aeb15530 1<?php
62e76c67 2/**
3 * Used by ajax calls to toggle the flagged state of a question in an attempt.
4 * @license http://www.gnu.org/copyleft/gpl.html GNU Public License
5 * @package questionbank
6 */
7
8require_once('../config.php');
9require_once($CFG->libdir.'/questionlib.php');
10
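// Parameters. All three ids are cast to int and the checksum is restricted to
// [A-Za-z0-9], which is all an md5 hex digest needs.
$sessionid = required_param('qsid', PARAM_INT);
$attemptid = required_param('aid', PARAM_INT);
$questionid = required_param('qid', PARAM_INT);
$newstate = required_param('newstate', PARAM_BOOL);
$checksum = required_param('checksum', PARAM_ALPHANUM);

// Check user is logged in.
require_login();

// Each check below must terminate the request on failure. Echoing the error
// and falling through would still reach question_update_flag() at the bottom,
// which makes the sesskey (CSRF) and checksum guards decorative.

// Check the sesskey.
if (!confirm_sesskey()) {
    echo 'sesskey failure';
    die;
}

// Check the checksum - it is very hard to know who a question session belongs
// to, so we require that the checksum parameter matches an md5 hash of the
// three ids and the current user's secret ($USER->secret, not the username).
// Since we are only updating a flag, that probably makes it sufficiently
// difficult for malicious users to toggle other users' flags. Note that this
// does not verify in the database that the session belongs to $USER; the
// secrecy of $USER->secret is what the check rests on.
// Strict comparison: both sides are strings, and '!=' would apply PHP's loose
// string-to-number rules. A constant-time compare would be preferable where
// available (hash_equals on newer PHP); the md5 digest itself is not secret.
$expectedchecksum = md5($attemptid . "_" . $USER->secret . "_" . $questionid . "_" . $sessionid);
if ($checksum !== $expectedchecksum) {
    echo 'checksum failure';
    die;
}

// Check that the requested session really exists, and that the three ids are
// consistent with each other (the lookup binds all three).
$questionsession = $DB->get_record('question_sessions', array('id' => $sessionid,
        'attemptid' => $attemptid, 'questionid' => $questionid));
if (!$questionsession) {
    echo 'invalid ids';
    die;
}

// Now change state.
if (!question_update_flag($sessionid, $newstate)) {
    echo 'update failed';
    die;
}

// Plain-text success marker consumed by the ajax caller.
echo 'OK';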