Refactor fillsurvey.php link generation see BT#15280

7 years ago · 5ddc4ab4c9
parent 81d89fb452
commit 5ddc4ab4c9
7 changed files with 51 additions and 21 deletions
--- a/main/survey/link.php
+++ b/main/survey/link.php
@ -40,7 +40,7 @@ if ($hashIsValid && $courseInfo) {
    $invitation_id = SurveyUtil::save_invitation($params);

    if ($invitation_id) {
-        $link = api_get_path(WEB_CODE_PATH).'survey/fillsurvey.php?invitationcode='.$invitation_code.'&course='.$courseInfo['code'].'&id_session='.$sessionId;
+        $link = SurveyUtil::generateFillSurveyLink($invitation_code, $courseInfo['code'], $sessionId);
        header('Location: '.$link);
        exit;
    }
--- a/main/survey/pending.php
+++ b/main/survey/pending.php
@ -10,7 +10,7 @@ $cidReset = true;

 require_once __DIR__.'/../inc/global.inc.php';

-api_block_anonymous_users(true);
+api_block_anonymous_users();

 $em = Database::getManager();

@ -36,13 +36,18 @@ foreach ($pending as $i => $item) {

    $course = $course ? ['id' => $course->getId(), 'title' => $course->getTitle(), 'code' => $course->getCode()] : null;
    $session = $session ? ['id' => $session->getId(), 'name' => $session->getName()] : null;
+    $courseInfo = api_get_course_info_by_id($course->getId());
    $surveysData[$survey->getSurveyId()] = [
        'title' => $survey->getTitle(),
-        'invitation_code' => $invitation->getInvitationCode(),
        'avail_from' => $survey->getAvailFrom(),
        'avail_till' => $survey->getAvailTill(),
        'course' => $course,
        'session' => $session,
+        'link' => SurveyUtil::generateFillSurveyLink(
+            $invitation->getInvitationCode(),
+            $courseInfo,
+            $survey->getSessionId()
+        ),
    ];
 }

--- a/main/survey/survey.lib.php
+++ b/main/survey/survey.lib.php
@ -1948,16 +1948,17 @@ class SurveyManager
            return;
        }

-        $urlParams = http_build_query([
-            'course' => api_get_course_id(),
-            'invitationcode' => $invitation->getInvitationCode(),
-        ]);
-
        Display::addFlash(
            Display::return_message(get_lang('MandatorySurveyNoAnswered'), 'warning')
        );

-        header('Location: '.api_get_path(WEB_CODE_PATH).'survey/fillsurvey.php?'.$urlParams.'&'.api_get_cidreq());
+        $url = SurveyUtil::generateFillSurveyLink(
+            $invitation->getInvitationCode(),
+            api_get_course_info(),
+            api_get_session_id()
+        );
+
+        header('Location: '.$url);
        exit;
    }

--- a/main/survey/surveyUtil.class.php
+++ b/main/survey/surveyUtil.class.php
@ -2396,8 +2396,7 @@ class SurveyUtil
        $sessionId = api_get_session_id();

        // Replacing the **link** part with a valid link for the user
-        $link = api_get_path(WEB_CODE_PATH).'survey/fillsurvey.php?';
-        $link .= 'id_session='.$sessionId.'&course='.$_course['code'].'&invitationcode='.$invitation_code;
+        $link = self::generateFillSurveyLink($invitation_code, $_course, $sessionId);

        $text_link = '<a href="'.$link.'">'.get_lang('ClickHereToAnswerTheSurvey')."</a><br />\r\n<br />\r\n"
            .get_lang('OrCopyPasteTheFollowingUrl')." <br />\r\n ".$link;
@ -3417,8 +3416,7 @@ class SurveyUtil
                    [],
                    ICON_SIZE_TINY
                );
-                $url = api_get_path(WEB_CODE_PATH).'survey/fillsurvey.php?course='.$_course['sysCode']
-                    .'&invitationcode='.$row['invitation_code'].'&cidReq='.$_course['sysCode'].'&id_session='.$row['session_id'];
+                $url = self::generateFillSurveyLink($row['invitation_code'], $_course, $row['session_id']);
                echo '<a href="'.$url.'">
                    '.$row['title']
                    .'</a></td>';
@ -3889,4 +3887,35 @@ class SurveyUtil

        return Database::store_result($query);
    }
+
+    /**
+     * @param string $code invitation code
+     * @param array  $courseInfo
+     * @param int    $sessionId
+     * @param string $surveyCode
+     *
+     * @return string
+     */
+    public static function generateFillSurveyLink($code, $courseInfo, $sessionId, $surveyCode = '')
+    {
+        $code = Security::remove_XSS($code);
+        $sessionId = (int) $sessionId;
+
+        if (empty($courseInfo)) {
+            return '';
+        }
+
+        $params =  [
+            'invitationcode' => $code,
+            'cidReq' => $courseInfo['code'],
+            'course' => $courseInfo['code'],
+            'id_session' => $sessionId,
+        ];
+
+        if (!empty($surveyCode)) {
+            $params['scode'] = Security::remove_XSS($surveyCode);
+        }
+
+        return api_get_path(WEB_CODE_PATH).'survey/fillsurvey.php?'.http_build_query($params);
+    }
 }
--- a/main/survey/survey_invitation.php
+++ b/main/survey/survey_invitation.php
@ -149,9 +149,7 @@ foreach ($sentIntitations as $row) {
                echo '	<td>';
                $code = $row['invitation_code'];

-                $link = api_get_path(WEB_CODE_PATH).'survey/fillsurvey.php?';
-                $link .= 'id_session='.$sessionId.'&course='.$courseInfo['code'].'&invitationcode='.$code;
-
+                $link = SurveyUtil::generateFillSurveyLink($code, $courseInfo, $sessionId);
                $link = Display::input('text', 'copy_'.$id, $link, ['id' => 'copy_'.$id, 'class' => '']);
                $link .= ' '.Display::url(
                    Display::returnFontAwesomeIcon('copy').get_lang('CopyTextToClipboard'),
--- a/main/survey/survey_invite.php
+++ b/main/survey/survey_invite.php
@ -175,7 +175,7 @@ if (api_is_multiple_url_enabled()) {
 }

 // Show the URL that can be used by users to fill a survey without invitation
-$auto_survey_link = $portal_url.'main/survey/fillsurvey.php?course='.$_course['sysCode'].'&invitationcode=auto&scode='.$survey_data['survey_code'].'&id_session='.$survey_data['session_id'];
+$auto_survey_link = SurveyUtil::generateFillSurveyLink('auto', $_course, $survey_data['session_id'], $survey_data['survey_code']);

 $form->addElement('label', null, get_lang('AutoInviteLink'));
 $form->addElement('label', null, $auto_survey_link);
--- a/main/template/default/survey/pending.tpl
+++ b/main/template/default/survey/pending.tpl
@ -11,13 +11,10 @@
 </div>
 <br>
 {% for survey in surveys %}
-    {% set course_code = survey.course ? survey.course.code : '' %}
-    {% set session_id = survey.session ? survey.session.id : 0 %}
-
    <div class="panel panel-default">
        <div class="panel-body">
            <div>
-                <a href="{{ _p.web_main ~ 'survey/fillsurvey.php?' ~ {'course': course_code, 'invitationcode': survey.invitation_code, 'cidReq': course_code, 'id_session': session_id}|url_encode }}">
+                <a href="{{ survey.link }}">
                    {{ survey.title }}
                </a>
            </div>