From 929423768bc5e3ffa83c52d05839dd214f4f559a Mon Sep 17 00:00:00 2001
From: Petr Skoda
Date: Sat, 21 Nov 2009 16:29:33 +0000
Subject: [PATCH] MDL-20925 fixed input validation and course ajax now fully respects the disable course ajax option
---
 course/rest.php | 7 +++++++
 lib/ajax/ajaxcourse.js | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/course/rest.php b/course/rest.php
index 7f072e7be0..779f4ed825 100644
--- a/course/rest.php
+++ b/course/rest.php
@@ -53,6 +53,13 @@ $context = get_context_instance(CONTEXT_COURSE, $course->id);
 require_login($course);
 require_capability('moodle/course:update', $context);
+if (!empty($CFG->disablecourseajax)) {
+ errorl_log('Course AJAX not allowed');
+ die;
+}
+
+require_sesskey();
+
 // OK, now let's process the parameters and do stuff
 // MDL-10221 the DELETE method is not allowed on some web servers, so we simulate it with the action URL param
 $requestmethod = $_SERVER['REQUEST_METHOD'];
diff --git a/lib/ajax/ajaxcourse.js b/lib/ajax/ajaxcourse.js
index 489da2c95f..47280bd04b 100644
--- a/lib/ajax/ajaxcourse.js
+++ b/lib/ajax/ajaxcourse.js
@@ -218,7 +218,7 @@ main_class.prototype.connect = function(method, urlStub, callback, body) {
 callback = {};
 }
 }
- return YAHOO.util.Connect.asyncRequest(method, this.portal.strings['wwwroot']+"/course/rest.php?courseId="+main.portal.id+"&"+urlStub, callback, body);
+ return YAHOO.util.Connect.asyncRequest(method, this.portal.strings['wwwroot']+"/course/rest.php?courseId="+main.portal.id+"&sesskey="+this.portal.strings['sesskey']+"&"+urlStub, callback, body);
 }
--
2.39.5
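Review bot: The added kill-switch branch in course/rest.php calls `errorl_log('Course AJAX not allowed');`, which looks like a typo for PHP's `error_log()`. With `$CFG->disablecourseajax` set, PHP would stop on an undefined-function fatal error instead of reaching `die`, so the request is still refused but the intended log entry is never written and, where error display is enabled, the fatal error text goes into the AJAX response. The line should read `error_log('Course AJAX not allowed');`. Since the caller is an XHR callback, sending an explicit 403 status before `die` would also let the client tell a refusal from an empty success; how ajaxcourse.js handles failures is not visible here.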
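Review bot: The new `"&sesskey="+this.portal.strings['sesskey']` in lib/ajax/ajaxcourse.js puts the session key in the query string for every method, so it is recorded wherever request URLs are logged (web server access logs, proxies); for requests that carry a `body` it could be sent there instead, provided the server-side check also reads POST parameters, which this patch does not show. The value is concatenated without `encodeURIComponent()`, and the hunk does not show where `strings['sesskey']` is populated; if it is missing, the URL carries `sesskey=undefined` and every call fails the new `require_sesskey()` check. The expression also mixes `this.portal` and `main.portal`, and using one consistently would be clearer. `connect` starts above this hunk.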