Index: moodle/mod/lamslesson/callback.php =================================================================== RCS file: /usr/local/cvsroot/moodle/mod/lamslesson/callback.php,v diff -u -r1.1 -r1.2 --- moodle/mod/lamslesson/callback.php 14 Feb 2011 03:08:14 -0000 1.1 +++ moodle/mod/lamslesson/callback.php 6 Jan 2012 13:23:00 -0000 1.2 @@ -18,23 +18,27 @@ include_once('lib.php'); global $DB; +$hs = required_param('hs', PARAM_ALPHANUM); +$ts = required_param('ts', PARAM_RAW); +$un = required_param('un', PARAM_ALPHANUM); +$lsid = required_param('lsId', PARAM_INT); + if(!isset($CFG->lamslesson_serverid)||!isset($CFG->lamslesson_serverkey)) { header('HTTP/1.1 401 Unauthenticated'); exit(1); } -$plaintext = trim($_GET['ts']).trim($_GET['un']).trim($CFG->lamslesson_serverid).trim($CFG->lamslesson_serverkey); +$plaintext = trim($ts).trim($un).trim($CFG->lamslesson_serverid).trim($CFG->lamslesson_serverkey); $hash = sha1(strtolower($plaintext)); -if($hash!=$_GET['hs']){ +if($hash != $hs){ header('HTTP/1.1 401 Unauthenticated'); exit(1); } //OK, the caller is authenticated. Now let's fulfill its request. // and make Moodle get the latest marks for this user in this lesson -$lsid = $_GET['lsId']; -$user = $DB->get_record('user', array('username'=>$_GET['un'])); +$user = $DB->get_record('user', array('username'=>$un)); if(!$user){ header('HTTP/1.1 401 Unauthenticated'); exit(1); @@ -44,4 +48,4 @@ $gradebookmark = lamslesson_get_lams_outputs($user->username,$lamslesson,$user->username); -?> \ No newline at end of file +?> Index: moodle/mod/lamslesson/lib.php =================================================================== RCS file: /usr/local/cvsroot/moodle/mod/lamslesson/lib.php,v diff -u -r1.8 -r1.9 --- moodle/mod/lamslesson/lib.php 4 Dec 2011 18:36:44 -0000 1.8 +++ moodle/mod/lamslesson/lib.php 6 Jan 2012 13:23:00 -0000 1.9 @@ -711,7 +711,7 @@ $listofcontexts = '('.$sitecontext->id.')'; // must be site } $sql = "SELECT u.id - FROM {$CFG->prefix}user u INNER JOIN {$CFG->prefix}role_assignments r ON u.id=r.userid + FROM {user} u INNER JOIN {role_assignments} r ON u.id=r.userid WHERE r.contextid IN $listofcontexts OR r.contextid=$context->id AND u.deleted=0 AND u.username!='guest'"; $users = $DB->get_records_sql($sql); Index: moodle/mod/lamslesson/userinfo.php =================================================================== RCS file: /usr/local/cvsroot/moodle/mod/lamslesson/userinfo.php,v diff -u -r1.1 -r1.2 --- moodle/mod/lamslesson/userinfo.php 16 Jan 2011 23:29:52 -0000 1.1 +++ moodle/mod/lamslesson/userinfo.php 6 Jan 2012 13:23:00 -0000 1.2 @@ -16,14 +16,19 @@ include_once($CFG->libdir.'/datalib.php'); global $DB; + $hs = required_param('hs', PARAM_ALPHANUM); + $ts = required_param('ts', PARAM_RAW); + $un = required_param('un', PARAM_ALPHANUM); + $lsid = optional_param('lsid', '', PARAM_INT); + if(!isset($CFG->lamslesson_serverid)||!isset($CFG->lamslesson_serverkey)) { header('HTTP/1.1 401 Unauthenticated'); exit(1); } - $plaintext = trim($_GET['ts']).trim($_GET['un']).trim($CFG->lamslesson_serverid).trim($CFG->lamslesson_serverkey); + $plaintext = trim($ts).trim($un).trim($CFG->lamslesson_serverid).trim($CFG->lamslesson_serverkey); $hash = sha1(strtolower($plaintext)); - if($hash!=$_GET['hs']){ + if($hash != $hs){ header('HTTP/1.1 401 Unauthenticated'); exit(1); } @@ -32,7 +37,7 @@ //What it needs is user info in CSV format. It should be like this: //username,first name,last name,job title, department, organisation, //address,phone,fax,mobile,email - $user = $DB->get_record('user', array('username'=>$_GET['un'])); + $user = $DB->get_record('user', array('username'=>$un)); //return false if none found if(!$user){ @@ -43,4 +48,4 @@ $comma_separated = implode(",", $array);//need more sophiscated algorithm to generate CSV formatted string echo $comma_separated; -?> \ No newline at end of file +?>