//show save choice button
echo '<div class="button">';
echo "<input type=\"hidden\" name=\"id\" value=\"$cm->id\" />";
+ echo "<input type=\"hidden\" name=\"sesskey\" value=\"".sesskey()."\" />";
if (has_capability('mod/choice:choose', $context, $user->id, false)) { //don't show save button if the logged in user is the guest user.
if ($choicefull) {
print_string('choicefull', 'choice');
echo "<input type=\"submit\" value=\"".get_string("savemychoice","choice")."\" />";
}
if ($choice->allowupdate && $aaa = $DB->get_record('choice_answers', 'choiceid', $choice->id, 'userid', $user->id)) {
- echo "<br /><a href='view.php?id=".$cm->id."&action=delchoice'>".get_string("removemychoice","choice")."</a>";
+ echo "<br /><a href='view.php?id=".$cm->id."&action=delchoice&sesskey=".sesskey()."'>".get_string("removemychoice","choice")."</a>";
}
} else {
print_string('havetologin', 'choice');
print_error('badcontext');
}
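Review bot: The sesskey is placed in the query string of the "remove my choice" link on the new L12 side with bare `&` separators inside an HTML attribute, so the attribute is not well-formed HTML and the token is exposed in referrer headers and server logs as part of a GET URL. Since the hidden field added on L4 already puts the sesskey in the enclosing form, the removal could be a submit button in that same form instead of a link, or at minimum the separators should be written as `&amp;action=delchoice&amp;sesskey=`. The hunk's surrounding form element is not visible here, so whether the link sits inside that form is inferred, not shown.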
- if ($action == 'delchoice') {
+ if ($action == 'delchoice' and confirm_sesskey() and has_capability('mod/choice:choose', $context) and $choice->allowupdate) {
if ($answer = $DB->get_record('choice_answers', array('choiceid' => $choice->id, 'userid' => $USER->id))) {
//print_object($answer);
$DB->delete_records('choice_answers', array('id' => $answer->id));
echo $OUTPUT->header();
/// Submit any new data if there is any
- if ($form = data_submitted() && has_capability('mod/choice:choose', $context)) {
+ if ($form = data_submitted() && has_capability('mod/choice:choose', $context) && confirm_sesskey()) {
$timenow = time();
if (has_capability('mod/choice:deleteresponses', $context)) {
if ($action == 'delete') { //some responses need to be deleted
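Review bot: The condition on the new L26 side assigns `$form` the boolean result of the whole `&&` chain, because `=` binds more loosely than `&&`; `$form` will be `true` rather than the submitted data object, so any later read of `$form->answer` or similar fields (outside this hunk) cannot work. Parenthesise the assignment so the added `confirm_sesskey()` guard is applied to the real submission: `if (($form = data_submitted()) && has_capability('mod/choice:choose', $context) && confirm_sesskey()) {`. The same style of capability check in the delchoice hunk uses `and` while this one uses `&&`; picking one spelling would make the two guards read consistently. The body of this `if` continues past the end of the hunk.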