The PARAM_TEXT has been misused in certain cases here. The 'action'
parameter seems to always be alphabetic, with values like
savesubmission, editsubmission and others as handled in assign::view().
Fixing the action handling fixes the reported XSS issue. While working
on it, I spotted two more places where PARAM_TEXT does not seem
appropriate. I include changes for them too, even if they are not
strictly related to the reported bug and there are no known ways to
abuse them.
* The 'plugin' looks like PARAM_PLUGIN and is even declared as such in
some other parts of the assignment code (such as feedback forms).
* The 'workflowstate' is one of the ASSIGN_MARKING_WORKFLOW_STATE
constants and is supposed to be alpha in external function input
parameters handling, too.
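The distinction the message draws between PARAM_TEXT and an alphabetic type, as an added illustration that is not Moodle's code: the three cleaning functions below are simplified models of PARAM_TEXT, PARAM_ALPHA and PARAM_PLUGIN (assumed regular expressions, not the ones in moodlelib.php), and `dispatch_action()` with its `KNOWN_ACTIONS` allowlist is a hypothetical stand-in for the way assign::view() switches on the action name.

```php
<?php
// Added example, not Moodle's code: simplified models of PARAM_TEXT,
// PARAM_ALPHA and PARAM_PLUGIN cleaning, used to show why a value that
// selects a code path (the 'action' parameter) must be cleaned with an
// alphabetic type and matched against a known list, not merely tag-stripped.

// Model of PARAM_TEXT: HTML tags are removed, but punctuation, quotes and
// whitespace survive, so the value is still free-form text.
function clean_text(string $value): string {
    return strip_tags($value);
}

// Model of PARAM_ALPHA: every character except an ASCII letter is dropped.
function clean_alpha(string $value): string {
    return preg_replace('/[^a-zA-Z]/', '', $value);
}

// Model of PARAM_PLUGIN: a plugin name is lowercase letters, digits and
// underscores starting with a letter; anything else is rejected as a whole.
function clean_plugin(string $value): string {
    return preg_match('/^[a-z][a-z0-9_]*$/', $value) ? $value : '';
}

// Hypothetical dispatcher in the shape of assign::view(): after cleaning,
// the action is matched against an explicit allowlist, so a cleaned but
// unknown value can neither reach the output nor pick an unexpected branch.
const KNOWN_ACTIONS = ['view', 'savesubmission', 'editsubmission', 'grading'];

function dispatch_action(string $raw): string {
    $action = clean_alpha($raw);
    if (!in_array($action, KNOWN_ACTIONS, true)) {
        $action = 'view';   // unknown or empty action falls back to the default page
    }
    return $action;
}

// Constructed inputs: a legitimate action name next to values carrying
// characters that have no business in one.
$inputs = ['savesubmission', 'save submission?', 'editsubmission!', '<b>view</b>'];
foreach ($inputs as $in) {
    printf("%-20s text=%-20s alpha=%-16s action=%s\n",
        var_export($in, true),
        var_export(clean_text($in), true),
        var_export(clean_alpha($in), true),
        dispatch_action($in));
}

// The 'plugin' parameter: an acceptable name versus one that is rejected outright.
var_dump(clean_plugin('comments'));
var_dump(clean_plugin('comments;extra'));
```

Run with `php example.php`. The point the table makes is that PARAM_TEXT leaves a string that is still arbitrary text, whereas PARAM_ALPHA reduces it to letters only; the allowlist on top of that is what guarantees the parameter can only ever name one of the actions the code actually handles.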
Before this patch it was possible for the student displayed on the grading page to
not be the student that the user selected to grade. This would occur if:
1) The user had the table ordered by a value that could be modified,
for example Last modified (submission), Grade, Last modified (grade)
2) Another user performed an action that was recorded in Moodle in the time
between the user generating the table and clicking on a grade link.
If a user did not notice a different user had been loaded, it could result in them giving
a grade to the incorrect user.
This patch ensures that the state of the table is cached every time it is viewed by a user
who has the capability to grade.
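The race described above, as an added example that is not part of Moodle's code: the submission list, the `view_grading_table()` function and the two row-resolution functions are hypothetical, and the snapshot cache is an in-memory array standing in for whatever store the real table uses. The example sorts by last-modified time, lets another submission arrive between rendering and clicking, and shows that only the cached order still points at the user the grader saw.

```php
<?php
// Added example, not Moodle's code: a hypothetical grading-table snapshot
// that pins the row-to-user mapping at the moment the grader viewed the
// table, so a later change in the sort key cannot shift which user a row means.

// Constructed submissions: userid => last-modified timestamp.
$submissions = [
    101 => 1000,
    102 => 2000,
    103 => 3000,
];

// Render the table ordered by last modified (newest first) and store the
// resulting user order under an opaque per-view snapshot key.
function view_grading_table(array $submissions, array &$cache): string {
    arsort($submissions);                 // newest first, userids preserved as keys
    $order = array_keys($submissions);    // row index => userid
    $key = bin2hex(random_bytes(8));      // opaque snapshot id carried by the grade links
    $cache[$key] = $order;
    return $key;
}

// Pre-patch behaviour: recompute the ordering at click time.
function user_for_row_live(array $submissions, int $row): int {
    arsort($submissions);
    return array_keys($submissions)[$row];
}

// Patched behaviour: resolve the row against the order the grader actually saw.
function user_for_row_cached(array $cache, string $key, int $row): int {
    return $cache[$key][$row];
}

$cache = [];
$key = view_grading_table($submissions, $cache);
$row = 0;                                        // grader clicks the first row
$seen = user_for_row_cached($cache, $key, $row); // the user shown on that row

// Another user submits between the page render and the click.
$submissions[101] = 4000;

printf("grader saw user %d; live lookup now resolves row %d to user %d; cached lookup resolves it to user %d\n",
    $seen, $row, user_for_row_live($submissions, $row), user_for_row_cached($cache, $key, $row));
```

The live lookup moves user 101 to the top row after the new submission, while the cached lookup keeps returning user 103 for the same row; binding the grade link to the snapshot rather than to a freshly computed ordering is what the commit message means by caching the table state on every view.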
Updated code to restrict list of users. Also includes changes to
ensure that a cm_info object is available (required for availability
checks).
There is a tweak to upgradelib to reflect the different fields used.
(Note that upgradelib is not used during upgrade, but only when
converting assignments from the old assignment module.)
This means that the $PAGE->url is properly set for all pages and is required to fix some edge cases with the comments API when
JavaScript is disabled. It also means logging in after a timeout will work nicely and other Good Things (tm).