
MDL-36600 Add missing sesskey check when previewing the message

1 parent ac7efaf commit c7fbbf73e3f501d4247989a0667871ceefaf4ac1 @andrewnicols andrewnicols committed with danpoltawski Jan 9, 2013
Showing with 5 additions and 2 deletions.
  1. +5 −2 user/messageselect.php
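--- a/user/messageselect.php
+++ b/user/messageselect.php
@@ -91,7 +91,8 @@
 $count = 0;
-if (($data = data_submitted()) && confirm_sesskey()) {
+if ($data = data_submitted()) {
+ require_sesskey();
 foreach ($data as $k => $v) {
 if (preg_match('/^(user|teacher)(\d+)$/',$k,$m)) {
 if (!array_key_exists($m[2],$SESSION->emailto[$id])) {
@@ -130,6 +131,7 @@
 }
 if (!empty($messagebody) && !$edit && !$deluser && ($preview || $send)) {
+ require_sesskey();
 if (count($SESSION->emailto[$id])) {
 if (!empty($preview)) {
 echo '<form method="post" action="messageselect.php" style="margin: 0 20px;">
@@ -142,7 +144,7 @@
 echo '<p align="center"><input type="submit" name="send" value="'.get_string('sendmessage', 'message').'" />'."\n";
 echo '<input type="submit" name="edit" value="'.get_string('update').'" /></p>';
 echo "\n</form>";
- } else if (!empty($send) && require_sesskey()) {
+ } else if (!empty($send)) {
 $good = 1;
 foreach ($SESSION->emailto[$id] as $user) {
 $good = $good && message_post_message($USER,$user,$messagebody,$format);
@@ -170,6 +172,7 @@
 }
 if (count($SESSION->emailto[$id])) {
+ require_sesskey();
 $usehtmleditor = can_use_html_editor();
 require("message.html");
 }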
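Review bot: The `require_sesskey()` added inside `if (count($SESSION->emailto[$id]))` in the last hunk guards a branch that, as far as the hunk shows, only sets `$usehtmleditor` and includes `message.html`. Any request that reaches it without a sesskey parameter (for example a reload while the recipient list is still in the session) would presumably stop with an invalid-sesskey error instead of showing the form. If that path is meant to be reachable by a plain GET, the check belongs only on the state-changing paths. Separately, the send branch's CSRF check now depends on the call added at the top of the `!empty($messagebody)` block, several lines above the `else if (!empty($send))`; a comment there such as `// Covers both the preview and send branches below; do not remove.` would keep a later refactor from dropping it. All of these blocks start or end outside the visible hunks.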
