MDL-27387 rating: prevent the submission of ratings outside of the ra…
…nge allowed by the current scale
andyjdavis committed May 12, 2011
1 parent 39d106e commit f5a1b06
Showing 3 changed files with 90 additions and 9 deletions.
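--- a/mod/data/lib.php
+++ b/mod/data/lib.php
@@ -1378,11 +1378,14 @@ function data_rating_permissions($options) {
 function data_rating_validate($params) {
 global $DB, $USER;
 
-if (!array_key_exists('itemid', $params) || !array_key_exists('context', $params) || !array_key_exists('rateduserid', $params)) {
+if (!array_key_exists('itemid', $params)
+|| !array_key_exists('context', $params)
+|| !array_key_exists('rateduserid', $params)
+|| !array_key_exists('scaleid', $params)) {
 throw new rating_exception('missingparameter');
 }
 
-$datasql = "SELECT d.id as did, d.course, r.userid as userid, d.approval, r.approved, r.timecreated, d.assesstimestart, d.assesstimefinish, r.groupid
+$datasql = "SELECT d.id as did, d.scale, d.course, r.userid as userid, d.approval, r.approved, r.timecreated, d.assesstimestart, d.assesstimefinish, r.groupid
 FROM {data_records} r
 JOIN {data} d ON r.dataid = d.id
 WHERE r.id = :itemid";
@@ -1392,16 +1395,40 @@ function data_rating_validate($params) {
 throw new rating_exception('invaliditemid');
 }
 
+if ($info->scale != $params['scaleid']) {
+//the scale being submitted doesnt match the one in the database
+throw new rating_exception('invalidscaleid');
+}
+
 if ($info->userid == $USER->id) {
 //user is attempting to rate their own glossary entry
 throw new rating_exception('nopermissiontorate');
 }
 
-if ($params['rateduserid'] != $info->userid) {
+if ($info->userid != $params['rateduserid']) {
 //supplied user ID doesnt match the user ID from the database
 throw new rating_exception('invaliduserid');
 }
 
+//check that the submitted rating is valid for the scale
+if ($params['rating'] < 0) {
+throw new rating_exception('invalidnum');
+} else if ($info->scale < 0) {
+//its a custom scale
+$scalerecord = $DB->get_record('scale', array('id' => -$options->scaleid));
+if ($scalerecord) {
+$scalearray = explode(',', $scalerecord->scale);
+if ($params['rating'] > count($scalearray)) {
+throw new rating_exception('invalidnum');
+}
+} else {
+throw new rating_exception('invalidscaleid');
+}
+} else if ($params['rating'] > $info->scale) {
+//if its numeric and submitted rating is above maximum
+throw new rating_exception('invalidnum');
+}
+
 if ($info->approval && !$info->approved) {
 //database requires approval but this item isnt approved
 throw new rating_exception('nopermissiontorate');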
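Review bot: The custom-scale branch at `$scalerecord = $DB->get_record('scale', array('id' => -$options->scaleid));` reads `$options`, which is not a variable in data_rating_validate (its only parameter is `$params`), so the lookup id is derived from an undefined value and, as far as I can tell, every rating submitted against a custom scale falls through to `throw new rating_exception('invalidscaleid')`. Since `$info->scale` has already been checked to equal `$params['scaleid']` a few lines earlier, the line should read `$scalerecord = $DB->get_record('scale', array('id' => -$params['scaleid']));`; the identical line appears in forum_rating_validate and glossary_rating_validate in this commit. Separately, `$params['rating']` is compared without being required: the missingparameter check covers itemid, context, rateduserid and scaleid only, so a missing rating (null) compares as 0 and passes both range checks; add `|| !array_key_exists('rating', $params)` to that condition and reject non-numeric values with `is_numeric($params['rating'])` before the comparisons. data_rating_validate continues past the end of the second hunk.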
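--- a/mod/forum/lib.php
+++ b/mod/forum/lib.php
@@ -3470,11 +3470,14 @@ function forum_rating_permissions($contextid) {
 function forum_rating_validate($params) {
 global $DB, $USER;
 
-if (!array_key_exists('itemid', $params) || !array_key_exists('context', $params) || !array_key_exists('rateduserid', $params)) {
+if (!array_key_exists('itemid', $params)
+|| !array_key_exists('context', $params)
+|| !array_key_exists('rateduserid', $params)
+|| !array_key_exists('scaleid', $params)) {
 throw new rating_exception('missingparameter');
 }
 
-$forumsql = "SELECT f.id as fid, f.course, d.id as did, p.userid as userid, p.created, f.assesstimestart, f.assesstimefinish, d.groupid
+$forumsql = "SELECT f.id as fid, f.course, f.scale, d.id as did, p.userid as userid, p.created, f.assesstimestart, f.assesstimefinish, d.groupid
 FROM {forum_posts} p
 JOIN {forum_discussions} d ON p.discussion = d.id
 JOIN {forum} f ON d.forum = f.id
@@ -3485,16 +3488,40 @@ function forum_rating_validate($params) {
 throw new rating_exception('invaliditemid');
 }
 
+if ($info->scale != $params['scaleid']) {
+//the scale being submitted doesnt match the one in the database
+throw new rating_exception('invalidscaleid');
+}
+
 if ($info->userid == $USER->id) {
 //user is attempting to rate their own post
 throw new rating_exception('nopermissiontorate');
 }
 
-if ($params['rateduserid'] != $info->userid) {
+if ($info->userid != $params['rateduserid']) {
 //supplied user ID doesnt match the user ID from the database
 throw new rating_exception('invaliduserid');
 }
 
+//check that the submitted rating is valid for the scale
+if ($params['rating'] < 0) {
+throw new rating_exception('invalidnum');
+} else if ($info->scale < 0) {
+//its a custom scale
+$scalerecord = $DB->get_record('scale', array('id' => -$options->scaleid));
+if ($scalerecord) {
+$scalearray = explode(',', $scalerecord->scale);
+if ($params['rating'] > count($scalearray)) {
+throw new rating_exception('invalidnum');
+}
+} else {
+throw new rating_exception('invalidscaleid');
+}
+} else if ($params['rating'] > $info->scale) {
+//if its numeric and submitted rating is above maximum
+throw new rating_exception('invalidnum');
+}
+
 //check the item we're rating was created in the assessable time window
 if (!empty($info->assesstimestart) && !empty($info->assesstimefinish)) {
 if ($info->timecreated < $info->assesstimestart || $info->timecreated > $info->assesstimefinish) {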
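--- a/mod/glossary/lib.php
+++ b/mod/glossary/lib.php
@@ -484,11 +484,14 @@ function glossary_rating_permissions($options) {
 function glossary_rating_validate($params) {
 global $DB, $USER;
 
-if (!array_key_exists('itemid', $params) || !array_key_exists('context', $params) || !array_key_exists('rateduserid', $params)) {
+if (!array_key_exists('itemid', $params)
+|| !array_key_exists('context', $params)
+|| !array_key_exists('rateduserid', $params)
+|| !array_key_exists('scaleid', $params)) {
 throw new rating_exception('missingparameter');
 }
 
-$glossarysql = "SELECT g.id as gid, e.userid as userid, e.approved, e.timecreated, g.assesstimestart, g.assesstimefinish
+$glossarysql = "SELECT g.id as gid, g.scale, e.userid as userid, e.approved, e.timecreated, g.assesstimestart, g.assesstimefinish
 FROM {glossary_entries} e
 JOIN {glossary} g ON e.glossaryid = g.id
 WHERE e.id = :itemid";
@@ -498,16 +501,40 @@ function glossary_rating_validate($params) {
 throw new rating_exception('invaliditemid');
 }
 
+if ($info->scale != $params['scaleid']) {
+//the scale being submitted doesnt match the one in the database
+throw new rating_exception('invalidscaleid');
+}
+
 if ($info->userid == $USER->id) {
 //user is attempting to rate their own glossary entry
 throw new rating_exception('nopermissiontorate');
 }
 
-if ($params['rateduserid'] != $info->userid) {
+if ($info->userid != $params['rateduserid']) {
 //supplied user ID doesnt match the user ID from the database
 throw new rating_exception('invaliduserid');
 }
 
+//check that the submitted rating is valid for the scale
+if ($params['rating'] < 0) {
+throw new rating_exception('invalidnum');
+} else if ($info->scale < 0) {
+//its a custom scale
+$scalerecord = $DB->get_record('scale', array('id' => -$options->scaleid));
+if ($scalerecord) {
+$scalearray = explode(',', $scalerecord->scale);
+if ($params['rating'] > count($scalearray)) {
+throw new rating_exception('invalidnum');
+}
+} else {
+throw new rating_exception('invalidscaleid');
+}
+} else if ($params['rating'] > $info->scale) {
+//if its numeric and submitted rating is above maximum
+throw new rating_exception('invalidnum');
+}
+
 if (!$info->approved) {
 //item isnt approved
 throw new rating_exception('nopermissiontorate');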
