MDL-20708 fixed CSRF and missing require_login in delete comments (not in stable...
authorPetr Skoda <skodak@moodle.org>
Sun, 1 Nov 2009 20:04:25 +0000 (20:04 +0000)
committerPetr Skoda <skodak@moodle.org>
Sun, 1 Nov 2009 20:04:25 +0000 (20:04 +0000)
comment/index.php

index 812c454ec4471405d1439e58b962db2c23d7178b..fcf4e8622d8389b5db03bc614c7cfa1977a44ac6 100644 (file)
 require_once('../config.php');
 require_once($CFG->libdir.'/adminlib.php');
 require_once('lib.php');
+
+require_login();
+admin_externalpage_setup('comments');
+
 $context = get_context_instance(CONTEXT_SYSTEM);
 require_capability('moodle/comment:delete', $context);
+
 $PAGE->requires->yui_lib('yahoo')->in_head();
 $PAGE->requires->yui_lib('dom')->in_head();
 $PAGE->requires->yui_lib('event')->in_head();
@@ -35,10 +40,12 @@ $action     = optional_param('action', '', PARAM_ALPHA);
 $commentid  = optional_param('commentid', 0, PARAM_INT);
 $commentids = optional_param('commentids', '', PARAM_ALPHANUMEXT);
 $page       = optional_param('page', 0, PARAM_INT);
+
 $manager = new comment_manager();
 
-if (!empty($action)) {
-    confirm_sesskey();
+if ($action and !confirm_sesskey()) {
+    // no action if sesskey not confirmed
+    $action = '';
 }
 
 if ($action === 'delete') {
@@ -60,7 +67,6 @@ if ($action === 'delete') {
     }
 }
 
-admin_externalpage_setup('comments');
 admin_externalpage_print_header();
 echo $OUTPUT->heading(get_string('comments'));
 if (!empty($err)) {
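Review bot: Blanking `$action` when confirm_sesskey() fails (the `$action = '';` line in the second hunk) makes a rejected delete indistinguishable from a plain page view: the later `if ($action === 'delete')` branch is skipped, `$err` is never set, and the page renders as if nothing had been requested, so a user with a stale session gets no feedback and the failed sesskey check leaves no visible trace. An invalid sesskey on a state-changing request is an error rather than a no-op, so I would fail loudly instead, e.g. `if ($action and !confirm_sesskey()) { print_error('invalidsesskey'); }` (or `require_sesskey()` if this tree already provides it), which also matches how the rest of the admin pages report a bad sesskey. Minor style point: `&&` rather than `and` in that condition; the lower precedence of `and` is harmless here but becomes a trap as soon as the expression is assigned to a variable. The `if ($action === 'delete')` block that begins at the end of the second hunk continues outside it, so I could not check whether the delete path itself reports anything on failure.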