ILB
/
moodle-mod_attendance
9
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Browse Source

add sesskey check for taking attendance and do some cleaning on raw form vars

MOODLE_23_STABLE
Dan Marsden 12 years ago
parent
bf2496652c
commit
72bb6e1e6a
3 changed files with 9 additions and 7 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 11
      locallib.php
  2. 2
      renderer.php
  3. 3
      take.php

11
locallib.php
View File

@ -826,7 +826,7 @@ class attendance {
public function take_from_form_data($formdata) { public function take_from_form_data($formdata) {
global $DB, $USER; global $DB, $USER;
// TODO: WARNING - $formdata is unclean - comes from direct $_POST - ideally needs a rewrite but we do some cleaning below.
$statuses = implode(',', array_keys( (array)$this->get_statuses() )); $statuses = implode(',', array_keys( (array)$this->get_statuses() ));
$now = time(); $now = time();
$sesslog = array(); $sesslog = array();
@ -834,11 +834,14 @@ class attendance {
foreach ($formdata as $key => $value) { foreach ($formdata as $key => $value) {
if (substr($key, 0, 4) == 'user') { if (substr($key, 0, 4) == 'user') {
$sid = substr($key, 4); $sid = substr($key, 4);
if (!(is_numeric($sid) && is_numeric($value))) { // Sanity check on $sid and $value.
print_error('nonnumericid', 'attendance');
}
$sesslog[$sid] = new stdClass(); $sesslog[$sid] = new stdClass();
$sesslog[$sid]->studentid = $sid; $sesslog[$sid]->studentid = $sid; // We check is_numeric on this above.
$sesslog[$sid]->statusid = $value; $sesslog[$sid]->statusid = $value; // We check is_numeric on this above.
$sesslog[$sid]->statusset = $statuses; $sesslog[$sid]->statusset = $statuses;
$sesslog[$sid]->remarks = array_key_exists('remarks'.$sid, $formdata) ? $formdata['remarks'.$sid] : ''; $sesslog[$sid]->remarks = array_key_exists('remarks'.$sid, $formdata) ? clean_param($formdata['remarks'.$sid], PARAM_TEXT) : '';
$sesslog[$sid]->sessionid = $this->pageparams->sessionid; $sesslog[$sid]->sessionid = $this->pageparams->sessionid;
$sesslog[$sid]->timetaken = $now; $sesslog[$sid]->timetaken = $now;
$sesslog[$sid]->takenby = $USER->id; $sesslog[$sid]->takenby = $USER->id;

2
renderer.php
View File

@ -279,7 +279,7 @@ class mod_attendance_renderer extends plugin_renderer_base {
} else { } else {
$table = $this->render_attendance_take_grid($takedata); $table = $this->render_attendance_take_grid($takedata);
} }
$table .= html_writer::input_hidden_params($takedata->url()); $table .= html_writer::input_hidden_params($takedata->url(array('sesskey' => sesskey())));
$params = array( $params = array(
'type' => 'submit', 'type' => 'submit',
'value' => get_string('save', 'attendance')); 'value' => get_string('save', 'attendance'));

3
take.php
View File

@ -50,8 +50,7 @@ if (!$att->perm->can_take_session($pageparams->grouptype)) {
$group = groups_get_group($pageparams->grouptype); $group = groups_get_group($pageparams->grouptype);
throw new moodle_exception('cannottakeforgroup', 'attendance', '', $group->name); throw new moodle_exception('cannottakeforgroup', 'attendance', '', $group->name);
} }
if (($formdata = data_submitted()) && confirm_sesskey()) {
if ($formdata = data_submitted()) {
$att->take_from_form_data($formdata); $att->take_from_form_data($formdata);
} }

Write Preview
Loading…
Cancel
Save