course/index.php is using sesskey.
authorstronk7 <stronk7>
Sat, 9 Oct 2004 13:22:59 +0000 (13:22 +0000)
committerstronk7 <stronk7>
Sat, 9 Oct 2004 13:22:59 +0000 (13:22 +0000)
Merged from MOODLE_14_STABLE

admin/index.php
admin/users.php
blocks/admin/block_admin.php
course/index.php
lib/weblib.php

index 2bf4e960bfb778c1d9225fd12c2f06223d3b44a8..25d618c7852b9a3442e9ad4b884b55decb3b4191 100644 (file)
                  get_string("adminhelpauthentication")."</font><br />";
     $userdata .= "<font size=+1>&nbsp;</font><a href=\"user.php\">".get_string("edituser")."</a> - <font size=\"1\">".
                  get_string("adminhelpedituser")."</font><br />";
-    $userdata .= "<font size=+1>&nbsp;</font><a href=\"$CFG->wwwroot/$CFG->admin/user.php?newuser=true&sesskey=$USER->sesskey\">".
+    $userdata .= "<font size=+1>&nbsp;</font><a href=\"$CFG->wwwroot/$CFG->admin/user.php?newuser=true&amp;sesskey=$USER->sesskey\">".
                  get_string("addnewuser")."</a> - <font size=\"1\">".
                  get_string("adminhelpaddnewuser")."</font><br />";
     $userdata .= "<font size=+1>&nbsp;</font><a href=\"$CFG->wwwroot/$CFG->admin/uploaduser.php?sesskey=$USER->sesskey\">".
 
     $userdata .= "<hr /><font size=+1>&nbsp;</font><a href=\"enrol.php?sesskey=$USER->sesskey\">".get_string("enrolments")."</a> - <font size=\"1\">".
                  get_string("adminhelpenrolments")."</font><br />";
-    $userdata .= "<font size=+1>&nbsp;</font><a href=\"../course/index.php?edit=off\">".get_string("assignstudents")."</a> - <font size=\"1\">".
+    $userdata .= "<font size=+1>&nbsp;</font><a href=\"../course/index.php?edit=off&amp;sesskey=$USER->sesskey\">".get_string("assignstudents")."</a> - <font size=\"1\">".
                  get_string("adminhelpassignstudents")."</font><br />";
 
-    $userdata .= "<font size=+1>&nbsp;</font><a href=\"../course/index.php?edit=on\">".get_string("assignteachers")."</a> - <font size=\"1\">".
+    $userdata .= "<font size=+1>&nbsp;</font><a href=\"../course/index.php?edit=on&amp;sesskey=$USER->sesskey\">".get_string("assignteachers")."</a> - <font size=\"1\">".
                  get_string("adminhelpassignteachers").
                  " <img src=\"../pix/t/user.gif\" height=\"11\" width=\"11\" alt=\"\"></font><br />";
     $userdata .= "<font size=+1>&nbsp;</font><a href=\"creators.php?sesskey=$USER->sesskey\">".get_string("assigncreators")."</a> - <font size=\"1\">".
 
     $table->data[] = array("<font size=+1><b><a href=\"users.php\">".get_string("users")."</a></b>", $userdata);
 
-    $table->data[] = array("<font size=+1><b><a href=\"../course/index.php?edit=on\">".get_string("courses")."</a></b>",
+    $table->data[] = array("<font size=+1><b><a href=\"../course/index.php?edit=on&amp;sesskey=$USER->sesskey\">".get_string("courses")."</a></b>",
                            "<font size=+1>&nbsp;</font>".get_string("adminhelpcourses"));
     $table->data[] = array("<font size=+1><b><a href=\"../course/log.php?id=$site->id\">".get_string("logs")."</a></b>",
                            "<font size=+1>&nbsp;</font>".get_string("adminhelplogs"));
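Review bot: The three links to course/index.php that gain `sesskey=$USER->sesskey` in this file (assignstudents, assignteachers, courses) carry the session key in the URL, where it ends up in web server access logs and browser history and may be sent onward in a Referer header. The same pattern is added in admin/users.php, in blocks/admin/block_admin.php and in the icon links of print_category_edit in course/index.php. For the state-changing actions, a POST form with a hidden `sesskey` field, as the add-category form in course/index.php does in this same commit, keeps the value out of logged URLs. If the links have to stay, a comment at the receiving check should say that the key is expected to arrive by GET and is therefore visible in logs.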
index c287a493832949c84c797ee441e1fc477d1fbc2d..83359ed3094bcf1adc5bc81fc4f1216443d88f37 100644 (file)
@@ -28,7 +28,7 @@
     $table->data[] = array("<b><a href=\"user.php\">".get_string("edituser")."</a></b>",
                            get_string("adminhelpedituser"));
     if (is_internal_auth()) {
-        $table->data[] = array("<b><a href=\"$CFG->wwwroot/$CFG->admin/user.php?newuser=true&sesskey=$USER->sesskey\">".get_string("addnewuser")."</a></b>",
+        $table->data[] = array("<b><a href=\"$CFG->wwwroot/$CFG->admin/user.php?newuser=true&amp;sesskey=$USER->sesskey\">".get_string("addnewuser")."</a></b>",
                                get_string("adminhelpaddnewuser"));
         $table->data[] = array("<b><a href=\"$CFG->wwwroot/$CFG->admin/uploaduser.php?sesskey=$USER->sesskey\">".get_string("uploadusers")."</a></b>",
                                get_string("adminhelpuploadusers"));
@@ -36,9 +36,9 @@
     $table->data[] = array('', '<hr />');
     $table->data[] = array("<b><a href=\"enrol.php?sesskey=$USER->sesskey\">".get_string("enrolments")."</a></b>",
                            get_string("adminhelpenrolments"));
-    $table->data[] = array("<b><a href=\"../course/index.php?edit=off\">".get_string("assignstudents")."</a></b>",
+    $table->data[] = array("<b><a href=\"../course/index.php?edit=off&amp;sesskey=$USER->sesskey\">".get_string("assignstudents")."</a></b>",
                            get_string("adminhelpassignstudents"));
-    $table->data[] = array("<b><a href=\"../course/index.php?edit=on\">".get_string("assignteachers")."</a></b>",
+    $table->data[] = array("<b><a href=\"../course/index.php?edit=on&amp;sesskey=$USER->sesskey\">".get_string("assignteachers")."</a></b>",
                            get_string("adminhelpassignteachers")." <img src=\"../pix/t/user.gif\" height=\"11\" width=\"11\" alt=\"\" />");
     $table->data[] = array("<b><a href=\"creators.php?sesskey=$USER->sesskey\">".get_string("assigncreators")."</a></b>",
                            get_string("adminhelpassigncreators"));
index 14abd03a3fbbc21719e14eea455c015f68f66fd7..4e3a615e3145fcaf06316b5f3b9ded508be2bc81 100644 (file)
@@ -1,4 +1,4 @@
-<?PHP //$Id$
+<?php //$Id$
 
 class CourseBlock_admin extends MoodleBlock {
     function CourseBlock_admin($course) {
@@ -32,7 +32,7 @@ class CourseBlock_admin extends MoodleBlock {
 
 
     function load_content_for_site() {
-        global $CFG;
+        global $CFG, $USER;
 
         if (isadmin()) {
             $this->content->items[] = '<a href="'.$CFG->wwwroot.'/'.$CFG->admin.'/configure.php">'.get_string('configuration').'</a>...';
@@ -49,7 +49,7 @@ class CourseBlock_admin extends MoodleBlock {
         }
 
         if (iscreator()) {
-            $this->content->items[] = '<a href="'.$CFG->wwwroot.'/course/index.php?edit=on">'.get_string('courses').'</a>';
+            $this->content->items[] = '<a href="'.$CFG->wwwroot.'/course/index.php?edit=on&amp;sesskey='.$USER->sesskey.'">'.get_string('courses').'</a>';
             $this->content->icons[] = '<img src="'.$CFG->pixpath.'/i/course.gif" height="16" width="16" alt="" />';
         }
 
index b4c8b5c9833b31022165e7423526025f63deae4f..9cf55e185ae813912529df080b048c62ed1e5af6 100644 (file)
@@ -14,7 +14,7 @@
     }
 
     if (isadmin()) {
-        if (isset($_GET['edit'])) {
+        if (isset($_GET['edit']) and confirm_sesskey()) {
             if ($edit == "on") {
                 $USER->categoriesediting = true;
             } else if ($edit == "off") {
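Review bot: When `confirm_sesskey()` fails, the guard added here simply skips the block, so a request with a missing or wrong key is dropped with no message to the user and no log entry. The five other guards added in this file (add, delete, move, hide/show, move up/down) behave the same way. A rejected key on an admin action is worth recording, since it means either a stale page or a forged request. Consider separating the two tests, `if (isset($_GET['edit'])) { if (!confirm_sesskey()) { /* report and log */ } ... }`, so the failure path is explicit. How `$edit` is populated and what `confirm_sesskey()` compares against are outside the hunk.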
@@ -84,7 +84,7 @@
 
 
 /// If data for a new category was submitted, then add it
-    if ($form = data_submitted()) {
+    if ($form = data_submitted() and confirm_sesskey()) {
         if (!empty($form->addcategory)) {
             unset($newcategory);
             $newcategory->name = $form->addcategory;
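Review bot: The condition `$form = data_submitted() and confirm_sesskey()` is correct only because `and` binds more loosely than `=`. Rewritten with `&&` it would assign the boolean result to `$form`, and `$form->addcategory` below would no longer see the submitted data. Make the grouping explicit so a later cleanup cannot silently change the meaning: `if (($form = data_submitted()) and confirm_sesskey()) {`. The body of this block continues past the end of the hunk.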
 
 /// Delete a category if necessary
 
-    if (isset($delete)) {
+    if (isset($delete) and confirm_sesskey()) {
         if ($deletecat = get_record("course_categories", "id", $delete)) {
 
             /// Send the children categories to live with their grandparent
 
 /// Move a category to a new parent if required
 
-    if (isset($move) and isset($moveto)) {
+    if (isset($move) and isset($moveto) and confirm_sesskey()) {
         if ($tempcat = get_record("course_categories", "id", $move)) {
             if ($tempcat->parent != $moveto) {
                 if (! set_field("course_categories", "parent", $moveto, "id", $tempcat->id)) {
 
 
 /// Hide or show a category 
-    if (isset($hide) or isset($show)) {
+    if ((isset($hide) or isset($show)) and confirm_sesskey()) {
         if (isset($hide)) {
             $tempcat = get_record("course_categories", "id", $hide);
             $visible = 0;
 
 /// Move a category up or down
 
-    if (isset($moveup) or isset($movedown)) {
+    if ((isset($moveup) or isset($movedown)) and confirm_sesskey()) {
         
         $swapcategory = NULL;
         $movecategory = NULL;
     echo "<form name=\"addform\" action=\"index.php\" method=\"post\">";
     echo "<input type=\"text\" size=\"30\" alt=\"$straddnewcategory\" name=\"addcategory\" />";
     echo "<input type=\"submit\" value=\"$straddnewcategory\" />";
+    echo "<input type=\"hidden\" name=\"sesskey\" value=\"$USER->sesskey\" />";
     echo "</form>";
     echo "</center>";
 
@@ -336,23 +337,23 @@ function print_category_edit($category, $displaylist, $parentslist, $depth=-1, $
 
         echo "<td nowrap=\"nowrap\">";    /// Print little icons
 
-        echo "<a title=\"$str->delete\" href=\"index.php?delete=$category->id\"><img".
+        echo "<a title=\"$str->delete\" href=\"index.php?delete=$category->id&amp;sesskey=$USER->sesskey\"><img".
              " src=\"$pixpath/t/delete.gif\" height=\"11\" width=\"11\" border=\"0\" alt=\"\" /></a> ";
 
         if (!empty($category->visible)) {
-            echo "<a title=\"$str->hide\" href=\"index.php?hide=$category->id\"><img".
+            echo "<a title=\"$str->hide\" href=\"index.php?hide=$category->id&amp;sesskey=$USER->sesskey\"><img".
                  " src=\"$pixpath/t/hide.gif\" height=\"11\" width=\"11\" border=\"0\" alt=\"\" /></a> ";
         } else {
-            echo "<a title=\"$str->show\" href=\"index.php?show=$category->id\"><img".
+            echo "<a title=\"$str->show\" href=\"index.php?show=$category->id&amp;sesskey=$USER->sesskey\"><img".
                  " src=\"$pixpath/t/show.gif\" height=\"11\" width=\"11\" border=\"0\"alt=\"\" /></a> ";
         }
 
         if ($up) {
-            echo "<a title=\"$str->moveup\" href=\"index.php?moveup=$category->id\"><img".
+            echo "<a title=\"$str->moveup\" href=\"index.php?moveup=$category->id&amp;sesskey=$USER->sesskey\"><img".
                  " src=\"$pixpath/t/up.gif\" height=\"11\" width=\"11\" border=\"0\" alt=\"\" /></a> ";
         }
         if ($down) {
-            echo "<a title=\"$str->movedown\" href=\"index.php?movedown=$category->id\"><img".
+            echo "<a title=\"$str->movedown\" href=\"index.php?movedown=$category->id&amp;sesskey=$USER->sesskey\"><img".
                  " src=\"$pixpath/t/down.gif\" height=\"11\" width=\"11\" border=\"0\"alt=\"\" /></a> ";
         }
         echo "</td>";
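Review bot: `$USER->sesskey` is now interpolated into five links inside print_category_edit (and into the `popup_form` URL in the next hunk), but the function's `global` declaration is outside the hunk and this commit does not show it being changed. In blocks/admin/block_admin.php, by contrast, `$USER` was explicitly added to load_content_for_site. If `$USER` is not already declared global here, every link would carry an empty `sesskey=` and would presumably be rejected by the new `confirm_sesskey()` guards. Confirm the declaration reads something like `global $CFG, $USER;`.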
@@ -365,7 +366,7 @@ function print_category_edit($category, $displaylist, $parentslist, $depth=-1, $
                 unset($tempdisplaylist[$key]);
             }
         }
-        popup_form ("index.php?move=$category->id&amp;moveto=", $tempdisplaylist, "moveform$category->id", "$category->parent", "", "", "", false);
+        popup_form ("index.php?move=$category->id&amp;sesskey=$USER->sesskey&amp;moveto=", $tempdisplaylist, "moveform$category->id", "$category->parent", "", "", "", false);
         echo "</td>";
         echo "</tr>";
     } else {
index f70be0fb070c186b31de3dab779f94d277f2f628..b5c2c59029cea92e65be042fbab49daeae088aa9 100644 (file)
@@ -2501,6 +2501,7 @@ function update_categories_button() {
         }
         return "<form target=\"$CFG->framename\" method=\"get\" action=\"$CFG->wwwroot/course/index.php\">".
                '<input type="hidden" name="edit" value="'. $edit .'" />'.
+               '<input type="hidden" name="sesskey" value="'.$USER->sesskey.'" />'.
                '<input type="submit" value="'. $string .'" /></form>';
     }
 }
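Review bot: The hidden `sesskey` field is added to a form declared with `method="get"`, so on submit the key is appended to the course/index.php URL just as with the plain links. Because this is already a form, `method="post"` would keep the key out of the address bar and access logs, but the receiving guard in course/index.php tests `isset($_GET['edit'])`, so both sides would have to change together. The start of update_categories_button, including its `global` declaration, is outside the hunk, so confirm that `$USER` is in scope here too.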