question/toggleflag.php

   1 <?php
   2 /**
   3  * Used by ajax calls to toggle the flagged state of a question in an attempt.
   4  * @license http://www.gnu.org/copyleft/gpl.html GNU Public License
   5  * @package questionbank
   6  */
   7
   8 require_once('../config.php');
   9 require_once($CFG->libdir.'/questionlib.php');
  10
  11 // Parameters
  12 $sessionid = required_param('qsid', PARAM_INT);
  13 $attemptid = required_param('aid', PARAM_INT);
  14 $questionid = required_param('qid', PARAM_INT);
  15 $newstate = required_param('newstate', PARAM_BOOL);
  16 $checksum = required_param('checksum', PARAM_ALPHANUM);
  17
  18 // Check user is logged in.
  19 require_login();
  20
  21 // Check the sesskey.
  22 if (!confirm_sesskey()) {
  23     echo 'sesskey failure';
  24 }
  25
  26 // Check the checksum - it is very hard to know who a question session belongs
  27 // to, so we require that checksum parameter is matches an md5 hash of the
  28 // three ids and the users username. Since we are only updating a flag, that
  29 // probably makes it sufficiently difficult for malicious users to toggle
  30 // other users flags.
  31 if ($checksum != md5($attemptid . "_" . $USER->secret . "_" . $questionid . "_" . $sessionid)) {
  32     echo 'checksum failure';
  33 }
  34
  35 // Check that the requested session really exists
  36 $questionsession = $DB->get_record('question_sessions', array('id' => $sessionid,
  37         'attemptid' => $attemptid, 'questionid' => $questionid));
  38 if (!$questionsession) {
  39     echo 'invalid ids';
  40 }
  41
  42 // Now change state
  43 if (!question_update_flag($sessionid, $newstate)) {
  44     echo 'update failed';
  45 }
  46
  47 echo 'OK';