
MDL-20901 fixed input validation

1 parent 76c9f22 commit 57b2fa96d43ffaea8bb0645ad116254ab7544d38 @skodak skodak committed Nov 21, 2009
Showing with 4 additions and 3 deletions.
  1. +2 −1 mod/choice/lib.php
  2. +2 −2 mod/choice/view.php
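--- a/mod/choice/lib.php
+++ b/mod/choice/lib.php
@@ -222,6 +222,7 @@ function choice_show_form($choice, $user, $cm, $allresponses) {
 //show save choice button
 echo '<div class="button">';
 echo "<input type=\"hidden\" name=\"id\" value=\"$cm->id\" />";
+echo "<input type=\"hidden\" name=\"sesskey\" value=\"".sesskey()."\" />";
 if (has_capability('mod/choice:choose', $context, $user->id, false)) { //don't show save button if the logged in user is the guest user.
 if ($choicefull) {
 print_string('choicefull', 'choice');
@@ -230,7 +231,7 @@ function choice_show_form($choice, $user, $cm, $allresponses) {
 echo "<input type=\"submit\" value=\"".get_string("savemychoice","choice")."\" />";
 }
 if ($choice->allowupdate && $aaa = get_record('choice_answers', 'choiceid', $choice->id, 'userid', $user->id)) {
-echo "<br /><a href='view.php?id=".$cm->id."&amp;action=delchoice'>".get_string("removemychoice","choice")."</a>";
+echo "<br /><a href='view.php?id=".$cm->id."&amp;action=delchoice&amp;sesskey=".sesskey()."'>".get_string("removemychoice","choice")."</a>";
 }
 } else {
 print_string('havetologin', 'choice');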
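Review bot: The rewritten `removemychoice` link in the second hunk carries the session key in the query string of a GET request, so the token can end up in browser history, web-server access logs and the Referer header of requests made from the resulting page. The hidden `sesskey` field added in the first hunk avoids that exposure as long as the surrounding form, which is opened outside the hunk, is submitted with POST. I would prefer the removal to be submitted the same way; until then a comment above the link records the trade-off, for example `// sesskey travels in the URL here; move delchoice to a POST submit so it stays out of logs and Referer`. choice_show_form starts and ends outside both hunks.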
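--- a/mod/choice/view.php
+++ b/mod/choice/view.php
@@ -28,7 +28,7 @@
 print_error('badcontext');
 }
-if ($action == 'delchoice') {
+if ($action == 'delchoice' and confirm_sesskey() and has_capability('mod/choice:choose', $context) and $choice->allowupdate) {
 if ($answer = get_record('choice_answers', 'choiceid', $choice->id, 'userid', $USER->id)) {
 //print_object($answer);
 delete_records('choice_answers', 'id', $answer->id);
@@ -39,7 +39,7 @@
 update_module_button($cm->id, $course->id, $strchoice), navmenu($course, $cm));
 /// Submit any new data if there is any
-if ($form = data_submitted() && has_capability('mod/choice:choose', $context)) {
+if ($form = data_submitted() && has_capability('mod/choice:choose', $context) && confirm_sesskey()) {
 $timenow = time();
 if (has_capability('mod/choice:deleteresponses', $context)) {
 if ($action == 'delete') { //some responses need to be deleted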
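Review bot: In the second hunk, `$form = data_submitted() && has_capability(...) && confirm_sesskey()` assigns the result of the whole `&&` chain to `$form`, because `&&` binds tighter than `=`, so `$form` holds a boolean rather than the submitted data. The gate itself still works, but any later read of `$form` as an object would be wrong; the rest of the block lies outside the hunk, so I cannot tell whether that happens. I would parenthesise the assignment: `if (($form = data_submitted()) && has_capability('mod/choice:choose', $context) && confirm_sesskey()) {`. In the `delchoice` branch of the first hunk, a request with a missing or wrong sesskey appears to fall through silently, so it is worth deciding whether the user should see an error there.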
