From 6e73bd12e8b3077dc391e4837ed84848d8a5264e Mon Sep 17 00:00:00 2001
From: stronk7
Date: Wed, 6 May 2009 09:25:54 +0000
Subject: [PATCH] MDL-18058 glossary rates - secured ; merged from 19_STABLE
---
 lang/en_utf8/glossary.php | 1 +
 mod/glossary/rate.php | 10 ++++++++++
 2 files changed, 11 insertions(+)
diff --git a/lang/en_utf8/glossary.php b/lang/en_utf8/glossary.php
index 167f33afb2..c426781ce6 100644
--- a/lang/en_utf8/glossary.php
+++ b/lang/en_utf8/glossary.php
@@ -147,6 +147,7 @@ $string['importentriesfromxml'] = 'Import entries from XML file';
 $string['includegroupbreaks'] = 'Include group breaks';
 $string['invalidid'] = 'Incorrect glossary id';
 $string['invalidglossaryformat'] = 'Invalid Glossary Format';
+$string['invalidrate'] = 'Invalid glossary rate ($a)';
 $string['isglobal'] = 'Is this glossary global?';
 $string['letter'] = 'letter';
 $string['linkcategory'] = 'Automatically link this category';
diff --git a/mod/glossary/rate.php b/mod/glossary/rate.php
index 14375131c7..2523422b40 100644
--- a/mod/glossary/rate.php
+++ b/mod/glossary/rate.php
@@ -45,10 +45,15 @@
 }
 if ($data = data_submitted()) { // form submitted
+
+ /// Calculate scale values
+ $scale_values = make_grades_menu($glossary->scale);
+
 foreach ((array)$data as $entryid => $rating) {
 if (!is_numeric($entryid)) {
 continue;
 }
+
 if (!$entry = $DB->get_record('glossary_entries', array('id'=>$entryid))) {
 continue;
 }
@@ -69,6 +74,11 @@
 continue;
 }
+ /// Check rate is valid for that glossary scale values
+ if (!array_key_exists($rating, $scale_values) && $rating != -999) {
+ print_error('invalidrate', 'glossary', '', $rating);
+ }
+
 if ($oldrating = $DB->get_record("glossary_ratings", array("userid"=>$USER->id, "entryid"=>$entry->id))) { //Check if we must delete the rate
 if ($rating == -999) {
--
2.39.5
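Review bot: In mod/glossary/rate.php (hunk at -45,10) the new comment `/// Calculate scale values` does not say that this array is the allow-list used to validate submitted ratings further down. I would word it as `/// Allowed rating values for this glossary's scale; every submitted rating is checked against these keys below`. What make_grades_menu() returns when `$glossary->scale` is 0 is not visible here; if it is an empty array, every rating except -999 takes the error path, which is worth stating in the comment. The `if ($data = data_submitted())` block continues past the end of the hunk.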
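Review bot: In mod/glossary/rate.php (hunk at -69,6) the raw form value `$rating` is passed as `$a` into `print_error('invalidrate', ...)`, so a request-controlled string is echoed into the error page. Unless print_error() escapes `$a` (not visible in this patch), escape it at the call: `print_error('invalidrate', 'glossary', '', s($rating));`. The guard also compares with a loose `$rating != -999`, so any string PHP treats as equal to -999 bypasses the scale check; a canonical test such as `(string)$rating !== '-999'` is tighter, provided the comparison a few lines below is tightened to match. Finally, print_error() aborts the request inside the foreach, whereas the other rejections in this loop use `continue`, so ratings handled in earlier iterations have presumably already been stored by the time the error is shown. The loop body starts and ends outside the hunk.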