MDL-48019 mod_forum: Add sesskey checks when setting tracking prefs

This also removes set_url() and changes require_course_login to
require_login as guests cannot set tracking.

mod/forum/forum.js

@@ -13,7 +13,7 @@ function forum_produce_tracking_link(forumid, ltext, ltitle) {
     var elementid = "trackinglink";
     var subs_link = document.getElementById(elementid);
     if(subs_link){
-        subs_link.innerHTML = "<a title='"+ltitle+"' href='"+M.cfg.wwwroot+"/mod/forum/settracking.php?id="+forumid+"'>"+ltext+"<\/a>";
+        subs_link.innerHTML = "<a title='"+ltitle+"' href='"+M.cfg.wwwroot+"/mod/forum/settracking.php?id="+forumid+"&amp;sesskey="+M.cfg.sesskey+"'>"+ltext+"<\/a>";
     }
 }
 

mod/forum/index.php

@@ -238,7 +238,10 @@
                 } else if ($forum->trackingtype === FORUM_TRACKING_OFF || ($USER->trackforums == 0)) {
                     $trackedlink = '-';
                 } else {
-                    $aurl = new moodle_url('/mod/forum/settracking.php', array('id'=>$forum->id));
+                    $aurl = new moodle_url('/mod/forum/settracking.php', array(
+                            'id' => $forum->id,
+                            'sesskey' => sesskey(),
+                        ));
                     if (!isset($untracked[$forum->id])) {
                         $trackedlink = $OUTPUT->single_button($aurl, $stryes, 'post', array('title'=>$strnotrackforum));
                     } else {

mod/forum/lib.php

@@ -5128,7 +5128,10 @@ function forum_get_tracking_link($forum, $messages=array(), $fakelink=true) {
         // use <noscript> to print button in case javascript is not enabled
         $link .= '<noscript>';
     }
-    $url = new moodle_url('/mod/forum/settracking.php', array('id'=>$forum->id));
+    $url = new moodle_url('/mod/forum/settracking.php', array(
+            'id' => $forum->id,
+            'sesskey' => sesskey(),
+        ));
     $link .= $OUTPUT->single_button($url, $linktext, 'get', array('title'=>$linktitle));
 
     if ($fakelink) {
@@ -7882,7 +7885,10 @@ function forum_extend_settings_navigation(settings_navigation $settingsnav, navi
             } else {
                 $linktext = get_string('trackforum', 'forum');
             }
-            $url = new moodle_url('/mod/forum/settracking.php', array('id'=>$forumobject->id));
+            $url = new moodle_url('/mod/forum/settracking.php', array(
+                    'id' => $forumobject->id,
+                    'sesskey' => sesskey(),
+                ));
             $forumnode->add($linktext, $url, navigation_node::TYPE_SETTING);
         }
     }

mod/forum/settracking.php

@@ -29,11 +29,7 @@
 $id         = required_param('id',PARAM_INT);                           // The forum to subscribe or unsubscribe to
 $returnpage = optional_param('returnpage', 'index.php', PARAM_FILE);    // Page to return to.
 
-$url = new moodle_url('/mod/forum/settracking.php', array('id'=>$id));
-if ($returnpage !== 'index.php') {
-    $url->param('returnpage', $returnpage);
-}
-$PAGE->set_url($url);
+require_sesskey();
 
 if (! $forum = $DB->get_record("forum", array("id" => $id))) {
     print_error('invalidforumid', 'forum');
@@ -47,7 +43,7 @@
     print_error('invalidcoursemodule');
 }
 
-require_course_login($course, false, $cm);
+require_login($course, false, $cm);
 
 $returnto = forum_go_back_to($returnpage.'?id='.$course->id.'&f='.$forum->id);