From 30e419078fcc9e8a65fc592494a96c7aa2a079de Mon Sep 17 00:00:00 2001
From: Paul Holden
Date: Mon, 20 Feb 2023 12:41:18 +0000
Subject: [PATCH] MDL-77320 tool_licensemanager: restrict exposure of user sesskey.
---
 admin/tool/licensemanager/classes/helper.php | 25 ++++---------------
 admin/tool/licensemanager/classes/manager.php | 19 +++++++-------
 admin/tool/licensemanager/index.php | 6 -----
 3 files changed, 14 insertions(+), 36 deletions(-)
diff --git a/admin/tool/licensemanager/classes/helper.php b/admin/tool/licensemanager/classes/helper.php
index b71a9aac185..fbc67f61bfd 100644
--- a/admin/tool/licensemanager/classes/helper.php
+++ b/admin/tool/licensemanager/classes/helper.php
@@ -14,19 +14,11 @@
 // You should have received a copy of the GNU General Public License
 // along with Moodle. If not, see .
-/**
- * License manager helper class.
- *
- * @package tool_licensemanager
- * @copyright 2019 Tom Dickman
- * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
- */
 namespace tool_licensemanager;
 use moodle_url;
-defined('MOODLE_INTERNAL') || die();
 /**
  * License manager helper class.
@@ -48,12 +40,7 @@ class helper {
 * @return \moodle_url
 */
 public static function get_licensemanager_url() : moodle_url {
- global $CFG;
-
- $url = new moodle_url($CFG->wwwroot . self::MANAGER_PATH,
- ['sesskey' => sesskey()]);
-
- return $url;
+ return new moodle_url(self::MANAGER_PATH);
 }
 /**
@@ -90,9 +77,8 @@ class helper {
 * @return \moodle_url
 */
 public static function get_create_license_url() : moodle_url {
- $url = new moodle_url(self::MANAGER_PATH,
- ['action' => manager::ACTION_CREATE, 'sesskey' => sesskey()]);
-
+ $url = self::get_licensemanager_url();
+ $url->params(['action' => manager::ACTION_CREATE]);
 return $url;
 }
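Review bot: The `@return \moodle_url` docblock above get_licensemanager_url() (hunk @@ -48,12 +40,7) does not record that the returned URL no longer carries a sesskey, which is exactly the property every caller that builds a state-changing link now depends on; the head of that docblock is outside the hunk. I would add to the method description: `Note: the returned URL deliberately carries no sesskey, so it is safe to display and share; links for actions that change state must add the sesskey themselves, as the manager calls require_sesskey() for those actions.` get_create_license_url() and get_update_license_url() (hunks @@ -90,9 +77,8 and @@ -104,9 +90,8) now compose on this method and presumably rely on the edit form to carry its own sesskey on submission, which is not visible here and is worth a one-line remark in each of their docblocks so the omission is not read as an oversight.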
@@ -104,9 +90,8 @@ class helper {
 * @return \moodle_url
 */
 public static function get_update_license_url(string $licenseshortname) : moodle_url {
- $url = new moodle_url(self::MANAGER_PATH,
- ['action' => manager::ACTION_UPDATE, 'license' => $licenseshortname, 'sesskey' => sesskey()]);
-
+ $url = self::get_licensemanager_url();
+ $url->params(['action' => manager::ACTION_UPDATE, 'license' => $licenseshortname]);
 return $url;
 }
diff --git a/admin/tool/licensemanager/classes/manager.php b/admin/tool/licensemanager/classes/manager.php
index 85d37544cf5..e7cbcc7c439 100644
--- a/admin/tool/licensemanager/classes/manager.php
+++ b/admin/tool/licensemanager/classes/manager.php
@@ -14,22 +14,12 @@
 // You should have received a copy of the GNU General Public License
 // along with Moodle. If not, see .
-/**
- * License manager.
- *
- * @package tool_licensemanager
- * @copyright 2019 Tom Dickman
- * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
- */
-
 namespace tool_licensemanager;
 use tool_licensemanager\form\edit_license;
 use license_manager;
 use stdClass;
-defined('MOODLE_INTERNAL') || die();
-
 /**
  * License manager, main controller for tool_licensemanager.
  *
@@ -95,18 +85,25 @@ class manager {
 }
 $viewmanager = true;
+ $redirect = helper::get_licensemanager_url();
 switch ($action) {
 case self::ACTION_DISABLE:
+ require_sesskey();
 license_manager::disable($license);
+ redirect($redirect);
 break;
 case self::ACTION_ENABLE:
+ require_sesskey();
 license_manager::enable($license);
+ redirect($redirect);
 break;
 case self::ACTION_DELETE:
+ require_sesskey();
 license_manager::delete($license);
+ redirect($redirect);
 break;
 case self::ACTION_CREATE:
@@ -116,7 +113,9 @@ class manager {
 case self::ACTION_MOVE_UP:
 case self::ACTION_MOVE_DOWN:
+ require_sesskey();
 $this->change_license_order($action, $license);
+ redirect($redirect);
 break;
 case self::ACTION_VIEW_LICENSE_MANAGER:
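Review bot: With the blanket confirm_sesskey() gate removed from index.php, the only actions protected in hunk @@ -95,18 +85,25 are DISABLE, ENABLE and DELETE (plus MOVE_UP/MOVE_DOWN in hunk @@ -116,7 +113,9); ACTION_CREATE and ACTION_UPDATE fall outside the hunk, so the path that actually saves a license should be checked to confirm it still validates the sesskey on submission — presumably through the edit_license form's own sesskey handling, but that is not visible here. A comment on the new `$redirect` line would record the intent for whoever adds the next case: `// Every action that changes state checks the sesskey first and ends in a redirect, so a refresh or a bookmarked URL cannot replay it.` The `break;` left after each `redirect($redirect);` is unreachable if redirect() terminates the request as it does elsewhere in Moodle, and could be dropped for clarity. The enclosing method starts and ends outside the hunk.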
diff --git a/admin/tool/licensemanager/index.php b/admin/tool/licensemanager/index.php
index 123dd9db6e0..4c287337ebe 100644
--- a/admin/tool/licensemanager/index.php
+++ b/admin/tool/licensemanager/index.php
@@ -28,15 +28,9 @@
 require_once($CFG->libdir . '/licenselib.php');
 require_admin();
-$returnurl = \tool_licensemanager\helper::get_licensemanager_url();
-
 $action = optional_param('action', '', PARAM_ALPHANUMEXT);
 $license = optional_param('license', '', PARAM_SAFEDIR);
-if (!confirm_sesskey()) {
- redirect($returnurl);
-}
-
 // Route via the manager.
 $licensemanager = new \tool_licensemanager\manager();
 $PAGE->set_context(context_system::instance());
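Review bot: The removal of the page-level sesskey check is silent in the new code, and the `// Route via the manager.` line is where a reader would look for the reason; I would extend it to `// Route via the manager; state-changing actions call require_sesskey() there, so no blanket sesskey check is needed for the read-only views.` so that a future action added to the manager's switch is not assumed to be covered by this page. Note the behavioural change for stale links: the old code redirected quietly on a bad sesskey, whereas require_sesskey() raises an exception, so such requests now reach an error page instead of the manager — acceptable, but worth a sentence in the commit description.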