From 8b92f5bb7d6be4c645ad044df05c23fa2f552f54 Mon Sep 17 00:00:00 2001 From: stronk7 Date: Sat, 9 Oct 2004 17:23:28 +0000 Subject: [PATCH] course/mod.php is using sesskey. Merged from MOODLE_14_STABLE --- .../site_main_menu/block_site_main_menu.php | 6 +-- course/format/topics/format.php | 2 +- course/format/weeks/format.php | 2 +- course/lib.php | 38 +++++++++---------- course/mod.php | 36 ++++++++++++------ 5 files changed, 48 insertions(+), 36 deletions(-) diff --git a/blocks/site_main_menu/block_site_main_menu.php b/blocks/site_main_menu/block_site_main_menu.php index 5bdd48c40f..de6d283236 100644 --- a/blocks/site_main_menu/block_site_main_menu.php +++ b/blocks/site_main_menu/block_site_main_menu.php @@ -54,7 +54,7 @@ class CourseBlock_site_main_menu extends MoodleBlock { if ($ismoving) { $this->content->icons[] = ' '; - $this->content->items[] = $USER->activitycopyname.' ('.$strcancel.')'; + $this->content->items[] = $USER->activitycopyname.' ('.$strcancel.')'; } if (!empty($section->sequence)) { @@ -82,7 +82,7 @@ class CourseBlock_site_main_menu extends MoodleBlock { if ($mod->id == $USER->activitycopy) { continue; } - $this->content->items[] = ''. + $this->content->items[] = ''. ''.$strmovehere.''; $this->content->icons[] = ''; } @@ -115,7 +115,7 @@ class CourseBlock_site_main_menu extends MoodleBlock { } if ($ismoving) { - $this->content->items[] = ''. + $this->content->items[] = ''. ''.$strmovehere.''; $this->content->icons[] = ''; } diff --git a/course/format/topics/format.php b/course/format/topics/format.php index 433f03cb6d..8cd777243a 100644 --- a/course/format/topics/format.php +++ b/course/format/topics/format.php @@ -84,7 +84,7 @@ echo ""; echo "cellcontent\" class=\"topicoutlineclip\" width=\"100%\">"; echo "

"; - echo "$stractivityclipboard  ($strcancel)"; + echo "$stractivityclipboard  (sesskey\">$strcancel)"; echo "

"; echo ""; echo ""; diff --git a/course/format/weeks/format.php b/course/format/weeks/format.php index c9a7e69846..1d09b5f191 100644 --- a/course/format/weeks/format.php +++ b/course/format/weeks/format.php @@ -74,7 +74,7 @@ echo ""; echo "cellcontent\" class=\"weeklyoutlineclip\" width=\"100%\">"; echo "

"; - echo "$stractivityclipboard  ($strcancel)"; + echo "$stractivityclipboard  (sesskey\">$strcancel)"; echo "

"; echo ""; echo ""; diff --git a/course/lib.php b/course/lib.php index 6c83112b9c..a92e1052b2 100644 --- a/course/lib.php +++ b/course/lib.php @@ -904,7 +904,7 @@ function print_section($course, $section, $mods, $modnamesused, $absolute=false, continue; } echo ''. + ' href="'.$CFG->wwwroot.'/course/mod.php?moveto='.$mod->id.'&sesskey='.$USER->sesskey.'">'. ''.$strmovehere.'
'; @@ -968,7 +968,7 @@ function print_section($course, $section, $mods, $modnamesused, $absolute=false, } if ($ismoving) { echo ''. + ' href="'.$CFG->wwwroot.'/course/mod.php?movetosection='.$section->id.'&sesskey='.$USER->sesskey.'">'. ''.$strmovehere.' '; @@ -980,7 +980,7 @@ function print_section($course, $section, $mods, $modnamesused, $absolute=false, function print_section_add_menus($course, $section, $modnames, $vertical=false, $return=false) { // Prints the menus to add activities and resources - global $CFG; + global $CFG, $USER; static $straddactivity, $stractivities, $straddresource, $resources; if (!isset($straddactivity)) { @@ -1000,7 +1000,7 @@ function print_section_add_menus($course, $section, $modnames, $vertical=false, $output = ''; $output .= '
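Review bot: The two print_section hunks (this one at -904 and the one at -968) now read `$USER->sesskey`, but unlike print_section_add_menus and make_editing_buttons in the same file no `global` line is touched for print_section. If `$USER` is not already declared global in that function, the links render with an empty `sesskey=` and every move / move-here request then fails confirm_sesskey() in course/mod.php without any visible error. Worth confirming the function's `global` line includes `$USER`, or adding it exactly as the other two hunks do. print_section starts and ends outside these hunks.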
'; @@ -1009,7 +1009,7 @@ function print_section_add_menus($course, $section, $modnames, $vertical=false, } $output .= '
'; - $output .= popup_form("$CFG->wwwroot/course/mod.php?id=$course->id&section=$section&add=", + $output .= popup_form("$CFG->wwwroot/course/mod.php?id=$course->id&section=$section&sesskey=$USER->sesskey&add=", $resources, "ressection$section", "", $straddresource, 'resource/types', $straddresource, true); $output .= ''; - $output .= popup_form("$CFG->wwwroot/course/mod.php?id=$course->id&section=$section&add=", + $output .= popup_form("$CFG->wwwroot/course/mod.php?id=$course->id&section=$section&sesskey=$USER->sesskey&add=", $modnames, "section$section", "", $straddactivity, 'mods', $straddactivity, true); $output .= '
'; $output .= '
'; @@ -1663,7 +1663,7 @@ function move_module($cm, $move) { } function make_editing_buttons($mod, $absolute=false, $moveselect=true, $indent=-1) { - global $CFG, $THEME; + global $CFG, $THEME, $USER; static $str; @@ -1698,10 +1698,10 @@ function make_editing_buttons($mod, $absolute=false, $moveselect=true, $indent=- } if ($mod->visible) { - $hideshow = "hide\" href=\"$path/mod.php?hide=$mod->id\">hide\" href=\"$path/mod.php?hide=$mod->id&sesskey=$USER->sesskey\">hide\" /> "; } else { - $hideshow = "show\" href=\"$path/mod.php?show=$mod->id\">show\" href=\"$path/mod.php?show=$mod->id&sesskey=$USER->sesskey\">show\" /> "; } @@ -1709,15 +1709,15 @@ function make_editing_buttons($mod, $absolute=false, $moveselect=true, $indent=- if ($mod->groupmode == SEPARATEGROUPS) { $grouptitle = $str->groupsseparate; $groupimage = "$pixpath/t/groups.gif"; - $grouplink = "$path/mod.php?id=$mod->id&groupmode=0"; + $grouplink = "$path/mod.php?id=$mod->id&groupmode=0&sesskey=$USER->sesskey"; } else if ($mod->groupmode == VISIBLEGROUPS) { $grouptitle = $str->groupsvisible; $groupimage = "$pixpath/t/groupv.gif"; - $grouplink = "$path/mod.php?id=$mod->id&groupmode=1"; + $grouplink = "$path/mod.php?id=$mod->id&groupmode=1&sesskey=$USER->sesskey"; } else { $grouptitle = $str->groupsnone; $groupimage = "$pixpath/t/groupn.gif"; - $grouplink = "$path/mod.php?id=$mod->id&groupmode=2"; + $grouplink = "$path/mod.php?id=$mod->id&groupmode=2&sesskey=$USER->sesskey"; } if ($mod->groupmodelink) { $groupmode = "clicktochange)\" href=\"$grouplink\">". 
@@ -1733,37 +1733,37 @@ function make_editing_buttons($mod, $absolute=false, $moveselect=true, $indent=- } if ($moveselect) { - $move = "move\" href=\"$path/mod.php?copy=$mod->id\">move\" href=\"$path/mod.php?copy=$mod->id&sesskey=$USER->sesskey\">move\" />"; } else { - $move = "moveup\" href=\"$path/mod.php?id=$mod->id&move=-1\">moveup\" href=\"$path/mod.php?id=$mod->id&move=-1&sesskey=$USER->sesskey\">moveup\" />". - "movedown\" href=\"$path/mod.php?id=$mod->id&move=1\">movedown\" href=\"$path/mod.php?id=$mod->id&move=1&sesskey=$USER->sesskey\">movedown\" />"; } $leftright = ""; if ($indent > 0) { - $leftright .= "moveleft\" href=\"$path/mod.php?id=$mod->id&indent=-1\">moveleft\" href=\"$path/mod.php?id=$mod->id&indent=-1&sesskey=$USER->sesskey\">moveleft\" />"; } if ($indent >= 0) { - $leftright .= "moveright\" href=\"$path/mod.php?id=$mod->id&indent=1\">moveright\" href=\"$path/mod.php?id=$mod->id&indent=1&sesskey=$USER->sesskey\">moveright\" />"; } return "$leftright$move". - "update\" href=\"$path/mod.php?update=$mod->id\">update\" href=\"$path/mod.php?update=$mod->id&sesskey=$USER->sesskey\">update\" />". // Following line is commented out until this feature is more definite -- martin - // "duplicate\" href=\"$path/mod.php?duplicate=$mod->id\"> 2 ". - "delete\" href=\"$path/mod.php?delete=$mod->id\">duplicate\" href=\"$path/mod.php?duplicate=$mod->id&sesskey=$USER->sesskey\"> 2 ". + "delete\" href=\"$path/mod.php?delete=$mod->id&sesskey=$USER->sesskey\">delete\" />$hideshow$groupmode"; } diff --git a/course/mod.php b/course/mod.php index 8e9b7e8a5d..d30661fb21 100644 --- a/course/mod.php +++ b/course/mod.php 
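Review bot: Every editing action built here (move, indent, update, delete, hide/show, groupmode) remains a state-changing GET link, and the session key now rides in the query string, so it is recorded wherever URLs are: the Referer header sent to any external resource linked from the course page, web-server and proxy logs, and browser history. The exposure is bounded by the key's lifetime (presumably it is regenerated per session), but a reader of make_editing_buttons should see that caveat; a comment above the `$move =` assignment such as `// sesskey travels in the query string and can leak via Referer/logs; it is only valid for the current session` would record it. The same applies to the links in print_section, print_section_add_menus and the two format.php files. Moving these actions to small POST forms whose key is read by confirm_sesskey() from the posted value would remove the exposure and is the longer-term fix.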
@@ -27,6 +27,14 @@ if (isset($_POST["course"])) { // add or update form submitted + //It caller is correct, $SESSION->sesskey must exist and coincide + if (empty($SESSION->sesskey) or !confirm_sesskey($SESSION->sesskey)) { + error(get_string('confirmsesskeybad', 'error')); + } + + //Unset this, check done + unset($SESSION->sesskey); + if (!$course = get_record("course", "id", $mod->course)) { error("This course doesn't exist"); } @@ -165,7 +173,7 @@ } - if (isset($_GET['move'])) { + if (isset($_GET['move']) and confirm_sesskey()) { require_variable($id); @@ -188,7 +196,7 @@ } exit; - } else if (isset($_GET['movetosection']) or isset($_GET['moveto'])) { + } else if ((isset($_GET['movetosection']) or isset($_GET['moveto'])) and confirm_sesskey()) { if (! $cm = get_record("course_modules", "id", $USER->activitycopy)) { error("The copied course module doesn't exist!"); @@ -231,7 +239,7 @@ redirect("view.php?id=$section->course"); } - } else if (isset($_GET['indent'])) { + } else if (isset($_GET['indent']) and confirm_sesskey()) { require_variable($id); @@ -256,7 +264,7 @@ } exit; - } else if (isset($_GET['hide'])) { + } else if (isset($_GET['hide']) and confirm_sesskey()) { if (! $cm = get_record("course_modules", "id", $_GET['hide'])) { error("This course module doesn't exist"); @@ -277,7 +285,7 @@ } exit; - } else if (isset($_GET['show'])) { + } else if (isset($_GET['show']) and confirm_sesskey()) { if (! $cm = get_record("course_modules", "id", $_GET['show'])) { error("This course module doesn't exist"); @@ -307,7 +315,7 @@ } exit; - } else if (isset($_GET['groupmode'])) { + } else if (isset($_GET['groupmode']) and confirm_sesskey()) { if (! $cm = get_record("course_modules", "id", $_GET['id'])) { error("This course module doesn't exist"); 
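Review bot: The POST check at the top of this hunk verifies a value the server itself stored (`$SESSION->sesskey`, written when an edit form was rendered) rather than anything carried by the submitted request, so it proves only that this session rendered a form since the last POST, not that this POST came from that form. Between rendering a form and submitting it the session accepts any cross-site POST to mod.php, and because the key is unset after the first successful check, a user with two edit forms open in separate tabs gets `confirmsesskeybad` on the second submission. The stronger and simpler shape is the one the GET branches already use: carry the key as a hidden `sesskey` field in the form and call `confirm_sesskey()` on the posted value, `if (!confirm_sesskey()) { error(get_string('confirmsesskeybad', 'error')); }`, provided the module form templates can be given that field (they are not part of this patch). The comment `//It caller is correct` presumably means `//If caller is correct`. The enclosing if block continues outside the hunk.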
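Review bot: In this hunk and in every later GET branch (-188 through -522) a missing or wrong sesskey simply makes the condition false, so the request drops silently through to the next `else if` and to whatever the tail of the chain does, instead of failing with an explicit error as the POST branch does; the user sees nothing, and in the logs a forged request is indistinguishable from a malformed one. Checking inside the branch, `if (isset($_GET['move'])) { if (!confirm_sesskey()) { error(get_string('confirmsesskeybad', 'error')); } ...`, keeps the dispatch readable and makes a failed check visible, which is also what makes such attempts detectable. Whether the end of the chain already errors on an unmatched request is not visible here; the chain starts before the first hunk and ends after the last.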
@@ -328,7 +336,7 @@ } exit; - } else if (isset($_GET['copy'])) { // value = course module + } else if (isset($_GET['copy']) and confirm_sesskey()) { // value = course module if (! $cm = get_record("course_modules", "id", $_GET['copy'])) { error("This course module doesn't exist"); @@ -356,7 +364,7 @@ redirect("view.php?id=$cm->course"); - } else if (isset($_GET['cancelcopy'])) { // value = course module + } else if (isset($_GET['cancelcopy']) and confirm_sesskey()) { // value = course module $courseid = $USER->activitycopycourse; @@ -366,7 +374,7 @@ redirect("view.php?id=$courseid"); - } else if (isset($_GET['delete'])) { // value = course module + } else if (isset($_GET['delete']) and confirm_sesskey()) { // value = course module if (! $cm = get_record("course_modules", "id", $_GET['delete'])) { error("This course module doesn't exist"); @@ -405,6 +413,7 @@ $form->modulename = $module->name; $form->fullmodulename = $fullmodulename; $form->instancename = $instance->name; + $SESSION->sesskey = !empty($USER->id) ? $USER->sesskey : ''; $strdeletecheck = get_string("deletecheck", "", "$form->fullmodulename"); $strdeletecheckfull = get_string("deletecheckfull", "", "$form->fullmodulename '$form->instancename'"); @@ -421,7 +430,7 @@ exit; - } else if (isset($_GET['update'])) { // value = course module + } else if (isset($_GET['update']) and confirm_sesskey()) { // value = course module if (! $cm = get_record("course_modules", "id", $_GET['update'])) { error("This course module doesn't exist"); @@ -458,6 +467,7 @@ $form->modulename = $module->name; $form->instance = $cm->instance; $form->mode = "update"; + $SESSION->sesskey = !empty($USER->id) ? $USER->sesskey : ''; $sectionname = get_string("name$course->format"); $fullmodulename = strtolower(get_string("modulename", $module->name)); 
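Review bot: The line `$SESSION->sesskey = !empty($USER->id) ? $USER->sesskey : '';` is repeated verbatim in four branches (here at -405 and again at -458, -509 and -547) and nothing next to it says what consumes it; a comment at the first occurrence, `// consumed and cleared by the POST handler at the top of this file`, or a small helper wrapping the assignment, would make the pairing with the unset in the POST branch visible. Storing `''` when there is no user relies on `empty()` in the POST check to deny the request; if the intent is "no key for anonymous users", leaving the property unset reads more directly. The delete branch continues outside the hunk.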
@@ -470,7 +480,7 @@ $pageheading = get_string("updatinga", "moodle", $fullmodulename); } - } else if (isset($_GET['duplicate'])) { // value = course module + } else if (isset($_GET['duplicate']) and confirm_sesskey()) { // value = course module if (! $cm = get_record("course_modules", "id", $_GET['duplicate'])) { error("This course module doesn't exist"); @@ -509,6 +519,7 @@ $form->modulename = $module->name; $form->instance = $cm->instance; $form->mode = "add"; + $SESSION->sesskey = !empty($USER->id) ? $USER->sesskey : ''; $sectionname = get_string("name$course->format"); $fullmodulename = strtolower(get_string("modulename", $module->name)); @@ -522,7 +533,7 @@ } - } else if (isset($_GET['add'])) { + } else if (isset($_GET['add']) and confirm_sesskey()) { if (empty($_GET['add'])) { redirect($_SERVER["HTTP_REFERER"]); @@ -547,6 +558,7 @@ $form->instance = ""; $form->coursemodule = ""; $form->mode = "add"; + $SESSION->sesskey = !empty($USER->id) ? $USER->sesskey : ''; if (isset($_GET['type'])) { $form->type = $_GET['type']; } -- 2.39.5