
MDL-36600 user: improve course messaging checks

commit 60fb0ef8a97a8a6a34ab79e2f455b93cb85450b0 1 parent 4f90540
@andrewnicols andrewnicols authored samhemelryk committed
Showing with 4 additions and 2 deletions.
  1. +1 −0  user/message.html
  2. +3 −2 user/messageselect.php
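--- a/user/message.html
+++ b/user/message.html
@@ -1,5 +1,6 @@
 <form id="theform" method="post" action="messageselect.php">
 <input type="hidden" name="id" value="<?php p($id) ?>" />
+<input type="hidden" name="sesskey" value="<?php echo sesskey() ?>" />
 <input type="hidden" name="returnto" value="<?php p($returnto) ?>" />
 <input type="hidden" name="deluser" value="" />
 <?php echo $OUTPUT->box_start(); ?>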
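--- a/user/messageselect.php
+++ b/user/messageselect.php
@@ -91,7 +91,7 @@
 $count = 0;
-if ($data = data_submitted()) {
+if (($data = data_submitted()) && confirm_sesskey()) {
 foreach ($data as $k => $v) {
 if (preg_match('/^(user|teacher)(\d+)$/',$k,$m)) {
 if (!array_key_exists($m[2],$SESSION->emailto[$id])) {
@@ -136,12 +136,13 @@
 <input type="hidden" name="returnto" value="'.s($returnto).'" />
 <input type="hidden" name="id" value="'.$id.'" />
 <input type="hidden" name="format" value="'.$format.'" />
+<input type="hidden" name="sesskey" value="' . sesskey() . '" />
 ';
 echo "<h3>".get_string('previewhtml')."</h3><div class=\"messagepreview\">\n".format_text($messagebody,$format)."\n</div>\n";
 echo '<p align="center"><input type="submit" name="send" value="'.get_string('sendmessage', 'message').'" />'."\n";
 echo '<input type="submit" name="edit" value="'.get_string('update').'" /></p>';
 echo "\n</form>";
- } else if (!empty($send)) {
+ } else if (!empty($send) && require_sesskey()) {
 $good = 1;
 foreach ($SESSION->emailto[$id] as $user) {
 $good = $good && message_post_message($USER,$user,$messagebody,$format);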
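Review bot: In the second hunk, `} else if (!empty($send) && require_sesskey()) {` uses the result of require_sesskey() as a condition; its definition is not on this page, but if it returns no value and only raises an error on a mismatch (as I believe Moodle's helper does), the expression is always falsy and the send branch never runs, so no message is posted even with a valid sesskey. The check should be a statement inside the branch: keep `} else if (!empty($send)) {` and make `require_sesskey();` its first line. In the first hunk, a failing `confirm_sesskey()` skips the whole selection update silently, so any other form that posts to this script without a sesskey field would lose its selection with no error shown; calling `require_sesskey();` as the first statement inside `if ($data = data_submitted()) {` would make both paths fail in the same visible way. Both blocks continue past the end of their hunks.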