
course/category.php is using sesskey

1 parent c30dd54 commit d177dd771368b9debd80b894c6ae948ea2868991 stronk7 committed Oct 8, 2004
Showing with 18 additions and 12 deletions.
  1. +15 −10 course/category.php
  2. +2 −2 course/index.php
  3. +1 −0 lib/weblib.php
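--- a/course/category.php
+++ b/course/category.php
@@ -23,7 +23,7 @@
 }
 if (iscreator()) {
-if (isset($_GET['edit'])) {
+if (isset($_GET['edit']) and confirm_sesskey()) {
 if ($edit == "on") {
 $USER->categoryediting = true;
 } else if ($edit == "off") {
@@ -47,7 +47,7 @@
 if (isadmin()) {
 /// Rename the category if requested
-if (!empty($_POST['rename'])) {
+if (!empty($_POST['rename']) and confirm_sesskey()) {
 $category->name = $_POST['rename'];
 if (! set_field("course_categories", "name", $category->name, "id", $category->id)) {
 notify("An error occurred while renaming the category");
@@ -56,7 +56,7 @@
 /// Resort the category if requested
-if (!empty($_GET['resort'])) {
+if (!empty($_GET['resort']) and confirm_sesskey()) {
 if ($courses = get_courses($category->id, "fullname ASC")) {
 $count = 0;
 foreach ($courses as $course) {
@@ -114,17 +114,19 @@
 /// Move a specified course to a new category
-if (isset($moveto) and $data = data_submitted()) { // Some courses are being moved
+if (isset($moveto) and $data = data_submitted() and confirm_sesskey()) { // Some courses are being moved
 if (! $destcategory = get_record("course_categories", "id", $data->moveto)) {
 error("Error finding the category");
 }
 unset($data->moveto);
 unset($data->id);
+unset($data->sesskey);
 if ($data) {
 foreach ($data as $code => $junk) {
+
 $courseid = substr($code, 1);
 if (! $course = get_record("course", "id", $courseid)) {
@@ -143,7 +145,7 @@
 /// Hide or show a course
-if (isset($hide) or isset($show)) {
+if ((isset($hide) or isset($show)) and confirm_sesskey()) {
 if (isset($hide)) {
 $course = get_record("course", "id", $hide);
 $visible = 0;
@@ -161,7 +163,7 @@
 /// Move a course up or down
-if (isset($moveup) or isset($movedown)) {
+if ((isset($moveup) or isset($movedown)) and confirm_sesskey()) {
 $movecourse = NULL;
 $swapcourse = NULL;
@@ -274,6 +276,7 @@
 }
 echo "<form name=\"movecourses\" action=\"category.php\" method=\"post\">";
+echo "<input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\">";
 echo "<table align=\"center\" border=0 cellspacing=2 cellpadding=4 class=\"generalbox\"><tr>";
 echo "<th>$strcourses</th>";
 if ($creatorediting) {
@@ -308,10 +311,10 @@
 echo "<a title=\"$strdelete\" href=\"delete.php?id=$acourse->id\"><img".
 " src=\"$pixpath/t/delete.gif\" height=11 width=11 border=0></a> ";
 if (!empty($acourse->visible)) {
-echo "<a title=\"$strhide\" href=\"category.php?id=$category->id&hide=$acourse->id\"><img".
+echo "<a title=\"$strhide\" href=\"category.php?id=$category->id&hide=$acourse->id&sesskey=$USER->sesskey\"><img".
 " src=\"$pixpath/t/hide.gif\" height=11 width=11 border=0></a> ";
 } else {
-echo "<a title=\"$strshow\" href=\"category.php?id=$category->id&show=$acourse->id\"><img".
+echo "<a title=\"$strshow\" href=\"category.php?id=$category->id&show=$acourse->id&sesskey=$USER->sesskey\"><img".
 " src=\"$pixpath/t/show.gif\" height=11 width=11 border=0></a> ";
 }
@@ -322,14 +325,14 @@
 " src=\"$pixpath/t/restore.gif\" height=11 width=11 border=0></a> ";
 if ($up) {
-echo "<a title=\"$strmoveup\" href=\"category.php?id=$category->id&moveup=$acourse->id\"><img".
+echo "<a title=\"$strmoveup\" href=\"category.php?id=$category->id&moveup=$acourse->id&sesskey=$USER->sesskey\"><img".
 " src=\"$pixpath/t/up.gif\" height=11 width=11 border=0></a> ";
 } else {
 echo "<img src=\"$CFG->wwwroot/pix/spacer.gif\" height=11 width=11 border=0></a> ";
 }
 if ($down) {
-echo "<a title=\"$strmovedown\" href=\"category.php?id=$category->id&movedown=$acourse->id\"><img".
+echo "<a title=\"$strmovedown\" href=\"category.php?id=$category->id&movedown=$acourse->id&sesskey=$USER->sesskey\"><img".
 " src=\"$pixpath/t/down.gif\" height=11 width=11 border=0></a> ";
 } else {
 echo "<img src=\"$CFG->wwwroot/pix/spacer.gif\" height=11 width=11 border=0></a> ";
@@ -386,6 +389,7 @@
 unset($options);
 $options["id"] = $category->id;
 $options["resort"] = "name";
+$options["sesskey"] = $USER->sesskey;
 print_single_button("category.php", $options, get_string("resortcoursesbyname"), "get");
 }
@@ -400,6 +404,7 @@
 $strrename= get_string("rename");
 echo "<form name=\"renameform\" action=\"category.php\" method=\"post\">";
 echo "<input type=\"hidden\" name=\"id\" value=\"$category->id\">";
+echo "<input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\">";
 echo "<input type=\"text\" size=30 name=\"rename\" value=\"".s($category->name)."\">";
 echo "<input type=\"submit\" value=\"$strrename\">";
 echo "</form>";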
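Review bot: When confirm_sesskey() fails, the new condition `if (isset($_GET['edit']) and confirm_sesskey())` simply evaluates false and the page goes on rendering, so a request with a missing or stale sesskey is dropped silently rather than reported; the rename, resort, move, hide/show and moveup/movedown hunks use the same shape. If confirm_sesskey() in this version returns false instead of aborting itself, nesting the check so the rejection is visible, e.g. `if (isset($_GET['edit'])) { if (!confirm_sesskey()) { error("Invalid session key"); }` followed by the existing body, would make a forged or expired request show up to the user and in the server log instead of looking like a no-op. Separately, hide, show, moveup, movedown, resort and the edit toggle (also in course/index.php and in update_category_button() in lib/weblib.php, whose form submits with method="get") now carry the session key in the query string, where it lands in browser history, server and proxy logs and the Referer header of any outbound link; the rename and move actions already use POST forms and the same could be done for these. The delete link just above the hide/show hunk is left without a sesskey, presumably because delete.php confirms on its own page, so it is worth checking that page applies the same key check.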
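--- a/course/index.php
+++ b/course/index.php
@@ -298,7 +298,7 @@
 function print_category_edit($category, $displaylist, $parentslist, $depth=-1, $up=false, $down=false) {
 /// Recursive function to print all the categories ready for editing
-global $THEME, $CFG;
+global $THEME, $CFG, $USER;
 static $str = '';
 static $pixpath = '';
@@ -327,7 +327,7 @@ function print_category_edit($category, $displaylist, $parentslist, $depth=-1, $
 echo "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;";
 }
 $linkcss = $category->visible ? "" : " class=\"dimmed\" ";
-echo "<a $linkcss title=\"$str->edit\" href=\"category.php?id=$category->id&edit=on\">$category->name</a>";
+echo "<a $linkcss title=\"$str->edit\" href=\"category.php?id=$category->id&edit=on&sesskey=$USER->sesskey\">$category->name</a>";
 echo "</p>";
 echo "</td>";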
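--- a/lib/weblib.php
+++ b/lib/weblib.php
@@ -1905,6 +1905,7 @@ function update_category_button($categoryid) {
 return "<form target=\"$CFG->framename\" method=\"get\" action=\"$CFG->wwwroot/course/category.php\">".
 "<input type=\"hidden\" name=\"id\" value=\"$categoryid\" />".
 "<input type=\"hidden\" name=\"edit\" value=\"$edit\" />".
+"<input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\" />".
 "<input type=\"submit\" value=\"$string\" /></form>";
 }
 }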
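Review bot: The added hidden input reads `$USER->sesskey` inside update_category_button(), but the hunk shows no `global $USER` declaration and the diffstat records only this one added line for lib/weblib.php, whereas the parallel change in course/index.php had to add `$USER` to its global list. Unless `$USER` is already declared global at the top of this function (its opening lines are outside the hunk), the value interpolates as empty, the button submits an empty sesskey and the edit toggle in category.php is silently skipped. Worth checking the function header and, if needed, adding `$USER` to its global declaration.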

