From db313fec5322911a30f1cf3df75a8d7fa2aafb25 Mon Sep 17 00:00:00 2001 From: toyomoyo Date: Mon, 2 Jul 2007 08:57:04 +0000 Subject: [PATCH] MDL-10288, adding some fields for grade item edit and security fixes for grader report --- grade/report/grader/edit_item.php | 35 ++--------------- grade/report/grader/edit_item_form.php | 54 ++++++++++++++++++++++++++ grade/report/grader/index.php | 11 ++++-- 3 files changed, 64 insertions(+), 36 deletions(-) create mode 100644 grade/report/grader/edit_item_form.php diff --git a/grade/report/grader/edit_item.php b/grade/report/grader/edit_item.php index a9a2918aea..1da18656a6 100644 --- a/grade/report/grader/edit_item.php +++ b/grade/report/grader/edit_item.php @@ -1,8 +1,8 @@ libdir.'/gradelib.php'; require_once $CFG->libdir.'/formslib.php'; +require_once ('edit_item_form.php'); $courseid = required_param('courseid', PARAM_INT); $id = optional_param('id', 0, PARAM_INT); @@ -19,8 +19,7 @@ $context = get_context_instance(CONTEXT_COURSE, $course->id); // default return url $returnurl = 'category.php?id='.$course->id; - -$mform = new edit_item_form(); +$mform = new edit_item_form(qualified_me(), array('id'=>$id)); if ($item = get_record('grade_items', 'id', $id, 'courseid', $course->id)) { $mform->set_data($item); } else { @@ -44,7 +43,6 @@ if ($mform->is_cancelled()) { redirect($returnurl); } - $strgrades = get_string('grades'); $strgraderreport = get_string('graderreport', 'grades'); $stritemsedit = get_string('itemsedit', 'grades'); 
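Review bot: The new constructor call in the second hunk hands the form only `array('id'=>$id)` as custom data, so edit_item_form.php (added in this patch) looks the item up with `get_record('grade_items', 'id', $id)` and no course constraint, whereas the `get_record` two lines below this call restricts the same id to `$course->id`. An id belonging to another course would therefore still shape the form's elements (the scale select is chosen from `$item->scaleid`) even though `set_data()` refuses the record; passing the course as well, `array('id'=>$id, 'courseid'=>$course->id)`, lets the form apply the same restriction. The form's use of the custom data is read from the new file rather than from this hunk.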
@@ -60,31 +58,4 @@ print_header_simple($strgrades . ': ' . $strgraderreport, ': ' . $stritemsedit, $mform->display(); -print_footer($course); -die; - - -class edit_item_form extends moodleform { - function definition() { - $mform =& $this->_form; - - // visible elements - $mform->addElement('text', 'itemname', get_string('itemname', 'grades')); - - //TODO: add other elements - - // hidden params - $mform->addElement('hidden', 'id', 0); - $mform->setType('id', PARAM_INT); - - $mform->addElement('hidden', 'courseid', 0); - $mform->setType('courseid', PARAM_INT); - - $mform->addElement('hidden', 'itemtype', 0); - $mform->setType('itemtype', PARAM_ALPHA); - -//------------------------------------------------------------------------------- - // buttons - $this->add_action_buttons(); - } -} \ No newline at end of file +print_footer($course); \ No newline at end of file diff --git a/grade/report/grader/edit_item_form.php b/grade/report/grader/edit_item_form.php new file mode 100644 index 0000000000..d933762917 --- /dev/null +++ b/grade/report/grader/edit_item_form.php 
@@ -0,0 +1,54 @@
+_form;
+
+ if ($id = $this->_customdata['id']) { // grade item id, if known
+ $item = get_record('grade_items', 'id', $id);
+ } else {
+ $item = NULL;
+ }
+
+ $mform->addElement('header', 'general', get_string('gradeitem', 'form'));
+ // visible elements
+ $mform->addElement('text', 'itemname', get_string('itemname', 'grades'));
+ $mform->addElement('text', 'iteminfo', get_string('iteminfo', 'grades'));
+ $mform->addElement('text', 'idnumber', get_string('idnumber'));
+ $mform->addElement('text', 'grademax', get_string('grademax', 'grades'));
+ $mform->addElement('text', 'grademin', get_string('grademin', 'grades'));
+ $mform->addElement('text', 'gradepass', get_string('gradepass', 'grades'));
+ $mform->addElement('text', 'multfactor', get_string('multfactor', 'grades'));
+ $mform->addElement('text', 'plusfactor', get_string('plusfactor', 'grades'));
+ $mform->addElement('checkbox', 'locked', get_string('locked', 'grades'));
+
+ // new grade item, or existing manual grade item(?)
+ if (!$id || (!empty($item->scaleid) && $item->type == 'manual')) {
+ if ($scales = get_records('scale')) {
+ $soptions = array(0=>get_string('usenoscale', 'grades'));
+ foreach ($scales as $scale) {
+ $soptions[$scale->id] = $scale->name;
+ }
+ $mform->addElement('select', 'scaleid', get_string('scale'), $soptions);
+ }
+ }
+
+ $mform->addElement('date_time_selector', 'locktime', get_string('locktime', 'grades'), array('optional'=>true));
+
+ // TOOD: outcomeid/calculations (only for new/manual/category?)
+
+ // hidden params
+ $mform->addElement('hidden', 'id', 0);
+ $mform->setType('id', PARAM_INT);
+
+ $mform->addElement('hidden', 'courseid', 0);
+ $mform->setType('courseid', PARAM_INT);
+
+ $mform->addElement('hidden', 'itemtype', 0);
+ $mform->setType('itemtype', PARAM_ALPHA);
+
+//-------------------------------------------------------------------------------
+ // buttons
+ $this->add_action_buttons();
+ }
+}
+?>
\ No newline at end of file
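Review bot: None of the visible text elements (itemname, iteminfo, idnumber, grademax, grademin, gradepass, multfactor, plusfactor) gets a `setType()` call, while the three hidden fields do, so their submitted values pass through the form unfiltered even though this commit is meant to tighten input handling in the grader report. The numeric fields should be typed PARAM_NUMBER and the free-text ones PARAM_NOTAGS, as in the block below, and a `validation()` override rejecting a `grademin` greater than `grademax` would catch the obvious inconsistent submission before it is saved. Separately, `$item->type == 'manual'` looks like it reads a property the record does not carry — the hidden field further down is named `itemtype`, which appears to be the real column — so the scale select would never be shown for an existing manual item; worth confirming against the grade_items schema. The class and method header of this file were lost in the patch rendering, so the start of `definition()` is not visible here.
```php
$mform->addElement('checkbox', 'locked', get_string('locked', 'grades'));

// type every visible element so formslib cleans the submitted values
$mform->setType('itemname', PARAM_NOTAGS);
$mform->setType('iteminfo', PARAM_NOTAGS);
$mform->setType('idnumber', PARAM_NOTAGS);
$mform->setType('grademax', PARAM_NUMBER);
$mform->setType('grademin', PARAM_NUMBER);
$mform->setType('gradepass', PARAM_NUMBER);
$mform->setType('multfactor', PARAM_NUMBER);
$mform->setType('plusfactor', PARAM_NUMBER);

// … unchanged: scale select, locktime, hidden params, buttons …
```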
diff --git a/grade/report/grader/index.php b/grade/report/grader/index.php index fad4bf4ca2..4598209a25 100644 --- a/grade/report/grader/index.php +++ b/grade/report/grader/index.php @@ -13,18 +13,21 @@ $strsortdesc = get_string('sortdesc', 'grades'); if ($data = data_submitted()) { foreach ($data as $varname => $postedgrade) { + + // clean posted values + $postedgrade = clean_param($postedgrade, PARAM_NUMBER); + $varname = clean_param($varname, PARAM_RAW); + // skip, not a grade if (!strstr($varname, 'grade')) { continue; } - // clean - $postedgrade = clean_param($postedgrade, PARAM_NUMBER); $gradeinfo = explode("_", $varname); $grade = new object(); - $grade->userid = $gradeinfo[1]; - $gradeitemid = $gradeinfo[2]; + $grade->userid = clean_param($gradeinfo[1], PARAM_INT); + $gradeitemid = clean_param($gradeinfo[2], PARAM_INT); $grade->rawgrade = $postedgrade; // put into grades array -- 2.39.5
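Review bot: `clean_param($varname, PARAM_RAW)` on the new line is a no-op — PARAM_RAW returns its input unchanged — so the `// clean posted values` comment overstates what happens to the field name, and the effective protection is the PARAM_INT cleaning of `$gradeinfo[1]` and `$gradeinfo[2]` further down. That later cleaning still has two gaps: `strstr($varname, 'grade')` accepts any posted name that merely contains "grade", so `explode("_", $varname)` can yield fewer than three parts and raise an undefined-offset notice before `clean_param` runs, and PARAM_INT casts a non-numeric part to 0, which then flows into `$grade->userid` as a plausible-looking id. I would replace the strstr test with a shape check, `$gradeinfo = explode('_', $varname); if (count($gradeinfo) != 3 || $gradeinfo[0] != 'grade') { continue; }`, and skip the entry when either cleaned id is 0. The foreach body continues past the end of the hunk, so what happens to `$grade` afterwards is not visible here.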