From bb918a02d693fb13292265724037136ede479d95 Mon Sep 17 00:00:00 2001
From: Mark Nelson <markn@moodle.com>
Date: Tue, 30 May 2017 11:59:06 +0800
Subject: [PATCH] Verification link should only verify for specified
 certificate

Also populated navigation bar.
---
 verify_certificate.php | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/verify_certificate.php b/verify_certificate.php
index 16e04f2..a99c312 100644
--- a/verify_certificate.php
+++ b/verify_certificate.php
@@ -27,11 +27,17 @@ require_once('../../config.php');
 $contextid = required_param('contextid', PARAM_INT);
 $code = optional_param('code', '', PARAM_ALPHANUM); // The code for the certificate we are verifying.
 
+$context = context::instance_by_id($contextid);
+
+$cm = get_coursemodule_from_id('customcert', $context->instanceid, 0, false, MUST_EXIST);
+$course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);
+$customcert = $DB->get_record('customcert', array('id' => $cm->instance), '*', MUST_EXIST);
+
 // Need to be logged in.
-require_login();
+require_login($course, false, $cm);
 
 // Ok, now check the user has the ability to verify certificates.
-require_capability('mod/customcert:verifycertificate', context::instance_by_id($contextid));
+require_capability('mod/customcert:verifycertificate', $context);
 
 // Set up the page.
 $pageurl = new moodle_url('/mod/customcert/verify_certificate.php', array('contextid' => $contextid));
@@ -40,7 +46,7 @@ if ($code) {
 }
 
 $PAGE->set_url($pageurl);
-$PAGE->set_context(context_system::instance());
+$PAGE->set_context($context);
 $PAGE->set_title(get_string('verifycertificate', 'customcert'));
 
 // The form we are using to verify these codes.
@@ -62,9 +68,10 @@ if ($form->get_data()) {
               JOIN {user} u
                 ON ci.userid = u.id
              WHERE ci.code = :code
+               AND c.id = :customcertid
                AND u.deleted = 0";
     // It is possible (though unlikely) that there is the same code for issued certificates.
-    if ($issues = $DB->get_records_sql($sql, array('code' => $code))) {
+    if ($issues = $DB->get_records_sql($sql, array('code' => $code, 'customcertid' => $customcert->id))) {
         $result->success = true;
         $result->issues = $issues;
     } else {