From 1ebbd18b8251afaea7fea049a845470ce60c0c94 Mon Sep 17 00:00:00 2001 From: Sagar Ghimire Date: Mon, 24 Aug 2020 11:40:49 +1000 Subject: [PATCH] MDL-68284 gradebook: Prevent exposing hidden quiz grade item --- grade/edit/tree/item.php | 47 ++++++++++++++++++----------------- grade/edit/tree/item_form.php | 5 ++-- lib/db/upgrade.php | 22 ++++++++++++++++ version.php | 2 +- 4 files changed, 49 insertions(+), 27 deletions(-) diff --git a/grade/edit/tree/item.php b/grade/edit/tree/item.php index 2ece98fd571..64ddf7f7d8c 100644 --- a/grade/edit/tree/item.php +++ b/grade/edit/tree/item.php @@ -133,8 +133,11 @@ if ($mform->is_cancelled()) { $data->grademin = 0; } - $hidden = empty($data->hidden) ? 0: $data->hidden; - $hiddenuntil = empty($data->hiddenuntil) ? 0: $data->hiddenuntil; + $hide = empty($data->hiddenuntil) ? 0 : $data->hiddenuntil; + if (!$hide) { + $hide = empty($data->hidden) ? 0 : $data->hidden; + } + unset($data->hidden); unset($data->hiddenuntil); @@ -155,45 +158,43 @@ if ($mform->is_cancelled()) { $data->aggregationcoef2 = $defaults['aggregationcoef2']; } - $grade_item = new grade_item(array('id'=>$id, 'courseid'=>$courseid)); - $oldmin = $grade_item->grademin; - $oldmax = $grade_item->grademax; - grade_item::set_properties($grade_item, $data); - $grade_item->outcomeid = null; + $gradeitem = new grade_item(array('id' => $id, 'courseid' => $courseid)); + $oldmin = $gradeitem->grademin; + $oldmax = $gradeitem->grademax; + grade_item::set_properties($gradeitem, $data); + $gradeitem->outcomeid = null; // Handle null decimals value if (!property_exists($data, 'decimals') or $data->decimals < 0) { - $grade_item->decimals = null; + $gradeitem->decimals = null; } - if (empty($grade_item->id)) { - $grade_item->itemtype = 'manual'; // all new items to be manual only - $grade_item->insert(); + if (empty($gradeitem->id)) { + $gradeitem->itemtype = 'manual'; // All new items to be manual only. + $gradeitem->insert(); // set parent if needed if (isset($data->parentcategory)) { - $grade_item->set_parent($data->parentcategory, false); + $gradeitem->set_parent($data->parentcategory, false); } } else { - $grade_item->update(); + $gradeitem->update(); if (!empty($data->rescalegrades) && $data->rescalegrades == 'yes') { - $newmin = $grade_item->grademin; - $newmax = $grade_item->grademax; - $grade_item->rescale_grades_keep_percentage($oldmin, $oldmax, $newmin, $newmax, 'gradebook'); + $newmin = $gradeitem->grademin; + $newmax = $gradeitem->grademax; + $gradeitem->rescale_grades_keep_percentage($oldmin, $oldmax, $newmin, $newmax, 'gradebook'); } } - // update hiding flag - if ($hiddenuntil) { - $grade_item->set_hidden($hiddenuntil, false); - } else { - $grade_item->set_hidden($hidden, false); + if ($item->cancontrolvisibility) { + // Update hiding flag. + $gradeitem->set_hidden($hide, false); } - $grade_item->set_locktime($locktime); // locktime first - it might be removed when unlocking - $grade_item->set_locked($locked, false, true); + $gradeitem->set_locktime($locktime); // Locktime first - it might be removed when unlocking. + $gradeitem->set_locked($locked, false, true); redirect($returnurl); } diff --git a/grade/edit/tree/item_form.php b/grade/edit/tree/item_form.php index f762cc7e9c8..fe5f58aadd0 100644 --- a/grade/edit/tree/item_form.php +++ b/grade/edit/tree/item_form.php @@ -181,10 +181,9 @@ class edit_item_form extends moodleform { /// hiding if ($item->cancontrolvisibility) { - // advcheckbox is not compatible with disabledIf! - $mform->addElement('checkbox', 'hidden', get_string('hidden', 'grades')); + $mform->addElement('advcheckbox', 'hidden', get_string('hidden', 'grades'), '', [], [0, 1]); $mform->addElement('date_time_selector', 'hiddenuntil', get_string('hiddenuntil', 'grades'), array('optional'=>true)); - $mform->disabledIf('hidden', 'hiddenuntil[off]', 'notchecked'); + $mform->disabledIf('hidden', 'hiddenuntil[enabled]', 'checked'); } else { $mform->addElement('static', 'hidden', get_string('hidden', 'grades'), get_string('componentcontrolsvisibility', 'grades')); diff --git a/lib/db/upgrade.php b/lib/db/upgrade.php index 54eecc81e81..4c437ed5ffe 100644 --- a/lib/db/upgrade.php +++ b/lib/db/upgrade.php @@ -2762,5 +2762,27 @@ function xmldb_main_upgrade($oldversion) { upgrade_main_savepoint(true, 2020100700.00); } + if ($oldversion < 2020101300.01) { + // Script to fix incorrect records of "hidden" field in existing grade items. + $sql = "SELECT cm.instance, cm.course + FROM {course_modules} cm + JOIN {modules} m ON m.id = cm.module + WHERE m.name = :module AND cm.visible = :visible"; + $hidequizlist = $DB->get_recordset_sql($sql, ['module' => 'quiz', 'visible' => 0]); + + foreach ($hidequizlist as $hidequiz) { + $params = [ + 'itemmodule' => 'quiz', + 'courseid' => $hidequiz->course, + 'iteminstance' => $hidequiz->instance, + ]; + + $DB->set_field('grade_items', 'hidden', 1, $params); + } + $hidequizlist->close(); + + upgrade_main_savepoint(true, 2020101300.01); + } + return true; } diff --git a/version.php b/version.php index a7d851b991e..4b0925e10fe 100644 --- a/version.php +++ b/version.php @@ -29,7 +29,7 @@ defined('MOODLE_INTERNAL') || die(); -$version = 2020101300.00; // YYYYMMDD = weekly release date of this DEV branch. +$version = 2020101300.01; // YYYYMMDD = weekly release date of this DEV branch. // RR = release increments - 00 in DEV branches. // .XX = incremental changes. $release = '3.10dev+ (Build: 20201013)';// Human-friendly version name -- 2.43.0