3 * Used by ajax calls to toggle the flagged state of a question in an attempt.
4 * @license http://www.gnu.org/copyleft/gpl.html GNU Public License
5 * @package questionbank
8 require_once('../config.php');
9 require_once($CFG->libdir
.'/questionlib.php');
12 $sessionid = required_param('qsid', PARAM_INT
);
13 $attemptid = required_param('aid', PARAM_INT
);
14 $questionid = required_param('qid', PARAM_INT
);
15 $newstate = required_param('newstate', PARAM_BOOL
);
16 $checksum = required_param('checksum', PARAM_ALPHANUM
);
18 // Check user is logged in.
22 if (!confirm_sesskey()) {
23 echo 'sesskey failure';
26 // Check the checksum - it is very hard to know who a question session belongs
27 // to, so we require that checksum parameter is matches an md5 hash of the
28 // three ids and the users username. Since we are only updating a flag, that
29 // probably makes it sufficiently difficult for malicious users to toggle
31 if ($checksum != md5($attemptid . "_" . $USER->secret
. "_" . $questionid . "_" . $sessionid)) {
32 echo 'checksum failure';
35 // Check that the requested session really exists
36 $questionsession = $DB->get_record('question_sessions', array('id' => $sessionid,
37 'attemptid' => $attemptid, 'questionid' => $questionid));
38 if (!$questionsession) {
43 if (!question_update_flag($sessionid, $newstate)) {