Merging patch from HEAD: addressing SC#20 and updating parameter handling code.
commit bce32e137325cd6b3df78e5d5b93794c767aa294 1 parent 0d3a8fa
defacer authored
Showing with 23 additions and 11 deletions.
  1. +12 −0 calendar/lib.php
  2. +11 −11 calendar/view.php
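--- a/calendar/lib.php
+++ b/calendar/lib.php
@@ -390,6 +390,7 @@ function calendar_sql_where($tstart, $tend, $users, $groups, $courses, $withdura
 if(is_bool($users) && is_bool($groups) && is_bool($courses)) {
 return false;
 }
+
 if(is_array($users) && !empty($users)) {
 // Events from a number of users
 if(!empty($whereclause)) $whereclause .= ' OR';
@@ -409,6 +410,7 @@ function calendar_sql_where($tstart, $tend, $users, $groups, $courses, $withdura
 // No user at all
 // No need to do anything
 }
+
 if(is_array($groups) && !empty($groups)) {
 // Events from a number of groups
 if(!empty($whereclause)) $whereclause .= ' OR';
@@ -424,6 +426,8 @@ function calendar_sql_where($tstart, $tend, $users, $groups, $courses, $withdura
 if(!empty($whereclause)) $whereclause .= ' OR ';
 $whereclause .= ' groupid != 0';
 }
+ // boolean false (no groups at all): we don't need to do anything
+
 if(is_array($courses)) {
 // A number of courses (maybe none at all!)
 if(!empty($courses)) {
@@ -448,6 +452,14 @@ function calendar_sql_where($tstart, $tend, $users, $groups, $courses, $withdura
 $whereclause .= ' groupid = 0 AND courseid != 0';
 }
+ // Security check: if, by now, we have NOTHING in $whereclause, then it means
+ // that NO event-selecting clauses were defined. Thus, we won't be returning ANY
+ // events no matter what. Allowing the code to proceed might return a completely
+ // valid query with only time constraints, thus selecting ALL events in that time frame!
+ if(empty($whereclause)) {
+ return false;
+ }
+
 if ($ignorehidden) {
 if (!empty($whereclause)) $whereclause .= ' AND';
 $whereclause .= ' visible = 1';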
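Review bot: Once the new `if(empty($whereclause)) { return false; }` guard is in place, the `if (!empty($whereclause))` test on the `$ignorehidden` line directly below it can never be false, so that condition is dead and the two lines can collapse to `$whereclause .= ' AND visible = 1';`. The function now returns boolean `false` from two places (the `is_bool` check at the top of the first hunk and this guard) while otherwise returning a SQL fragment; the function's doc comment, which lies outside the hunk, should state that a `false` result means "no selectable events" and that callers must test for it with `=== false` before concatenating the result into a query. `calendar_sql_where()` starts before the first hunk and continues after the last one.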
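--- a/calendar/view.php
+++ b/calendar/view.php
@@ -44,11 +44,7 @@
 require_once($CFG->dirroot.'/course/lib.php');
 require_once($CFG->dirroot.'/calendar/lib.php');
- optional_variable($_GET['view'], 'upcoming');
 optional_variable($_GET['course'], 0);
- optional_variable($_GET['cal_d']);
- optional_variable($_GET['cal_m']);
- optional_variable($_GET['cal_y']);
 if(!$site = get_site()) {
 redirect($CFG->wwwroot.'/'.$CFG->admin.'/index.php');
@@ -60,10 +56,14 @@
 $nav = calendar_get_link_tag(get_string('calendar', 'calendar'), CALENDAR_URL.'view.php?view=upcoming&', $now['mday'], $now['mon'], $now['year']);
- // Make sure that the GET variables are correct
- $day = intval($_GET['cal_d']);
- $mon = intval($_GET['cal_m']);
- $yr = intval($_GET['cal_y']);
+ optional_param('view', 'upcoming');
+ optional_param('cal_d', 0, PARAM_INT);
+ optional_param('cal_m', 0, PARAM_INT);
+ optional_param('cal_y', 0, PARAM_INT);
+ $day = $cal_d;
+ $mon = $cal_m;
+ $yr = $cal_y;
+
 if(!checkdate($mon, $day, $yr)) {
 $day = intval($now['mday']);
 $mon = intval($now['mon']);
@@ -71,7 +71,7 @@
 }
 $time = mktime(0, 0, 0, $mon, $day, $yr);
- switch($_GET['view']) {
+ switch($view) {
 case 'day':
 $text = strftime(get_string('strftimedate'), $time);
 if($text[0] == '0') {
@@ -139,7 +139,7 @@
 echo '<td style="vertical-align: top; width: 100%;">';
- switch($_GET['view']) {
+ switch($view) {
 case 'day':
 calendar_show_day($day, $mon, $yr, $courses, $groups, $users);
 break;
@@ -161,7 +161,7 @@
 list($prevmon, $prevyr) = calendar_sub_month($mon, $yr);
 list($nextmon, $nextyr) = calendar_add_month($mon, $yr);
 $getvars = 'cal_d='.$day.'&amp;cal_m='.$mon.'&amp;cal_y='.$yr; // For filtering
- echo calendar_filter_controls($_GET['view'], $getvars);
+ echo calendar_filter_controls($view, $getvars);
 echo '<p>';
 echo calendar_top_controls('display', array('m' => $prevmon, 'y' => $prevyr));
 echo calendar_get_mini($courses, $groups, $users, $prevmon, $prevyr);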
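Review bot: In the second hunk the return values of the four `optional_param()` calls are discarded, and `$day = $cal_d;`, `$mon = $cal_m;`, `$yr = $cal_y;` then read variables that nothing in the hunk assigns; unless `optional_param()` also sets a same-named global as a side effect, those three are null here, `checkdate()` fails and every request silently falls back to today's date, and `$view` used by the later `switch($view)` hunks would likewise be unset. The conventional form assigns the cleaned value directly, `$day = optional_param('cal_d', 0, PARAM_INT);`, and the same applies to `cal_m`, `cal_y` and `view`. The `view` call also passes no PARAM_ type while the three date parameters use `PARAM_INT`; since `$view` is passed to `calendar_filter_controls()` whose result is echoed, it should be cleaned with an explicit constant such as `PARAM_ALPHA` rather than left to the default. The `optional_variable($_GET['course'], 0);` kept in the first hunk still uses the old mechanism and could be migrated in the same way.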