From 0185b2f2a604985d26169a4062df96ebfc63b966 Mon Sep 17 00:00:00 2001
From: jmontoyaa
Date: Wed, 11 Apr 2018 09:07:36 +0200
Subject: [PATCH] Fix hotspot preview question + add security access see BT#14222

---
 main/exercise/hotspot_answers.as.php          | 38 +++++++++++--------
 main/inc/lib/javascript/hotspot/js/hotspot.js |  4 +-
 2 files changed, 24 insertions(+), 18 deletions(-)

diff --git a/main/exercise/hotspot_answers.as.php b/main/exercise/hotspot_answers.as.php
index d6ed540b6d..cdbab757b9 100755
--- a/main/exercise/hotspot_answers.as.php
+++ b/main/exercise/hotspot_answers.as.php
@@ -5,8 +5,7 @@ use Chamilo\CoreBundle\Entity\TrackEHotspot;
 use Chamilo\CourseBundle\Entity\CQuizAnswer;
 
 /**
- * This file generates the ActionScript variables code used by the
- * HotSpot .swf.
+ * This file generates a json answer to the question preview
  *
  * @package chamilo.exercise
  *
@@ -14,14 +13,25 @@ use Chamilo\CourseBundle\Entity\CQuizAnswer;
  */
 require_once __DIR__.'/../inc/global.inc.php';
 
+api_protect_course_script();
+
+if (!api_is_allowed_to_edit(null, true)) {
+    api_not_allowed(true);
+}
+
 // Set vars
-$questionId = intval($_GET['modifyAnswers']);
-$exe_id = intval($_GET['exe_id']);
+$questionId = isset($_GET['modifyAnswers']) ? (int) $_GET['modifyAnswers'] : 0;
+$exerciseId = isset($_GET['exerciseId']) ? (int) $_GET['exerciseId'] : 0;
+$courseId = api_get_course_int_id();
+
+$objQuestion = Question::read($questionId, $courseId);
+$objExercise = new Exercise($courseId);
+$objExercise->read($exerciseId);
+
+if (empty($objQuestion) || empty($objQuestion)) {
+    exit;
+}
 
-$objQuestion = Question::read($questionId);
-$trackExerciseInfo = ExerciseLib::get_exercise_track_exercise_info($exe_id);
-$objExercise = new Exercise(api_get_course_int_id());
-$objExercise->read($trackExerciseInfo['exe_exo_id']);
 $em = Database::getManager();
 $documentPath = api_get_path(SYS_COURSE_PATH).$_course['path'].'/document';
 $picturePath = $documentPath.'/images';
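Review bot: The new guard `if (empty($objQuestion) || empty($objQuestion))` tests the same variable twice, so the exercise side is never validated; `$objExercise` is always an object after `new Exercise($courseId)`, so what needs checking is whether `$objExercise->read($exerciseId)` actually located an exercise. If `read()` signals failure through its return value (not visible in this hunk — confirm in the Exercise class), the added lines should become `$exerciseFound = $objExercise->read($exerciseId);` and `if (empty($objQuestion) || !$exerciseFound) { exit; }`; otherwise test whichever field `read()` populates. As written, an unknown `exerciseId` falls through to the `selectResultsDisabled()` logic below on a half-initialised exercise, and the bare `exit` returns an empty 200 body that the caller's `$.getJSON` cannot parse, so an explicit error status (e.g. `header('HTTP/1.1 404 Not Found')`) before `exit` would be clearer. The access checks above correctly make this an editor-only endpoint, but nothing here verifies that the question belongs to the requested exercise, only that both live in the current course.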
@@ -29,7 +39,6 @@ $pictureName = $objQuestion->getPictureFilename();
 $pictureSize = getimagesize($picturePath.'/'.$pictureName);
 $pictureWidth = $pictureSize[0];
 $pictureHeight = $pictureSize[1];
-$course_id = api_get_course_int_id();
 
 $data = [];
 $data['type'] = 'solution';
@@ -74,7 +83,6 @@ if ($objExercise->selectResultsDisabled() == RESULT_DISABLE_SHOW_SCORE_ATTEMPT_S
         'desc'
     );
     $numberAttempts = count($attempts);
-
     $showTotalScoreAndUserChoicesInLastAttempt = false;
 
     if ($numberAttempts >= $objExercise->attempts) {
@@ -86,7 +94,6 @@ if ($objExercise->selectResultsDisabled() == RESULT_DISABLE_SHOW_SCORE_ATTEMPT_S
 }
 
 $hideExpectedAnswer = false;
-
 if ($objExercise->selectFeedbackType() == 0 && $objExercise->selectResultsDisabled() == 2) {
     $hideExpectedAnswer = true;
 }
@@ -103,13 +110,13 @@ if (!$hideExpectedAnswer) {
 
     if ($objQuestion->selectType() == HOT_SPOT_DELINEATION) {
         $qb
-            ->where($qb->expr()->eq('a.cId', $course_id))
+            ->where($qb->expr()->eq('a.cId', $courseId))
             ->andWhere($qb->expr()->eq('a.questionId', intval($questionId)))
             ->andWhere($qb->expr()->neq('a.hotspotType', 'noerror'))
             ->orderBy('a.id', 'ASC');
     } else {
         $qb
-            ->where($qb->expr()->eq('a.cId', $course_id))
+            ->where($qb->expr()->eq('a.cId', $courseId))
             ->andWhere($qb->expr()->eq('a.questionId', intval($questionId)))
             ->orderBy('a.position', 'ASC');
     }
@@ -152,8 +159,8 @@ $rs = $em
     ->findBy(
         [
             'hotspotQuestionId' => $questionId,
-            'cId' => $course_id,
-            'hotspotExeId' => $exe_id,
+            'cId' => $courseId,
+            'hotspotExeId' => $exerciseId,
         ],
         ['hotspotAnswerId' => 'ASC']
     );
@@ -164,7 +171,6 @@ foreach ($rs as $row) {
 }
 
 $data['done'] = 'done';
-
 header('Content-Type: application/json');
 echo json_encode($data);
 
diff --git a/main/inc/lib/javascript/hotspot/js/hotspot.js b/main/inc/lib/javascript/hotspot/js/hotspot.js
index beddd915eb..3a13cfa3cb 100755
--- a/main/inc/lib/javascript/hotspot/js/hotspot.js
+++ b/main/inc/lib/javascript/hotspot/js/hotspot.js
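Review bot: In the `@@ -152,8 +159,8 @@` hunk, `'hotspotExeId' => $exerciseId` feeds the TrackEHotspot lookup an exercise id, whereas the removed line fed it `$exe_id`, the attempt id that `get_exercise_track_exercise_info` was keyed on. If `hotspotExeId` identifies an attempt, as its former source and the `TrackEHotspot` entity name suggest (confirm against the entity), this query will now match rows from whatever unrelated attempt happens to share a numeric id with the exercise, or none at all, and those rows are merged into the preview response by the `foreach ($rs as $row)` loop that starts outside the hunk. Since a preview has no attempt, the cleaner fix is to skip the TrackEHotspot query in this mode rather than substitute an id of a different kind, e.g. guard it with `if (!empty($exeId)) { ... }` where `$exeId` is an explicit, separately validated attempt parameter. The remaining hunks on this line are a variable rename and blank-line removals and need no change.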
@@ -1154,7 +1154,7 @@ window.HotspotQuestion = (function () {
             case 'preview':
                 xhrQuestion = $.getJSON(config.relPath + 'exercise/hotspot_answers.as.php?' + _p.web_cid_query, {
                     modifyAnswers: parseInt(config.questionId),
-                    exe_id: parseInt(config.exerciseId)
+                    exerciseId: parseInt(config.exerciseId)
                 });
                 break;
         }
@@ -1781,7 +1781,7 @@ window.DelineationQuestion = (function () {
             case 'preview':
                 xhrQuestion = $.getJSON(config.relPath + 'exercise/hotspot_answers.as.php?' + _p.web_cid_query, {
                     modifyAnswers: parseInt(config.questionId),
-                    exe_id: parseInt(config.exerciseId)
+                    exerciseId: parseInt(config.exerciseId)
                 });
                 break;
         }