
MDL-21859 fixed sesskey protection on email actions

1 parent 838093a commit 12b9842c6b76c91fdbd031ebec1353aa489c7aa0 @skodak skodak committed Mar 18, 2010
Showing with 4 additions and 4 deletions.
  1. +4 −4 user/view.php
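--- a/user/view.php
+++ b/user/view.php
@@ -260,11 +260,11 @@
 $emailswitch = '';
 if (has_capability('moodle/course:useremail', $coursecontext) or $currentuser) { /// Can use the enable/disable email stuff
- if (!empty($enable)) { /// Recieved a parameter to enable the email address
+ if (!empty($enable) and confirm_sesskey()) { /// Recieved a parameter to enable the email address
 set_field('user', 'emailstop', 0, 'id', $user->id);
 $user->emailstop = 0;
 }
- if (!empty($disable)) { /// Recieved a parameter to disable the email address
+ if (!empty($disable) and confirm_sesskey()) { /// Recieved a parameter to disable the email address
 set_field('user', 'emailstop', 1, 'id', $user->id);
 $user->emailstop = 1;
 }
@@ -283,7 +283,7 @@
 $switchpix = 'email.gif';
 }
 $emailswitch = "&nbsp;<a title=\"$switchclick\" ".
- "href=\"view.php?id=$user->id&amp;course=$course->id&amp;$switchparam=1\">".
+ "href=\"view.php?id=$user->id&amp;course=$course->id&amp;$switchparam=1&amp;sesskey=".sesskey()."\">".
 "<img src=\"$CFG->pixpath/t/$switchpix\" alt=\"$switchclick\" /></a>";
 } else if ($currentuser) { /// Can only re-enable an email this way
@@ -293,7 +293,7 @@
 $switchclick = get_string('emailenableclick');
 $emailswitch = "&nbsp;(<a title=\"$switchclick\" ".
- "href=\"view.php?id=$user->id&amp;course=$course->id&amp;enable=1\">$switchtitle</a>)";
+ "href=\"view.php?id=$user->id&amp;course=$course->id&amp;enable=1&amp;sesskey=".sesskey()."\">$switchtitle</a>)";
 }
 }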
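Review bot: The session key now travels in a GET query string: the two links built in the second and third hunks append `sesskey=` to the `view.php?...` href, so after a click the token stays in the address bar, browser history and access logs, and may be sent in the Referer header to any external link or resource the profile page renders. Consider redirecting to the clean URL once the `set_field()` calls in the first hunk have run, e.g. `redirect("view.php?id=$user->id&course=$course->id");`, or turning the toggle into a small POST form. Separately, when `confirm_sesskey()` returns false the request is dropped without any feedback; a comment such as `/// Missing or invalid sesskey: the toggle request is ignored on purpose` would make that intent explicit. The enclosing `if` block starts and ends outside the hunks, so whether page output has already begun at this point cannot be seen from here.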
