From c11f2e4c155b09c0930b31da81d6eabd2e4d0b81 Mon Sep 17 00:00:00 2001
From: stronk7
Date: Wed, 6 May 2009 10:22:17 +0000
Subject: [PATCH] MDL-18059 database rates - secured ; merged from 19_STABLE
---
 lang/en_utf8/data.php | 1 +
 mod/data/rate.php | 8 ++++++++
 2 files changed, 9 insertions(+)
diff --git a/lang/en_utf8/data.php b/lang/en_utf8/data.php
index 823fcc75f6..cd9aa96407 100644
--- a/lang/en_utf8/data.php
+++ b/lang/en_utf8/data.php
@@ -147,6 +147,7 @@ $string['invalidfieldname'] = 'Please choose another name for this field';
 $string['invalidfieldtype'] = 'Field Type is incorrect';
 $string['invalidid'] = 'Incorrect data ID';
 $string['invalidpreset'] = '$a is not a preset.';
+$string['invalidrate'] = 'Invalid database rate ($a)';
 $string['invalidratedata'] = 'Incorrect submitted ratings data';
 $string['invalidrecord'] = 'Incorrect record';
 $string['invalidurl'] = 'The URL you just entered is not valid';
diff --git a/mod/data/rate.php b/mod/data/rate.php
index 45155a25cf..4faaf5d486 100755
--- a/mod/data/rate.php
+++ b/mod/data/rate.php
@@ -33,6 +33,9 @@
 print_error('invalidaccess', 'data');
 }
+/// Calculate scale values
+ $scale_values = make_grades_menu($data->scale);
+
 $count = 0;
 foreach ((array)$frmdata as $recordid => $rating) {
@@ -52,6 +55,11 @@
 continue;
 }
+ /// Check rate is valid for that database scale values
+ if (!array_key_exists($rating, $scale_values) && $rating != -999) {
+ print_error('invalidrate', 'data', '', $rating);
+ }
+
 // input validation ok
 $count++;
-- 
2.39.5
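Review bot: In mod/data/rate.php (hunk at -33,6 +33,9) the comment `/// Calculate scale values` does not say that only the array keys of `$scale_values` are used, as the allow-list for submitted ratings in the following hunk. A comment such as `/// Keys of this menu are the only rating values accepted in the loop below` would make that dependency explicit for anyone who later changes make_grades_menu(). What that helper returns for an activity without a scale is not visible here; if it can be an empty array, every rating except -999 is rejected, so it is worth confirming that this is intended. The surrounding script continues outside the hunk.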
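Review bot: The sentinel test `$rating != -999` in mod/data/rate.php (hunk at -52,6 +55,11) is a loose comparison on a submitted value, so on PHP versions before 8 a string that merely begins with `-999` also compares equal and bypasses the scale check. Compare the exact form instead, e.g. `if (!array_key_exists($rating, $scale_values) && (string)$rating !== '-999') {`, and give -999 a named constant or a comment saying what it stands for. The rejected value is also passed unmodified to print_error() as `$a` for 'Invalid database rate ($a)'; whether that helper escapes it is not visible in this patch, so either escape it at the call or leave the raw value out of the message. The enclosing foreach starts in the previous hunk and continues past this one.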