diff --git a/main/mySpace/lp_tracking.php b/main/mySpace/lp_tracking.php
index 30621229a5..f0b84960c5 100644
--- a/main/mySpace/lp_tracking.php
+++ b/main/mySpace/lp_tracking.php
@@ -45,25 +45,36 @@ $csv_content = array(); $user_id = intval($_GET['student_id']); + +if (isset($_GET['course'])) { + $cidReq = Security::remove_XSS($_GET['course']); +} + $user_infos = UserManager :: get_user_info_by_id($user_id); $name = $user_infos['firstname'].' '.$user_infos['lastname']; -if(!api_is_platform_admin(true) && !CourseManager :: is_course_teacher($_user['user_id'], $_GET['course']) && !Tracking :: is_allowed_to_coach_student($_user['user_id'],$_GET['student_id']) && $user_infos['hr_dept_id']!==$_user['user_id']) { +if(!api_is_platform_admin(true) && !CourseManager :: is_course_teacher($_user['user_id'], $cidReq) && !Tracking :: is_allowed_to_coach_student($_user['user_id'],$_GET['student_id']) && $user_infos['hr_dept_id']!==$_user['user_id']) { Display::display_header(''); api_not_allowed(); Display::display_footer(); } -$_course = CourseManager :: get_course_information($_GET['course']); +$course_exits = CourseManager::course_exists($cidReq); + +if (!empty($course_exits)) { + $_course = CourseManager :: get_course_information($cidReq); +} else { + api_not_allowed(); +} + $_course['dbNameGlu'] = $_configuration['table_prefix'] . $_course['db_name'] . 
$_configuration['db_glue']; -$cidReq = Security::remove_XSS($_GET['course']); if(!empty($_GET['origin']) && $_GET['origin'] == 'user_course') { $interbreadcrumb[] = array ("url" => api_get_path(WEB_COURSE_PATH).$_course['directory'], 'name' => $_course['title']); - $interbreadcrumb[] = array ("url" => "../user/user.php?cidReq=".Security::remove_XSS($_GET['course']), "name" => get_lang("Users")); + $interbreadcrumb[] = array ("url" => "../user/user.php?cidReq=".$cidReq, "name" => get_lang("Users")); } else if(!empty($_GET['origin']) && $_GET['origin'] == 'tracking_course') { $interbreadcrumb[] = array ("url" => api_get_path(WEB_COURSE_PATH).$_course['directory'], 'name' => $_course['title']); - $interbreadcrumb[] = array ("url" => "../tracking/courseLog.php?cidReq=".Security::remove_XSS($_GET['course']).'&studentlist=true&id_session='.$_SESSION['id_session'], "name" => get_lang("Tracking")); + $interbreadcrumb[] = array ("url" => "../tracking/courseLog.php?cidReq=".$cidReq.'&studentlist=true&id_session='.$_SESSION['id_session'], "name" => get_lang("Tracking")); } else { $interbreadcrumb[] = array ("url" => "index.php", "name" => get_lang('MySpace')); $interbreadcrumb[] = array ("url" => "student.php", "name" => get_lang("MyStudents")); @@ -71,7 +82,7 @@ if(!empty($_GET['origin']) && $_GET['origin'] == 'user_course') { $nameTools=get_lang("DetailsStudentInCourse"); } -$interbreadcrumb[] = array("url" => "myStudents.php?student=".Security::remove_XSS($_GET['student_id'])."&course=".Security::remove_XSS($_GET['course'])."&details=true&origin=".Security::remove_XSS($_GET['origin']) , "name" => get_lang("DetailsStudentInCourse")); +$interbreadcrumb[] = array("url" => "myStudents.php?student=".Security::remove_XSS($_GET['student_id'])."&course=".$cidReq."&details=true&origin=".Security::remove_XSS($_GET['origin']) , "name" => get_lang("DetailsStudentInCourse")); $nameTools = get_lang('LearningPathDetails'); $htmlHeadXtra[] = ' 
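Review bot: `$cidReq` is only assigned inside the new `if (isset($_GET['course']))` block, so when the `course` parameter is absent the authorization check `CourseManager :: is_course_teacher($_user['user_id'], $cidReq)` and the new `CourseManager::course_exists($cidReq)` both run on an undefined variable (null after a notice) rather than on a rejected request. Initialising it unconditionally keeps every later use defined, `$cidReq = isset($_GET['course']) ? Security::remove_XSS($_GET['course']) : '';`, and an empty code then falls into the `api_not_allowed()` branch. `Security::remove_XSS()` is an HTML sanitizer, not SQL escaping, so the value handed to `is_course_teacher()` and `get_course_information()` is only safe if those methods escape it themselves, which is not visible from this hunk. The existing `api_not_allowed(); Display::display_footer();` sequence suggests `api_not_allowed()` may not stop execution; if it does not, the new `else { api_not_allowed(); }` branch leaves `$_course` unset and the page keeps rendering, so an explicit `exit;` after it is worth confirming. Minor: `$course_exits` reads as a typo of `$course_exists`.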
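Review bot: In the `"myStudents.php?student=" ... "&course=".$cidReq` breadcrumb URL, `$cidReq` and the `student`/`origin` values beside it are placed in a query string after `Security::remove_XSS()`, which strips markup but does not encode URL-reserved characters such as `&`, `=` or `#`; the context-appropriate escape for a query-string component is `urlencode($cidReq)`. The same applies to the two `cidReq=` breadcrumb URLs in the previous hunk of this file. The `if`/`else` chain whose closing brace opens this hunk starts before it.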
diff --git a/main/newscorm/lp_stats.php b/main/newscorm/lp_stats.php index c231748350..367bddb502 100644 --- a/main/newscorm/lp_stats.php +++ b/main/newscorm/lp_stats.php @@ -34,16 +34,20 @@ require_once ('resourcelinker.inc.php'); require_once ('../inc/lib/tracking.lib.php'); require_once ('../inc/lib/course.lib.php'); - if(empty($_SESSION['_course']['id']) && isset($_GET['course'])) { - $course_code = Database :: escape_string($_GET['course']); + $course_code = Security::remove_XSS($_GET['course']); } else { $course_code = $_SESSION['_course']['id']; } + +if (isset($_GET['student_id'])) { + $student_id = intval($_GET['student_id']); +} + //The two following variables have to be declared by the includer script //$lp_id = $_SESSION['oLP']->get_id(); //$list = $_SESSION['oLP']->get_flat_ordered_items_list($lp_id); @@ -100,7 +104,7 @@ $extend_all_link = ''; $extend_all = 0; if ($origin == 'tracking') { - $url_suffix = '&course=' . $_GET['course'] . '&student_id=' . $_GET['student_id'] . '&lp_id=' . $_GET['lp_id'] . '&origin=' . $_GET['origin']; + $url_suffix = '&course=' . Security::remove_XSS($_GET['course']) . '&student_id=' . $student_id . '&lp_id=' . Security::remove_XSS($_GET['lp_id']) . '&origin=' . Security::remove_XSS($_GET['origin']); } else { $url_suffix = ''; } 
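Review bot: Replacing `Database :: escape_string($_GET['course'])` with `Security::remove_XSS($_GET['course'])` for `$course_code` removes SQL escaping from a value that is still interpolated into SQL later in this file — the `exe_cours_id="' . $course_code . '"` queries in the hunk at @@ -456 — and `remove_XSS()` is an HTML sanitizer, not an SQL escape. The request value should keep SQL escaping where it feeds SQL (or be validated against the expected course-code format) and receive `remove_XSS()`/`urlencode()` only where it is echoed into HTML or URLs. Separately, `$student_id` is only defined inside `if (isset($_GET['student_id']))`, yet the `tracking` branches at @@ -100, @@ -164, @@ -456 and @@ -553 use it unconditionally, so a tracking request without `student_id` runs the attempt queries with `exe_user_id=""` from an undefined variable; `$student_id = isset($_GET['student_id']) ? intval($_GET['student_id']) : 0;` keeps it a defined integer everywhere. Those later hunks dropped the `(int)` cast at the use site, so this declaration is now the only place the type is enforced.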
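Review bot: `$url_suffix` now passes `$_GET['lp_id']` through `Security::remove_XSS()` while `student_id` is carried as the integer `$student_id`; since `lp_id` is cast with `(int)` when it reaches SQL elsewhere in this file (`(int)$clean_lp_id` at @@ -164), `intval($_GET['lp_id'])` would be the consistent and tighter filter here. `Security::remove_XSS()` on `course` and `origin` strips markup but does not URL-encode, so `urlencode()` is the right escape for these query-string components. `$url_suffix` is appended to links whose construction lies outside this hunk, so I cannot confirm whether an encoding layer is applied there.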
@@ -164,7 +168,7 @@ if (isset($_GET['lp_id']) && isset($_GET['my_lp_id'])) { if ($origin != 'tracking') { $sql_attempts = 'SELECT * FROM ' . $tbl_stats_exercices . ' WHERE exe_exo_id="' . (int)$row_path['path'] . '" AND exe_user_id="' . (int)api_get_user_id() . '" AND orig_lp_id = "'.(int)$clean_lp_id.'" AND orig_lp_item_id = "'.(int)$clean_lp_item_id.'" AND exe_cours_id="' . $clean_course_code. '" AND status <> "incomplete" ORDER BY exe_date'; } else { - $sql_attempts = 'SELECT * FROM ' . $tbl_stats_exercices . ' WHERE exe_exo_id="' . (int)$row_path['path'] . '" AND exe_user_id="' . (int)$_GET['student_id'] . '" AND orig_lp_id = "'.(int)$clean_lp_id.'" AND orig_lp_item_id = "'.(int)$clean_lp_item_id.'" AND exe_cours_id="' . $clean_course_code. '" AND status <> "incomplete" ORDER BY exe_date'; + $sql_attempts = 'SELECT * FROM ' . $tbl_stats_exercices . ' WHERE exe_exo_id="' . (int)$row_path['path'] . '" AND exe_user_id="' . $student_id . '" AND orig_lp_id = "'.(int)$clean_lp_id.'" AND orig_lp_item_id = "'.(int)$clean_lp_item_id.'" AND exe_cours_id="' . $clean_course_code. '" AND status <> "incomplete" ORDER BY exe_date'; } } 
@@ -456,7 +460,7 @@ if (is_array($list) && count($list) > 0){ if ($origin != 'tracking') { $sql_last_attempt = 'SELECT * FROM ' . $tbl_stats_exercices . ' WHERE exe_exo_id="' . $row['path'] . '" AND exe_user_id="' . api_get_user_id() . '" AND orig_lp_id = "'.$lp_id.'" AND orig_lp_item_id = "'.$row['myid'].'" AND exe_cours_id="' . $course_code . '" AND status <> "incomplete" ORDER BY exe_date DESC limit 1'; } else { - $sql_last_attempt = 'SELECT * FROM ' . $tbl_stats_exercices . ' WHERE exe_exo_id="' . $row['path'] . '" AND exe_user_id="' . $_GET['student_id'] . '" AND orig_lp_id = "'.$lp_id.'" AND orig_lp_item_id = "'.$row['myid'].'" AND exe_cours_id="' . $course_code . '" AND status <> "incomplete" ORDER BY exe_date DESC limit 1'; + $sql_last_attempt = 'SELECT * FROM ' . $tbl_stats_exercices . ' WHERE exe_exo_id="' . $row['path'] . '" AND exe_user_id="' . $student_id . '" AND orig_lp_id = "'.$lp_id.'" AND orig_lp_item_id = "'.$row['myid'].'" AND exe_cours_id="' . $course_code . '" AND status <> "incomplete" ORDER BY exe_date DESC limit 1'; } $resultLastAttempt = api_sql_query($sql_last_attempt, __FILE__, __LINE__); 
@@ -553,8 +557,8 @@ if (is_array($list) && count($list) > 0){ $my_url_suffix = '&course=' . api_get_course_id() . '&student_id=' . api_get_user_id() . '&lp_id=' . Security::remove_XSS($row['mylpid']); $sql_last_attempt = 'SELECT * FROM ' . $tbl_stats_exercices . ' WHERE exe_exo_id="' . $row['path'] . '" AND exe_user_id="' . api_get_user_id() . '" AND orig_lp_id = "'.$lp_id.'" AND orig_lp_item_id = "'.$row['myid'].'" AND exe_cours_id="' . $course_code . '" AND status <> "incomplete" ORDER BY exe_date DESC '; } else { - $my_url_suffix = '&course=' . $_GET['course'] . '&student_id=' . Security::remove_XSS($_GET['student_id']) . '&lp_id=' . Security::remove_XSS($row['mylpid']).'&origin=' . Security::remove_XSS($_GET['origin']); - $sql_last_attempt = 'SELECT * FROM ' . $tbl_stats_exercices . ' WHERE exe_exo_id="' . $row['path'] . '" AND exe_user_id="' . Database :: escape_string($_GET['student_id']) . '" AND orig_lp_id = "'.$lp_id.'" AND orig_lp_item_id = "'.$row['myid'].'" AND exe_cours_id="' . Database :: escape_string($_GET['course']) . '" AND status <> "incomplete" ORDER BY exe_date DESC '; + $my_url_suffix = '&course=' . Security::remove_XSS($_GET['course']) . '&student_id=' . $student_id . '&lp_id=' . Security::remove_XSS($row['mylpid']).'&origin=' . Security::remove_XSS($_GET['origin']); + $sql_last_attempt = 'SELECT * FROM ' . $tbl_stats_exercices . ' WHERE exe_exo_id="' . $row['path'] . '" AND exe_user_id="' . $student_id . '" AND orig_lp_id = "'.$lp_id.'" AND orig_lp_item_id = "'.$row['myid'].'" AND exe_cours_id="' . Database :: escape_string($_GET['course']) . '" AND status <> "incomplete" ORDER BY exe_date DESC '; } $resultLastAttempt = api_sql_query($sql_last_attempt, __FILE__, __LINE__); @@ -700,14 +704,14 @@ if (is_array($list) && count($list) > 0){ if (!api_is_allowed_to_edit() && $result_disabled_ext_all) { $output .= '
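Review bot: The `else` branch's `$sql_last_attempt` still reads `exe_cours_id` from `Database :: escape_string($_GET['course'])`, while the query it mirrors in the `if` branch (and the one at @@ -456) uses `$course_code`, which after the @@ -34 change is no longer SQL-escaped and may come from `$_SESSION['_course']['id']` rather than the request. Keeping the escaped request value here is the safe choice, but the two branches can now query different course ids on the same page; if that divergence is unintended, deriving both from a single SQL-escaped `$course_code` would remove it. The surrounding `if`/`else` and the loop that contains it start before this hunk.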
 . 'quiz_na.gif)
 . 'quiz.gif)
 . 'quiz.gif)
 . 'quiz_na.gif)
 . 'quiz.gif)
 . 'quiz.gif)