20544755 1<?php //$Id$
739196ba 2
8ad36f4c 3///////////////////////////////////////////////////////////////////////////
4// //
5// NOTICE OF COPYRIGHT //
6// //
7// Moodle - Modular Object-Oriented Dynamic Learning Environment //
8// http://moodle.com //
9// //
10// Copyright (C) 1999 onwards Martin Dougiamas http://moodle.com //
11// //
12// This program is free software; you can redistribute it and/or modify //
13// it under the terms of the GNU General Public License as published by //
14// the Free Software Foundation; either version 2 of the License, or //
15// (at your option) any later version. //
16// //
17// This program is distributed in the hope that it will be useful, //
18// but WITHOUT ANY WARRANTY; without even the implied warranty of //
19// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the //
20// GNU General Public License for more details: //
21// //
22// http://www.gnu.org/copyleft/gpl.html //
23// //
24///////////////////////////////////////////////////////////////////////////
25
78ad5f3f 26require_once '../../../config.php';
3af29899 27require_once $CFG->dirroot.'/grade/lib.php';
76317c73 28require_once $CFG->dirroot.'/grade/report/lib.php';
6fb39a98 29require_once 'grade_form.php';
20544755 30
// Request parameters. The course is mandatory; the grade being edited is
// selected either by a grade_grades id or by an itemid/userid pair (the
// cross-checks between them follow further down).
$courseid = required_param('courseid', PARAM_INT);
$id       = optional_param('id', 0, PARAM_INT);
$itemid   = optional_param('itemid', 0, PARAM_INT);
$userid   = optional_param('userid', 0, PARAM_INT);

$course = get_record('course', 'id', $courseid);
if (!$course) {
    print_error('nocourseid');
}

require_login($course);
$context = get_context_instance(CONTEXT_COURSE, $course->id);

// Gate on course-level grading rights before any grade data is fetched:
// moodle/grade:manage is sufficient on its own, otherwise moodle/grade:edit
// is required (require_capability() aborts the request when it is missing).
if (!has_capability('moodle/grade:manage', $context)) {
    require_capability('moodle/grade:edit', $context);
}

// Where to send the user afterwards; falls back to the course grade report.
$gpr = new grade_plugin_return();
$returnurl = $gpr->get_return_url($CFG->wwwroot.'/grade/report.php?id='.$course->id);
20544755 49
// Security checks: resolve and cross-check the identifiers from the request.
// When a grade_grades id is supplied it is authoritative - any itemid/userid
// also supplied must agree with it. Without an id, both itemid and userid
// are required.
if (!empty($id)) {
    $gg = get_record('grade_grades', 'id', $id);
    if (!$gg) {
        error('Incorrect grade id');
    }

    // an explicitly supplied itemid must match the record
    if (!empty($itemid) and $itemid != $gg->itemid) {
        error('Incorrect itemid');
    }
    // likewise an explicitly supplied userid
    if (!empty($userid) and $userid != $gg->userid) {
        error('Incorrect userid');
    }

    $itemid = $gg->itemid;
    $userid = $gg->userid;
    unset($gg);

} else if (empty($userid) or empty($itemid)) {
    error('Missing userid and itemid');
}

// The item must belong to this course: this is what ties the course-context
// capability check above to the grade actually being edited.
$grade_item = grade_item::fetch(array('id'=>$itemid, 'courseid'=>$courseid));
if (!$grade_item) {
    error('Can not find grade_item');
}
75
// Separate-groups courses: unless the grader may access all groups, the
// graded user must share at least one group with the grader. A user in no
// group at all is therefore ungradeable by such a grader.
if (groups_get_course_groupmode($COURSE) == SEPARATEGROUPS and !has_capability('moodle/site:accessallgroups', $context)) {
    $sharesgroup = false;
    if ($usergroups = groups_get_all_groups($COURSE->id, $userid)) {
        foreach ($usergroups as $usergroup) {
            if (groups_is_member($usergroup->id, $USER->id)) {
                $sharesgroup = true;
                break;
            }
        }
    }
    if (!$sharesgroup) {
        error('Can not grade this user');
    }
}
23207a1a 92
93$mform = new edit_grade_form(null, array('grade_item'=>$grade_item, 'gpr'=>$gpr));
94
15a51159 95if ($grade = get_record('grade_grades', 'itemid', $grade_item->id, 'userid', $userid)) {
3f2b0c8a 96
97 // always clean existing feedback - grading should not have XSS risk
98 if (can_use_html_editor()) {
99 $options = new object();
100 $options->smiley = false;
101 $options->filter = false;
102 $options->noclean = false;
103 $grade->feedback = format_text($grade->feedback, $grade->feedbackformat, $options);
104 $grade->feedbackformat = FORMAT_HTML;
105 } else {
106 $grade->feedback = clean_text($grade->feedback, $grade->feedbackformat);
920a0fb2 107 }
108
15a51159 109 $grade->locked = $grade->locked > 0 ? 1:0;
110 $grade->overridden = $grade->overridden > 0 ? 1:0;
111 $grade->excluded = $grade->excluded > 0 ? 1:0;
112
113 if ($grade->hidden > 1) {
114 $grade->hiddenuntil = $grade->hidden;
f60c61b1 115 $grade->hidden = 1;
15a51159 116 } else {
117 $grade->hiddenuntil = 0;
118 }
23207a1a 119
f60c61b1 120 if ($grade_item->is_hidden()) {
121 $grade->hidden = 1;
122 }
123
fb0e3570 124 if ($grade_item->is_locked()) {
125 $grade->locked = 1;
126 }
127
76317c73 128 // normalize the final grade value
129 if ($grade_item->gradetype == GRADE_TYPE_SCALE) {
130 if (empty($grade->finalgrade)) {
131 $grade->finalgrade = -1;
132 } else {
133 $grade->finalgrade = (int)$grade->finalgrade;
134 }
135 } else if ($grade_item->gradetype == GRADE_TYPE_VALUE) {
31a6c06c 136 $grade->finalgrade = format_float($grade->finalgrade, $grade_item->get_decimals());
76317c73 137 }
138
139 $grade->oldgrade = $grade->finalgrade;
140
23207a1a 141 $mform->set_data($grade);
9c25957a 142
20544755 143} else {
27b1735b 144 $mform->set_data(array('itemid'=>$itemid, 'userid'=>$userid, 'locked'=>$grade_item->locked, 'locktime'=>$grade_item->locktime));
20544755 145}
146
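if ($mform->is_cancelled()) {
    redirect($returnurl);

// form processing
} else if ($data = $mform->get_data(false)) {

    // The separate-groups membership check above was run against $userid from
    // the request, but every write below keys on $data->userid, which comes
    // back from the submitted form (presumably a hidden element - it is seeded
    // by set_data() above). Refuse any submission that tries to redirect the
    // edit to a different user than the one that was authorised.
    if ($data->userid != $userid) {
        error('Incorrect userid');
    }

    // moodle/grade:manage implies every finer-grained grading right checked below
    $canmanage = has_capability('moodle/grade:manage', $context);

    $old_grade_grade = new grade_grade(array('userid'=>$data->userid, 'itemid'=>$grade_item->id), true); //might not exist yet

    // fix no grade for scales
    if (!isset($data->finalgrade) or $data->finalgrade == $data->oldgrade) {
        // unchanged (or not editable) - keep whatever is stored
        $data->finalgrade = $old_grade_grade->finalgrade;

    } else if ($grade_item->gradetype == GRADE_TYPE_SCALE and $data->finalgrade < 1) {
        // scale value below 1 is the form's "no grade"
        $data->finalgrade = NULL;

    } else if ($grade_item->gradetype == GRADE_TYPE_VALUE) {
        $data->finalgrade = unformat_float($data->finalgrade);
    }

    if (!isset($data->feedback)) {
        $data->feedback = $old_grade_grade->feedback;
        $data->feedbackformat = $old_grade_grade->feedbackformat;
    }
    // update final grade or feedback
    $grade_item->update_final_grade($data->userid, $data->finalgrade, NULL, 'editgrade', $data->feedback, $data->feedbackformat);

    $grade_grade = new grade_grade(array('userid'=>$data->userid, 'itemid'=>$grade_item->id), true);
    $grade_grade->grade_item =& $grade_item; // no db fetching

    if ($canmanage or has_capability('moodle/grade:hide', $context)) {
        $hidden = empty($data->hidden) ? 0: $data->hidden;
        $hiddenuntil = empty($data->hiddenuntil) ? 0: $data->hiddenuntil;

        if ($grade_item->is_hidden()) {
            if ($old_grade_grade->hidden == 1 and $hiddenuntil == 0) {
                //nothing to do - grade was originally hidden, we want to keep it that way
            } else {
                $grade_grade->set_hidden($hiddenuntil);
            }
        } else {
            if ($hiddenuntil) {
                $grade_grade->set_hidden($hiddenuntil);
            } else {
                $grade_grade->set_hidden($hidden); // checkbox data might be undefined
            }
        }
    }

    // Lock changes: unlocking needs grade:unlock, locking needs grade:lock
    // (or grade:manage for either); an item-level lock cannot be altered here.
    if (isset($data->locked) and !$grade_item->is_locked()) {
        if (($old_grade_grade->locked or $old_grade_grade->locktime)
          and (!$canmanage and !has_capability('moodle/grade:unlock', $context))) {
            //ignore data

        } else if ((!$old_grade_grade->locked and !$old_grade_grade->locktime)
          and (!$canmanage and !has_capability('moodle/grade:lock', $context))) {
            //ignore data

        } else {
            // NOTE(review): assumes the form supplies locktime whenever it supplies locked - confirm in grade_form.php
            $grade_grade->set_locktime($data->locktime); //set_lock may reset locktime
            $grade_grade->set_locked($data->locked, false, true);
        }
    }

    if (isset($data->excluded) and $canmanage) {
        $grade_grade->set_excluded($data->excluded);
    }

    // The original condition read `isset(...) and manage or edit`, which PHP
    // parses as `(isset(...) and manage) or edit`: with grade:edit alone the
    // branch ran even when the form carried no 'overridden' value. The
    // parentheses make the intended "isset AND (manage OR edit)" explicit.
    if (isset($data->overridden) and ($canmanage or has_capability('moodle/grade:edit', $context))) {
        // ignore overridden flag when changing final grade
        if ($old_grade_grade->finalgrade == $grade_grade->finalgrade) {
            $grade_grade->set_overridden($data->overridden);
        }
    }

    // detect cases when we need to do full regrading
    if ($old_grade_grade->excluded != $grade_grade->excluded) {
        // exclusion changes the parent category's aggregation inputs
        $parent = $grade_item->get_parent_category();
        $parent->force_regrading();

    } else if ($old_grade_grade->overridden != $grade_grade->overridden and empty($grade_grade->overridden)) { // only when unoverriding
        $grade_item->force_regrading();

    } else if ($old_grade_grade->locktime != $grade_grade->locktime) {
        $grade_item->force_regrading();
    }

    redirect($returnurl);
}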
234
$strgrades       = get_string('grades');
$strgraderreport = get_string('graderreport', 'grades');
$strgradeedit    = get_string('editgrade', 'grades');
$struser         = get_string('user');

$navigation = grade_build_nav(__FILE__, $strgradeedit, array('courseid' => $courseid));

/*********** BEGIN OUTPUT *************/

$pagetitle = $strgrades . ': ' . $strgraderreport . ': ' . $strgradeedit;
print_header_simple($pagetitle, ': ' . $strgradeedit, $navigation, '', '', true, '', navmenu($course));

print_heading($strgradeedit);

// The edit/add form, boxed and centred; get_data() above did not fire, so
// this is either a fresh GET or a submission that failed validation.
print_simple_box_start("center");
$mform->display();
print_simple_box_end();

print_footer($course);
die;