MDL-20901 fixed input validation

author Petr Skoda <skodak@moodle.org>

Thu, 19 Nov 2009 19:47:46 +0000 (19:47 +0000)

committer Petr Skoda <skodak@moodle.org>

Thu, 19 Nov 2009 19:47:46 +0000 (19:47 +0000)
author Petr Skoda <skodak@moodle.org>
Thu, 19 Nov 2009 19:47:46 +0000 (19:47 +0000)
committer Petr Skoda <skodak@moodle.org>
Thu, 19 Nov 2009 19:47:46 +0000 (19:47 +0000)
diff --git a/grade/edit/outcome/course.php b/grade/edit/outcome/course.php

index ee8d753dabd76302c185831a9e24588ba1df525b..a4a625160f3f148d5e4d1ed79b8db74389dfa6ba 100644 (file)
--- a/grade/edit/outcome/course.php
+++ b/grade/edit/outcome/course.php
@@ -98,7 +98,7 @@ foreach ($standardoutcomes as $oid=>$outcome) {
  
  
  /// form processing
-if ($data = data_submitted()) {
+if ($data = data_submitted() and confirm_sesskey()) {
      require_capability('moodle/grade:manageoutcomes', $context);
      if (!empty($data->add) && !empty($data->addoutcomes)) {
      /// add all selected to course list
diff --git a/grade/edit/outcome/course_form.html b/grade/edit/outcome/course_form.html

index 3185580184b9d92abe316685a034e6c0cff6b13b..29a64465feb5ddd0c9b6522530f120146540d423 100755 (executable)
--- a/grade/edit/outcome/course_form.html
+++ b/grade/edit/outcome/course_form.html
@@ -60,5 +60,6 @@
  </table>
  
  <input name="id" type="hidden" value="<?php echo $courseid?>"/>
+<input type="hidden" name="sesskey" value="<?php echo sesskey() ?>" />
  </div>
  </form>
author	Petr Skoda <skodak@moodle.org>
	Thu, 19 Nov 2009 19:47:46 +0000 (19:47 +0000)
committer	Petr Skoda <skodak@moodle.org>
	Thu, 19 Nov 2009 19:47:46 +0000 (19:47 +0000)
grade/edit/outcome/course.php		patch \| blob \| history
grade/edit/outcome/course_form.html		patch \| blob \| history