MDL-11267 - Anywone who can view quiz reports can delete student attempts. Merged from MOODLE_18_STABLE.

2025-01-19 06:18:28 +01:00 · 2007-09-17 16:17:24 +00:00 · 2007-09-17 16:17:24 +00:00 · 07a7d85924
commit 07a7d85924
parent dca9fc5346
5 changed files with 22 additions and 4 deletions
--- a/lang/en_utf8/quiz.php
+++ b/lang/en_utf8/quiz.php
@ -445,6 +445,7 @@ $string['regrade'] = 'Regrade all attempts';
 $string['regradecomplete'] = 'All attempts have been regraded';
 $string['regradecount'] = '$a->changed out of $a->attempt grades were changed';
 $string['regradedisplayexplanation'] = 'Attempts that change during regrading are displayed as hyperlinks to the question review window';
+$string['regradenotallowed'] = 'You do not have permission to regrade this quiz';
 $string['regradingquestion'] = 'Regrading \"$a\".';
 $string['regradingquiz'] = 'Regrading Quiz \"$a\"';
 $string['relative'] = 'Relative';
--- a/mod/quiz/db/access.php
+++ b/mod/quiz/db/access.php
@ -54,7 +54,7 @@ $mod_quiz_capabilities = array(
        )
    ),

-    // Manually grade and comment on student attempts at a question.
+    // Manually grade and comment on student attempts at a question, and regrade quizzes.
    'mod/quiz:grade' => array(

        'captype' => 'write',
--- a/mod/quiz/locallib.php
+++ b/mod/quiz/locallib.php
@ -144,6 +144,8 @@ function quiz_delete_attempt($attempt, $quiz) {
    } else {
        quiz_save_best_grade($quiz, $userid);
    }
+
+    quiz_update_grades($quiz, $userid);
 }

 /// Functions to do with quiz layout and pages ////////////////////////////////
--- a/mod/quiz/report/overview/report.php
+++ b/mod/quiz/report/overview/report.php
@ -23,6 +23,8 @@ class quiz_report extends quiz_default_report {
        $strtimeformat = get_string('strftimedatetime');
        $strreviewquestion = get_string('reviewresponse', 'quiz');

+        $context = get_context_instance(CONTEXT_MODULE, $cm->id);
+
        // Only print headers if not asked to download data
        if (!$download = optional_param('download', NULL)) {
            $this->print_header_and_tabs($cm, $course, $quiz, $reportmode="overview");
@ -33,11 +35,12 @@ class quiz_report extends quiz_default_report {

        switch($action) {
            case 'delete': // Some attempts need to be deleted
+                require_capability('mod/quiz:deleteattempts', $context);
                $attemptids = optional_param('attemptid', array(), PARAM_INT);

                foreach($attemptids as $attemptid) {
+                    add_to_log($course->id, 'quiz', 'delete attempt', 'report.php?id=' . $cm->id, $attemptid, $cm->id);
                    quiz_delete_attempt($attemptid, $quiz);
-                    quiz_update_grades($quiz, $USER->id);
                }
            break;
        }
@ -497,14 +500,19 @@ class quiz_report extends quiz_default_report {
                // Print table
                $table->print_html();

+                // Prepare list of available options.
+                $options = array();
+                if (has_capability('mod/quiz:deleteattempts', $context)) {
+                    $options['delete'] = get_string('delete');
+                }
+
                // Print "Select all" etc.
-                if (!empty($attempts)) {
+                if (!empty($attempts) && !empty($options)) {
                    echo '<table id="commands">';
                    echo '<tr><td>';
                    echo '<a href="javascript:select_all_in(\'DIV\',null,\'tablecontainer\');">'.get_string('selectall', 'quiz').'</a> / ';
                    echo '<a href="javascript:deselect_all_in(\'DIV\',null,\'tablecontainer\');">'.get_string('selectnone', 'quiz').'</a> ';
                    echo '&nbsp;&nbsp;';
-                    $options = array('delete' => get_string('delete'));
                    echo choose_from_menu($options, 'action', '', get_string('withselected', 'quiz'), 'if(this.selectedIndex > 0) submitFormById(\'attemptsform\');', '', true);
                    echo '<noscript id="noscriptmenuaction" style="display: inline;"><div>';
                    echo '<input type="submit" value="'.get_string('go').'" /></div></noscript>';
--- a/mod/quiz/report/regrade/report.php
+++ b/mod/quiz/report/regrade/report.php
@ -11,6 +11,13 @@ class quiz_report extends quiz_default_report {
        // Print header
        $this->print_header_and_tabs($cm, $course, $quiz, $reportmode="regrade");

+        // Check permissions
+        $context = get_context_instance(CONTEXT_MODULE, $cm->id);
+        if (!has_capability('mod/quiz:grade', $context)) {
+            notify(get_string('regradenotallowed', 'quiz'));
+            return true;
+        }
+
        // Fetch all attempts
        if (!$attempts = get_records_select('quiz_attempts', "quiz = '$quiz->id' AND preview = 0")) {
            print_heading(get_string('noattempts', 'quiz'));