
MDL-20930 fixed input validation

1 parent eaba242 commit cf6e1ae752baa4816f2d528b1f33a50c1928cb93 @skodak skodak committed Nov 22, 2009
Showing with 24 additions and 23 deletions.
  1. +23 −22 mod/glossary/approve.php
  2. +1 −1 mod/glossary/lib.php
@@ -3,38 +3,39 @@
require_once("../../config.php");
require_once("lib.php");
- $id = required_param('id', PARAM_INT); // Course Module ID
- $eid = optional_param('eid', 0, PARAM_INT); // Entry ID
+ $eid = required_param('eid', PARAM_INT); // Entry ID
- $mode = optional_param('mode','approval', PARAM_ALPHA);
- $hook = optional_param('hook','ALL', PARAM_CLEAN);
+ $mode = optional_param('mode', 'approval', PARAM_ALPHA);
+ $hook = optional_param('hook', 'ALL', PARAM_CLEAN);
- if (! $cm = get_coursemodule_from_id('glossary', $id)) {
- error("Course Module ID was incorrect");
+ if (!$entry = get_record('glossary_entries', 'id', $eid)) {
+ error('Entry is incorrect');
}
-
- if (! $course = get_record("course", "id", $cm->course)) {
- error("Course is misconfigured");
+ if (!$glossary = get_record('glossary', 'id', $entry->glossaryid)) {
+ error('Incorrect glossary');
}
-
- if (! $glossary = get_record("glossary", "id", $cm->instance)) {
- error("Course module is incorrect");
+ if (!$cm = get_coursemodule_from_instance('glossary', $glossary->id)) {
+ error('Course Module ID was incorrect');
+ }
+ if (!$course = get_record('course', 'id', $cm->course)) {
+ error('Course is misconfigured');
}
- require_login($course->id, false, $cm);
+ require_login($course, false, $cm);
$context = get_context_instance(CONTEXT_MODULE, $cm->id);
require_capability('mod/glossary:approve', $context);
- $newentry->id = $eid;
- $newentry->approved = 1;
- $newentry->timemodified = time(); // wee need this date here to speed up recent activity, TODO: use timestamp in approved field instead in 2.0
-
- if (! update_record("glossary_entries", $newentry)) {
- error("Could not update your glossary");
- } else {
- add_to_log($course->id, "glossary", "approve entry", "showentry.php?id=$cm->id&eid=$eid", "$eid",$cm->id);
+ if (!$entry->approved and confirm_sesskey()) {
+ $newentry = new object();
+ $newentry->id = $entry->id;
+ $newentry->approved = 1;
+ $newentry->timemodified = time(); // wee need this date here to speed up recent activity, TODO: use timestamp in approved field instead in 2.0
+ if (update_record("glossary_entries", $newentry)) {
+ add_to_log($course->id, "glossary", "approve entry", "showentry.php?id=$cm->id&eid=$eid", "$eid", $cm->id);
+ }
}
- redirect("view.php?id=$cm->id&mode=$mode&hook=$hook",get_string("entryapproved","glossary"),1);
+
+ redirect("view.php?id=$cm->id&mode=$mode&hook=$hook");
die;
?>
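Review bot: A request whose sesskey does not match is indistinguishable from success on the new `if (!$entry->approved and confirm_sesskey())` line: the update is silently skipped and the user is still redirected to the glossary, so a forged or stale request never surfaces as an error or in the log. Every other guard in this file calls error() on failure, and the CSRF check should do the same, e.g. `if (!confirm_sesskey()) { error('Invalid session key'); }` placed before the approval block, leaving `if (!$entry->approved) {` to guard only the write itself. Separately, `$hook` is cleaned with PARAM_CLEAN, which strips markup but does not make it query-safe, and it is still interpolated raw into the redirect URL; `urlencode($hook)` keeps a value containing `&` or `#` from altering the redirect target. The new redirect also drops the `entryapproved` confirmation message the removed line displayed, which may be intentional but is worth a comment.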
@@ -933,7 +933,7 @@ function glossary_print_entry_approval($cm, $entry, $mode,$align="right",$insid
if ($insidetable) {
echo '<table class="glossaryapproval" align="'.$align.'"><tr><td align="'.$align.'">';
}
- echo '<a title="'.get_string('approve','glossary').'" href="approve.php?id='.$cm->id.'&amp;eid='.$entry->id.'&amp;mode='.$mode.'"><img align="'.$align.'" src="'.$CFG->pixpath.'/i/approve.gif" style="border:0px; width:34px; height:34px" alt="'.get_string('approve','glossary').'" /></a>';
+ echo '<a title="'.get_string('approve','glossary').'" href="approve.php?eid='.$entry->id.'&amp;mode='.$mode.'&amp;sesskey='.sesskey().'"><img align="'.$align.'" src="'.$CFG->pixpath.'/i/approve.gif" style="border:0px; width:34px; height:34px" alt="'.get_string('approve','glossary').'" /></a>';
if ($insidetable) {
echo '</td></tr></table>';
}
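Review bot: The rebuilt href still concatenates `$mode` into the attribute without escaping, and since `$mode` is an untyped parameter of glossary_print_entry_approval its safety depends on every caller having cleaned it (approve.php uses PARAM_ALPHA, but other callers are not visible here). Escaping at the point of output, `'&amp;mode='.s($mode).'&amp;sesskey='.sesskey().'"'`, makes the link self-contained; `$align` is interpolated the same way on the surrounding lines. Putting the sesskey in a GET parameter also records it in server logs and sends it in the Referer header of the following page load — consistent with how the rest of the code base builds such links, but a small POST form would avoid that exposure. The enclosing function starts and ends outside the hunk.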
