moodle/question/toggleflag.php

<?php
/**
 * Used by ajax calls to toggle the flagged state of a question in an attempt.
 * @license http://www.gnu.org/copyleft/gpl.html GNU Public License
 * @package questionbank
 */

require_once('../config.php');
require_once($CFG->libdir.'/questionlib.php');

// Parameters
$sessionid = required_param('qsid', PARAM_INT);
$attemptid = required_param('aid', PARAM_INT);
$questionid = required_param('qid', PARAM_INT);
$newstate = required_param('newstate', PARAM_BOOL);
$checksum = required_param('checksum', PARAM_ALPHANUM);

// Check user is logged in.
require_login();

// Check the sesskey.
if (!confirm_sesskey()) {
    echo 'sesskey failure';
}

// Check the checksum - it is very hard to know who a question session belongs
// to, so we require that checksum parameter is matches an md5 hash of the
// three ids and the users username. Since we are only updating a flag, that
// probably makes it sufficiently difficult for malicious users to toggle
// other users flags.
if ($checksum != md5($attemptid . "_" . $USER->secret . "_" . $questionid . "_" . $sessionid)) {
    echo 'checksum failure';
}

// Check that the requested session really exists
$questionsession = $DB->get_record('question_sessions', array('id' => $sessionid,
        'attemptid' => $attemptid, 'questionid' => $questionid));
if (!$questionsession) {
    echo 'invalid ids';
}

// Now change state
if (!question_update_flag($sessionid, $newstate)) {
    echo 'update failed';
}

echo 'OK';
MDL-20700 coding style cleanup - cvs keywords removed, closign php tag removed, trailing whitespace cleanup 2009-11-04 11:57:52 +00:00			`<?php`
MDL-16263 A way for students to flag/bookmark, particular questions during a quiz attempt for later review. This is an initial implementation that is now at a working state, but with a few things left to do. It seemed like a good idea to commit it before leaving work on Friday night. 2008-08-29 10:08:27 +00:00			`/**`
			`* Used by ajax calls to toggle the flagged state of a question in an attempt.`
			`* @license http://www.gnu.org/copyleft/gpl.html GNU Public License`
			`* @package questionbank`
			`*/`

			`require_once('../config.php');`
			`require_once($CFG->libdir.'/questionlib.php');`

			`// Parameters`
			`$sessionid = required_param('qsid', PARAM_INT);`
			`$attemptid = required_param('aid', PARAM_INT);`
			`$questionid = required_param('qid', PARAM_INT);`
			`$newstate = required_param('newstate', PARAM_BOOL);`
			`$checksum = required_param('checksum', PARAM_ALPHANUM);`

			`// Check user is logged in.`
			`require_login();`

			`// Check the sesskey.`
			`if (!confirm_sesskey()) {`
			`echo 'sesskey failure';`
			`}`

			`// Check the checksum - it is very hard to know who a question session belongs`
MDL-20700 coding style cleanup - cvs keywords removed, closign php tag removed, trailing whitespace cleanup 2009-11-04 11:57:52 +00:00			`// to, so we require that checksum parameter is matches an md5 hash of the`
MDL-16263 A way for students to flag/bookmark, particular questions during a quiz attempt for later review. This is an initial implementation that is now at a working state, but with a few things left to do. It seemed like a good idea to commit it before leaving work on Friday night. 2008-08-29 10:08:27 +00:00			`// three ids and the users username. Since we are only updating a flag, that`
			`// probably makes it sufficiently difficult for malicious users to toggle`
			`// other users flags.`
			`if ($checksum != md5($attemptid . "_" . $USER->secret . "_" . $questionid . "_" . $sessionid)) {`
			`echo 'checksum failure';`
			`}`

			`// Check that the requested session really exists`
			`$questionsession = $DB->get_record('question_sessions', array('id' => $sessionid,`
			`'attemptid' => $attemptid, 'questionid' => $questionid));`
			`if (!$questionsession) {`
			`echo 'invalid ids';`
			`}`

			`// Now change state`
			`if (!question_update_flag($sessionid, $newstate)) {`
			`echo 'update failed';`
			`}`

			`echo 'OK';`