/// Add a teacher if one is specified
- if (!empty($_GET['add'])) {
+ if (!empty($_GET['add']) and confirm_sesskey()) {
if (! add_teacher($add, $course->id)) {
error("Could not add that teacher to this course!");
}
/// Remove a teacher if one is specified.
- if (!empty($_GET['remove'])) {
+ if (!empty($_GET['remove']) and confirm_sesskey()) {
if (! remove_teacher($remove, $course->id)) {
- error("Could not add that teacher to this course!");
+ error("Could not remove that teacher from this course!");
}
}
$editall = choose_from_menu ($editmenu, "e$teacher->id", $teacher->editall, "", "", "", true);
}
- $removelink = "<a href=\"teacher.php?id=$course->id&remove=$teacher->id\">$strremoveteacher</a>";
+ $removelink = "<a href=\"teacher.php?id=$course->id&remove=$teacher->id&sesskey=$USER->sesskey\">$strremoveteacher</a>";
if (!$teacher->role) {
$teacher->role = $course->teacher;
foreach ($users as $user) {
- $addlink = "<a href=\"teacher.php?id=$course->id&add=$user->id\">$straddteacher</a>";
+ $addlink = "<a href=\"teacher.php?id=$course->id&add=$user->id&sesskey=$USER->sesskey\">$straddteacher</a>";
$picture = print_user_picture($user->id, $course->id, $user->picture, false, true);
$table->data[] = array ($picture, fullname($user, true), $user->email, $addlink);
}
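Review bot: The new `$addlink` URL (and the `$removelink` URL in the hunk above) puts the session key into a GET query string, so the anti-CSRF token is written to browser history, proxy and web-server access logs, and is sent in the Referer header of any outbound link on the rendered page. Adding or removing a teacher is a state-changing action and is better issued as a small POST form with `sesskey` in a hidden input, which keeps the token out of URLs entirely; if the links are kept, the parameter separators should at least be HTML-escaped, `...&amp;add=$user->id&amp;sesskey=$USER->sesskey\"...`. The enclosing foreach over `$users` starts inside the hunk, but the surrounding table-building code lies outside it.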
* @return mixed
*/
function required_param($varname, $options=PARAM_CLEAN) {
-/// This function will replace require_variable over time
-/// It returns a value for a given variable name.
if (isset($_POST[$varname])) { // POST has precedence
$param = $_POST[$varname];
* @return mixed
*/
function optional_param($varname, $default=NULL, $options=PARAM_CLEAN) {
-/// This function will replace both of the above two functions over time.
-/// It returns a value for a given variable name.
if (isset($_POST[$varname])) { // POST has precedence
$param = $_POST[$varname];
* @return mixed
*/
function clean_param($param, $options) {
-/// Given a parameter and a bitfield of options, this function
-/// will clean it up and give it the required type, etc.
- if ($param == (int)$param) { // It's just an integer
+ if ((string)$param == (string)(int)$param) { // It's just an integer
return (int)$param;
}
}
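Review bot: The rewritten integer test in `clean_param` still compares with `==`, and PHP compares two numeric strings numerically under `==`, so inputs such as `' 12'` or `'+7'` compare equal to their `(string)(int)` form and are returned as integers instead of falling through to the other cleaning rules. A strict comparison makes this a literal round-trip check, which is what the comment claims: `if ((string)$param === (string)(int)$param) { // It's just an integer`. The remainder of `clean_param` lies outside the hunk.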
/**
- * Ensure that a variable is set or display error
+ * For security purposes, this function will check that the currently
+ * given sesskey (passed as a parameter to the script or this function)
+ * matches that of the current user.
*
- * If $var is undefined display an error message using the {@link error()} function.
- * This function will soon be made obsolete by {@link parameter()}
+ * @param string $sesskey optionally provided sesskey
+ * @return boolean
+ */
+function confirm_sesskey($sesskey=NULL) {
+ global $USER;
+
+ if (empty($sesskey)) {
+ $sesskey = required_param('sesskey'); // Check script parameters
+ }
+
+ if (!isset($USER->sesskey)) {
+ return false;
+ }
+
+ return ($USER->sesskey === $sesskey);
+}
+
+
+/**
+ * Ensure that a variable is set
*
- * @param mixed $var the variable which may not be set
+ * If $var is undefined throw an error, otherwise return $var.
+ * This function will soon be made obsolete by {@link required_param()}
+ *
+ * @param mixed $var the variable which may be unset
+ * @param mixed $default the value to return if $var is unset
*/
function require_variable($var) {
-/// Variable must be present
if (! isset($var)) {
error('A required parameter was missing');
}
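Review bot: The docblock for `require_variable` now carries `@param mixed $default the value to return if $var is unset`, but the signature directly below it, `function require_variable($var)`, has no `$default` parameter; that line appears to have been copied from `optional_variable` and should be removed. In `confirm_sesskey`, the `@return boolean` contract only holds when a `sesskey` is present in the request: for an absent key the outcome is decided by `required_param('sesskey')`, and if that helper aborts through `error()` on a missing parameter, as `require_variable` does just below, callers such as the `add`/`remove` guards in teacher.php never observe `false` for a request without a key. That is worth stating in the docblock, e.g. `@return boolean true if the sesskey matches the current user's; a request that omits sesskey is handled by required_param()`. The strict `===` comparison is the right choice; where the runtime offers `hash_equals()` a constant-time comparison would be marginally better, though for a short random token this is a minor point.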
* Ensure that a variable is set
*
* If $var is undefined set it (by reference), otherwise return $var.
- * This function is very similar to {@link nvl()}
- * This function will soon be made obsolete by {@link parameter()}
+ * This function will soon be made obsolete by {@link optional_param()}
*
* @param mixed $var the variable which may be unset
* @param mixed $default the value to return if $var is unset
*/
function optional_variable(&$var, $default=0) {
-/// Variable may be present, if not then set a default
if (! isset($var)) {
$var = $default;
}
}
-
/**
* Set a key in global configuration
*