quiz overview report MDL-23377 can't delete attempts when there are n…

…o students. Actually, reviewing this, I noticed some other security checks were missing, for example we should ensure the users can only delete attempts belonging to this quiz!
moodle · Aug 3, 2010 · 981a778 · 981a778
1 parent bed436f
commit 981a778
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/mod/quiz/report/overview/report.php b/mod/quiz/report/overview/report.php
@@ -126,12 +126,21 @@ function display($quiz, $cm, $course) {
             $allowedlist = $groupstudentslist;
         }
 
-        if ($students && ($attemptids = optional_param('attemptid', array(), PARAM_INT)) && confirm_sesskey()) {
+        if (($attemptids = optional_param('attemptid', array(), PARAM_INT)) && confirm_sesskey()) {
             //attempts need to be deleted
             require_capability('mod/quiz:deleteattempts', $context);
             foreach ($attemptids as $attemptid) {
                 $attempt = get_record('quiz_attempts', 'id', $attemptid);
+                if (!$attempt || $attempt->quiz != $quiz->id || $attempt->preview != 0) {
+                    // Ensure the attempt exists, and belongs to this quiz. If not skip.
+                    continue;
+                }
+                if ($attemptsmode != QUIZ_REPORT_ATTEMPTS_ALL && !array_key_exists($attempt->userid, $students)) {
+                    // Ensure the attempt belongs to a student included in the report. If not skip.
+                    continue;
+                }
                 if ($groupstudents && !array_key_exists($attempt->userid, $groupstudents)) {
+                    // Additional check in groups mode.
                     continue;
                 }
                 add_to_log($course->id, 'quiz', 'delete attempt', 'report.php?id=' . $cm->id,