From 954fd9a4bfc72979b0b8a717e33bd6c90424f034 Mon Sep 17 00:00:00 2001
From: Jonathan Harker
Date: Tue, 9 Dec 2014 19:26:32 +1300
Subject: [PATCH] Use core required_param for toggle parameters.
- delegate security responsibility of HTTP parameters to core Moodle code.
- PARAM_RAW is sufficient, since always filtering topcoll parameters.
- This work was made possible through funding from Te Rito Maioha Early Childhood New Zealand.
---
 format.php | 2 +-
 settopcollpref.php | 2 +-
 togglelib.php | 75 ++++++++++++----------------------------------
 3 files changed, 21 insertions(+), 58 deletions(-)
diff --git a/format.php b/format.php
index 6ee93662..a0283d64 100644
--- a/format.php
+++ b/format.php
@@ -88,7 +88,7 @@ $defaulttogglepersistence = clean_param(get_config('format_topcoll', 'defaulttogglepersistence'), PARAM_INT);
 if ($defaulttogglepersistence == 1) {
- user_preference_allow_ajax_update('topcoll_toggle_' . $course->id, PARAM_TOPCOLL);
+ user_preference_allow_ajax_update('topcoll_toggle_' . $course->id, PARAM_RAW);
 $userpreference = get_user_preferences('topcoll_toggle_' . $course->id);
 } else {
 $userpreference = null;
diff --git a/settopcollpref.php b/settopcollpref.php
index d4d668eb..b1edd8d8 100644
--- a/settopcollpref.php
+++ b/settopcollpref.php
@@ -44,7 +44,7 @@
 }
 // Get and set the value.
-$value = required_topcoll_param('value', $USER->ajax_updatable_user_prefs[$name]);
+$value = required_topcoll_param('value');
 // Update
 if (!set_user_preference($name, $value)) {
 print_error('errorsettinguserpref');
diff --git a/togglelib.php b/togglelib.php
index 0609bfcb..c498b9a1 100644
--- a/togglelib.php
+++ b/togglelib.php
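Review bot: Registering the preference with PARAM_RAW on the changed `user_preference_allow_ajax_update` line removes core-side cleaning for `topcoll_toggle_<courseid>`, and nothing in this hunk ties that registration to the byte filter in `clean_topcoll_param()`, which only runs when the value arrives through `settopcollpref.php`. As far as I can tell this registration is what the `$USER->ajax_updatable_user_prefs` entry is built from, so any other writer that honours that list would now store the value unfiltered; the commit message's "always filtering" holds only for the plugin's own endpoint. Readers of the preference should therefore either tolerate an arbitrary string or filter on read. A comment on the changed line, e.g. `// PARAM_RAW: the value is validated by clean_topcoll_param() in settopcollpref.php, not by core.`, would record the assumption.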
@@ -220,85 +220,48 @@ public function test() {
 }
 }
-// Toggle user preference code as PARAM_TEXT is unsuitable. See: CONTRIB-5211 & MDL-46754.
-define('PARAM_TOPCOLL', 'topcoll');
-
 /**
- * Returns a particular value for the named variable, taken from
- * POST or GET. If the parameter doesn't exist then an error is
- * thrown because we require this variable.
- *
- * This function should be used to initialise all required values
- * in a script that are based on parameters. Usually it will be
- * used like this:
- * $id = required_param('value', PARAM_TOPCOLL);
- *
- * Please note the $type parameter is now required and the value can not be array.
+ * Returns a required_param() toggle value for the named user preference.
- *
- * @param string $parname the name of the page parameter we want
- * @param string $type expected type of parameter
+ * @param string $parname the name of the user preference we want
 * @return mixed
 * @throws coding_exception
 */
-function required_topcoll_param($parname, $type) {
- if (func_num_args() != 2 or empty($parname) or empty($type)) {
- throw new coding_exception('required_topcoll_param() requires $parname and $type to be specified (parameter: '.$parname.')');
- }
- // POST has precedence.
- if (isset($_POST[$parname])) {
- $param = $_POST[$parname];
- } else if (isset($_GET[$parname])) {
- $param = $_GET[$parname];
- } else {
- print_error('missingparam', '', '', $parname);
- }
-
- if (is_array($param)) {
- debugging('Invalid array parameter detected in required_topcoll_param(): '.$parname);
- // TODO: switch to fatal error in Moodle 2.3.
- return required_param_array($parname, $type);
+function required_topcoll_param($parname) {
+ if (empty($parname)) {
+ throw new coding_exception('required_topcoll_param() requires $parname to be specified');
 }
+ $param = required_param($parname, PARAM_RAW);
- return clean_topcoll_param($param, $type);
+ return clean_topcoll_param($param);
 }
 /**
- * Used by required_topcoll_param to clean the variables and/or cast
- * to specific types, based on an options field.
+ * Used by required_topcoll_param to clean the toggle parameter.
- *
- * @param mixed $param the variable we are cleaning
- * @param string $type expected format of param after cleaning.
+ * @param string $param the variable we are cleaning
 * @return mixed
 * @throws coding_exception
 */
-function clean_topcoll_param($param, $type) {
+function clean_topcoll_param($param) {
 global $CFG;
 if (is_array($param)) {
- throw new coding_exception('clean_topcoll_param() can not process arrays, please use clean_param_array() instead.');
+ throw new coding_exception('clean_topcoll_param() can not process arrays.');
 } else if (is_object($param)) {
 if (method_exists($param, '__toString')) {
 $param = $param->__toString();
 } else {
- throw new coding_exception('clean_topcoll_param() can not process objects, please use clean_param_array() instead.');
+ throw new coding_exception('clean_topcoll_param() can not process objects.');
 }
 }
- switch ($type) {
- case PARAM_TOPCOLL:
- $param = fix_utf8($param);
-
- $chars = strlen($param);
- for ($i = 0; $i < $chars; $i++) {
- $charval = ord($param[$i]);
- if (($charval < 58) || ($charval > 121)) {
- return '';
- }
- }
- return $param;
-
- default:
- // Doh! throw error, switched parameters in optional_param or another serious problem.
- print_error("unknownparamtype", '', '', $type);
+ $chars = strlen($param);
+ for ($i = 0; $i < $chars; $i++) {
+ $charval = ord($param[$i]);
+ if (($charval < 58) || ($charval > 121)) {
+ return '';
+ }
 }
+ return $param;
 }
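Review bot: The new docblock for `clean_topcoll_param()` is inaccurate on two counts: it declares `@param string $param` while the body still handles arrays and objects, and it keeps `@return mixed` although every path returns a string (`''` or the filtered value). It also omits the one behaviour a caller needs to know, that a single byte outside 58–121 discards the whole value silently rather than raising, so a malformed toggle string resets the preference with no `debugging()` trace; that applies to the `+ return '';` line. Suggested summary line: `Validates a toggle string: returns it unchanged if every byte is in the range 58..121 (':'..'y'), otherwise returns '' so the stored preference is reset.`, with `@param string|object $param` and `@return string`. The dropped `fix_utf8()` call looks harmless because any multibyte sequence fails the byte check, but that reasoning deserves a one-line comment above the loop. Minor: both new docblocks lose the blank ` *` line between the summary and the `@param` tags.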