporter { +class PresetImporter { function PresetImporter($course, $cm, $data, $userid, $shortname) { global $CFG; $this->course = $course; @@ -502,7 +519,7 @@ class PresetImporter { global $CFG; if (!is_directory_a_preset($this->folder)) { - error("$this->folder Not a preset"); + error("$this->userid/$this->shortname Not a preset"); } /* Grab XML */ 
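Review bot: The owner name in the preset list is now built with `fullname($user, true)`, replacing the previous `has_capability('moodle/site:viewfullnames', $context)` argument, so every viewer is shown the full name regardless of that capability. That reads as an unintended regression from the cleanup rather than a deliberate change; restore `$desc = $preset->name.' ('.fullname($user, has_capability('moodle/site:viewfullnames', $context)).')';`. The same loop interpolates `$desc` into the screenshot and delete-link markup without escaping; the rendering here is too garbled to confirm the exact attribute layout, but since `$preset->name` originates from preset files rather than from this page, passing `$desc` through `s()` at the point of output would be the safer default.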
@@ -557,56 +574,57 @@ class PresetImporter { $strblank = get_string('blank', 'data'); $strnofields = get_string('nofields', 'data'); - $strcontinue = get_string("continue"); - $sesskey = sesskey(); + $strcontinue = get_string('continue'); $strwarning = get_string('mappingwarning', 'data'); $strfieldmappings = get_string('fieldmappings', 'data'); - $strnew = get_string("new"); - $strold = get_string("old"); + $strnew = get_string('new'); + $strold = get_string('old'); + + $sesskey = sesskey(); list($settings, $newfields, $currentfields) = $this->get_settings(); - echo '
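Review bot: The field-mapping table still interpolates field names from the imported preset into the `echo` markup: the removed side shows `$newfield->name` being echoed directly, and the rewritten lines are too garbled here to see any escaping added around it, while the @@ -659 hunk plainly prints `$currentfield->name` unescaped in `print "Deleting field $currentfield->name<br />";`. Preset XML arrives inside an uploaded zip, so both values should be wrapped in `s()` before output, e.g. `print 'Deleting field '.s($currentfield->name).'<br />';`. The enclosing PresetImporter methods start and end outside these hunks.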
'; + echo '
'; echo ''; echo ''; echo ''; - echo ''; - echo ''; + echo ''; if ($currentfields != array() && $newfields != array()) { echo "

$strfieldmappings "; - echo helpbutton('fieldmappings', '', 'data'); - echo "

"; + helpbutton('fieldmappings', '', 'data'); + echo '
'; foreach ($newfields as $nid => $newfield) { - echo ""; - echo ""; + echo '"; + echo ''; + echo ''; } - echo "
$newfield->name
"; + echo '
'; echo "

$strwarning

"; } else if ($newfields == array()) { error("New preset has no defined fields!"); } - echo ""; + echo ''; } @@ -659,7 +677,7 @@ class PresetImporter { foreach ($currentfields as $cid => $currentfield) { if (!array_key_exists($cid, $preservedfields)) { /* Data not used anymore so wipe! */ - print "Deleting field $currentfield->name
"; + print "Deleting field $currentfield->name
"; $id = $currentfield->id; if ($content = get_records('data_content', 'fieldid', $id)) { @@ -677,7 +695,7 @@ class PresetImporter { data_update_instance(addslashes_object($settings)); - if (strstr($this->folder, "/temp/")) clean_preset($this->folder); /* Removes the temporary files */ + if (strstr($this->folder, '/temp/')) clean_preset($this->folder); /* Removes the temporary files */ return true; } } -- 2.39.5