course/student.php is using sesskey.
authorstronk7 <stronk7>
Sat, 9 Oct 2004 18:51:12 +0000 (18:51 +0000)
committerstronk7 <stronk7>
Sat, 9 Oct 2004 18:51:12 +0000 (18:51 +0000)
Merged from MOODLE_14_STABLE

course/student.html
course/student.php

index 6784ce35b9e0a360c883b7b5f2c260187e8d8a3d..fc5176a7994a40605a23761ee4f6928b8692c457 100644 (file)
@@ -1,6 +1,7 @@
 
 <form name="studentform" id="studentform" method="post" action="student.php">
 <input type="hidden" name="previoussearch" value="<?php echo $previoussearch ?>" />
+<input type="hidden" name="sesskey" value="<?php echo $sesskey ?>" />
 <input type="hidden" name="id" value="<?php echo $id?>" />
   <table align="center" border="0" cellpadding="5" cellspacing="0">
     <tr>
index 5fa6997fa2b20c8166c8399e90a7a8a62314efe4..c24c7c648fafe54bbec3729ffdb7b82278f95211 100644 (file)
@@ -67,7 +67,7 @@
 /// A form was submitted so process the input
 
     } else {
-        if (!empty($frm->add) and !empty($frm->addselect)) {
+        if (!empty($frm->add) and !empty($frm->addselect) and confirm_sesskey()) {
             if ($course->enrolperiod) {
                 $timestart = time();
                 $timeend   = $timestart + $course->enrolperiod;
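Review bot: A submission that fails `confirm_sesskey()` is dropped silently, because the check is only the last operand of the `and` chain on the add branch (and again on the remove branch in the next hunk). A forged or stale request then falls through to whatever follows, with no message to the user and no signal that a cross-site request was attempted. Consider rejecting once before the add/remove dispatch, for example `if (!confirm_sesskey()) { error('Session key check failed'); }` (message text is a placeholder), so every state-changing branch of this handler is covered, including ones added later. The enclosing `else` block starts and ends outside the hunk, so there may be other state-changing branches not visible here that still lack the check.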
@@ -79,7 +79,7 @@
                     error("Could not add student with id $addstudent to this course!");
                 }
             }
-        } else if (!empty($frm->remove) and !empty($frm->removeselect)) {
+        } else if (!empty($frm->remove) and !empty($frm->removeselect) and confirm_sesskey()) {
             foreach ($frm->removeselect as $removestudent) {
                 if (! unenrol_student($removestudent, $course->id)) {
                     error("Could not remove student with id $removestudent from this course!");
 
     print_simple_box_start("center", "", "$THEME->cellheading");
 
+    $sesskey = !empty($USER->id) ? $USER->sesskey : '';
+
     include('student.html');
 
     print_simple_box_end();
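Review bot: The `''` fallback on the added `$sesskey` line renders the form with an empty token whenever `$USER->id` is empty. In that case the protection depends on `confirm_sesskey()` never accepting an empty submitted value, and that function is not shown on this page. If the script already requires a logged-in user earlier (not visible here), the fallback branch is dead and a plain `$sesskey = $USER->sesskey;` would state the intent more clearly. Otherwise a comment such as `// guests get an empty token; confirm_sesskey() must reject ''` would document the dependency. This hunk's `@@` header is missing from the page, so its position in the file is inferred.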