]> git.mjollnir.org Git - moodle.git/commitdiff
projects / moodle.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 19c795b)
MDL-20901 fixed input validation
authorPetr Skoda <skodak@moodle.org>
Thu, 19 Nov 2009 19:41:52 +0000 (19:41 +0000)
committerPetr Skoda <skodak@moodle.org>
Thu, 19 Nov 2009 19:41:52 +0000 (19:41 +0000)
enrol/manual/enrol.html patch | blob | history
enrol/manual/enrol.php patch | blob | history

diff --git a/enrol/manual/enrol.html b/enrol/manual/enrol.html
index fa69f70a3cfbbdca330a9b5866ea58be69de2f0a..4033f84054b5a995969efad14bbfd451605c65fd 100644 (file)
--- a/enrol/manual/enrol.html
+++ b/enrol/manual/enrol.html
@@ -19,6 +19,7 @@
               <input type="password" name="password" size="20" value="<?php p($password) ?>"  />
               <input type="hidden" name="id" value="<?php p($course->id) ?>"  />
               <input type="hidden" name="enrol" value="manual" />
+              <input type="hidden" name="sesskey" value="<?php echo sesskey() ?>" />
               <input type="submit" value="<?php print_string("enrolme") ?>" />
             </td>
           </tr>
diff --git a/enrol/manual/enrol.php b/enrol/manual/enrol.php
index 67b5a02dce2aac1a3df9da012e8212081c24c203..4f665e1a41a617290630eae83c2e2a60ce11453d 100644 (file)
--- a/enrol/manual/enrol.php
+++ b/enrol/manual/enrol.php
@@ -70,11 +70,11 @@ function print_entry($course) {
             $PAGE->set_heading($course->fullname);
             echo $OUTPUT->header();
             echo '<br />';
-            echo $OUTPUT->confirm(get_string('enrolmentconfirmation'), "enrol.php?id=$course->id&confirm=1", "enrol.php?id=$course->id&cancel=1");
+            echo $OUTPUT->confirm(get_string('enrolmentconfirmation'), "enrol.php?id=$course->id&confirm=1&amp;sesskey=".sesskey(), "enrol.php?id=$course->id&cancel=1");
             echo $OUTPUT->footer();
             exit;
 
-        } else if (!empty($_GET['confirm'])) {
+        } else if (!empty($_GET['confirm']) and confirm_sesskey()) {
 
             if (!enrol_into_course($course, $USER, 'manual')) {
                 print_error('couldnotassignrole');
@@ -140,7 +140,7 @@ function check_entry($form, $course) {
         $form->password = '';
     }
 
-    if (empty($course->password)) {
+    if (empty($course->password) or !confirm_sesskey()) {
         // do not allow entry when no course password set
         // automatic login when manual primary, no login when secondary at all!!
         print_error('invalidenrol');
Unnamed repository; edit this file to name it for gitweb.