quiz reports: MDL-21688 Add missing sesskey checks.
authorTim Hunt <T.J.Hunt@open.ac.uk>
Wed, 7 Apr 2010 11:26:02 +0000 (11:26 +0000)
committerTim Hunt <T.J.Hunt@open.ac.uk>
Wed, 7 Apr 2010 11:26:02 +0000 (11:26 +0000)
mod/quiz/report/overview/overview_table.php
mod/quiz/report/overview/report.php
mod/quiz/report/responses/report.php
mod/quiz/report/responses/responses_table.php
mod/quiz/report/statistics/report.php

index eabbf44..06f5d05 100644 (file)
@@ -79,6 +79,7 @@ class quiz_report_overview_table extends table_sql {
                 echo '<form id="attemptsform" method="post" action="' . $this->reporturl->out_omit_querystring() .'">';
                 echo '<div style="display: none;">';
                 echo html_writer::input_hidden_params($url);
+                echo html_writer::empty_tag('input', array('type' => 'hidden', 'name' => 'sesskey', 'value' => sesskey())) . "\n";
                 echo '</div>';
                 echo '<div>';
             }
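Review bot: The hidden sesskey input added at L17 is hand-built as a literal tag, and the identical line is repeated at L91 and L166, so three forms now carry three copies of the same markup. Emitting the token through the same path as the other hidden fields keeps one code path: `$url->param('sesskey', sesskey());` before the `html_writer::input_hidden_params($url)` call at L16 would render it with the rest, assuming `$url` is not reused elsewhere for links that should stay token-free. The enclosing method starts and ends outside the hunk.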
index cb46332..f91c360 100644 (file)
@@ -54,26 +54,6 @@ class quiz_overview_report extends quiz_default_report {
             $allowed = $groupstudents;
         }
 
-        if (empty($currentgroup)||$groupstudents) {
-            if (optional_param('delete', 0, PARAM_BOOL)){
-                if($attemptids = optional_param('attemptid', array(), PARAM_INT)) {
-                    //attempts need to be deleted
-                    $this->delete_selected_attempts($quiz, $cm, $attemptids, $groupstudents);
-                    //No need for a redirect, any attemptids that do not exist are ignored.
-                    //So no problem if the user refreshes and tries to delete the same attempts
-                    //twice.
-                }
-            } else if (optional_param('regrade', 0, PARAM_BOOL)){
-                if($attemptids = optional_param('attemptid', array(), PARAM_INT)) {
-                    $this->regrade_selected_attempts($quiz, $attemptids, $groupstudents);
-                    //No need for a redirect, any attemptids that do not exist are ignored.
-                    //So no problem if the user refreshes and tries to delete the same attempts
-                    //twice.
-                }
-            }
-        }
-
-
         $pageoptions = array();
         $pageoptions['id'] = $cm->id;
         $pageoptions['q'] = $quiz->id;
@@ -146,6 +126,22 @@ class quiz_overview_report extends quiz_default_report {
         $displayoptions['qmfilter'] = $qmfilter;
         $displayoptions['regradefilter'] = $regradefilter;
 
+        if (empty($currentgroup) || $groupstudents) {
+            if (optional_param('delete', 0, PARAM_BOOL) && confirm_sesskey()) {
+                if ($attemptids = optional_param('attemptid', array(), PARAM_INT)) {
+                    require_capability('mod/quiz:deleteattempts', $this->context);
+                    $this->delete_selected_attempts($quiz, $cm, $attemptids, $groupstudents);
+                    redirect($reporturl->out(false, $displayoptions));
+                }
+            } else if (optional_param('regrade', 0, PARAM_BOOL) && confirm_sesskey()) {
+                if ($attemptids = optional_param('attemptid', array(), PARAM_INT)) {
+                    $this->regrade_selected_attempts($quiz, $attemptids, $groupstudents);
+                    redirect($reporturl->out(false, $displayoptions));
+                }
+            }
+        }
+
+
         //work out the sql for this table.
         if ($detailedmarks) {
             $questions = quiz_report_load_questions($quiz);
@@ -162,11 +158,11 @@ class quiz_overview_report extends quiz_default_report {
             $this->print_header_and_tabs($cm, $course, $quiz, "overview");
         }
 
-        if ($regradeall){
+        if ($regradeall && confirm_sesskey()) {
             $this->regrade_all(false, $quiz, $groupstudents);
-        } else if ($regradealldry){
+        } else if ($regradealldry && confirm_sesskey()) {
             $this->regrade_all(true, $quiz, $groupstudents);
-        } else if ($regradealldrydo){
+        } else if ($regradealldrydo && confirm_sesskey()) {
             $this->regrade_all_needed($quiz, $groupstudents);
         }
         if ($regradeall || $regradealldry || $regradealldrydo){
@@ -297,6 +293,7 @@ class quiz_overview_report extends quiz_default_report {
                     echo '<form action="'.$displayurl->out_omit_querystring().'">';
                     echo '<div>';
                     echo html_writer::input_hidden_params($displayurl);
+                    echo html_writer::empty_tag('input', array('type' => 'hidden', 'name' => 'sesskey', 'value' => sesskey())) . "\n";
                     echo '<input type="submit" name="regradeall" value="'.$regradealllabel.'"/>';
                     echo '<input type="submit" name="regradealldry" value="'.$regradealldrylabel.'"/>';
                     if ($countregradeneeded){
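Review bot: The form opened at L88 declares no `method`, so it submits via GET and the sesskey added at L91 travels in the query string, where it is exposed through browser history, Referer headers and access logs; the regradeall/regradealldry submits at L92-L93 are state-changing and belong in a POST body anyway. Changing the opening tag to `echo '<form method="post" action="'.$displayurl->out_omit_querystring().'">';` addresses both, provided the handling code behind the confirm_sesskey() checks at L77-L83 reads these parameters through optional_param, which accepts either method. The enclosing method starts and ends outside the hunk.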
@@ -623,16 +620,14 @@ class quiz_overview_report extends quiz_default_report {
     }
     function delete_selected_attempts($quiz, $cm, $attemptids, $groupstudents){
         global $DB, $COURSE;
-        require_capability('mod/quiz:deleteattempts', $this->context);
-        $attemptids = optional_param('attemptid', array(), PARAM_INT);
-        if ($groupstudents){
-            list($usql, $params) = $DB->get_in_or_equal($groupstudents);
-            $where = "qa.userid $usql AND ";
-        }
         foreach($attemptids as $attemptid) {
+            $attempt = $DB->get_record('quiz_attempts', array('id' => $attemptid));
+            if ($groupstudents && !in_array($attempt->userid, $groupstudents)) {
+                continue;
+            }
             add_to_log($COURSE->id, 'quiz', 'delete attempt', 'report.php?id=' . $cm->id,
                     $attemptid, $cm->id);
-            quiz_delete_attempt($attemptid, $quiz);
+            quiz_delete_attempt($attempt, $quiz);
         }
     }
     function regrade_selected_attempts($quiz, $attemptids, $groupstudents){
index 2356062..7ca786d 100644 (file)
@@ -32,20 +32,6 @@ class quiz_responses_report extends quiz_default_report {
 
         $download = optional_param('download', '', PARAM_ALPHA);
 
-        if($attemptids = optional_param('attemptid', array(), PARAM_INT)) {
-            //attempts need to be deleted
-            require_capability('mod/quiz:deleteattempts', $context);
-            $attemptids = optional_param('attemptid', array(), PARAM_INT);
-            foreach($attemptids as $attemptid) {
-                add_to_log($course->id, 'quiz', 'delete attempt', 'report.php?id=' . $cm->id,
-                        $attemptid, $cm->id);
-                quiz_delete_attempt($attemptid, $quiz);
-            }
-            //No need for a redirect, any attemptids that do not exist are ignored.
-            //So no problem if the user refreshes and tries to delete the same attempts
-            //twice.
-        }
-
 
         $pageoptions = array();
         $pageoptions['id'] = $cm->id;
@@ -124,6 +110,21 @@ class quiz_responses_report extends quiz_default_report {
             $allowed = $groupstudents;
         }
 
+        if ($students && ($attemptids = optional_param('attemptid', array(), PARAM_INT)) && confirm_sesskey()) {
+            //attempts need to be deleted
+            require_capability('mod/quiz:deleteattempts', $context);
+            foreach ($attemptids as $attemptid) {
+                $attempt = $DB->get_record('quiz_attempts', array('id' => $attemptid));
+                if ($groupstudents && !in_array($attempt->userid, $groupstudents)) {
+                    continue;
+                }
+                add_to_log($course->id, 'quiz', 'delete attempt', 'report.php?id=' . $cm->id,
+                        $attemptid, $cm->id);
+                quiz_delete_attempt($attempt, $quiz);
+            }
+            redirect($reporturl->out(false, $displayoptions));
+        }
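Review bot: `$DB->get_record()` at L147 returns false when an attempt id does not exist, yet L148 dereferences `$attempt->userid` and L153 passes that false on to quiz_delete_attempt(); the removed comment relied on unknown ids being ignored, but nothing in the new loop skips them. A guard such as `if (!$attempt) { continue; }` right after the lookup (or folding `!$attempt ||` into the L148 condition) restores that behaviour, and the same lookup at L106 in overview/report.php needs the same guard. Separately, `$DB` is new to this method and the hunk shows no `global` line for it; the method starts outside the hunk, so confirm its global declaration includes `$DB`. If confirm_sesskey() returns false rather than erroring on a bad token, the whole block is silently skipped and the user sees the report with nothing deleted and no explanation; require_sesskey() would make the rejection explicit.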
+
         $questions = quiz_report_load_questions($quiz);
 
         $table = new quiz_report_responses_table($quiz , $qmsubselect, $groupstudents,
index fd60e14..93755ba 100644 (file)
@@ -38,6 +38,7 @@ class quiz_report_responses_table extends table_sql {
                         '" onsubmit="confirm(\''.$strreallydel.'\');">';
                 echo '<div style="display: none;">';
                 echo html_writer::input_hidden_params($displayurl);
+                echo html_writer::empty_tag('input', array('type' => 'hidden', 'name' => 'sesskey', 'value' => sesskey())) . "\n";
                 echo '</div>';
                 echo '<div>';
             }
index 7778ed3..b5987d4 100644 (file)
@@ -72,7 +72,7 @@ class quiz_statistics_report extends quiz_default_report {
             $groupstudents = array();
         }
 
-        if ($recalculate){
+        if ($recalculate && confirm_sesskey()) {
             if ($todelete = $DB->get_records_menu('quiz_statistics', array('quizid' => $quiz->id, 'groupid'=> (int)$currentgroup, 'allattempts'=>$useallattempts))){
                 list($todeletesql, $todeleteparams) = $DB->get_in_or_equal(array_keys($todelete));
                 if (!$DB->delete_records_select('quiz_statistics', "id $todeletesql", $todeleteparams)){
@@ -409,7 +409,7 @@ class quiz_statistics_report extends quiz_default_report {
                 }
                 $quizinformationtablehtml .= $OUTPUT->box_start('boxaligncenter generalbox boxwidthnormal mdl-align');
                 $quizinformationtablehtml .= get_string('lastcalculated', 'quiz_statistics', $a);
-                $aurl = new moodle_url($reporturl->out_omit_querystring(), $reporturl->params()+array('recalculate'=>1));
+                $aurl = new moodle_url($reporturl->out_omit_querystring(), $reporturl->params() + array('recalculate' => 1, 'sesskey' => sesskey()));
                 $quizinformationtablehtml .= $OUTPUT->single_button($aurl, get_string('recalculatenow', 'quiz_statistics'));
                 $quizinformationtablehtml .= $OUTPUT->box_end();
             }
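Review bot: `$reporturl->params() + array('recalculate' => 1, 'sesskey' => sesskey())` at L185 lets the left-hand array win on duplicate keys, so if `$reporturl` already carries a `recalculate` or `sesskey` entry (for instance after the recalculate round trip that L176 handles) the freshly generated token is silently dropped and the button would then fail the confirm_sesskey() check. `array_merge($reporturl->params(), array('recalculate' => 1, 'sesskey' => sesskey()))` gives the new values precedence. Whether `$reporturl` ever contains those keys is not visible in the hunk; the enclosing method starts and ends outside it.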