MDL-20925 fixed input validation and course ajax now fully respects the disable cours...
authorPetr Skoda <skodak@moodle.org>
Sat, 21 Nov 2009 16:29:33 +0000 (16:29 +0000)
committerPetr Skoda <skodak@moodle.org>
Sat, 21 Nov 2009 16:29:33 +0000 (16:29 +0000)
course/rest.php
lib/ajax/ajaxcourse.js

index 7f072e7be0623904a3673a13677ebce64772508e..779f4ed825936ae966959d5d5a7a8c612596af9d 100644 (file)
@@ -53,6 +53,13 @@ $context = get_context_instance(CONTEXT_COURSE, $course->id);
 require_login($course);
 require_capability('moodle/course:update', $context);
 
+if (!empty($CFG->disablecourseajax)) {
+    errorl_log('Course AJAX not allowed');
+    die;
+}
+
+require_sesskey();
+
 // OK, now let's process the parameters and do stuff
 // MDL-10221 the DELETE method is not allowed on some web servers, so we simulate it with the action URL param
 $requestmethod = $_SERVER['REQUEST_METHOD'];
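Review bot: The added `disablecourseajax` guard calls `errorl_log('Course AJAX not allowed');`, a misspelling of `error_log()` that PHP does not define. When the setting is enabled, this branch stops with a fatal undefined-function error instead of writing the log entry and reaching `die`. The request is still halted, but the message never reaches the log, and where `display_errors` is on the fatal error text is returned to the client. The line should read `error_log('Course AJAX not allowed');`.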
index 489da2c95f5bcfe32d3697e99bfcf10edbf716e2..47280bd04b273b523bdbd7b5290d823027bdfde2 100644 (file)
@@ -218,7 +218,7 @@ main_class.prototype.connect = function(method, urlStub, callback, body) {
             callback = {};
         }
     }
-    return YAHOO.util.Connect.asyncRequest(method, this.portal.strings['wwwroot']+"/course/rest.php?courseId="+main.portal.id+"&"+urlStub, callback, body);
+    return YAHOO.util.Connect.asyncRequest(method, this.portal.strings['wwwroot']+"/course/rest.php?courseId="+main.portal.id+"&sesskey="+this.portal.strings['sesskey']+"&"+urlStub, callback, body);
 }
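Review bot: The rewritten `asyncRequest` line appends the session key to the query string of every call, so it is recorded wherever request URLs are kept, such as web server access logs and proxy logs. If `require_sesskey()` also reads the value from the request body (not visible on this page), sending it there for non-GET requests would keep it out of those logs. In any case the value should be encoded before concatenation: `"&sesskey="+encodeURIComponent(this.portal.strings['sesskey'])+"&"+urlStub`. The same line mixes `this.portal` and `main.portal`; using one of them consistently would make it clearer which object is meant. The hunk header announces more trailing context than is shown here, so this is based on the visible lines only.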