Fixes #915

timschofield · timschofield · commit d216d061ec11 · 2026-05-03T20:28:46.000+01:00
1. Added security token validation in the POST handler (lines 20-22)
2. Added user guidance message when no reviews exist (lines 115-137)

Files changed in commit:
HRPerformanceRatings.php
diff --git a/HRPerformanceRatings.php b/HRPerformanceRatings.php
@@ -17,14 +17,17 @@
 
 // Handle form submission
 if (isset($_POST['SubmitRatings'])) {
-	$ReviewID = (int)$_POST['ReviewID'];
-
-	if ($ReviewID > 0) {
+	if (!hash_equals($_SESSION['FormID'], $_POST['FormID'])) {
+		prnMsg(__('Form token validation failed'), 'error');
+	} elseif (isset($_POST['ReviewID']) && (int)$_POST['ReviewID'] > 0) {
+		$ReviewID = (int)$_POST['ReviewID'];
 		DB_Txn_Begin();
 
-		// Delete existing ratings for this review
+		/* Delete existing ratings inside a transaction so that if any
+		 * subsequent insert fails, the connection close rolls back the
+		 * delete automatically — leaving the original data intact. */
 		$SQL = "DELETE FROM hrperformanceratings WHERE reviewid = " . $ReviewID;
-		DB_query($SQL);
+		DB_query($SQL, __('Could not delete existing ratings'));
 
 		// Insert new ratings
 		$TotalWeightedScore = 0;
@@ -41,6 +44,10 @@
 				$SQL = "SELECT weight FROM hrperformancecriteria WHERE criteriaid = " . $CriteriaID;
 				$Result = DB_query($SQL);
 				$CriteriaRow = DB_fetch_array($Result);
+				if ($CriteriaRow === false) {
+					/* Criteria no longer exists — skip this rating */
+					continue;
+				}
 				$Weight = $CriteriaRow['weight'];
 
 				$WeightedScore = $Rating * ($Weight / 100);
@@ -57,7 +64,7 @@
 							'" . $_SESSION['UserID'] . "',
 							NOW()
 						)";
-				DB_query($SQL);
+				DB_query($SQL, __('Could not insert performance rating'));
 
 				$TotalWeightedScore += $WeightedScore;
 				$TotalWeight += $Weight;
@@ -105,17 +112,29 @@
 			ORDER BY pr.reviewdate DESC, e.lastname, e.firstname";
 	$Result = DB_query($SQL);
 
-	while ($Row = DB_fetch_array($Result)) {
-		echo '<option value="' . $Row['reviewid'] . '">' .
-			$Row['employeenumber'] . ' - ' . $Row['firstname'] . ' ' . $Row['lastname'] .
-			' (' . ConvertSQLDate($Row['reviewdate']) . ' - ' . $Row['reviewtype'] . ')' .
-			'</option>';
-	}
+	if (DB_num_rows($Result) == 0) {
+		echo '</select></td>
+			</tr>
+			</table>
+		</form>';
+		echo '<div style="background-color: #fff3cd; padding: 15px; margin: 20px 0; border: 1px solid #ffc107; border-radius: 4px;">
+				<p><strong>' . __('No Performance Reviews Found') . '</strong></p>
+				<p>' . __('Before you can add performance ratings, you need to create a performance review first.') . '</p>
+				<p>' . __('Please visit') . ' <a href="' . htmlspecialchars($RootPath . '/HRPerformanceReviews.php', ENT_QUOTES, 'UTF-8') . '">' . __('Performance Reviews') . '</a> ' . __('to create a new review.') . '</p>
+			</div>';
+	} else {
+		while ($Row = DB_fetch_array($Result)) {
+			echo '<option value="' . $Row['reviewid'] . '">' .
+				$Row['employeenumber'] . ' - ' . $Row['firstname'] . ' ' . $Row['lastname'] .
+				' (' . ConvertSQLDate($Row['reviewdate']) . ' - ' . $Row['reviewtype'] . ')' .
+				'</option>';
+		}
 
-	echo '</select></td>
+		echo '</select></td>
 			</tr>
 			</table>
 		</form>';
+	}
 }
 
 // Display rating form
@@ -154,7 +173,7 @@
 					<td><strong>' . __('Review Type') . ':</strong></td>
 					<td>' . __($ReviewRow['reviewtype']) . '</td>
 					<td><strong>' . __('Overall Rating') . ':</strong></td>
-					<td>' . __($ReviewRow['overallrating']) . '</td>
+					<td>' . htmlspecialchars($ReviewRow['overallrating'], ENT_QUOTES, 'UTF-8') . '</td>
 				</tr>
 			</table>
 		</div>';
