MDL-20901 fixed input validation

author Petr Skoda <skodak@moodle.org>

Sat, 21 Nov 2009 15:33:10 +0000 (15:33 +0000)

committer Petr Skoda <skodak@moodle.org>

Sat, 21 Nov 2009 15:33:10 +0000 (15:33 +0000)
author Petr Skoda <skodak@moodle.org>
Sat, 21 Nov 2009 15:33:10 +0000 (15:33 +0000)
committer Petr Skoda <skodak@moodle.org>
Sat, 21 Nov 2009 15:33:10 +0000 (15:33 +0000)
diff --git a/mod/forum/lib.php b/mod/forum/lib.php

index 7b48fb7e0a3dae38ba9a60c55f92164db956a816..462ea89965bca36421e39d202347677ffbe8e220 100644 (file)
--- a/mod/forum/lib.php
+++ b/mod/forum/lib.php
@@ -5822,6 +5822,7 @@ function forum_print_discussion($course, $cm, $forum, $discussion, $post, $mode,
                  echo '<form id="form" method="post" action="rate.php">';
                  echo '<div class="ratingform">';
                  echo '<input type="hidden" name="forumid" value="'.$forum->id.'" />';
+                echo '<input type="hidden" name="sesskey" value="'.sesskey().'" />';
                  $ratingsformused = true;
              }
            // preload all ratings - one query only and minimal memory
diff --git a/mod/forum/rate.php b/mod/forum/rate.php

index aee44a83842843ea5584af5e329ce861f5f607e9..85a506ae26b99cf146ffe858742f5f9872154ab7 100644 (file)
--- a/mod/forum/rate.php
+++ b/mod/forum/rate.php
@@ -38,7 +38,7 @@ if (!$forum->assessed) {
  $context = get_context_instance(CONTEXT_MODULE, $cm->id);
  require_capability('mod/forum:rate', $context);
  
-if ($data = data_submitted()) {
+if ($data = data_submitted() and confirm_sesskey()) {
  
      $discussionid = false;
author	Petr Skoda <skodak@moodle.org>
	Sat, 21 Nov 2009 15:33:10 +0000 (15:33 +0000)
committer	Petr Skoda <skodak@moodle.org>
	Sat, 21 Nov 2009 15:33:10 +0000 (15:33 +0000)
mod/forum/lib.php		patch \| blob \| history
mod/forum/rate.php		patch \| blob \| history