MDL-20930 fixed input validation

commit cf6e1ae752baa4816f2d528b1f33a50c1928cb93 1 parent eaba242
Petr Škoda authored November 22, 2009
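--- a/mod/glossary/approve.php
+++ b/mod/glossary/approve.php
@@ -3,38 +3,39 @@
     require_once("../../config.php");
     require_once("lib.php");
 
-    $id  = required_param('id', PARAM_INT);     // Course Module ID
-    $eid = optional_param('eid', 0,  PARAM_INT);    // Entry ID
+    $eid = required_param('eid', PARAM_INT);    // Entry ID
 
-    $mode = optional_param('mode','approval', PARAM_ALPHA);
-    $hook = optional_param('hook','ALL', PARAM_CLEAN);
+    $mode = optional_param('mode', 'approval', PARAM_ALPHA);
+    $hook = optional_param('hook', 'ALL', PARAM_CLEAN);
 
-    if (! $cm = get_coursemodule_from_id('glossary', $id)) {
-        error("Course Module ID was incorrect");
+    if (!$entry = get_record('glossary_entries', 'id', $eid)) {
+        error('Entry is incorrect');
     }
-
-    if (! $course = get_record("course", "id", $cm->course)) {
-        error("Course is misconfigured");
+    if (!$glossary = get_record('glossary', 'id', $entry->glossaryid)) {
+        error('Incorrect glossary');
     }
-
-    if (! $glossary = get_record("glossary", "id", $cm->instance)) {
-        error("Course module is incorrect");
+    if (!$cm = get_coursemodule_from_instance('glossary', $glossary->id)) {
+        error('Course Module ID was incorrect');
+    }
+    if (!$course = get_record('course', 'id', $cm->course)) {
+        error('Course is misconfigured');
     }
 
-    require_login($course->id, false, $cm);
+    require_login($course, false, $cm);
 
     $context = get_context_instance(CONTEXT_MODULE, $cm->id);
     require_capability('mod/glossary:approve', $context);
 
-    $newentry->id = $eid;
-    $newentry->approved     = 1;
-    $newentry->timemodified = time(); // wee need this date here to speed up recent activity, TODO: use timestamp in approved field instead in 2.0
-
-    if (! update_record("glossary_entries", $newentry)) {
-        error("Could not update your glossary");
-    } else {
-        add_to_log($course->id, "glossary", "approve entry", "showentry.php?id=$cm->id&eid=$eid", "$eid",$cm->id);
+    if (!$entry->approved and confirm_sesskey()) {
+        $newentry = new object();
+        $newentry->id           = $entry->id;
+        $newentry->approved     = 1;
+        $newentry->timemodified = time(); // wee need this date here to speed up recent activity, TODO: use timestamp in approved field instead in 2.0
+        if (update_record("glossary_entries", $newentry)) {
+            add_to_log($course->id, "glossary", "approve entry", "showentry.php?id=$cm->id&eid=$eid", "$eid", $cm->id);
+        }
     }
-    redirect("view.php?id=$cm->id&mode=$mode&hook=$hook",get_string("entryapproved","glossary"),1);
+
+    redirect("view.php?id=$cm->id&mode=$mode&hook=$hook");
     die;
 ?>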
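Review bot: A request whose session key does not match is silently ignored on new line 29 — `if (!$entry->approved and confirm_sesskey())` skips the update and then falls through to the same `redirect()` on new line 39 that a successful approval takes, so a forged or stale link produces no error, no log entry and nothing the user can tell apart from success. A failed CSRF check is better surfaced as a hard stop before the update, e.g. `if (!confirm_sesskey()) { error('Invalid session key'); }` right after `require_capability()`, leaving the `!$entry->approved` guard on its own. How `confirm_sesskey()` behaves when the `sesskey` parameter is missing entirely depends on the Moodle version and is not visible here, so check that the explicit branch does not double-report. Separately, `$hook` is `PARAM_CLEAN` rather than URL-safe and is interpolated raw into the redirect on new line 39; building it as `'&hook='.urlencode($hook)` keeps an `&` or `#` in the hook value from changing which URL the browser is sent to. The same applies to the now-silent `update_record()` failure on new line 34, which previously raised `error("Could not update your glossary")` and now also ends in the generic redirect.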
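--- a/mod/glossary/lib.php
+++ b/mod/glossary/lib.php
@@ -933,7 +933,7 @@ function  glossary_print_entry_approval($cm, $entry, $mode,$align="right",$insid
         if ($insidetable) {
             echo '<table class="glossaryapproval" align="'.$align.'"><tr><td align="'.$align.'">';
         }
-        echo '<a title="'.get_string('approve','glossary').'" href="approve.php?id='.$cm->id.'&amp;eid='.$entry->id.'&amp;mode='.$mode.'"><img align="'.$align.'" src="'.$CFG->pixpath.'/i/approve.gif" style="border:0px; width:34px; height:34px" alt="'.get_string('approve','glossary').'" /></a>';
+        echo '<a title="'.get_string('approve','glossary').'" href="approve.php?eid='.$entry->id.'&amp;mode='.$mode.'&amp;sesskey='.sesskey().'"><img align="'.$align.'" src="'.$CFG->pixpath.'/i/approve.gif" style="border:0px; width:34px; height:34px" alt="'.get_string('approve','glossary').'" /></a>';
         if ($insidetable) {
             echo '</td></tr></table>';
         }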
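Review bot: The approval on new line 936 is still a plain GET link, now with the session key in the query string, so the sesskey lands in browser history, proxy and web-server access logs, and the Referer header of any request made from approve.php's response. The token does make the link unforgeable, but a state-changing action carrying a secret in the URL is weaker than a POST form with the key as a hidden field, which approve.php can accept unchanged as long as its `required_param`/`optional_param` calls read POST as well as GET (they do in the Moodle releases I know of, but confirm for this tree). `$mode` is also concatenated into the href attribute unescaped; if it can ever carry request input, pass it through `s()`. `glossary_print_entry_approval` starts and ends outside the hunk, so the `$CFG` global and the `$insidetable` wrapper are assumed to stay as they are.
```php
        // … unchanged: opening table cell when $insidetable …
        echo '<form method="post" action="approve.php" class="glossaryapproval">';
        echo '<input type="hidden" name="eid" value="'.$entry->id.'" />';
        echo '<input type="hidden" name="mode" value="'.s($mode).'" />';
        echo '<input type="hidden" name="sesskey" value="'.sesskey().'" />';
        echo '<input type="image" src="'.$CFG->pixpath.'/i/approve.gif" style="border:0px; width:34px; height:34px" alt="'.get_string('approve','glossary').'" title="'.get_string('approve','glossary').'" />';
        echo '</form>';
        // … unchanged: closing table cell when $insidetable …
```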
