
MDL-42883 Administration: Check sessionkey before taking action on user profile fields
1 parent 88b51a7 commit 87cf7ea783bfc13baebb833e3645518feb640281 Rajesh Taneja committed with danpoltawski Nov 14, 2013
Showing with 8 additions and 5 deletions.
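--- a/user/profile/index.php
+++ b/user/profile/index.php
@@ -41,20 +41,23 @@
 break;
 case 'deletecategory':
 $id = required_param('id', PARAM_INT);
-profile_delete_category($id);
+if (confirm_sesskey()) {
+profile_delete_category($id);
+}
 redirect($redirect,get_string('deleted'));
 break;
 case 'deletefield':
 $id = required_param('id', PARAM_INT);
 $confirm = optional_param('confirm', 0, PARAM_BOOL);
+// If no userdata for profile than don't show confirmation.
 $datacount = $DB->count_records('user_info_data', array('fieldid'=>$id));
-if (data_submitted() and ($confirm and confirm_sesskey()) or $datacount===0) {
+if (((data_submitted() and $confirm) or ($datacount === 0)) and confirm_sesskey()) {
 profile_delete_field($id);
 redirect($redirect,get_string('deleted'));
 }
-//ask for confirmation
+// Ask for confirmation, as there is user data available for field.
 $fieldname = $DB->get_field('user_info_field', 'name', array('id'=>$id));
 $optionsyes = array ('id'=>$id, 'confirm'=>1, 'action'=>'deletefield', 'sesskey'=>sesskey());
 $strheading = get_string('profiledeletefield', 'admin', $fieldname);
@@ -173,7 +176,7 @@ function profile_category_icons($category) {
 /// Delete
 /// Can only delete the last category if there are no fields in it
 if ( ($categorycount > 1) or ($fieldcount == 0) ) {
-$editstr .= '<a title="'.$strdelete.'" href="index.php?id='.$category->id.'&amp;action=deletecategory';
+$editstr .= '<a title="'.$strdelete.'" href="index.php?id='.$category->id.'&amp;action=deletecategory&amp;sesskey='.sesskey();
 $editstr .= '"><img src="'.$OUTPUT->pix_url('t/delete') . '" alt="'.$strdelete.'" class="iconsmall" /></a> ';
 } else {
 $editstr .= '<img src="'.$OUTPUT->pix_url('spacer') . '" alt="" class="iconsmall" /> ';
@@ -216,7 +219,7 @@ function profile_field_icons($field) {
 $editstr = '<a title="'.$stredit.'" href="index.php?id='.$field->id.'&amp;action=editfield"><img src="'.$OUTPUT->pix_url('t/edit') . '" alt="'.$stredit.'" class="iconsmall" /></a> ';
 /// Delete
-$editstr .= '<a title="'.$strdelete.'" href="index.php?id='.$field->id.'&amp;action=deletefield';
+$editstr .= '<a title="'.$strdelete.'" href="index.php?id='.$field->id.'&amp;action=deletefield&amp;sesskey='.sesskey();
 $editstr .= '"><img src="'.$OUTPUT->pix_url('t/delete') . '" alt="'.$strdelete.'" class="iconsmall" /></a> ';
 /// Move up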
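Review bot: In the first hunk the `deletecategory` branch still reaches `redirect($redirect,get_string('deleted'));` when `confirm_sesskey()` returns false, so a request with a missing or stale sesskey is answered with a "deleted" notice although nothing was removed. `confirm_sesskey()` only reports the mismatch; the branch should fail loudly instead, e.g. replace the new `if` with `require_sesskey();` followed by `profile_delete_category($id);`, so a rejected request is logged as an error rather than silently ignored. The `deletefield` branch is better off: on a failed check with `$datacount === 0` it falls through to the confirmation form, whose `$optionsyes` already carries `sesskey()`. The surrounding `switch` starts and ends outside the hunk; the new comment `// If no userdata for profile than don't show confirmation.` should read `then`.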

