MDL-27387 rating: prevent the submission of ratings outside of the ra…

…nge allowed by the current scale
commit 6ac149dce36fd5853cdfaabac8ef6ca12a574e3d 1 parent 439ae87
@andyjdavis andyjdavis authored
Showing with 90 additions and 9 deletions.
  1. +30 −3 mod/data/lib.php
  2. +30 −3 mod/forum/lib.php
  3. +30 −3 mod/glossary/lib.php
33 mod/data/lib.php
@@ -1378,11 +1378,14 @@ function data_rating_permissions($options) {
function data_rating_validate($params) {
global $DB, $USER;
- if (!array_key_exists('itemid', $params) || !array_key_exists('context', $params) || !array_key_exists('rateduserid', $params)) {
+ if (!array_key_exists('itemid', $params)
+ || !array_key_exists('context', $params)
+ || !array_key_exists('rateduserid', $params)
+ || !array_key_exists('scaleid', $params)) {
throw new rating_exception('missingparameter');
}
- $datasql = "SELECT d.id as did, d.course, r.userid as userid, d.approval, r.approved, r.timecreated, d.assesstimestart, d.assesstimefinish, r.groupid
+ $datasql = "SELECT d.id as did, d.scale, d.course, r.userid as userid, d.approval, r.approved, r.timecreated, d.assesstimestart, d.assesstimefinish, r.groupid
FROM {data_records} r
JOIN {data} d ON r.dataid = d.id
WHERE r.id = :itemid";
@@ -1392,16 +1395,40 @@ function data_rating_validate($params) {
throw new rating_exception('invaliditemid');
}
+ if ($info->scale != $params['scaleid']) {
+ //the scale being submitted doesnt match the one in the database
+ throw new rating_exception('invalidscaleid');
+ }
+
if ($info->userid == $USER->id) {
//user is attempting to rate their own glossary entry
throw new rating_exception('nopermissiontorate');
}
- if ($params['rateduserid'] != $info->userid) {
+ if ($info->userid != $params['rateduserid']) {
//supplied user ID doesnt match the user ID from the database
throw new rating_exception('invaliduserid');
}
+ //check that the submitted rating is valid for the scale
+ if ($params['rating'] < 0) {
+ throw new rating_exception('invalidnum');
+ } else if ($info->scale < 0) {
+ //its a custom scale
+ $scalerecord = $DB->get_record('scale', array('id' => -$options->scaleid));
+ if ($scalerecord) {
+ $scalearray = explode(',', $scalerecord->scale);
+ if ($params['rating'] > count($scalearray)) {
+ throw new rating_exception('invalidnum');
+ }
+ } else {
+ throw new rating_exception('invalidscaleid');
+ }
+ } else if ($params['rating'] > $info->scale) {
+ //if its numeric and submitted rating is above maximum
+ throw new rating_exception('invalidnum');
+ }
+
if ($info->approval && !$info->approved) {
//database requires approval but this item isnt approved
throw new rating_exception('nopermissiontorate');
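Review bot: `$options->scaleid` on the custom-scale branch (`$DB->get_record('scale', array('id' => -$options->scaleid))`) names a variable that does not exist in data_rating_validate($params), so the expression evaluates to 0 under an undefined-variable notice, the lookup finds no row and every rating against a custom scale is rejected with `invalidscaleid`. The scale id was already checked against the submission a few lines earlier, so the lookup should use the database value: `$scalerecord = $DB->get_record('scale', array('id' => -$info->scale));`. The same copy of the line appears in forum_rating_validate and glossary_rating_validate in this commit. data_rating_validate continues past the hunk.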
33 mod/forum/lib.php
@@ -3470,11 +3470,14 @@ function forum_rating_permissions($contextid) {
function forum_rating_validate($params) {
global $DB, $USER;
- if (!array_key_exists('itemid', $params) || !array_key_exists('context', $params) || !array_key_exists('rateduserid', $params)) {
+ if (!array_key_exists('itemid', $params)
+ || !array_key_exists('context', $params)
+ || !array_key_exists('rateduserid', $params)
+ || !array_key_exists('scaleid', $params)) {
throw new rating_exception('missingparameter');
}
- $forumsql = "SELECT f.id as fid, f.course, d.id as did, p.userid as userid, p.created, f.assesstimestart, f.assesstimefinish, d.groupid
+ $forumsql = "SELECT f.id as fid, f.course, f.scale, d.id as did, p.userid as userid, p.created, f.assesstimestart, f.assesstimefinish, d.groupid
FROM {forum_posts} p
JOIN {forum_discussions} d ON p.discussion = d.id
JOIN {forum} f ON d.forum = f.id
@@ -3485,16 +3488,40 @@ function forum_rating_validate($params) {
throw new rating_exception('invaliditemid');
}
+ if ($info->scale != $params['scaleid']) {
+ //the scale being submitted doesnt match the one in the database
+ throw new rating_exception('invalidscaleid');
+ }
+
if ($info->userid == $USER->id) {
//user is attempting to rate their own post
throw new rating_exception('nopermissiontorate');
}
- if ($params['rateduserid'] != $info->userid) {
+ if ($info->userid != $params['rateduserid']) {
//supplied user ID doesnt match the user ID from the database
throw new rating_exception('invaliduserid');
}
+ //check that the submitted rating is valid for the scale
+ if ($params['rating'] < 0) {
+ throw new rating_exception('invalidnum');
+ } else if ($info->scale < 0) {
+ //its a custom scale
+ $scalerecord = $DB->get_record('scale', array('id' => -$options->scaleid));
+ if ($scalerecord) {
+ $scalearray = explode(',', $scalerecord->scale);
+ if ($params['rating'] > count($scalearray)) {
+ throw new rating_exception('invalidnum');
+ }
+ } else {
+ throw new rating_exception('invalidscaleid');
+ }
+ } else if ($params['rating'] > $info->scale) {
+ //if its numeric and submitted rating is above maximum
+ throw new rating_exception('invalidnum');
+ }
+
//check the item we're rating was created in the assessable time window
if (!empty($info->assesstimestart) && !empty($info->assesstimefinish)) {
if ($info->timecreated < $info->assesstimestart || $info->timecreated > $info->assesstimefinish) {
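Review bot: `$params['rating']` is read by the new range check (`if ($params['rating'] < 0)` and the two comparisons below it) but `rating` is not among the keys the guard at the top of forum_rating_validate requires, so unless the caller guarantees it a request that omits the key reads null, `null < 0` and `null > $info->scale` are both false, and the check is bypassed rather than rejected. Extend the guard with `|| !array_key_exists('rating', $params)` so a missing rating raises `missingparameter` like the other required keys. data_rating_validate and glossary_rating_validate have the same gap in this commit. forum_rating_validate continues past the hunk.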
33 mod/glossary/lib.php
@@ -484,11 +484,14 @@ function glossary_rating_permissions($options) {
function glossary_rating_validate($params) {
global $DB, $USER;
- if (!array_key_exists('itemid', $params) || !array_key_exists('context', $params) || !array_key_exists('rateduserid', $params)) {
+ if (!array_key_exists('itemid', $params)
+ || !array_key_exists('context', $params)
+ || !array_key_exists('rateduserid', $params)
+ || !array_key_exists('scaleid', $params)) {
throw new rating_exception('missingparameter');
}
- $glossarysql = "SELECT g.id as gid, e.userid as userid, e.approved, e.timecreated, g.assesstimestart, g.assesstimefinish
+ $glossarysql = "SELECT g.id as gid, g.scale, e.userid as userid, e.approved, e.timecreated, g.assesstimestart, g.assesstimefinish
FROM {glossary_entries} e
JOIN {glossary} g ON e.glossaryid = g.id
WHERE e.id = :itemid";
@@ -498,16 +501,40 @@ function glossary_rating_validate($params) {
throw new rating_exception('invaliditemid');
}
+ if ($info->scale != $params['scaleid']) {
+ //the scale being submitted doesnt match the one in the database
+ throw new rating_exception('invalidscaleid');
+ }
+
if ($info->userid == $USER->id) {
//user is attempting to rate their own glossary entry
throw new rating_exception('nopermissiontorate');
}
- if ($params['rateduserid'] != $info->userid) {
+ if ($info->userid != $params['rateduserid']) {
//supplied user ID doesnt match the user ID from the database
throw new rating_exception('invaliduserid');
}
+ //check that the submitted rating is valid for the scale
+ if ($params['rating'] < 0) {
+ throw new rating_exception('invalidnum');
+ } else if ($info->scale < 0) {
+ //its a custom scale
+ $scalerecord = $DB->get_record('scale', array('id' => -$options->scaleid));
+ if ($scalerecord) {
+ $scalearray = explode(',', $scalerecord->scale);
+ if ($params['rating'] > count($scalearray)) {
+ throw new rating_exception('invalidnum');
+ }
+ } else {
+ throw new rating_exception('invalidscaleid');
+ }
+ } else if ($params['rating'] > $info->scale) {
+ //if its numeric and submitted rating is above maximum
+ throw new rating_exception('invalidnum');
+ }
+
if (!$info->approved) {
//item isnt approved
throw new rating_exception('nopermissiontorate');
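Review bot: The scale validation added to glossary_rating_validate (the `scaleid` mismatch test plus the custom-scale and numeric range checks) is a line-for-line copy of the blocks this commit adds to data_rating_validate and forum_rating_validate, leaving three copies that have to be kept in sync by hand. It would be better placed in one helper in the rating API that takes the submitted rating, the submitted scale id and the activity's scale (say `rating_validate_scale($params['rating'], $params['scaleid'], $info->scale)`, name illustrative) and throws the same `rating_exception` codes, with each module calling it after its `invaliditemid` check. glossary_rating_validate continues past the hunk.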