From: Petr Skoda <skodak@moodle.org>
Date: Sat, 21 Nov 2009 15:33:10 +0000 (+0000)
Subject: MDL-20901 fixed input validation
X-Git-Url: http://git.mjollnir.org/gw?a=commitdiff_plain;h=c66bbb3021b07762dbcebe7fd02ef1001bee0ca7;p=moodle.git

MDL-20901 fixed input validation
---

diff --git a/mod/forum/lib.php b/mod/forum/lib.php
index 7b48fb7e0a..462ea89965 100644
--- a/mod/forum/lib.php
+++ b/mod/forum/lib.php
@@ -5822,6 +5822,7 @@ function forum_print_discussion($course, $cm, $forum, $discussion, $post, $mode,
                 echo '<form id="form" method="post" action="rate.php">';
                 echo '<div class="ratingform">';
                 echo '<input type="hidden" name="forumid" value="'.$forum->id.'" />';
+                echo '<input type="hidden" name="sesskey" value="'.sesskey().'" />';
                 $ratingsformused = true;
             }
           // preload all ratings - one query only and minimal memory
diff --git a/mod/forum/rate.php b/mod/forum/rate.php
index aee44a8384..85a506ae26 100644
--- a/mod/forum/rate.php
+++ b/mod/forum/rate.php
@@ -38,7 +38,7 @@ if (!$forum->assessed) {
 $context = get_context_instance(CONTEXT_MODULE, $cm->id);
 require_capability('mod/forum:rate', $context);
 
-if ($data = data_submitted()) {
+if ($data = data_submitted() and confirm_sesskey()) {
 
     $discussionid = false;