mirror_php/moodle
1
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-01-17 21:49:15 +01:00
Code Issues Projects Releases Wiki Activity

MDL-26198 fix CSRF and missing access control + fix xhtml strict

Browse Source
This commit is contained in:
Petr Skoda 2011-01-30 21:50:04 +01:00
parent ff03c5b6b5
commit 9cedb80c5d
2 changed files with 16 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
course/report/completion/index.php
View File

@ -632,7 +632,7 @@ foreach ($progress as $user) {
$describe = get_string('completion-alt-auto-'.$completiontype,'completion');
print '<td class="completion-progresscell">'.
'<a href="'.$CFG->wwwroot.'/course/togglecompletion.php?user='.$user->id.'&course='.$course->id.'&rolec='.$allow_marking_criteria.'">'.
'<a href="'.$CFG->wwwroot.'/course/togglecompletion.php?user='.$user->id.'&amp;course='.$course->id.'&amp;rolec='.$allow_marking_criteria.'&amp;sesskey='.sesskey().'">'.
'<img src="'.$OUTPUT->pix_url('i/completion-manual-'.($is_complete ? 'y' : 'n')).
'" alt="'.$describe.'" class="icon" title="Mark as complete" /></a></td>'; //TODO: localize
} else {

12
course/togglecompletion.php
View File

@ -41,6 +41,7 @@ if ($courseid) {
// Check user is logged in
$course = $DB->get_record('course', array('id' => $courseid), '*', MUST_EXIST);
$context = get_context_instance(CONTEXT_COURSE, $course->id);
require_login($course);
$completion = new completion_info($course);
@ -50,8 +51,12 @@ if ($courseid) {
$rolec = optional_param('rolec', 0, PARAM_INT);
if ($user && $rolec) {
require_sesskey();
$criteria = completion_criteria::factory((object) array('id'=>$rolec, 'criteriatype'=>COMPLETION_CRITERIA_TYPE_ROLE));
completion_criteria::factory((object) array('id'=>$rolec, 'criteriatype'=>COMPLETION_CRITERIA_TYPE_ROLE)); //TODO: this is dumb, because it does not fetch the data?!?!
$criteria = completion_criteria_role::fetch(array('id'=>$rolec));
if ($criteria and user_has_role_assignment($USER->id, $criteria->role, $context->id)) {
$criteria_completions = $completion->get_completions($user, COMPLETION_CRITERIA_TYPE_ROLE);
foreach ($criteria_completions as $criteria_completion) {
@ -60,6 +65,7 @@ if ($courseid) {
break;
}
}
}
// Return to previous page
if (!empty($_SERVER['HTTP_REFERER'])) {
@ -71,7 +77,7 @@ if ($courseid) {
} else {
// Confirm with user
if ($confirm) {
if ($confirm and confirm_sesskey()) {
$completion = $completion->get_completion($USER->id, COMPLETION_CRITERIA_TYPE_SELF);
if (!$completion) {
@ -94,7 +100,7 @@ if ($courseid) {
$PAGE->set_heading($course->fullname);
$PAGE->navbar->add($strconfirm);
echo $OUTPUT->header();
$buttoncontinue = new single_button(new moodle_url('/course/togglecompletion.php', array('course'=>$courseid, 'confirm'=>1)), get_string('yes'), 'post');
$buttoncontinue = new single_button(new moodle_url('/course/togglecompletion.php', array('course'=>$courseid, 'confirm'=>1, 'sesskey'=>sesskey())), get_string('yes'), 'post');
$buttoncancel = new single_button(new moodle_url('/course/view.php', array('id'=>$courseid)), get_string('no'), 'get');
echo $OUTPUT->confirm($strconfirm, $buttoncontinue, $buttoncancel);
echo $OUTPUT->footer();