
quiz overview report MDL-23377 can't delete attempts when there are n…

…o students.

Actually, reviewing this, I noticed some other security checks were missing, for
example we should ensure the users can only delete attempts belonging to this quiz!
commit 981a7785be48e8f753070cc72978a235d5f9f529 1 parent bed436f
@timhunt timhunt authored
Showing with 10 additions and 1 deletion.
  1. +10 −1 mod/quiz/report/overview/report.php
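--- a/mod/quiz/report/overview/report.php
+++ b/mod/quiz/report/overview/report.php
@@ -126,12 +126,21 @@ function display($quiz, $cm, $course) {
 $allowedlist = $groupstudentslist;
 }
- if ($students && ($attemptids = optional_param('attemptid', array(), PARAM_INT)) && confirm_sesskey()) {
+ if (($attemptids = optional_param('attemptid', array(), PARAM_INT)) && confirm_sesskey()) {
 //attempts need to be deleted
 require_capability('mod/quiz:deleteattempts', $context);
 foreach ($attemptids as $attemptid) {
 $attempt = get_record('quiz_attempts', 'id', $attemptid);
+ if (!$attempt || $attempt->quiz != $quiz->id || $attempt->preview != 0) {
+ // Ensure the attempt exists, and belongs to this quiz. If not skip.
+ continue;
+ }
+ if ($attemptsmode != QUIZ_REPORT_ATTEMPTS_ALL && !array_key_exists($attempt->userid, $students)) {
+ // Ensure the attempt belongs to a student included in the report. If not skip.
+ continue;
+ }
 if ($groupstudents && !array_key_exists($attempt->userid, $groupstudents)) {
+ // Additional check in groups mode.
 continue;
 }
 add_to_log($course->id, 'quiz', 'delete attempt', 'report.php?id=' . $cm->id,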
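Review bot: The new `array_key_exists($attempt->userid, $students)` check now runs in exactly the case this commit enables, when `$students` is empty, and if the student lookup yields false rather than an empty array (its definition is outside the hunk) the call receives a non-array and only skips the attempt by way of a PHP warning. Stating the fail-closed intent explicitly avoids that: `if ($attemptsmode != QUIZ_REPORT_ATTEMPTS_ALL && (!$students || !array_key_exists($attempt->userid, $students))) {`. The context check `if ($groupstudents && ...)` behaves the opposite way: an empty `$groupstudents` switches the group restriction off, so in `QUIZ_REPORT_ATTEMPTS_ALL` mode only the quiz-id check remains, and it is worth confirming that a selected but empty group cannot reach this loop. The comment on the first `continue` also omits that preview attempts (`$attempt->preview != 0`) are skipped; I would word it `// Ensure the attempt exists, belongs to this quiz and is not a preview. If not skip.` display() begins and ends outside the hunk.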