Skip to content

Commit a502e8d

Browse files
TamaroWalterTamaroWalter
committed
add validation for grade category
1 parent 7e5a8fb commit a502e8d

File tree

1 file changed

+44
-9
lines changed

1 file changed

+44
-9
lines changed

lib.php

Lines changed: 44 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -86,6 +86,25 @@
8686

8787
/* Moodle core API */
8888

89+
/**
90+
* Ensure the given grade category id belongs to the course. Return valid id or null.
91+
*
92+
* @param int|null $courseid
93+
* @param int|null $gradecatid
94+
* @return int|null
95+
*/
96+
function moodleoverflow_validate_grade_category(?int $courseid, ?int $gradecatid): ?int {
97+
global $DB;
98+
if (empty($courseid) || empty($gradecatid)) {
99+
return null;
100+
}
101+
$category = $DB->get_record('grade_categories', ['id' => $gradecatid]);
102+
if ($category && $category->courseid == $courseid) {
103+
return $category->id;
104+
}
105+
return null;
106+
}
107+
89108
/**
90109
* Returns the information on whether the module supports a feature.
91110
*
@@ -137,9 +156,17 @@ function moodleoverflow_add_instance(stdClass $moodleoverflow, ?mod_moodleoverfl
137156
// Set the current time.
138157
$moodleoverflow->timecreated = time();
139158

140-
// You may have to add extra stuff in here.
159+
// Sanitize grade category before storing to avoid cross-course references.
160+
if (property_exists($moodleoverflow, 'gradecat')) {
161+
$moodleoverflow->gradecat = moodleoverflow_validate_grade_category($moodleoverflow->course, $moodleoverflow->gradecat);
162+
}
163+
164+
// Insert the record.
141165
$moodleoverflow->id = $DB->insert_record('moodleoverflow', $moodleoverflow);
142166

167+
// Create the grade item with the sanitized category.
168+
moodleoverflow_grade_item_update($moodleoverflow);
169+
143170
return $moodleoverflow->id;
144171
}
145172

@@ -150,7 +177,7 @@ function moodleoverflow_add_instance(stdClass $moodleoverflow, ?mod_moodleoverfl
150177
* @param object $context The context of the moodleoverflow
151178
* @param stdClass $moodleoverflow The moodleoverflow object
152179
*/
153-
function moodleoverflow_instance_created($context, $moodleoverflow) {
180+
function moodleoverflow_instance_created(context_module $context, $moodleoverflow) {
154181

155182
// Check if users are forced to be subscribed to the moodleoverflow instance.
156183
if ($moodleoverflow->forcesubscribe == MOODLEOVERFLOW_INITIALSUBSCRIBE) {
@@ -204,6 +231,11 @@ function moodleoverflow_update_instance(stdClass $moodleoverflow, ?mod_moodleove
204231
}
205232
}
206233

234+
// Sanitize grade category before saving to avoid cross-course references.
235+
if (property_exists($moodleoverflow, 'gradecat')) {
236+
$moodleoverflow->gradecat = moodleoverflow_validate_grade_category((int)$moodleoverflow->course, $moodleoverflow->gradecat);
237+
}
238+
207239
// Update the moodleoverflow instance in the database.
208240
$result = $DB->update_record('moodleoverflow', $moodleoverflow);
209241

@@ -455,6 +487,7 @@ function moodleoverflow_pluginfile($course, $cm, $context, $filearea, $args, $fo
455487

456488
// Finally send the file.
457489
send_stored_file($file, 86400, 0, true, $options); // Download MUST be forced - security!
490+
return true;
458491
}
459492

460493
/* Navigation API */
@@ -696,7 +729,7 @@ function moodleoverflow_update_grades($moodleoverflow, $userid, $nullifnone = nu
696729
* @return int grade_update function success code
697730
*/
698731
function moodleoverflow_grade_item_update($moodleoverflow, $grades = null) {
699-
global $CFG, $DB;
732+
global $CFG;
700733

701734
if (!function_exists('grade_update')) { // Workaround for buggy PHP versions.
702735
require_once($CFG->libdir . '/gradelib.php');
@@ -712,6 +745,14 @@ function moodleoverflow_grade_item_update($moodleoverflow, $grades = null) {
712745
$params['grademin'] = 0;
713746
}
714747

748+
// Only include a category that belongs to this course.
749+
if (property_exists($moodleoverflow, 'gradecat')) {
750+
$validcat = moodleoverflow_validate_grade_category((int)$moodleoverflow->course, $moodleoverflow->gradecat);
751+
if ($validcat !== null) {
752+
$params['categoryid'] = $validcat;
753+
}
754+
}
755+
715756
if ($grades === 'reset') {
716757
$params['reset'] = true;
717758
$grades = null;
@@ -728,12 +769,6 @@ function moodleoverflow_grade_item_update($moodleoverflow, $grades = null) {
728769
$params
729770
);
730771

731-
// Modify grade item category id.
732-
if (!is_null($moodleoverflow->gradecat) && $moodleoverflow->gradecat > 0) {
733-
$params = ['itemname' => $moodleoverflow->name, 'idnumber' => $moodleoverflow->id];
734-
$DB->set_field('grade_items', 'categoryid', $moodleoverflow->gradecat, $params);
735-
}
736-
737772
return $gradeupdate;
738773
}
739774

0 commit comments

Comments
 (0)