course/mod.php is using sesskey.

commit 55b55d08f9ab28787d0f5796bfaf4e2ce2c84b74 1 parent 952d9ba
stronk7 authored
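--- a/blocks/site_main_menu/block_site_main_menu.php
+++ b/blocks/site_main_menu/block_site_main_menu.php
@@ -54,7 +54,7 @@ function get_content() {
 if ($ismoving) {
 $this->content->icons[] = '&nbsp;<img align="bottom" src="'.$CFG->pixpath.'/t/move.gif" height="11" width="11">';
-$this->content->items[] = $USER->activitycopyname.'&nbsp;(<a href="'.$CFG->wwwroot.'/course/mod.php?cancelcopy=true">'.$strcancel.'</a>)';
+$this->content->items[] = $USER->activitycopyname.'&nbsp;(<a href="'.$CFG->wwwroot.'/course/mod.php?cancelcopy=true&amp;sesskey='.$USER->sesskey.'">'.$strcancel.'</a>)';
 }
 if (!empty($section->sequence)) {
@@ -82,7 +82,7 @@ function get_content() {
 if ($mod->id == $USER->activitycopy) {
 continue;
 }
-$this->content->items[] = '<a title="'.$strmovefull.'" href="'.$CFG->wwwroot.'/course/mod.php?moveto='.$mod->id.'">'.
+$this->content->items[] = '<a title="'.$strmovefull.'" href="'.$CFG->wwwroot.'/course/mod.php?moveto='.$mod->id.'&amp;sesskey='.$USER->sesskey.'">'.
 '<img height="16" width="80" src="'.$CFG->pixpath.'/movehere.gif" alt="'.$strmovehere.'" border="0"></a>';
 $this->content->icons[] = '';
 }
@@ -115,7 +115,7 @@ function get_content() {
 }
 if ($ismoving) {
-$this->content->items[] = '<a title="'.$strmovefull.'" href="'.$CFG->wwwroot.'/course/mod.php?movetosection='.$section->id.'">'.
+$this->content->items[] = '<a title="'.$strmovefull.'" href="'.$CFG->wwwroot.'/course/mod.php?movetosection='.$section->id.'&amp;sesskey='.$USER->sesskey.'">'.
 '<img height="16" width="80" src="'.$CFG->pixpath.'/movehere.gif" alt="'.$strmovehere.'" border="0"></a>';
 $this->content->icons[] = '';
 }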
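Review bot: The three mod.php link builders changed here (cancelcopy, moveto, movetosection) are the same strings that print_section in course/lib.php emits, so the sesskey parameter now has to be kept in step in two places; a small shared helper such as `function mod_action_url($params) { global $CFG, $USER; return $CFG->wwwroot.'/course/mod.php?'.$params.'&amp;sesskey='.$USER->sesskey; }` would give one place to change if the token's name or transport ever moves. `$USER->sesskey` is concatenated straight into an href attribute; that is safe only while the key is guaranteed to be a plain server-generated string, and wrapping it in `htmlspecialchars()` removes the assumption at no cost. get_content() begins before the first hunk and continues after the last, so its full control flow is not visible here.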
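--- a/course/format/topics/format.php
+++ b/course/format/topics/format.php
@@ -84,7 +84,7 @@
 echo "<tr>";
 echo "<td colspan=3 valign=top bgcolor=\"$THEME->cellcontent\" class=\"topicoutlineclip\" width=\"100%\">";
 echo "<p><font size=2>";
-echo "$stractivityclipboard&nbsp;&nbsp;(<a href=\"mod.php?cancelcopy=true\">$strcancel</a>)";
+echo "$stractivityclipboard&nbsp;&nbsp;(<a href=\"mod.php?cancelcopy=true&amp;sesskey=$USER->sesskey\">$strcancel</a>)";
 echo "</font></p>";
 echo "</td>";
 echo "</tr>";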
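Review bot: This cancel-copy link is now the same string as in course/format/weeks/format.php and (with an absolute path) in blocks/site_main_menu and course/lib.php, so four copies carry the sesskey parameter and will drift independently; a single helper that builds the mod.php action URL would keep the CSRF token in one place. The key is interpolated raw into the href — fine only if `$USER->sesskey` is always a plain server-generated string; otherwise escape it, e.g. `&amp;sesskey=".htmlspecialchars($USER->sesskey)."\">`. This is a top-level include, so `$USER` is presumably in scope from the caller rather than declared here; confirm that rather than assume it.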
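--- a/course/format/weeks/format.php
+++ b/course/format/weeks/format.php
@@ -74,7 +74,7 @@
 echo "<tr>";
 echo "<td colspan=3 valign=top bgcolor=\"$THEME->cellcontent\" class=\"weeklyoutlineclip\" width=\"100%\">";
 echo "<p><font size=2>";
-echo "$stractivityclipboard&nbsp;&nbsp;(<a href=\"mod.php?cancelcopy=true\">$strcancel</a>)";
+echo "$stractivityclipboard&nbsp;&nbsp;(<a href=\"mod.php?cancelcopy=true&amp;sesskey=$USER->sesskey\">$strcancel</a>)";
 echo "</font></p>";
 echo "</td>";
 echo "</tr>";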
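--- a/course/lib.php
+++ b/course/lib.php
@@ -899,7 +899,7 @@ function print_section($course, $section, $mods, $modnamesused, $absolute=false,
 continue;
 }
 echo "<a title=\"$strmovefull\"".
-" href=\"$CFG->wwwroot/course/mod.php?moveto=$mod->id\">".
+" href=\"$CFG->wwwroot/course/mod.php?moveto=$mod->id&amp;sesskey=$USER->sesskey\">".
 "<img height=\"16\" width=\"80\" src=\"$CFG->pixpath/movehere.gif\" ".
 " alt=\"$strmovehere\" border=\"0\"></a><br />\n";
 }
@@ -959,7 +959,7 @@ function print_section($course, $section, $mods, $modnamesused, $absolute=false,
 }
 if ($ismoving) {
 echo "<tr><td><a title=\"$strmovefull\"".
-" href=\"$CFG->wwwroot/course/mod.php?movetosection=$section->id\">".
+" href=\"$CFG->wwwroot/course/mod.php?movetosection=$section->id&amp;sesskey=$USER->sesskey\">".
 "<img height=\"16\" width=\"80\" src=\"$CFG->pixpath/movehere.gif\" ".
 " alt=\"$strmovehere\" border=\"0\"></a></td></tr>\n";
 }
@@ -970,7 +970,7 @@ function print_section($course, $section, $mods, $modnamesused, $absolute=false,
 function print_section_add_menus($course, $section, $modnames, $vertical=false, $return=false) {
 // Prints the menus to add activities and resources
-global $CFG;
+global $CFG, $USER;
 static $straddactivity, $stractivities, $straddresource, $resources;
 if (!isset($straddactivity)) {
@@ -990,7 +990,7 @@ function print_section_add_menus($course, $section, $modnames, $vertical=false,
 $output = '';
 $output .= '<div align="right"><table align="right"><tr><td>';
-$output .= popup_form("$CFG->wwwroot/course/mod.php?id=$course->id&amp;section=$section&add=",
+$output .= popup_form("$CFG->wwwroot/course/mod.php?id=$course->id&amp;section=$section&amp;sesskey=$USER->sesskey&add=",
 $resources, "ressection$section", "", $straddresource, 'resource/types', $straddresource, true);
 $output .= '</td>';
@@ -999,7 +999,7 @@ function print_section_add_menus($course, $section, $modnames, $vertical=false,
 }
 $output .= '<td>';
-$output .= popup_form("$CFG->wwwroot/course/mod.php?id=$course->id&amp;section=$section&add=",
+$output .= popup_form("$CFG->wwwroot/course/mod.php?id=$course->id&amp;section=$section&amp;sesskey=$USER->sesskey&add=",
 $modnames, "section$section", "", $straddactivity, 'mods', $straddactivity, true);
 $output .= '</td></tr></table>';
 $output .= '</div>';
@@ -1653,7 +1653,7 @@ function move_module($cm, $move) {
 }
 function make_editing_buttons($mod, $absolute=false, $moveselect=true, $indent=-1) {
-global $CFG, $THEME;
+global $CFG, $THEME, $USER;
 static $str;
@@ -1688,10 +1688,10 @@ function make_editing_buttons($mod, $absolute=false, $moveselect=true, $indent=-
 }
 if ($mod->visible) {
-$hideshow = "<a title=\"$str->hide\" href=\"$path/mod.php?hide=$mod->id\"><img".
+$hideshow = "<a title=\"$str->hide\" href=\"$path/mod.php?hide=$mod->id&amp;sesskey=$USER->sesskey\"><img".
 " src=\"$pixpath/t/hide.gif\" hspace=\"2\" height=\"11\" width=\"11\" border=\"0\" alt=\"$str->hide\"></a> ";
 } else {
-$hideshow = "<a title=\"$str->show\" href=\"$path/mod.php?show=$mod->id\"><img".
+$hideshow = "<a title=\"$str->show\" href=\"$path/mod.php?show=$mod->id&amp;sesskey=$USER->sesskey\"><img".
 " src=\"$pixpath/t/show.gif\" hspace=\"2\" height=\"11\" width=\"11\" ".
 "border=\"0\" alt=\"$str->show\"></a> ";
 }
@@ -1699,15 +1699,15 @@ function make_editing_buttons($mod, $absolute=false, $moveselect=true, $indent=-
 if ($mod->groupmode == SEPARATEGROUPS) {
 $grouptitle = $str->groupsseparate;
 $groupimage = "$pixpath/t/groups.gif";
-$grouplink = "$path/mod.php?id=$mod->id&groupmode=0";
+$grouplink = "$path/mod.php?id=$mod->id&groupmode=0&amp;sesskey=$USER->sesskey";
 } else if ($mod->groupmode == VISIBLEGROUPS) {
 $grouptitle = $str->groupsvisible;
 $groupimage = "$pixpath/t/groupv.gif";
-$grouplink = "$path/mod.php?id=$mod->id&groupmode=1";
+$grouplink = "$path/mod.php?id=$mod->id&groupmode=1&amp;sesskey=$USER->sesskey";
 } else {
 $grouptitle = $str->groupsnone;
 $groupimage = "$pixpath/t/groupn.gif";
-$grouplink = "$path/mod.php?id=$mod->id&groupmode=2";
+$grouplink = "$path/mod.php?id=$mod->id&groupmode=2&amp;sesskey=$USER->sesskey";
 }
 if ($mod->groupmodelink) {
 $groupmode = "<a title=\"$grouptitle ($str->clicktochange)\" href=\"$grouplink\">".
@@ -1723,37 +1723,37 @@ function make_editing_buttons($mod, $absolute=false, $moveselect=true, $indent=-
 }
 if ($moveselect) {
-$move = "<a title=\"$str->move\" href=\"$path/mod.php?copy=$mod->id\"><img".
+$move = "<a title=\"$str->move\" href=\"$path/mod.php?copy=$mod->id&amp;sesskey=$USER->sesskey\"><img".
 " src=\"$pixpath/t/move.gif\" hspace=\"2\" height=\"11\" width=\"11\" ".
 " border=\"0\" alt=\"$str->move\"></a>";
 } else {
-$move = "<a title=\"$str->moveup\" href=\"$path/mod.php?id=$mod->id&move=-1\"><img".
+$move = "<a title=\"$str->moveup\" href=\"$path/mod.php?id=$mod->id&move=-1&amp;sesskey=$USER->sesskey\"><img".
 " src=\"$pixpath/t/up.gif\" hspace=\"2\" height=\"11\" width=\"11\" ".
 " border=\"0\" alt=\"$str->moveup\"></a>".
-"<a title=\"$str->movedown\" href=\"$path/mod.php?id=$mod->id&move=1\"><img".
+"<a title=\"$str->movedown\" href=\"$path/mod.php?id=$mod->id&move=1&amp;sesskey=$USER->sesskey\"><img".
 " src=\"$pixpath/t/down.gif\" hspace=\"2\" height=\"11\" width=\"11\" ".
 " border=\"0\" alt=\"$str->movedown\"></a>";
 }
 $leftright = "";
 if ($indent > 0) {
-$leftright .= "<a title=\"$str->moveleft\" href=\"$path/mod.php?id=$mod->id&indent=-1\"><img".
+$leftright .= "<a title=\"$str->moveleft\" href=\"$path/mod.php?id=$mod->id&indent=-1&amp;sesskey=$USER->sesskey\"><img".
 " src=\"$pixpath/t/left.gif\" hspace=\"2\" height=\"11\" width=\"11\" ".
 " border=\"0\" alt=\"$str->moveleft\"></a>";
 }
 if ($indent >= 0) {
-$leftright .= "<a title=\"$str->moveright\" href=\"$path/mod.php?id=$mod->id&indent=1\"><img".
+$leftright .= "<a title=\"$str->moveright\" href=\"$path/mod.php?id=$mod->id&indent=1&amp;sesskey=$USER->sesskey\"><img".
 " src=\"$pixpath/t/right.gif\" hspace=\"2\" height=\"11\" width=\"11\" ".
 " border=\"0\" alt=\"$str->moveright\"></a>";
 }
 return "$leftright$move".
-"<a title=\"$str->update\" href=\"$path/mod.php?update=$mod->id\"><img".
+"<a title=\"$str->update\" href=\"$path/mod.php?update=$mod->id&amp;sesskey=$USER->sesskey\"><img".
 " src=\"$pixpath/t/edit.gif\" hspace=\"2\" height=\"11\" width=\"11\" border=\"0\" ".
 " alt=\"$str->update\"></a>".
 // Following line is commented out until this feature is more definite -- martin
-// "<a title=\"$str->duplicate\" href=\"$path/mod.php?duplicate=$mod->id\"> 2 </a>".
-"<a title=\"$str->delete\" href=\"$path/mod.php?delete=$mod->id\"><img".
+// "<a title=\"$str->duplicate\" href=\"$path/mod.php?duplicate=$mod->id&amp;sesskey=$USER->sesskey\"> 2 </a>".
+"<a title=\"$str->delete\" href=\"$path/mod.php?delete=$mod->id&amp;sesskey=$USER->sesskey\"><img".
 " src=\"$pixpath/t/delete.gif\" hspace=\"2\" height=\"11\" width=\"11\" border=\"0\" ".
 " alt=\"$str->delete\"></a>$hideshow$groupmode";
 }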
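Review bot: The rewritten hrefs in make_editing_buttons now mix raw `&` and `&amp;` inside one attribute value — `?id=$mod->id&groupmode=0&amp;sesskey=`, `&move=-1&amp;sesskey=`, `&indent=1&amp;sesskey=` — and print_section_add_menus does the same with `&amp;sesskey=$USER->sesskey&add=`; browsers tolerate it, but the pre-existing bare ampersands are now the only unescaped ones left in these strings and a stricter HTML parser or validator treats them differently from the new separator, so while the lines are being touched make them uniform, e.g. `$grouplink = "$path/mod.php?id=$mod->id&amp;groupmode=0&amp;sesskey=$USER->sesskey";` (for the popup_form URL, keep `&add=` only if popup_form demonstrably needs a raw `&` in the JavaScript it emits — that is not visible here). `$USER->sesskey` is interpolated unescaped into attribute values throughout; that is acceptable only if the key is guaranteed to be a server-generated token with no HTML metacharacters, which this file does not show, so either document that invariant or pass it through `htmlspecialchars()`. print_section's own `global` line is outside the hunk, so confirm `$USER` is declared there as it now is in print_section_add_menus and make_editing_buttons. Both functions extend beyond the hunks shown.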
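--- a/course/mod.php
+++ b/course/mod.php
@@ -27,6 +27,14 @@
 if (isset($_POST["course"])) { // add or update form submitted
+//It caller is correct, $SESSION->sesskey must exist and coincide
+if (empty($SESSION->sesskey) or !confirm_sesskey($SESSION->sesskey)) {
+error(get_string('confirmsesskeybad', 'error'));
+}
+
+//Unset this, check done
+unset($SESSION->sesskey);
+
 if (!$course = get_record("course", "id", $mod->course)) {
 error("This course doesn't exist");
 }
@@ -165,7 +173,7 @@
 }
-if (isset($_GET['move'])) {
+if (isset($_GET['move']) and confirm_sesskey()) {
 require_variable($id);
@@ -189,7 +197,7 @@
 }
 exit;
-} else if (isset($_GET['movetosection']) or isset($_GET['moveto'])) {
+} else if ((isset($_GET['movetosection']) or isset($_GET['moveto'])) and confirm_sesskey()) {
 if (! $cm = get_record("course_modules", "id", $USER->activitycopy)) {
 error("The copied course module doesn't exist!");
@@ -233,7 +241,7 @@
 redirect("view.php?id=$section->course");
 }
-} else if (isset($_GET['indent'])) {
+} else if (isset($_GET['indent']) and confirm_sesskey()) {
 require_variable($id);
@@ -259,7 +267,7 @@
 }
 exit;
-} else if (isset($_GET['hide'])) {
+} else if (isset($_GET['hide']) and confirm_sesskey()) {
 if (! $cm = get_record("course_modules", "id", $_GET['hide'])) {
 error("This course module doesn't exist");
@@ -281,7 +289,7 @@
 }
 exit;
-} else if (isset($_GET['show'])) {
+} else if (isset($_GET['show']) and confirm_sesskey()) {
 if (! $cm = get_record("course_modules", "id", $_GET['show'])) {
 error("This course module doesn't exist");
@@ -313,7 +321,7 @@
 }
 exit;
-} else if (isset($_GET['groupmode'])) {
+} else if (isset($_GET['groupmode']) and confirm_sesskey()) {
 if (! $cm = get_record("course_modules", "id", $_GET['id'])) {
 error("This course module doesn't exist");
@@ -335,7 +343,7 @@
 }
 exit;
-} else if (isset($_GET['copy'])) { // value = course module
+} else if (isset($_GET['copy']) and confirm_sesskey()) { // value = course module
 if (! $cm = get_record("course_modules", "id", $_GET['copy'])) {
 error("This course module doesn't exist");
@@ -363,7 +371,7 @@
 redirect("view.php?id=$cm->course");
-} else if (isset($_GET['cancelcopy'])) { // value = course module
+} else if (isset($_GET['cancelcopy']) and confirm_sesskey()) { // value = course module
 $courseid = $USER->activitycopycourse;
@@ -373,7 +381,7 @@
 redirect("view.php?id=$courseid");
-} else if (isset($_GET['delete'])) { // value = course module
+} else if (isset($_GET['delete']) and confirm_sesskey()) { // value = course module
 if (! $cm = get_record("course_modules", "id", $_GET['delete'])) {
 error("This course module doesn't exist");
@@ -412,6 +420,7 @@
 $form->modulename = $module->name;
 $form->fullmodulename = $fullmodulename;
 $form->instancename = $instance->name;
+$SESSION->sesskey = !empty($USER->id) ? $USER->sesskey : '';
 $strdeletecheck = get_string("deletecheck", "", "$form->fullmodulename");
 $strdeletecheckfull = get_string("deletecheckfull", "", "$form->fullmodulename '$form->instancename'");
@@ -428,7 +437,7 @@
 exit;
-} else if (isset($_GET['update'])) { // value = course module
+} else if (isset($_GET['update']) and confirm_sesskey()) { // value = course module
 if (! $cm = get_record("course_modules", "id", $_GET['update'])) {
 error("This course module doesn't exist");
@@ -465,6 +474,7 @@
 $form->modulename = $module->name;
 $form->instance = $cm->instance;
 $form->mode = "update";
+$SESSION->sesskey = !empty($USER->id) ? $USER->sesskey : '';
 $sectionname = get_string("name$course->format");
 $fullmodulename = strtolower(get_string("modulename", $module->name));
@@ -477,7 +487,7 @@
 $pageheading = get_string("updatinga", "moodle", $fullmodulename);
 }
-} else if (isset($_GET['duplicate'])) { // value = course module
+} else if (isset($_GET['duplicate']) and confirm_sesskey()) { // value = course module
 if (! $cm = get_record("course_modules", "id", $_GET['duplicate'])) {
 error("This course module doesn't exist");
@@ -516,6 +526,7 @@
 $form->modulename = $module->name;
 $form->instance = $cm->instance;
 $form->mode = "add";
+$SESSION->sesskey = !empty($USER->id) ? $USER->sesskey : '';
 $sectionname = get_string("name$course->format");
 $fullmodulename = strtolower(get_string("modulename", $module->name));
@@ -529,7 +540,7 @@
 }
-} else if (isset($_GET['add'])) {
+} else if (isset($_GET['add']) and confirm_sesskey()) {
 if (empty($_GET['add'])) {
 redirect($_SERVER["HTTP_REFERER"]);
@@ -554,6 +565,7 @@
 $form->instance = "";
 $form->coursemodule = "";
 $form->mode = "add";
+$SESSION->sesskey = !empty($USER->id) ? $USER->sesskey : '';
 if (isset($_GET['type'])) {
 $form->type = $_GET['type'];
 }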
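Review bot: The POST-path check `confirm_sesskey($SESSION->sesskey)` hands confirm_sesskey() a value the server itself stored when the form was rendered, so if that function compares its argument against `$USER->sesskey` (its name and the GET-side usage suggest so, but its body is outside this diff) the submitted form is never inspected at all — a cross-site POST made while the victim has any add/update/duplicate/delete form open would pass, and the check degrades to "a form page was rendered in this session". The token should be emitted as a hidden field in the form and read back from the request, `if (!confirm_sesskey()) { error(get_string('confirmsesskeybad', 'error')); }`, which also removes the `$SESSION->sesskey` bookkeeping added in the four form-rendering branches. On the GET side, `isset($_GET['delete']) and confirm_sesskey()` and its siblings let a missing or forged key fall through the else-if chain silently rather than being reported; unless confirm_sesskey() itself terminates on mismatch, check the key once before the chain and fail loudly with the same `confirmsesskeybad` error the POST path uses. Note also that update, add, duplicate and delete render an HTML page whose URL carries `sesskey=`, so the token lands in browser history and in the Referer header of any outbound link on that page. The else-if chain continues past the last hunk.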