MDL-10010 improved data validation in glossary rate.php
parent
d08e1a0b82
commit
b83ed1acb9
@ -13,19 +13,63 @@
|
||||
error("Course ID was incorrect");
|
||||
}
|
||||
|
||||
require_login($course->id);
|
||||
require_login($course);
|
||||
|
||||
if (isguest()) {
|
||||
error("Guests are not allowed to rate entries.", $_SERVER["HTTP_REFERER"]);
|
||||
if (isguestuser()) {
|
||||
error("Guests are not allowed to rate entries.");
|
||||
}
|
||||
|
||||
$returnurl = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : null;
|
||||
|
||||
$glossary = false;
|
||||
if ($data = data_submitted("$CFG->wwwroot/mod/glossary/view.php")) { // form submitted
|
||||
print_object($data);
|
||||
foreach ((array)$data as $entry => $rating) {
|
||||
if ($entry == "id") {
|
||||
foreach ((array)$data as $entryid => $rating) {
|
||||
if (!is_numeric($entryid)) {
|
||||
continue;
|
||||
}
|
||||
if ($oldrating = get_record("glossary_ratings", "userid", $USER->id, "entryid", $entry)) {
|
||||
if (!$entry = get_record('glossary_entries', 'id', $entryid)) {
|
||||
continue;
|
||||
}
|
||||
if (!$glossary) {
|
||||
if (!$glossary = get_record('glossary', 'id', $entry->glossaryid)) {
|
||||
error('Incorrect glossary id');
|
||||
}
|
||||
if (!$cm = get_coursemodule_from_instance('glossary', $glossary->id)) {
|
||||
error("Course Module ID was incorrect");
|
||||
}
|
||||
$context = get_context_instance(CONTEXT_MODULE, $cm->id);
|
||||
|
||||
require_login($course, false, $cm);
|
||||
|
||||
if (!$glossary->assessed) {
|
||||
error('Rating of items not allowed!');
|
||||
}
|
||||
if ($glossary->assessed == 2 and !has_capability('mod/glossary:rate', $context)) {
|
||||
error('You can not rate items!');
|
||||
}
|
||||
|
||||
if (empty($returnurl)) {
|
||||
$returnurl = $CFG->wwwroot.'/mod/glossary/view.php?id='.$cm->id;
|
||||
}
|
||||
}
|
||||
|
||||
if ($entry->glossaryid != $glossary->id) {
|
||||
error('This is not valid entry!!');
|
||||
}
|
||||
|
||||
if ($glossary->assesstimestart and $glossary->assesstimefinish) {
|
||||
if ($entry->timecreated < $glossary->assesstimestart or $entry->timecreated > $glossary->assesstimefinish) {
|
||||
// we can not grade this, ignore it - this should not happen anyway unless teachr changes setting
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
if ($entry->userid == $USER->id) {
|
||||
//can not rate own entry
|
||||
continue;
|
||||
}
|
||||
|
||||
if ($oldrating = get_record("glossary_ratings", "userid", $USER->id, "entryid", $entry->id)) {
|
||||
//Check if we must delete the rate
|
||||
if ($rating == -999) {
|
||||
delete_records('glossary_ratings','userid',$oldrating->userid, 'entryid',$oldrating->entryid);
|
||||
@ -37,18 +81,24 @@
|
||||
}
|
||||
}
|
||||
} else if ($rating >= 0) {
|
||||
unset($newrating);
|
||||
$newrating->userid = $USER->id;
|
||||
$newrating->time = time();
|
||||
$newrating->entryid = $entry;
|
||||
$newrating->rating = $rating;
|
||||
$newrating = new object();
|
||||
$newrating->userid = $USER->id;
|
||||
$newrating->time = time();
|
||||
$newrating->entryid = $entry->id;
|
||||
$newrating->rating = $rating;
|
||||
|
||||
if (! insert_record("glossary_ratings", $newrating)) {
|
||||
error("Could not insert a new rating ($entry = $rating)");
|
||||
error("Could not insert a new rating ($entry->id = $rating)");
|
||||
}
|
||||
}
|
||||
}
|
||||
redirect($_SERVER["HTTP_REFERER"], get_string("ratingssaved", "glossary"));
|
||||
|
||||
if (!$glossary) {
|
||||
// something wrong happended - no rating changed/added
|
||||
error('Incorrect ratings submitted');
|
||||
}
|
||||
|
||||
redirect($returnurl, get_string("ratingssaved", "glossary"));
|
||||
|
||||
} else {
|
||||
error("This page was not accessed correctly");
|
||||
|
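Review bot: The rating value itself is still written unchecked in the insert path at `} else if ($rating >= 0) {` — the new code validates `$entryid`, the entry/glossary relationship and the capability, but any numeric `$rating` (and, under PHP's loose comparison, some non-numeric strings) ends up in `glossary_ratings`, so a user can store out-of-range scores; the update branch for an existing rating lies between the two hunks and presumably has the same gap. I would reject non-integers right after the `is_numeric($entryid)` check, e.g. `if (!is_numeric($rating) or (int)$rating != $rating) { continue; }`, and additionally bound the value against the glossary's allowed maximum once `$glossary` is loaded (how `$glossary->scale` encodes numeric versus custom scales is not visible here — confirm before hard-coding the range). As a secondary point, `$returnurl` is taken from `HTTP_REFERER` and passed to `redirect()`; this appears to be constrained by the referer check inside `data_submitted()`, but redirecting unconditionally to the computed `view.php?id=` URL would remove that dependency on the client-supplied header.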