MDL-20830 workshop requires sesskey when editing submission
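<?php // $Id$

/*************************************************
 mod/workshop/submissions.php

 Per-submission actions for the workshop module. Every request carries the
 course module id (id) and an action; most actions also carry a submission
 id (sid). Actions that write to the database call require_sesskey() and
 either require the manage capability or check that the current user owns
 the submission and that the submission/assessment deadlines allow the edit.

 ACTIONS handled are:

    adminamendtitle            (form)
    adminclearlate             (writes: manage capability + sesskey)
    adminlateflag              (confirmation page)
    adminlist
    adminupdatetitle           (writes: manage capability + sesskey)
    confirmdelete              (confirmation page)
    confirmremoveattachments   (confirmation page)
    delete                     (writes: sesskey + owner/teacher + deadlines)
    editsubmission             (form)
    listallsubmissions
    listforassessmentstudent
    listforassessmentteacher
    removeattachments          (writes: sesskey + owner/teacher + deadlines)
    showsubmission
    updateleaguetable          (writes: manage capability)
    updatesubmission           (writes: sesskey + owner/teacher + deadlines)

************************************************/

require("../../config.php");
require("lib.php");
require("locallib.php");

$id          = required_param('id', PARAM_INT);               // Course Module ID
$action      = optional_param('action', '', PARAM_ALPHA);
$sid         = optional_param('sid', 0, PARAM_INT);           // submission id
$order       = optional_param('order', 'name', PARAM_ALPHA);
$title       = optional_param('title', '', PARAM_CLEAN);
$nentries    = optional_param('nentries', '', PARAM_ALPHANUM);
$anonymous   = optional_param('anonymous', '', PARAM_CLEAN);
$description = optional_param('description', '', PARAM_CLEAN);

// one timestamp for the whole request so every deadline check agrees
$timenow = time();

// get some useful stuff...
if (! $cm = get_coursemodule_from_id('workshop', $id)) {
    error("Course Module ID was incorrect");
}
if (! $course = get_record("course", "id", $cm->course)) {
    error("Course is misconfigured");
}
if (! $workshop = get_record("workshop", "id", $cm->instance)) {
    error("Course module is incorrect");
}

require_login($course->id, false, $cm);
$context = get_context_instance(CONTEXT_MODULE, $cm->id);

$strworkshops = get_string("modulenameplural", "workshop");
$strworkshop = get_string("modulename", "workshop");
$strsubmissions = get_string("submissions", "workshop");

// ... print the header and...
$navigation = build_navigation($strsubmissions, $cm);
print_header_simple(format_string($workshop->name), "", $navigation,
                    "", "", true);

//...get the action or set up an suitable default
if (empty($action)) {
    $action = "listallsubmissions";
}


/******************* admin amend title ************************************/
elseif ($action == 'adminamendtitle' ) {

    require_capability('mod/workshop:manage', $context);
    if (empty($sid)) {
        error("Admin Amend Title: submission id missing");
    }
    if (!$submission = get_record("workshop_submissions", "id", $sid)) {
        error("Admin Amend Title: can not get submission record");
    }
    print_heading(get_string("amendtitle", "workshop"));
    ?>
    <form id="amendtitleform" action="submissions.php" method="post">
    <fieldset class="invisiblefieldset">
    <input type="hidden" name="action" value="adminupdatetitle" />
    <input type="hidden" name="sesskey" value="<?php echo sesskey(); ?>" />
    <input type="hidden" name="id" value="<?php echo $cm->id ?>" />
    <input type="hidden" name="sid" value="<?php echo $sid ?>" />
    <div class="boxaligncenter">
    <table cellpadding="5" border="1">
    <?php

    // now get the comment
    echo "<tr valign=\"top\">\n";
    echo "  <td align=\"right\"><p><b>". get_string("title", "workshop").":</b></p></td>\n";
    echo "  <td>\n";
    // the stored title goes into an attribute value, so quote it for that context
    echo "      <input type=\"text\" name=\"title\" size=\"60\" maxlength=\"100\" value=\"".s($submission->title)."\" />\n";
    echo "  </td></tr></table>\n";
    echo "<input type=\"submit\" value=\"".get_string("amendtitle", "workshop")."\" />\n";
    echo "</div></fieldset></form>\n";

    print_heading("<a $CFG->frametarget href=\"view.php?id=$cm->id#sid=$submission->id\">".get_string("cancel")."</a>");
}


/******************* admin clear late (flag) ************************************/
elseif ($action == 'adminclearlate' ) {

    require_capability('mod/workshop:manage', $context);
    require_sesskey();
    if (empty($sid)) {
        error("Admin clear late flag: submission id missing");
    }
    if (!$submission = get_record("workshop_submissions", "id", $sid)) {
        error("Admin clear late flag: can not get submission record");
    }
    if (set_field("workshop_submissions", "late", 0, "id", $sid)) {
        print_heading(get_string("clearlateflag", "workshop")." ".get_string("ok"));
    }
    add_to_log($course->id, "workshop", "late flag cleared", "view.php?id=$cm->id", "submission $submission->id");

    redirect("view.php?id=$cm->id");
}


/******************* confirm delete ************************************/
elseif ($action == 'confirmdelete' ) {

    // confirmation only; the authorisation check happens in the 'delete' action
    if (empty($sid)) {
        error("Confirm delete: submission id missing");
    }
    notice_yesno(get_string("confirmdeletionofthisitem","workshop", get_string("submission", "workshop")),
        "submissions.php?sesskey=" . sesskey() . "&amp;action=delete&amp;id=$cm->id&amp;sid=$sid", "view.php?id=$cm->id#sid=$sid");
}


/******************* delete ************************************/
elseif ($action == 'delete' ) {

    require_sesskey();
    if (empty($sid)) {
        error("Delete: submission id missing");
    }
    if (!$submission = get_record("workshop_submissions", "id", $sid)) {
        error("Admin delete: can not get submission record");
    }
    // students are only allowed to delete their own submission and only up to the deadline.
    // Ownership is a comparison: an assignment here would be true for every
    // submission and would overwrite $USER->id for the rest of the request.
    if (!(workshop_is_teacher($workshop) or
        (($submission->userid == $USER->id) and ($timenow < $workshop->submissionend)
         and (($timenow < $workshop->assessmentstart) or ($timenow < $submission->timecreated + $CFG->maxeditingtime))))) {
        error("You are not authorized to delete this submission");
    }

    print_string("deleting", "workshop");
    // first get any assessments...
    if ($assessments = workshop_get_assessments($submission, 'ALL')) {
        foreach($assessments as $assessment) {
            // ...and all the associated records...
            delete_records("workshop_comments", "assessmentid", $assessment->id);
            delete_records("workshop_grades", "assessmentid", $assessment->id);
            echo ".";
        }
    }
    // ...now delete the assessments...
    delete_records("workshop_assessments", "submissionid", $submission->id);
    // ...and the submission record...
    delete_records("workshop_submissions", "id", $submission->id);
    // ..and finally the submitted file
    workshop_delete_submitted_files($workshop, $submission);

    redirect("view.php?id=$cm->id");
}


/******************* admin (confirm) late flag ************************************/
elseif ($action == 'adminlateflag' ) {

    require_capability('mod/workshop:manage', $context);
    if (empty($sid)) {
        error("Admin confirm late flag: submission id missing");
    }
    if (!$submission = get_record("workshop_submissions", "id", $sid)) {
        error("Admin confirm late flag: can not get submission record");
    }

    notice_yesno(get_string("clearlateflag","workshop")."?",
        "submissions.php?sesskey=" . sesskey() . "&amp;action=adminclearlate&amp;id=$cm->id&amp;sid={$submission->id}",
        "view.php?id=$cm->id");
}


/******************* list all submissions ************************************/
elseif ($action == 'adminlist' ) {

    require_capability('mod/workshop:manage', $context);

    workshop_list_submissions_for_admin($workshop, $order);
    print_continue("view.php?id=$cm->id");
}


/******************* admin update title ************************************/
elseif ($action == 'adminupdatetitle' ) {

    require_capability('mod/workshop:manage', $context);
    require_sesskey();
    if (empty($sid)) {
        error("Admin Update Title: submission id missing");
    }
    if (set_field("workshop_submissions", "title", $title, "id", $sid)) {
        print_heading(get_string("amendtitle", "workshop")." ".get_string("ok"));
    }
    print_continue("view.php?id=$cm->id");
}


/******************* confirm remove attachments ************************************/
elseif ($action == 'confirmremoveattachments' ) {

    // confirmation only; the authorisation check happens in 'removeattachments'
    if (empty($sid)) {
        error("Admin confirm delete: submission id missing");
    }
    if (!$submission = get_record("workshop_submissions", "id", $sid)) {
        error("Admin delete: can not get submission record");
    }

    notice_yesno(get_string("confirmremoveattachments","workshop"),
        "submissions.php?sesskey=" . sesskey() . "&amp;action=removeattachments&amp;id=$cm->id&amp;sid=$sid",
        "view.php?id=$cm->id");
}


/******************* edit submission ************************************/
elseif ($action == 'editsubmission' ) {

    if (empty($sid)) {
        error("Edit submission: submission id missing");
    }
    $usehtmleditor = can_use_html_editor();

    if (!$submission = get_record("workshop_submissions", "id", $sid)) {
        error("Edit submission: can not get submission record");
    }
    print_heading(get_string("editsubmission", "workshop"));
    if ($submission->userid <> $USER->id) {
        error("Edit submission: Userids do not match");
    }
    // only the editing-window check is made here; the submission deadline is
    // enforced again by 'updatesubmission' when the form is posted
    if (($submission->timecreated < ($timenow - $CFG->maxeditingtime)) and ($workshop->assessmentstart < $timenow)) {
        print_error('notallowed', 'workshop');
    }
    ?>
    <form id="editform" enctype="multipart/form-data" action="submissions.php" method="post">
    <fieldset class="invisiblefieldset">
    <input type="hidden" name="action" value="updatesubmission" />
    <input type="hidden" name="sesskey" value="<?php echo sesskey(); ?>" />
    <input type="hidden" name="id" value="<?php echo $cm->id ?>" />
    <input type="hidden" name="sid" value="<?php echo $sid ?>" />
    <div class="boxaligncenter">
    <table cellpadding="5" border="1">
    <?php
    echo "<tr valign=\"top\"><td><b>". get_string("title", "workshop").":</b>\n";
    // the stored title goes into an attribute value, so quote it for that context
    echo "<input type=\"text\" name=\"title\" size=\"60\" maxlength=\"100\" value=\"".s($submission->title)."\" />\n";
    echo "</td></tr><tr><td><b>".get_string("submission", "workshop").":</b><br />\n";
    print_textarea($usehtmleditor, 25,70, 630, 400, "description", $submission->description);
    use_html_editor("description");
    echo "</td></tr>\n";
    if ($workshop->nattachments) {
        $filearea = workshop_file_area_name($workshop, $submission);
        if ($basedir = workshop_file_area($workshop, $submission)) {
            if ($files = get_directory_list($basedir)) {
                // the button switches the form's action to 'removeattachments'; the
                // same sesskey hidden field is posted, so that action stays protected
                echo "<tr><td><b>".get_string("attachments", "workshop").
                    "</b><div style=\"text-align:right;\"><input type=\"button\" value=\"".get_string("removeallattachments",
                    "workshop")."\" onclick=\"getElementById('editform').action.value='removeattachments';
                    getElementById('editform').submit();\"/></div></td></tr>\n";
                $n = 1;
                require_once($CFG->libdir .'/filelib.php');
                foreach ($files as $file) {
                    $icon = mimeinfo("icon", $file);
                    $ffurl = get_file_url("$filearea/$file");
                    // removed target=\"uploadedfile\"
                    // as it does not validate MDL_7861
                    echo "<tr><td>".get_string("attachment", "workshop")." $n: <img src=\"$CFG->pixpath/f/$icon\"
                        class=\"icon\" alt=\"".get_string('file')."\" />".
                        "&nbsp;<a href=\"$ffurl\">$file</a></td></tr>\n";
                    // number the attachments 1, 2, 3... instead of labelling all of them "1"
                    $n++;
                }
            } else {
                echo "<tr><td><b>".get_string("noattachments", "workshop")."</b></td></tr>\n";
            }
        }
        echo "<tr><td>\n";
        require_once($CFG->dirroot.'/lib/uploadlib.php');
        $tag = array();
        for ($i=0; $i < $workshop->nattachments; $i++) {
            $iplus1 = $i + 1;
            $tag[$i] = get_string("newattachment", "workshop")." $iplus1:";
        }
        upload_print_form_fragment($workshop->nattachments,null,$tag,false,null,$course->maxbytes,
            $workshop->maxbytes,false);
        echo "</td></tr>\n";
    }

    echo "</table>\n";
    echo "<input type=\"submit\" value=\"".get_string("savemysubmission", "workshop")."\" />\n";
    echo "</div></fieldset></form>\n";
}


/******************* list all submissions ************************************/
elseif ($action == 'listallsubmissions' ) {
    if (!$users = workshop_get_students($workshop)) {
        print_heading(get_string("nostudentsyet"));
        print_footer($course);
        exit;
    }
    print_heading(get_string("listofallsubmissions", "workshop").":", "CENTER");
    workshop_list_all_submissions($workshop, $USER);
    print_continue("view.php?id=$cm->id");
}


/******************* list for assessment student (submissions) ************************************/
elseif ($action == 'listforassessmentstudent' ) {
    if (!$users = workshop_get_students($workshop)) {
        print_heading(get_string("nostudentsyet"));
        print_footer($course);
        exit;
    }
    workshop_list_unassessed_student_submissions($workshop, $USER);
    print_continue("view.php?id=$cm->id");
}


/******************* list for assessment teacher (submissions) ************************************/
elseif ($action == 'listforassessmentteacher' ) {

    require_capability('mod/workshop:manage', $context);

    workshop_list_unassessed_teacher_submissions($workshop, $USER);
    print_continue("view.php?id=$cm->id");
}


/******************* remove (all) attachments ************************************/
elseif ($action == 'removeattachments' ) {

    require_sesskey();

    // use the cleaned request parameters (PARAM_INT / PARAM_CLEAN at the top of
    // the file) rather than the raw post data, as 'updatesubmission' does
    if (empty($sid)) {
        error("Update submission: submission id missing");
    }
    if (!$submission = get_record("workshop_submissions", "id", $sid)) {
        error("Update submission: can not get submission record");
    }

    // students are only allowed to remove their own attachments and only up to the deadline.
    // Ownership is a comparison: an assignment here would be true for every
    // submission and would overwrite $USER->id for the rest of the request.
    if (!(workshop_is_teacher($workshop) or
        (($submission->userid == $USER->id) and ($timenow < $workshop->submissionend)
         and (($timenow < $workshop->assessmentstart) or ($timenow < $submission->timecreated + $CFG->maxeditingtime))))) {
        error("You are not authorized to delete these attachments");
    }

    // amend title... just in case they were modified
    // check existence of title
    if (empty($title)) {
        notify(get_string("notitlegiven", "workshop"));
    } else {
        set_field("workshop_submissions", "title", $title, "id", $submission->id);
        set_field("workshop_submissions", "description", trim($description), "id", $submission->id);
    }
    print_string("removeallattachments", "workshop");
    workshop_delete_submitted_files($workshop, $submission);
    add_to_log($course->id, "workshop", "removeattachments", "view.php?id=$cm->id", "submission $submission->id");

    print_continue("view.php?id=$cm->id#sid=$submission->id");
}


/******************* show submission ************************************/
elseif ($action == 'showsubmission' ) {

    if (empty($sid)) {
        error("Show submission: submission id missing");
    }

    if (!$submission = get_record("workshop_submissions", "id", $sid)) {
        error("Show submission: can not get submission record");
    }
    $title = '"'.$submission->title.'" ';
    if (workshop_is_teacher($workshop)) {
        $title .= get_string('by', 'workshop').' '.workshop_fullname($submission->userid, $course->id);
    }
    print_heading($title);
    echo '<div style="text-align:center">'.get_string('submitted', 'workshop').': '.userdate($submission->timecreated).'</div><br />';
    workshop_print_submission($workshop, $submission);
    // continue back to the referring page; fall back to the view page when the
    // browser sent no Referer header instead of raising a notice
    $back = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "view.php?id=$cm->id";
    print_continue(htmlentities($back.'#sid='.$submission->id));
}


/*************** update (league table options teacher) ***************************/
elseif ($action == 'updateleaguetable') {

    require_capability('mod/workshop:manage', $context);
    // NOTE(review): this action writes workshop settings but, unlike the other
    // write actions in this file, does not call require_sesskey(); add it once
    // the league-table form in view.php is confirmed to post sesskey.

    // save number of entries in showleaguetable option
    if ($nentries == 'All') {
        $nentries = 99;
    }
    set_field("workshop", "showleaguetable", $nentries, "id", "$workshop->id");

    // save the anonymous option
    set_field("workshop", "anonymous", $anonymous, "id", "$workshop->id");
    add_to_log($course->id, "workshop", "league table", "view.php?id=$cm->id", $nentries, $cm->id);

    redirect("view.php?id=$cm->id");
}


/*************** update submission ***************************/
elseif ($action == 'updatesubmission') {

    require_sesskey();
    if (empty($sid)) {
        error("Update submission: submission id missing");
    }
    if (!$submission = get_record("workshop_submissions", "id", $sid)) {
        error("Update submission: can not get submission record");
    }

    // students are only allowed to update their own submission and only up to the deadline.
    // Ownership is a comparison: an assignment here would be true for every
    // submission and would overwrite $USER->id for the rest of the request.
    if (!(workshop_is_teacher($workshop) or
        (($submission->userid == $USER->id) and ($timenow < $workshop->submissionend)
         and (($timenow < $workshop->assessmentstart) or ($timenow < $submission->timecreated + $CFG->maxeditingtime))))) {
        error("You are not authorized to update your submission");
    }

    // check existence of title
    if (empty($title)) {
        $title = get_string("notitle", "workshop");
    }
    set_field("workshop_submissions", "title", $title, "id", $submission->id);
    set_field("workshop_submissions", "description", trim($description), "id", $submission->id);
    // timecreated is reset on every edit, so the maxeditingtime window above
    // is measured from the latest save
    set_field("workshop_submissions", "timecreated", $timenow, "id", $submission->id);
    if ($workshop->nattachments) {
        require_once($CFG->dirroot.'/lib/uploadlib.php');
        $um = new upload_manager(null,false,false,$course,false,$workshop->maxbytes);
        if ($um->preprocess_files()) {
            $dir = workshop_file_area_name($workshop, $submission);
            if ($um->save_files($dir)) {
                add_to_log($course->id, "workshop", "newattachment", "view.php?id=$cm->id", "$workshop->id");
                print_heading(get_string("uploadsuccess", "workshop"));
            }
            // upload manager will print errors.
        }
        print_continue("view.php?id=$cm->id");
    } else {
        echo '</div>'; // close <div id='page'>
        redirect("view.php?id=$cm->id#sid=$submission->id");
    }
}


/*************** no man's land **************************************/

else {
    // $action is PARAM_ALPHA, so it is safe to echo back here
    error("Fatal Error: Unknown Action: ".$action."\n");
}


print_footer($course);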