diff --git a/main/exercise/exercise.class.php b/main/exercise/exercise.class.php index 491395115c..fde7cc26d7 100755 --- a/main/exercise/exercise.class.php +++ b/main/exercise/exercise.class.php @@ -5483,7 +5483,6 @@ class Exercise if ($answerType == HOT_SPOT || $answerType == HOT_SPOT_ORDER) { // We made an extra table for the answers if ($show_result) { - // if ($origin != 'learnpath') { echo ''; echo " @@ -5494,7 +5493,8 @@ class Exercise $(document).on('ready', function () { new HotspotQuestion({ questionId: $questionId, - exerciseId: $exeId, + exerciseId: {$this->id}, + exeId: $exeId, selector: '#hotspot-solution-$questionId', for: 'solution', relPath: '$relPath' @@ -5504,7 +5504,6 @@ class Exercise "; - // } } } elseif ($answerType == ANNOTATION) { if ($show_result) { diff --git a/main/exercise/exercise_result.php b/main/exercise/exercise_result.php index ed8355d9d1..5ef9de478d 100755 --- a/main/exercise/exercise_result.php +++ b/main/exercise/exercise_result.php @@ -40,7 +40,7 @@ if (empty($remind_list)) { $remind_list = isset($_REQUEST['remind_list']) ? $_REQUEST['remind_list'] : null; } -$exe_id = isset($_REQUEST['exe_id']) ? intval($_REQUEST['exe_id']) : 0; +$exe_id = isset($_REQUEST['exe_id']) ? (int) $_REQUEST['exe_id'] : 0; if (empty($objExercise)) { // Redirect to the exercise overview diff --git a/main/exercise/exercise_show.php b/main/exercise/exercise_show.php index 5ff0d1cd4e..b949aaeb8a 100755 --- a/main/exercise/exercise_show.php +++ b/main/exercise/exercise_show.php @@ -82,7 +82,6 @@ if (empty($objExercise)) { $objExercise = Session::read('objExercise'); } -$exeId = isset($_REQUEST['id']) ? $_REQUEST['id'] : null; $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : null; $courseInfo = api_get_course_info(); 
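Review bot: `exeId: $exeId` in the exercise.class.php hunk at `@@ -5494` is interpolated straight into an inline `<script>` string, and nothing in the hunk shows `$exeId` being cast; unless the method guarantees an int (its start and end are outside the hunk), emit it as `exeId: ".(int) $exeId.",` so a non-numeric value cannot break or alter the generated JS. The same applies to `exeId: $id` in the two exercise_show.php hunks at `@@ -462` and `@@ -630`, where `$id` is likewise defined outside the shown lines.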
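Review bot: Removing the `$exeId = isset($_REQUEST['id']) ? $_REQUEST['id'] : null;` assignment in the exercise_show.php hunk at `@@ -82` leaves any `$exeId` reference elsewhere in that file reading an undefined variable (null), which an `(int)` cast or URL builder would silently turn into 0; only the `@@ -1110` use is switched to `$id` here, so it is worth confirming no other `$exeId` reads remain outside the shown hunks. The surrounding top-level script continues beyond the hunk.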
@@ -462,7 +461,8 @@ foreach ($questionList as $questionId) { $(document).on('ready', function () { new HotspotQuestion({ questionId: $questionId, - exerciseId: $id, + exerciseId: {$objExercise->id}, + exeId: $id, selector: '#hotspot-solution-$questionId-$id', for: 'solution', relPath: '$relPath' @@ -630,7 +630,8 @@ foreach ($questionList as $questionId) { $(document).on('ready', function () { new HotspotQuestion({ questionId: $questionId, - exerciseId: $id, + exerciseId: {$objExercise->id}, + exeId: $id, selector: '#hotspot-solution', for: 'solution', relPath: '$relPath' @@ -1110,7 +1111,7 @@ if ($origin != 'learnpath') { 'action' => 'view', 'lp_id' => $learnpath_id, 'lp_item_id' => $learnpath_item_id, - 'exeId' => $exeId, + 'exeId' => $id, 'fb_type' => $feedback_type, ]); $href = ($lp_mode == 'fullscreen') diff --git a/main/exercise/hotspot_answers.as.php b/main/exercise/hotspot_answers.as.php index d6c707c0c1..8008c69ffd 100755 --- a/main/exercise/hotspot_answers.as.php +++ b/main/exercise/hotspot_answers.as.php 
@@ -15,20 +15,39 @@ require_once __DIR__.'/../inc/global.inc.php'; api_protect_course_script(); -if (!api_is_allowed_to_edit(null, true)) { - api_not_allowed(true); -} - -// Set vars $questionId = isset($_GET['modifyAnswers']) ? (int) $_GET['modifyAnswers'] : 0; $exerciseId = isset($_GET['exerciseId']) ? (int) $_GET['exerciseId'] : 0; +$exeId = isset($_GET['exeId']) ? (int) $_GET['exeId'] : 0; +$userId = api_get_user_id(); $courseId = api_get_course_int_id(); +$objExercise = new Exercise($courseId); + +// Check if student has access to the hotspot answers +if (!api_is_allowed_to_edit(null, true)) { + if (empty($exeId)) { + api_not_allowed(); + } + $trackExerciseInfo = $objExercise->get_stat_track_exercise_info_by_exe_id($exeId); + + if (empty($trackExerciseInfo)) { + api_not_allowed(); + } + + // Different exercise + if ($exerciseId != $trackExerciseInfo['exe_exo_id']) { + api_not_allowed(); + } + + // Different user + if ($trackExerciseInfo['exe_user_id'] != $userId) { + api_not_allowed(); + } +} $objQuestion = Question::read($questionId, $courseId); -$objExercise = new Exercise($courseId); $objExercise->read($exerciseId); -if (empty($objQuestion) || empty($objQuestion)) { +if (empty($objQuestion) || empty($objExercise)) { exit; } @@ -68,7 +87,6 @@ $data['courseCode'] = $_course['path']; $data['hotspots'] = []; $showTotalScoreAndUserChoicesInLastAttempt = true; - if ($objExercise->selectResultsDisabled() == RESULT_DISABLE_SHOW_SCORE_ATTEMPT_SHOW_ANSWERS_LAST_ATTEMPT) { $showOnlyScore = true; $showResults = true; @@ -76,7 +94,7 @@ if ($objExercise->selectResultsDisabled() == RESULT_DISABLE_SHOW_SCORE_ATTEMPT_S $attempts = Event::getExerciseResultsByUser( api_get_user_id(), $objExercise->id, - api_get_course_int_id(), + $courseId, api_get_session_id(), $trackExerciseInfo['orig_lp_id'], $trackExerciseInfo['orig_lp_item_id'], 
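Review bot: The new student access check in the `@@ -15` hunk binds `$exeId` to the current user and to `$exerciseId`, but nothing binds `$questionId` to that exercise: `Question::read($questionId, $courseId)` scopes only by course, and the expected-answer query in the later `@@ -111` hunk filters on `a.cId` and `a.questionId` alone, so the owner of any attempt of one exercise can fetch the expected hotspot coordinates of a different hotspot question in the same course whenever `$hideExpectedAnswer` is false. Add a membership check right after `$objExercise->read($exerciseId)` that calls `api_not_allowed()` when `$questionId` is not one of that exercise's questions, and prefer strict typed comparisons, `if ($exerciseId !== (int) $trackExerciseInfo['exe_exo_id'])` and `if ((int) $trackExerciseInfo['exe_user_id'] !== $userId)`, over the loose `!=`. Note also that `$trackExerciseInfo` is only assigned in the non-editor branch here while the `@@ -76` hunk reads `$trackExerciseInfo['orig_lp_id']` for every caller; presumably an assignment between the hunks still covers the editor path, but that should be confirmed.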
@@ -111,13 +129,13 @@ if (!$hideExpectedAnswer) { if ($objQuestion->selectType() == HOT_SPOT_DELINEATION) { $qb ->where($qb->expr()->eq('a.cId', $courseId)) - ->andWhere($qb->expr()->eq('a.questionId', intval($questionId))) + ->andWhere($qb->expr()->eq('a.questionId', $questionId)) ->andWhere($qb->expr()->neq('a.hotspotType', 'noerror')) ->orderBy('a.id', 'ASC'); } else { $qb ->where($qb->expr()->eq('a.cId', $courseId)) - ->andWhere($qb->expr()->eq('a.questionId', intval($questionId))) + ->andWhere($qb->expr()->eq('a.questionId', $questionId)) ->orderBy('a.position', 'ASC'); } @@ -146,7 +164,6 @@ if (!$hideExpectedAnswer) { $hotSpot['type'] = 'delineation'; break; } - $hotSpot['coord'] = $hotSpotAnswer->getHotspotCoordinates(); $data['hotspots'][] = $hotSpot; } @@ -160,7 +177,7 @@ $rs = $em [ 'hotspotQuestionId' => $questionId, 'cId' => $courseId, - 'hotspotExeId' => $exerciseId, + 'hotspotExeId' => $exeId, ], ['hotspotAnswerId' => 'ASC'] ); diff --git a/main/inc/lib/exercise.lib.php b/main/inc/lib/exercise.lib.php index da5db58453..d07732f1e9 100644 --- a/main/inc/lib/exercise.lib.php +++ b/main/inc/lib/exercise.lib.php @@ -1187,7 +1187,6 @@ HTML; '; - if ($freeze) { $relPath = api_get_path(WEB_CODE_PATH); echo " @@ -1203,6 +1202,7 @@ HTML; new ".($answerType == HOT_SPOT ? "HotspotQuestion" : "DelineationQuestion")."({ questionId: $questionId, exerciseId: $exerciseId, + exeId: 0, selector: '#hotspot-preview-$questionId', for: 'preview', relPath: '$relPath' diff --git a/main/inc/lib/javascript/hotspot/js/hotspot.js b/main/inc/lib/javascript/hotspot/js/hotspot.js index 3a13cfa3cb..e64c80efc2 100755 --- a/main/inc/lib/javascript/hotspot/js/hotspot.js +++ b/main/inc/lib/javascript/hotspot/js/hotspot.js 
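Review bot: `'hotspotExeId' => $exeId` in the `@@ -160` hunk keys the user-answer lookup on the attempt id, which is the fix this commit is for, but in the preview path (`exeId: 0` sent from the exercise.lib.php hunk at `@@ -1203`) and for editors who omit the parameter `$exeId` is 0 and the query still runs against a non-existent attempt. Wrapping the lookup in `if ($exeId > 0) {` skips the pointless query and makes the "no attempt" case explicit instead of implicit. The `$rs = $em` statement begins in the hunk header context, outside the shown lines.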
@@ -1154,7 +1154,8 @@ window.HotspotQuestion = (function () { case 'preview': xhrQuestion = $.getJSON(config.relPath + 'exercise/hotspot_answers.as.php?' + _p.web_cid_query, { modifyAnswers: parseInt(config.questionId), - exerciseId: parseInt(config.exerciseId) + exerciseId: parseInt(config.exerciseId), + exeId: parseInt(config.exeId) }); break; } @@ -1164,13 +1165,11 @@ window.HotspotQuestion = (function () { case 'admin': startHotspotsAdmin(questionInfo); break; - case 'user': startHotspotsUser(questionInfo); break; - case 'solution': - //no break + // no break case 'preview': startHotspotsSolution(questionInfo); break; @@ -1777,11 +1776,12 @@ window.DelineationQuestion = (function () { }); break; case 'solution': - //no break + // no break case 'preview': xhrQuestion = $.getJSON(config.relPath + 'exercise/hotspot_answers.as.php?' + _p.web_cid_query, { modifyAnswers: parseInt(config.questionId), - exerciseId: parseInt(config.exerciseId) + exerciseId: parseInt(config.exerciseId), + exeId: parseInt(config.exeId) }); break; } @@ -1791,13 +1791,11 @@ window.DelineationQuestion = (function () { case 'admin': startAdminSvg(questionInfo); break; - case 'user': startUserSvg(questionInfo); break; - case 'solution': - //no break + // no break case 'preview': startPreviewSvg(questionInfo); break;
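Review bot: `exeId: parseInt(config.exeId)` in the `@@ -1154` hunk yields `NaN` when a caller does not pass `exeId`, and the request then carries the string "NaN", which the PHP side casts to 0, so any caller not updated by this commit degrades silently into the no-attempt path rather than failing visibly. Default it explicitly, `exeId: parseInt(config.exeId) || 0,`, or reject a missing `config.exeId` in the 'solution' case so the error surfaces in the console; the DelineationQuestion hunk at `@@ -1777` has the same line. Both enclosing functions start and end outside the hunks.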