Fix custom certificate queries see BT#14822

Requires validation of nosolored
7 years ago · 93cbd9271b
parent b0501cfdbe
commit 93cbd9271b
3 changed files with 13 additions and 3 deletions
--- a/main/gradebook/my_certificates.php
+++ b/main/gradebook/my_certificates.php
@ -39,7 +39,7 @@ if (api_get_setting('allow_public_certificates') === 'true') {
        'actions',
        Display::toolbarButton(
            get_lang('SearchCertificates'),
-            api_get_path(WEB_CODE_PATH)."gradebook/search.php",
+            api_get_path(WEB_CODE_PATH).'gradebook/search.php',
            'search',
            'info'
        )
--- a/plugin/customcertificate/src/CustomCertificatePlugin.php
+++ b/plugin/customcertificate/src/CustomCertificatePlugin.php
@ -216,12 +216,13 @@ class CustomCertificatePlugin extends Plugin
            return [];
        }

+        $userId = api_get_user_id();
        $certificateTable = Database::get_main_table(TABLE_MAIN_GRADEBOOK_CERTIFICATE);
        $categoryTable = Database::get_main_table(TABLE_MAIN_GRADEBOOK_CATEGORY);
        $sql = "SELECT cer.user_id AS user_id, cat.session_id AS session_id, cat.course_code AS course_code
                FROM $certificateTable cer
                INNER JOIN $categoryTable cat
-                ON (cer.cat_id = cat.id)
+                ON (cer.cat_id = cat.id AND cer.user_id = $userId)
                WHERE cer.id = $id";
        $rs = Database::query($sql);
        if (Database::num_rows($rs) > 0) {
@ -251,7 +252,7 @@ class CustomCertificatePlugin extends Plugin
    {
        $certId = (int) $certId;
        if (api_get_plugin_setting('customcertificate', 'enable_plugin_customcertificate') == 'true') {
-            $infoCertificate = CustomCertificatePlugin::getCertificateData($certId);
+            $infoCertificate = self::getCertificateData($certId);
            if (!empty($infoCertificate)) {
                if ($certificate->user_id == api_get_user_id() && !empty($certificate->certificate_data)) {
                    $certificateId = $certificate->certificate_data['id'];
--- a/plugin/customcertificate/src/print_certificate.php
+++ b/plugin/customcertificate/src/print_certificate.php
@ -32,6 +32,15 @@ if (intval($_GET['default']) == 1) {
    $enableCourse = api_get_course_setting('customcertificate_course_enable', $courseCode) == 1 ? true : false;
    $useDefault = api_get_course_setting('use_certificate_default', $courseCode) == 1 ? true : false;
 }
+
+if (empty($courseCode)) {
+    $courseCode = isset($_REQUEST['course_code']) ? Database::escape_string($_REQUEST['course_code']) : '';
+}
+
+if (empty($sessionId)) {
+    $sessionId = isset($_REQUEST['session_id']) ? (int) $_REQUEST['session_id'] : '';
+}
+
 $accessUrlId = api_get_current_access_url_id();

 $userList = [];