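/**
 * Upgrades the quiz module's database schema and data from $oldversion to the
 * current version.
 *
 * Every step is guarded by `$result && $oldversion < VERSION`, so the first
 * failing step short-circuits all later ones; the steps must therefore stay in
 * ascending version order.
 *
 * @param int $oldversion the module version currently installed (0 = none)
 * @return bool true when every applicable step succeeded
 */
function xmldb_quiz_upgrade($oldversion = 0) {
    global $CFG, $db;

    $result = true;

    if ($result && $oldversion < 2007022800) {
        /// Ensure that there are not existing duplicate entries in the database,
        /// otherwise the unique index added below cannot be created.
        $duplicateunits = get_records_select('question_numerical_units',
                "id > (SELECT MIN(iqnu.id)\n FROM {$CFG->prefix}question_numerical_units iqnu\n WHERE iqnu.question = {$CFG->prefix}question_numerical_units.question AND\n iqnu.unit = {$CFG->prefix}question_numerical_units.unit)",
                '', 'id');
        if ($duplicateunits) {
            /// The keys are integer ids returned by the database itself, so
            /// splicing them into the IN (...) clause does not involve any
            /// untrusted input.
            delete_records_select('question_numerical_units',
                    'id IN (' . implode(',', array_keys($duplicateunits)) . ')');
        }

        /// Define index question-unit (unique) to be added to question_numerical_units
        $table = new XMLDBTable('question_numerical_units');
        $index = new XMLDBIndex('question-unit');
        $index->setAttributes(XMLDB_INDEX_UNIQUE, array('question', 'unit'));

        /// Launch add index question-unit
        $result = $result && add_index($table, $index);
    }

    if ($result && $oldversion < 2007070200) {
        /// Changing precision of field timelimit on table quiz to (10)
        $table = new XMLDBTable('quiz');
        $field = new XMLDBField('timelimit');
        $field->setAttributes(XMLDB_TYPE_INTEGER, '10', XMLDB_UNSIGNED, XMLDB_NOTNULL, null, null, null, '0', 'timemodified');

        /// Launch change of precision for field timelimit
        $result = $result && change_field_precision($table, $field);
    }

    if ($result && $oldversion < 2007072200) {
        require_once $CFG->dirroot . '/mod/quiz/lib.php';

        // quiz_update_grades() produces too much debug output, so silence the DB
        // layer while it runs. Restore whatever the caller had set afterwards
        // rather than forcing debug on (which is what the old code did).
        $olddebug = $db->debug;
        $db->debug = false;
        quiz_update_grades();
        $db->debug = $olddebug;
    }

    // Separate control for when overall feedback is displayed, independent of the question feedback settings.
    if ($result && $oldversion < 2007072600) {
        // The QUIZ_REVIEW_* constants used below are assumed to live in
        // mod/quiz/lib.php (the file the previous step loads). Require it here
        // as well so this step does not rely on the previous step having run;
        // an undefined constant would otherwise be written into the SQL as text.
        require_once $CFG->dirroot . '/mod/quiz/lib.php';

        // Adjust the quiz review options so that overall feedback is displayed whenever feedback is.
        // The old OVERALLFEEDBACK bits are cleared, then each group's FEEDBACK bit is
        // multiplied up (2^16, 2^14, 2^12) - presumably landing on that group's
        // OVERALLFEEDBACK bit; see the constant definitions to confirm the layout.
        $fromimmediately = sql_bitand('review', QUIZ_REVIEW_FEEDBACK & QUIZ_REVIEW_IMMEDIATELY) . ' * 65536';
        $fromopen        = sql_bitand('review', QUIZ_REVIEW_FEEDBACK & QUIZ_REVIEW_OPEN) . ' * 16384';
        $fromclosed      = sql_bitand('review', QUIZ_REVIEW_FEEDBACK & QUIZ_REVIEW_CLOSED) . ' * 4096';
        $newreview = sql_bitor(
                sql_bitand('review', sql_bitnot(QUIZ_REVIEW_OVERALLFEEDBACK)),
                sql_bitor($fromimmediately, sql_bitor($fromopen, $fromclosed)));
        $result = $result && execute_sql('UPDATE ' . $CFG->prefix . 'quiz SET review = ' . $newreview);

        // Same adjustment to the defaults for new quizzes. The parentheses spell
        // out PHP's precedence (<< binds tighter than &, which binds tighter than |).
        $newdefault = ($CFG->quiz_review & ~QUIZ_REVIEW_OVERALLFEEDBACK)
                | (($CFG->quiz_review & QUIZ_REVIEW_FEEDBACK & QUIZ_REVIEW_IMMEDIATELY) << 16)
                | (($CFG->quiz_review & QUIZ_REVIEW_FEEDBACK & QUIZ_REVIEW_OPEN) << 14)
                | (($CFG->quiz_review & QUIZ_REVIEW_FEEDBACK & QUIZ_REVIEW_CLOSED) << 12);
        $result = $result && set_config('quiz_review', $newdefault);
    }

    //===== 1.9.0 upgrade line ======//

    return $result;
}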
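/**
 * Builds the admin URL at which a role's risky permission can be reviewed:
 * the role definition page for a system-context grant, otherwise the
 * override page for that particular context.
 *
 * @param int $roleid
 * @param int $contextid
 * @return string
 */
function report_security_check_courserole_url($roleid, $contextid) {
    global $CFG;

    if ($contextid == SYSCONTEXTID) {
        return "{$CFG->wwwroot}/{$CFG->admin}/roles/manage.php?action=view&roleid={$roleid}";
    }
    return "{$CFG->wwwroot}/{$CFG->admin}/roles/override.php?contextid={$contextid}&roleid={$roleid}";
}

/**
 * Verifies sanity of default roles in courses.
 *
 * Reports as critical any course default role (other than the site-wide
 * default course role) that may do anything, is one of the privileged legacy
 * roles, or holds XSS/config/dataloss-risk capabilities anywhere.
 *
 * @param bool $detailed whether to include the HTML details/explanation
 * @return object result with issue, name, info, details, status and link
 */
function report_security_check_courserole($detailed = false) {
    global $CFG, $SITE;

    $problems = array();

    $result = new object();
    $result->issue   = 'report_security_check_courserole';
    $result->name    = get_string('check_courserole_name', 'report_security');
    $result->info    = null;
    $result->details = null;
    $result->status  = null;
    $result->link    = null;

    if ($detailed) {
        $result->details = get_string('check_courserole_details', 'report_security');
    }

    // get list of all student roles selected in courses excluding the default course role
    $sql = "SELECT r.*\n FROM {$CFG->prefix}role r\n JOIN {$CFG->prefix}course c ON c.defaultrole = r.id\n WHERE c.id <> {$SITE->id} AND r.id <> {$CFG->defaultcourseroleid}";
    if (!($student_roles = get_records_sql($sql))) {
        $result->status  = REPORT_SECURITY_OK;
        $result->info    = get_string('check_courserole_notyet', 'report_security');
        $result->details = get_string('check_courserole_details', 'report_security');
        return $result;
    }
    $roleids = array_keys($student_roles);

    // roles that hold any of the privileged legacy capabilities
    $sql = "SELECT DISTINCT rc.roleid\n FROM {$CFG->prefix}role_capabilities rc\n WHERE (rc.capability = 'moodle/legacy:coursecreator' OR rc.capability = 'moodle/legacy:admin'\n OR rc.capability = 'moodle/legacy:teacher' OR rc.capability = 'moodle/legacy:editingteacher')\n AND rc.permission = " . CAP_ALLOW;
    // get_records_sql() returns false when nothing matches; array_keys(false)
    // would fail and the resulting empty IN () clause would break the course
    // query below, so normalise to an empty list.
    $riskyroles   = get_records_sql($sql);
    $riskyroleids = $riskyroles ? array_keys($riskyroles) : array();

    // first test if do anything enabled - that would be really crazy!!!!!!
    $inroles = implode(',', $roleids);
    $sql = "SELECT rc.roleid, rc.contextid\n FROM {$CFG->prefix}role_capabilities rc\n WHERE rc.capability = 'moodle/site:doanything'\n AND rc.permission = " . CAP_ALLOW . "\n AND rc.roleid IN ({$inroles})\n GROUP BY rc.roleid, rc.contextid\n ORDER BY rc.roleid, rc.contextid";
    $rs = get_recordset_sql($sql);
    while ($res = rs_fetch_next_record($rs)) {
        $a = report_security_check_courserole_url($res->roleid, $res->contextid);
        $problems[] = get_string('check_courserole_anything', 'report_security', $a);
    }
    rs_close($rs);

    // any XSS legacy cap does not make any sense here!
    if ($riskyroleids) {
        $inroles = implode(',', $riskyroleids);
        $sql = "SELECT DISTINCT c.id, c.shortname\n FROM {$CFG->prefix}course c\n WHERE c.defaultrole IN ({$inroles})\n ORDER BY c.sortorder";
        if ($courses = get_records_sql($sql)) {
            foreach ($courses as $course) {
                // The shortname is chosen by whoever edits the course and ends up
                // inside the <li> markup built below, so escape it for HTML.
                $a = (object) array(
                    'url'       => "{$CFG->wwwroot}/course/edit.php?id={$course->id}",
                    'shortname' => htmlspecialchars($course->shortname, ENT_QUOTES, 'UTF-8'),
                );
                $problems[] = get_string('check_courserole_riskylegacy', 'report_security', $a);
            }
        }
    }

    // risky caps in any level for roles not marked as risky yet - usually very dangerous!!
    if ($checkroles = array_diff($roleids, $riskyroleids)) {
        $inroles = implode(',', $checkroles);
        $sql = "SELECT rc.roleid, rc.contextid\n FROM {$CFG->prefix}role_capabilities rc\n JOIN {$CFG->prefix}capabilities cap ON cap.name = rc.capability\n WHERE " . sql_bitand('cap.riskbitmask', RISK_XSS | RISK_CONFIG | RISK_DATALOSS) . " <> 0\n AND rc.permission = " . CAP_ALLOW . "\n AND rc.roleid IN ({$inroles})\n GROUP BY rc.roleid, rc.contextid\n ORDER BY rc.roleid, rc.contextid";
        $rs = get_recordset_sql($sql);
        while ($res = rs_fetch_next_record($rs)) {
            $a = report_security_check_courserole_url($res->roleid, $res->contextid);
            $problems[] = get_string('check_courserole_risky', 'report_security', $a);
        }
        rs_close($rs);
    }

    if ($problems) {
        $result->status = REPORT_SECURITY_CRITICAL;
        $result->info   = get_string('check_courserole_error', 'report_security');
        if ($detailed) {
            $result->details .= "<ul>";
            foreach ($problems as $problem) {
                $result->details .= "<li>{$problem}</li>";
            }
            $result->details .= "</ul>";
        }
    } else {
        $result->status = REPORT_SECURITY_OK;
        $result->info   = get_string('check_courserole_ok', 'report_security');
    }

    return $result;
}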
/**
 * Returns the SQL text to be used in order to perform one bitwise XOR operation
 * between 2 integers.
 *
 * Both operands are spliced into the returned SQL verbatim, without any
 * quoting, so they must be column names or integer literals - never
 * untrusted input.
 *
 * @param integer int1 first integer in the operation
 * @param integer int2 second integer in the operation
 * @return string the piece of SQL code to be used in your statement.
 */
function sql_bitxor($int1, $int2) {
    global $CFG;

    $family = $CFG->dbfamily;

    if ($family === 'oracle') {
        // Oracle has no XOR operator: (a OR b) - (a AND b) leaves exactly the
        // bits set in one operand but not both.
        return '(' . sql_bitor($int1, $int2) . ' - ' . sql_bitand($int1, $int2) . ')';
    }

    if ($family === 'postgres') {
        // PostgreSQL spells bitwise XOR as '#'.
        return "(({$int1}) # ({$int2}))";
    }

    return "(({$int1}) ^ ({$int2}))";
}
/**
 * Returns the SQL text to be used in order to perform one bitwise OR operation
 * between 2 integers.
 *
 * The operands are pasted into the returned SQL verbatim, without quoting, so
 * callers must pass column names or integer literals only - never untrusted
 * input.
 *
 * @param integer int1 first integer in the operation
 * @param integer int2 second integer in the operation
 * @return string the piece of SQL code to be used in your statement.
 */
function sql_bitor($int1, $int2) {
    global $CFG;

    if ($CFG->dbfamily === 'oracle') {
        // Oracle lacks a native OR operator; a + b - (a AND b) sets exactly
        // the union of the two operands' bits.
        return "(({$int1}) + ({$int2}) - " . sql_bitand($int1, $int2) . ')';
    }

    return "(({$int1}) | ({$int2}))";
}