
remove some evil data_submitted calls and check sesskey on actions

MOODLE_23_STABLE
Dan Marsden 12 years ago
parent
commit
07abd15d70
  1. 27
      sessions.php

27
sessions.php

@ -83,7 +83,7 @@ switch ($att->pageparams->action) {
$sessionid = required_param('sessionid', PARAM_INT); $sessionid = required_param('sessionid', PARAM_INT);
$confirm = optional_param('confirm', null, PARAM_INT); $confirm = optional_param('confirm', null, PARAM_INT);
if (isset($confirm)) { if (isset($confirm) && confirm_sesskey()) {
$att->delete_sessions(array($sessionid)); $att->delete_sessions(array($sessionid));
att_update_all_users_grades($att->id, $att->course, $att->context); att_update_all_users_grades($att->id, $att->course, $att->context);
redirect($att->url_manage(), get_string('sessiondeleted', 'attendance')); redirect($att->url_manage(), get_string('sessiondeleted', 'attendance'));
@ -97,7 +97,7 @@ switch ($att->pageparams->action) {
$message .= html_writer::empty_tag('br'); $message .= html_writer::empty_tag('br');
$message .= $sessinfo->description; $message .= $sessinfo->description;
$params = array('action' => $att->pageparams->action, 'sessionid' => $sessionid, 'confirm' => 1); $params = array('action' => $att->pageparams->action, 'sessionid' => $sessionid, 'confirm' => 1, 'sesskey' => sesskey());
echo $OUTPUT->header(); echo $OUTPUT->header();
echo $OUTPUT->heading(get_string('attendanceforthecourse', 'attendance').' :: ' .$course->fullname); echo $OUTPUT->heading(get_string('attendanceforthecourse', 'attendance').' :: ' .$course->fullname);
@ -107,7 +107,7 @@ switch ($att->pageparams->action) {
case att_sessions_page_params::ACTION_DELETE_SELECTED: case att_sessions_page_params::ACTION_DELETE_SELECTED:
$confirm = optional_param('confirm', null, PARAM_INT); $confirm = optional_param('confirm', null, PARAM_INT);
if (isset($confirm)) { if (isset($confirm) && confirm_sesskey()) {
$sessionsids = required_param('sessionsids', PARAM_ALPHANUMEXT); $sessionsids = required_param('sessionsids', PARAM_ALPHANUMEXT);
$sessionsids = explode('_', $sessionsids); $sessionsids = explode('_', $sessionsids);
@ -115,14 +115,9 @@ switch ($att->pageparams->action) {
att_update_all_users_grades($att->id, $att->course, $att->context); att_update_all_users_grades($att->id, $att->course, $att->context);
redirect($att->url_manage(), get_string('sessiondeleted', 'attendance')); redirect($att->url_manage(), get_string('sessiondeleted', 'attendance'));
} }
$sessid = required_param('sessid', PARAM_SEQUENCE);
$fromform = data_submitted(); $sessionsinfo = $att->get_sessions_info($sessid);
// Nothing selected.
if (!isset($fromform->sessid)) {
print_error ('nosessionsselected', 'attendance', $att->url_manage());
}
$sessionsinfo = $att->get_sessions_info($fromform->sessid);
$message = get_string('deletecheckfull', '', get_string('session', 'attendance')); $message = get_string('deletecheckfull', '', get_string('session', 'attendance'));
$message .= html_writer::empty_tag('br'); $message .= html_writer::empty_tag('br');
@ -133,8 +128,8 @@ switch ($att->pageparams->action) {
$message .= $sessinfo->description; $message .= $sessinfo->description;
} }
$sessionsids = implode('_', $fromform->sessid); $sessionsids = implode('_', $sessid);
$params = array('action' => $att->pageparams->action, 'sessionsids' => $sessionsids, 'confirm' => 1); $params = array('action' => $att->pageparams->action, 'sessionsids' => $sessionsids, 'confirm' => 1, 'sesskey' => sesskey());
echo $OUTPUT->header(); echo $OUTPUT->header();
echo $OUTPUT->heading(get_string('attendanceforthecourse', 'attendance').' :: ' .$course->fullname); echo $OUTPUT->heading(get_string('attendanceforthecourse', 'attendance').' :: ' .$course->fullname);
@ -142,8 +137,10 @@ switch ($att->pageparams->action) {
echo $OUTPUT->footer(); echo $OUTPUT->footer();
exit; exit;
case att_sessions_page_params::ACTION_CHANGE_DURATION: case att_sessions_page_params::ACTION_CHANGE_DURATION:
$fromform = data_submitted(); $sessid = optional_param('sessid', '', PARAM_SEQUENCE);
$slist = isset($fromform->sessid) ? implode('_', $fromform->sessid) : ''; $ids = optional_param('ids', '', PARAM_ALPHANUMEXT);
$slist = isset($sessid) ? implode('_', $sessid) : '';
$url = $att->url_sessions(array('action' => att_sessions_page_params::ACTION_CHANGE_DURATION)); $url = $att->url_sessions(array('action' => att_sessions_page_params::ACTION_CHANGE_DURATION));
$formparams['ids'] = $slist; $formparams['ids'] = $slist;
@ -154,7 +151,7 @@ switch ($att->pageparams->action) {
} }
if ($formdata = $mform->get_data()) { if ($formdata = $mform->get_data()) {
$sessionsids = explode('_', $fromform->ids); $sessionsids = explode('_', $ids);
$duration = $formdata->durtime['hours']*HOURSECS + $formdata->durtime['minutes']*MINSECS; $duration = $formdata->durtime['hours']*HOURSECS + $formdata->durtime['minutes']*MINSECS;
$att->update_sessions_duration($sessionsids, $duration); $att->update_sessions_duration($sessionsids, $duration);
redirect($att->url_manage(), get_string('sessionupdated', 'attendance')); redirect($att->url_manage(), get_string('sessionupdated', 'attendance'));
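Review bot: In the ACTION_CHANGE_DURATION hunk, `$slist = isset($sessid) ? implode('_', $sessid) : '';` no longer guards anything, because `$sessid` has just been assigned by `optional_param(..., '', PARAM_SEQUENCE)` and is therefore always set, and that accessor yields a cleaned comma-separated string, so `implode('_', $sessid)` now receives a string where the old `$fromform->sessid` was the array of selected ids. If the selection is still posted as `sessid[]` checkbox values, the array accessor is the matching replacement: `$sessid = optional_param_array('sessid', array(), PARAM_INT);` followed by `$slist = $sessid ? implode('_', $sessid) : '';`. The same string-vs-array mismatch appears in the ACTION_DELETE_SELECTED hunk, where `required_param('sessid', PARAM_SEQUENCE)` feeds both `get_sessions_info($sessid)` and `implode('_', $sessid)`. Separately, the new `isset($confirm) && confirm_sesskey()` conditions in the first and third hunks silently fall through to redisplaying the confirmation page when the sesskey is wrong; calling `require_sesskey();` as the first statement inside the `if (isset($confirm))` branch would reject a forged confirmation explicitly instead. The enclosing `switch ($att->pageparams->action)` begins and ends outside the shown hunks.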
