MDL-71981 user: escape identity fields if writer supports HTML.
[moodle.git] / user / action_redir.php
CommitLineData
6746bb8a 1<?php
ce221eb5 2// This file is part of Moodle - http://moodle.org/
3//
4// Moodle is free software: you can redistribute it and/or modify
5// it under the terms of the GNU General Public License as published by
6// the Free Software Foundation, either version 3 of the License, or
7// (at your option) any later version.
8//
9// Moodle is distributed in the hope that it will be useful,
10// but WITHOUT ANY WARRANTY; without even the implied warranty of
11// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12// GNU General Public License for more details.
13//
14// You should have received a copy of the GNU General Public License
15// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
16
33e727b7 17/**
ce221eb5 18 * Wrapper script redirecting user operations to correct destination.
19 *
20 * @copyright 1999 Martin Dougiamas http://dougiamas.com
21 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
a2ed6e69 22 * @package core_user
ce221eb5 23 */
33e727b7 24
6746bb8a 25require_once("../config.php");
b71615f5 26require_once($CFG->dirroot . '/course/lib.php');
6746bb8a 27
689ccae5 28$formaction = required_param('formaction', PARAM_LOCALURL);
33e727b7 29$id = required_param('id', PARAM_INT);
6746bb8a 30
a2ed6e69 31$PAGE->set_url('/user/action_redir.php', array('formaction' => $formaction, 'id' => $id));
689ccae5 32list($formaction) = explode('?', $formaction, 2);
ce221eb5 33
b5b81de3
DW
34// This page now only handles the bulk enrolment change actions, other actions are done with ajax.
35$actions = array('bulkchange.php');
6746bb8a 36
33e727b7 37if (array_search($formaction, $actions) === false) {
38 print_error('unknownuseraction');
6746bb8a 39}
40
41if (!confirm_sesskey()) {
33e727b7 42 print_error('confirmsesskeybad');
6746bb8a 43}
44
689ccae5
DW
45if ($formaction == 'bulkchange.php') {
46 // Backwards compatibility for enrolment plugins bulk change functionality.
47 // This awful code is adapting from the participant page with it's param names and values
48 // to the values expected by the bulk enrolment changes forms.
49 $formaction = required_param('formaction', PARAM_URL);
50 require_once($CFG->dirroot . '/enrol/locallib.php');
51
52 $url = new moodle_url($formaction);
53 // Get the enrolment plugin type and bulk action from the url.
54 $plugin = $url->param('plugin');
55 $operationname = $url->param('operation');
e5abe2af 56 $dataformat = $url->param('dataformat');
689ccae5
DW
57
58 $course = $DB->get_record('course', array('id' => $id), '*', MUST_EXIST);
59 $context = context_course::instance($id);
60 $PAGE->set_context($context);
61
689ccae5
DW
62 $userids = optional_param_array('userid', array(), PARAM_INT);
63 $default = new moodle_url('/user/index.php', ['id' => $course->id]);
64 $returnurl = new moodle_url(optional_param('returnto', $default, PARAM_URL));
65
66 if (empty($userids)) {
67 $userids = optional_param_array('bulkuser', array(), PARAM_INT);
68 }
69 if (empty($userids)) {
70 // The first time list hack.
71 if (empty($userids) and $post = data_submitted()) {
72 foreach ($post as $k => $v) {
73 if (preg_match('/^user(\d+)$/', $k, $m)) {
74 $userids[] = $m[1];
75 }
76 }
77 }
78 }
79
e5abe2af
LB
80 if (empty($plugin) AND $operationname == 'download_participants') {
81 // Check permissions.
b71615f5
IT
82 $pagecontext = ($course->id == SITEID) ? context_system::instance() : $context;
83 if (course_can_view_participants($pagecontext)) {
e5abe2af
LB
84 $plugins = core_plugin_manager::instance()->get_plugins_of_type('dataformat');
85 if (isset($plugins[$dataformat])) {
86 if ($plugins[$dataformat]->is_enabled()) {
e5abe2af
LB
87 if (empty($userids)) {
88 redirect($returnurl, get_string('noselectedusers', 'bulkusers'));
89 }
90
91 $columnnames = array(
92 'firstname' => get_string('firstname'),
93 'lastname' => get_string('lastname'),
e5abe2af
LB
94 );
95
c260bad7
PH
96 // Get the list of fields we have to hide.
97 $hiddenfields = [];
98 if (!has_capability('moodle/course:viewhiddenuserfields', $context)) {
99 $hiddenfields = array_flip(explode(',', $CFG->hiddenuserfields));
100 }
101
558cc1b8 102 // TODO Does not support custom user profile fields (MDL-70456).
5e72715e 103 $identityfields = \core_user\fields::get_identity_fields($context, false);
e5abe2af
LB
104 $identityfieldsselect = '';
105
106 foreach ($identityfields as $field) {
107 $columnnames[$field] = get_string($field);
108 $identityfieldsselect .= ', u.' . $field . ' ';
109 }
110
c260bad7
PH
111 [$useridsql, $useridparams] = $DB->get_in_or_equal($userids, SQL_PARAMS_NAMED, 'userid');
112 [$userordersql, $userorderparams] = users_order_by_sql('u', null, $context);
113
114 $params = array_merge($useridparams, $userorderparams);
115
116 // Add column for groups if the user can view them.
117 if (!isset($hiddenfields['groups'])) {
118 $columnnames['groupnames'] = get_string('groups');
119 $identityfieldsselect .= ', gcn.groupnames';
120
121 [$groupconcatnamesql, $groupconcatnameparams] = groups_get_names_concat_sql($course->id);
122 $groupconcatjoin = "LEFT JOIN ({$groupconcatnamesql}) gcn ON gcn.userid = u.id";
123 $params = array_merge($params, $groupconcatnameparams);
124 } else {
125 $groupconcatjoin = '';
e5abe2af
LB
126 }
127
85994027 128 $sql = "SELECT u.firstname, u.lastname" . $identityfieldsselect . "
e5abe2af 129 FROM {user} u
c260bad7
PH
130 {$groupconcatjoin}
131 WHERE u.id {$useridsql}
132 ORDER BY {$userordersql}";
e5abe2af 133
c260bad7 134 $rs = $DB->get_recordset_sql($sql, $params);
526f5ecc
PH
135
136 // Provide callback to pre-process all records ensuring user identity fields are escaped if HTML supported.
137 \core\dataformat::download_data(
138 'courseid_' . $course->id . '_participants',
139 $dataformat,
140 $columnnames,
141 $rs,
142 function(stdClass $record, bool $supportshtml) use ($identityfields): stdClass {
143 if ($supportshtml) {
144 foreach ($identityfields as $identityfield) {
145 $record->{$identityfield} = s($record->{$identityfield});
146 }
147 }
148
149 return $record;
150 }
151 );
e5abe2af
LB
152 $rs->close();
153 }
154 }
155 }
156 } else {
157 $instances = enrol_get_instances($course->id, false);
158 $instance = false;
159 foreach ($instances as $oneinstance) {
160 if ($oneinstance->enrol == $plugin) {
161 $instance = $oneinstance;
162 break;
163 }
164 }
165 if (!$instance) {
166 print_error('errorwithbulkoperation', 'enrol');
167 }
168
169 $manager = new course_enrolment_manager($PAGE, $course, $instance->id);
170 $plugins = $manager->get_enrolment_plugins();
171
172 if (!isset($plugins[$plugin])) {
173 print_error('errorwithbulkoperation', 'enrol');
174 }
175
176 $plugin = $plugins[$plugin];
689ccae5 177
e5abe2af 178 $operations = $plugin->get_bulk_operations($manager);
689ccae5 179
e5abe2af
LB
180 if (!isset($operations[$operationname])) {
181 print_error('errorwithbulkoperation', 'enrol');
182 }
183 $operation = $operations[$operationname];
80a2937d 184
e5abe2af
LB
185 if (empty($userids)) {
186 redirect($returnurl, get_string('noselectedusers', 'bulkusers'));
80a2937d 187 }
80a2937d 188
e5abe2af
LB
189 $users = $manager->get_users_enrolments($userids);
190
191 $removed = array_diff($userids, array_keys($users));
192 if (!empty($removed)) {
193 // This manager does not filter by enrolment method - so we can get the removed users details.
194 $removedmanager = new course_enrolment_manager($PAGE, $course);
195 $removedusers = $removedmanager->get_users_enrolments($removed);
196
197 foreach ($removedusers as $removeduser) {
198 $msg = get_string('userremovedfromselectiona', 'enrol', fullname($removeduser));
199 \core\notification::warning($msg);
689ccae5
DW
200 }
201 }
689ccae5 202
e5abe2af
LB
203 // We may have users from any kind of enrolment, we need to filter for the enrolment plugin matching the bulk action.
204 $matchesplugin = function($user) use ($plugin) {
205 foreach ($user->enrolments as $enrolment) {
206 if ($enrolment->enrolmentplugin->get_name() == $plugin->get_name()) {
207 return true;
208 }
209 }
210 return false;
211 };
212 $filteredusers = array_filter($users, $matchesplugin);
689ccae5 213
e5abe2af
LB
214 if (empty($filteredusers)) {
215 redirect($returnurl, get_string('noselectedusers', 'bulkusers'));
216 }
80a2937d 217
e5abe2af
LB
218 $users = $filteredusers;
219
220 // Get the form for the bulk operation.
221 $mform = $operation->get_form($PAGE->url, array('users' => $users));
222 // If the mform is false then attempt an immediate process. This may be an immediate action that
223 // doesn't require user input OR confirmation.... who know what but maybe one day.
224 if ($mform === false) {
225 if ($operation->process($manager, $users, new stdClass)) {
226 redirect($returnurl);
227 } else {
228 print_error('errorwithbulkoperation', 'enrol');
229 }
689ccae5 230 }
e5abe2af
LB
231 // Check if the bulk operation has been cancelled.
232 if ($mform->is_cancelled()) {
689ccae5
DW
233 redirect($returnurl);
234 }
e5abe2af
LB
235 if ($mform->is_submitted() && $mform->is_validated() && confirm_sesskey()) {
236 if ($operation->process($manager, $users, $mform->get_data())) {
237 redirect($returnurl);
238 }
239 }
689ccae5 240
e5abe2af 241 $pagetitle = get_string('bulkuseroperation', 'enrol');
689ccae5 242
e5abe2af
LB
243 $PAGE->set_title($pagetitle);
244 $PAGE->set_heading($pagetitle);
245 echo $OUTPUT->header();
246 echo $OUTPUT->heading($operation->get_title());
247 $mform->display();
248 echo $OUTPUT->footer();
249 exit();
250 }
689ccae5 251} else {
b5b81de3 252 throw new coding_exception('invalidaction');
689ccae5 253}