MDL-24561 forum subscription checks sesskey - backported from 2.0

The only case when sesskey is not available is when we came to
subscribe.php from a link in email. In that case, we display a
confirmation page that redirects back providing the sesskey.
All other links to subscribe.php are fixed now so they provide sesskey
as a parameter.
commit 0b393d67167fe7b2b64d4f4f97b6e03beb0cadbb 1 parent 44ddbc6
@mudrd8mz mudrd8mz authored
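--- a/index.php
+++ b/index.php
@@ -208,7 +208,7 @@
 $subtext = get_string('subscribe', 'forum');
 }
 print_heading_block($newsforum->name);
- echo '<div class="subscribelink"><a href="mod/forum/subscribe.php?id='.$newsforum->id.'">'.$subtext.'</a></div>';
+ echo '<div class="subscribelink"><a href="mod/forum/subscribe.php?id='.$newsforum->id.'&amp;sesskey='.sesskey().'">'.$subtext.'</a></div>';
 } else {
 print_heading_block($newsforum->name);
 }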
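Review bot: The subscribe link on the changed line now carries the session key in a GET URL, so the token ends up in browser history, proxy logs and the Referer header of any page reached from subscribe.php; both hunks of mod/forum/view.php use the same pattern. A POST form, as the print_single_button() call in mod/forum/lib.php already does for the same action, keeps the token out of the URL, and the GET form is then only needed for the JavaScript/no-script fallback. If these links must stay GET, a short comment such as `// sesskey in the query string: subscribe.php treats its absence as "came from email" and asks for confirmation` would explain why the parameter is there at all.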
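--- a/lang/en_utf8/forum.php
+++ b/lang/en_utf8/forum.php
@@ -47,6 +47,8 @@
 $string['configshortpost'] = 'Any post under this length (in characters not including HTML) is considered short (see below).';
 $string['configtrackreadposts'] = 'Set to \'yes\' if you want to track read/unread for each user.';
 $string['configusermarksread'] = 'If \'yes\', the user must manually mark a post as read. If \'no\', when the post is viewed it is marked as read.';
+$string['confirmsubscribe'] = 'Do you really want to subscribe to forum \'{$a}\'?';
+$string['confirmunsubscribe'] = 'Do you really want to unsubscribe from forum \'{$a}\'?';
 $string['couldnotadd'] = 'Could not add your post due to an unknown error';
 $string['couldnotdeleteratings'] = 'Sorry, that cannot be deleted as people have already rated it';
 $string['couldnotdeletereplies'] = 'Sorry, that cannot be deleted as people have already responded to it';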
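--- a/mod/forum/lib.php
+++ b/mod/forum/lib.php
@@ -4299,6 +4299,7 @@ function forum_get_subscribe_link($forum, $context, $messages = array(), $cantac
 $backtoindexlink = '';
 }
 $link = '';
+ $sesskeylink = '&amp;sesskey='.sesskey();
 if ($fakelink) {
 $link .= <<<EOD
@@ -4306,14 +4307,15 @@ function forum_get_subscribe_link($forum, $context, $messages = array(), $cantac
 //<![CDATA[
 var subs_link = document.getElementById("subscriptionlink");
 if(subs_link){
- subs_link.innerHTML = "<a title=\"$linktitle\" href='$CFG->wwwroot/mod/forum/subscribe.php?id={$forum->id}{$backtoindexlink}'>$linktext<\/a>";
+ subs_link.innerHTML = "<a title=\"$linktitle\" href='$CFG->wwwroot/mod/forum/subscribe.php?id={$forum->id}{$backtoindexlink}{$sesskeylink}'>$linktext<\/a>";
 }
 //]]>
 </script>
 <noscript>
 EOD;
 }
- $options ['id'] = $forum->id;
+ $options['id'] = $forum->id;
+ $options['sesskey'] = sesskey();
 $link .= print_single_button($CFG->wwwroot . '/mod/forum/subscribe.php',
 $options, $linktext, 'post', '_self', true, $linktitle);
 if ($fakelink) {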
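Review bot: sesskey() is called twice across the two hunks, once for `$sesskeylink` in the first and again for `$options['sesskey']` in the second, and `$sesskeylink` is built even when `$fakelink` is false and the JavaScript anchor is never emitted. Fetching it once with `$sesskey = sesskey();` before the `if ($fakelink)` and using it in both places makes it obvious that the anchor and the POST form carry the same token, and moving the `$sesskeylink` assignment inside the `$fakelink` branch keeps it next to its only use. forum_get_subscribe_link() starts and ends outside the hunks.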
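--- a/mod/forum/subscribe.php
+++ b/mod/forum/subscribe.php
@@ -1,4 +1,4 @@
-<?php // $Id$
+<?php
 // Subscribe to or unsubscribe from a forum.
@@ -8,6 +8,7 @@
 $id = required_param('id',PARAM_INT); // The forum to subscribe or unsubscribe to
 $force = optional_param('force','',PARAM_ALPHA); // Force everyone to be subscribed to this forum?
 $user = optional_param('user',0,PARAM_INT);
+ $sesskey = optional_param('sesskey', null, PARAM_RAW);
 if (! $forum = get_record("forum", "id", $id)) {
 error("Forum ID was incorrect");
@@ -25,6 +26,7 @@
 }
 if ($user) {
+ require_sesskey();
 if (!has_capability('mod/forum:managesubscriptions', $context)) {
 error('You do not have the permission to subscribe/unsubscribe other people!');
 }
@@ -65,6 +67,7 @@
 : "view.php?f=$id";
 if ($force and has_capability('mod/forum:managesubscriptions', $context)) {
+ require_sesskey();
 if (forum_is_forcesubscribed($forum)) {
 forum_forcesubscribe($forum->id, 0);
 redirect($returnto, get_string("everyonecannowchoose", "forum"), 1);
@@ -81,7 +84,20 @@
 $info->name = fullname($user);
 $info->forum = format_string($forum->name);
+ if ($user->id == $USER->id) {
+ $selflink = 'subscribe.php?id='.$id.'&amp;sesskey='.sesskey();
+ } else {
+ $selflink = 'subscribe.php?id='.$id.'&amp;user='.$user->id.'&amp;sesskey='.sesskey();
+ }
+
 if (forum_is_subscribed($user->id, $forum->id)) {
+ if (is_null($sesskey)) { // we came here via link in email
+ $navigation = build_navigation('', $cm);
+ print_header($course->shortname, $course->fullname, $navigation, '', '', true, '', navmenu($course, $cm));
+ notice_yesno(get_string('confirmunsubscribe', 'forum', format_string($forum->name)), $selflink, $returnto);
+ print_footer($course);
+ exit;
+ }
 if (forum_unsubscribe($user->id, $forum->id)) {
 add_to_log($course->id, "forum", "unsubscribe", "view.php?f=$forum->id", $forum->id, $cm->id);
 redirect($returnto, get_string("nownotsubscribed", "forum", $info), 1);
@@ -97,6 +113,13 @@
 if (!has_capability('mod/forum:viewdiscussion', $context)) {
 error("Could not subscribe you to that forum", $_SERVER["HTTP_REFERER"]);
 }
+ if (is_null($sesskey)) { // we came here via link in email
+ $navigation = build_navigation('', $cm);
+ print_header($course->shortname, $course->fullname, $navigation, '', '', true, '', navmenu($course, $cm));
+ notice_yesno(get_string('confirmsubscribe', 'forum', format_string($forum->name)), $selflink, $returnto);
+ print_footer($course);
+ exit;
+ }
 if (forum_subscribe($user->id, $forum->id) ) {
 add_to_log($course->id, "forum", "subscribe", "view.php?f=$forum->id", $forum->id, $cm->id);
 redirect($returnto, get_string("nowsubscribed", "forum", $info), 1);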
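Review bot: In the self-subscription path the new `is_null($sesskey)` guards (hunks at -81 and -97) only test that a sesskey parameter is present, not that it matches the session: once any value is supplied, the code falls through to forum_unsubscribe() and forum_subscribe() without calling require_sesskey(), so the check the commit adds for the `$user` and `$force` branches is missing exactly where the email-link confirmation lands, and a link carrying an arbitrary sesskey value still changes the subscription. Add `require_sesskey();` immediately after each confirmation block, i.e. before `if (forum_unsubscribe($user->id, $forum->id)) {` and before `if (forum_subscribe($user->id, $forum->id) ) {`, so the confirmation page's own redirect (which carries a real sesskey) is the only thing that passes. With that in place `$sesskey` is purely a presence flag, which is worth saying in its comment: `// only used to detect the email-link case; validity is checked by require_sesskey() below`. The script continues outside the hunks.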
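--- a/mod/forum/view.php
+++ b/mod/forum/view.php
@@ -131,7 +131,7 @@
 helpbutton("subscription", $strallowchoice, "forum");
 echo '&nbsp;<span class="helplink">';
 if (has_capability('mod/forum:managesubscriptions', $context)) {
- echo "<a title=\"$strallowchoice\" href=\"subscribe.php?id=$forum->id&amp;force=no\">$strallowchoice</a>";
+ echo "<a title=\"$strallowchoice\" href=\"subscribe.php?id=$forum->id&amp;force=no&amp;sesskey=".sesskey()."\">$strallowchoice</a>";
 } else {
 echo $streveryoneisnowsubscribed;
 }
@@ -150,7 +150,7 @@
 echo '&nbsp;';
 if (has_capability('mod/forum:managesubscriptions', $context)) {
- echo "<span class=\"helplink\"><a title=\"$strforcesubscribe\" href=\"subscribe.php?id=$forum->id&amp;force=yes\">$strforcesubscribe</a></span>";
+ echo "<span class=\"helplink\"><a title=\"$strforcesubscribe\" href=\"subscribe.php?id=$forum->id&amp;force=yes&amp;sesskey=".sesskey()."\">$strforcesubscribe</a></span>";
 } else {
 echo '<span class="helplink">'.$streveryonecannowchoose.'</span>';
 }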