course/mod.php is using sesskey.
Merged from MOODLE_14_STABLE
This commit is contained in:
parent
d99ceac20f
commit
8b92f5bb7d
@ -54,7 +54,7 @@ class CourseBlock_site_main_menu extends MoodleBlock {
|
||||
|
||||
if ($ismoving) {
|
||||
$this->content->icons[] = ' <img align="bottom" src="'.$CFG->pixpath.'/t/move.gif" height="11" width="11" alt="" />';
|
||||
$this->content->items[] = $USER->activitycopyname.' (<a href="'.$CFG->wwwroot.'/course/mod.php?cancelcopy=true">'.$strcancel.'</a>)';
|
||||
$this->content->items[] = $USER->activitycopyname.' (<a href="'.$CFG->wwwroot.'/course/mod.php?cancelcopy=true&sesskey='.$USER->sesskey.'">'.$strcancel.'</a>)';
|
||||
}
|
||||
|
||||
if (!empty($section->sequence)) {
|
||||
@ -82,7 +82,7 @@ class CourseBlock_site_main_menu extends MoodleBlock {
|
||||
if ($mod->id == $USER->activitycopy) {
|
||||
continue;
|
||||
}
|
||||
$this->content->items[] = '<a title="'.$strmovefull.'" href="'.$CFG->wwwroot.'/course/mod.php?moveto='.$mod->id.'">'.
|
||||
$this->content->items[] = '<a title="'.$strmovefull.'" href="'.$CFG->wwwroot.'/course/mod.php?moveto='.$mod->id.'&sesskey='.$USER->sesskey.'">'.
|
||||
'<img height="16" width="80" src="'.$CFG->pixpath.'/movehere.gif" alt="'.$strmovehere.'" border="0" /></a>';
|
||||
$this->content->icons[] = '';
|
||||
}
|
||||
@ -115,7 +115,7 @@ class CourseBlock_site_main_menu extends MoodleBlock {
|
||||
}
|
||||
|
||||
if ($ismoving) {
|
||||
$this->content->items[] = '<a title="'.$strmovefull.'" href="'.$CFG->wwwroot.'/course/mod.php?movetosection='.$section->id.'">'.
|
||||
$this->content->items[] = '<a title="'.$strmovefull.'" href="'.$CFG->wwwroot.'/course/mod.php?movetosection='.$section->id.'&sesskey='.$USER->sesskey.'">'.
|
||||
'<img height="16" width="80" src="'.$CFG->pixpath.'/movehere.gif" alt="'.$strmovehere.'" border="0" /></a>';
|
||||
$this->content->icons[] = '';
|
||||
}
|
||||
|
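Review bot: The `&sesskey=` spliced into the href on the new lines (L25, L51 and L77) is a raw `&` inside an HTML attribute value, where it should be written `&amp;`, e.g. `'/course/mod.php?cancelcopy=true&amp;sesskey='.$USER->sesskey.'">'`; the same pattern is introduced by the topics and weeks format hunks below. These lines also assume `$USER->sesskey` is populated for whoever reaches the `$ismoving` branch; if the block can be rendered for a session without one, the link carries an empty token and the `confirm_sesskey()` guard now in mod.php will refuse it. The enclosing method of CourseBlock_site_main_menu starts and ends outside these hunks.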
@ -84,7 +84,7 @@
|
||||
echo "<tr>";
|
||||
echo "<td colspan=\"3\" valign=\"top\" bgcolor=\"$THEME->cellcontent\" class=\"topicoutlineclip\" width=\"100%\">";
|
||||
echo "<p><font size=\"2\">";
|
||||
echo "$stractivityclipboard (<a href=\"mod.php?cancelcopy=true\">$strcancel</a>)";
|
||||
echo "$stractivityclipboard (<a href=\"mod.php?cancelcopy=true&sesskey=$USER->sesskey\">$strcancel</a>)";
|
||||
echo "</font></p>";
|
||||
echo "</td>";
|
||||
echo "</tr>";
|
||||
|
@ -74,7 +74,7 @@
|
||||
echo "<tr>";
|
||||
echo "<td colspan=\"3\" valign=\"top\" bgcolor=\"$THEME->cellcontent\" class=\"weeklyoutlineclip\" width=\"100%\">";
|
||||
echo "<p><font size=\"2\">";
|
||||
echo "$stractivityclipboard (<a href=\"mod.php?cancelcopy=true\">$strcancel</a>)";
|
||||
echo "$stractivityclipboard (<a href=\"mod.php?cancelcopy=true&sesskey=$USER->sesskey\">$strcancel</a>)";
|
||||
echo "</font></p>";
|
||||
echo "</td>";
|
||||
echo "</tr>";
|
||||
|
@ -904,7 +904,7 @@ function print_section($course, $section, $mods, $modnamesused, $absolute=false,
|
||||
continue;
|
||||
}
|
||||
echo '<a title="'.$strmovefull.'"'.
|
||||
' href="'.$CFG->wwwroot.'/course/mod.php?moveto='.$mod->id.'">'.
|
||||
' href="'.$CFG->wwwroot.'/course/mod.php?moveto='.$mod->id.'&sesskey='.$USER->sesskey.'">'.
|
||||
'<img height="16" width="80" src="'.$CFG->pixpath.'/movehere.gif" '.
|
||||
' alt="'.$strmovehere.'" border="0" /></a><br />
|
||||
';
|
||||
@ -968,7 +968,7 @@ function print_section($course, $section, $mods, $modnamesused, $absolute=false,
|
||||
}
|
||||
if ($ismoving) {
|
||||
echo '<tr><td><a title="'.$strmovefull.'"'.
|
||||
' href="'.$CFG->wwwroot.'/course/mod.php?movetosection='.$section->id.'">'.
|
||||
' href="'.$CFG->wwwroot.'/course/mod.php?movetosection='.$section->id.'&sesskey='.$USER->sesskey.'">'.
|
||||
'<img height="16" width="80" src="'.$CFG->pixpath.'/movehere.gif" '.
|
||||
' alt="'.$strmovehere.'" border="0" /></a></td></tr>
|
||||
';
|
||||
@ -980,7 +980,7 @@ function print_section($course, $section, $mods, $modnamesused, $absolute=false,
|
||||
function print_section_add_menus($course, $section, $modnames, $vertical=false, $return=false) {
|
||||
// Prints the menus to add activities and resources
|
||||
|
||||
global $CFG;
|
||||
global $CFG, $USER;
|
||||
static $straddactivity, $stractivities, $straddresource, $resources;
|
||||
|
||||
if (!isset($straddactivity)) {
|
||||
@ -1000,7 +1000,7 @@ function print_section_add_menus($course, $section, $modnames, $vertical=false,
|
||||
$output = '';
|
||||
|
||||
$output .= '<div align="right"><table align="right"><tr><td>';
|
||||
$output .= popup_form("$CFG->wwwroot/course/mod.php?id=$course->id&section=$section&add=",
|
||||
$output .= popup_form("$CFG->wwwroot/course/mod.php?id=$course->id&section=$section&sesskey=$USER->sesskey&add=",
|
||||
$resources, "ressection$section", "", $straddresource, 'resource/types', $straddresource, true);
|
||||
$output .= '</td>';
|
||||
|
||||
@ -1009,7 +1009,7 @@ function print_section_add_menus($course, $section, $modnames, $vertical=false,
|
||||
}
|
||||
|
||||
$output .= '<td>';
|
||||
$output .= popup_form("$CFG->wwwroot/course/mod.php?id=$course->id&section=$section&add=",
|
||||
$output .= popup_form("$CFG->wwwroot/course/mod.php?id=$course->id&section=$section&sesskey=$USER->sesskey&add=",
|
||||
$modnames, "section$section", "", $straddactivity, 'mods', $straddactivity, true);
|
||||
$output .= '</td></tr></table>';
|
||||
$output .= '</div>';
|
||||
@ -1663,7 +1663,7 @@ function move_module($cm, $move) {
|
||||
}
|
||||
|
||||
function make_editing_buttons($mod, $absolute=false, $moveselect=true, $indent=-1) {
|
||||
global $CFG, $THEME;
|
||||
global $CFG, $THEME, $USER;
|
||||
|
||||
static $str;
|
||||
|
||||
@ -1698,10 +1698,10 @@ function make_editing_buttons($mod, $absolute=false, $moveselect=true, $indent=-
|
||||
}
|
||||
|
||||
if ($mod->visible) {
|
||||
$hideshow = "<a title=\"$str->hide\" href=\"$path/mod.php?hide=$mod->id\"><img".
|
||||
$hideshow = "<a title=\"$str->hide\" href=\"$path/mod.php?hide=$mod->id&sesskey=$USER->sesskey\"><img".
|
||||
" src=\"$pixpath/t/hide.gif\" hspace=\"2\" height=\"11\" width=\"11\" border=\"0\" alt=\"$str->hide\" /></a> ";
|
||||
} else {
|
||||
$hideshow = "<a title=\"$str->show\" href=\"$path/mod.php?show=$mod->id\"><img".
|
||||
$hideshow = "<a title=\"$str->show\" href=\"$path/mod.php?show=$mod->id&sesskey=$USER->sesskey\"><img".
|
||||
" src=\"$pixpath/t/show.gif\" hspace=\"2\" height=\"11\" width=\"11\" ".
|
||||
"border=\"0\" alt=\"$str->show\" /></a> ";
|
||||
}
|
||||
@ -1709,15 +1709,15 @@ function make_editing_buttons($mod, $absolute=false, $moveselect=true, $indent=-
|
||||
if ($mod->groupmode == SEPARATEGROUPS) {
|
||||
$grouptitle = $str->groupsseparate;
|
||||
$groupimage = "$pixpath/t/groups.gif";
|
||||
$grouplink = "$path/mod.php?id=$mod->id&groupmode=0";
|
||||
$grouplink = "$path/mod.php?id=$mod->id&groupmode=0&sesskey=$USER->sesskey";
|
||||
} else if ($mod->groupmode == VISIBLEGROUPS) {
|
||||
$grouptitle = $str->groupsvisible;
|
||||
$groupimage = "$pixpath/t/groupv.gif";
|
||||
$grouplink = "$path/mod.php?id=$mod->id&groupmode=1";
|
||||
$grouplink = "$path/mod.php?id=$mod->id&groupmode=1&sesskey=$USER->sesskey";
|
||||
} else {
|
||||
$grouptitle = $str->groupsnone;
|
||||
$groupimage = "$pixpath/t/groupn.gif";
|
||||
$grouplink = "$path/mod.php?id=$mod->id&groupmode=2";
|
||||
$grouplink = "$path/mod.php?id=$mod->id&groupmode=2&sesskey=$USER->sesskey";
|
||||
}
|
||||
if ($mod->groupmodelink) {
|
||||
$groupmode = "<a title=\"$grouptitle ($str->clicktochange)\" href=\"$grouplink\">".
|
||||
@ -1733,37 +1733,37 @@ function make_editing_buttons($mod, $absolute=false, $moveselect=true, $indent=-
|
||||
}
|
||||
|
||||
if ($moveselect) {
|
||||
$move = "<a title=\"$str->move\" href=\"$path/mod.php?copy=$mod->id\"><img".
|
||||
$move = "<a title=\"$str->move\" href=\"$path/mod.php?copy=$mod->id&sesskey=$USER->sesskey\"><img".
|
||||
" src=\"$pixpath/t/move.gif\" hspace=\"2\" height=\"11\" width=\"11\" ".
|
||||
" border=\"0\" alt=\"$str->move\" /></a>";
|
||||
} else {
|
||||
$move = "<a title=\"$str->moveup\" href=\"$path/mod.php?id=$mod->id&move=-1\"><img".
|
||||
$move = "<a title=\"$str->moveup\" href=\"$path/mod.php?id=$mod->id&move=-1&sesskey=$USER->sesskey\"><img".
|
||||
" src=\"$pixpath/t/up.gif\" hspace=\"2\" height=\"11\" width=\"11\" ".
|
||||
" border=\"0\" alt=\"$str->moveup\" /></a>".
|
||||
"<a title=\"$str->movedown\" href=\"$path/mod.php?id=$mod->id&move=1\"><img".
|
||||
"<a title=\"$str->movedown\" href=\"$path/mod.php?id=$mod->id&move=1&sesskey=$USER->sesskey\"><img".
|
||||
" src=\"$pixpath/t/down.gif\" hspace=\"2\" height=\"11\" width=\"11\" ".
|
||||
" border=\"0\" alt=\"$str->movedown\" /></a>";
|
||||
}
|
||||
|
||||
$leftright = "";
|
||||
if ($indent > 0) {
|
||||
$leftright .= "<a title=\"$str->moveleft\" href=\"$path/mod.php?id=$mod->id&indent=-1\"><img".
|
||||
$leftright .= "<a title=\"$str->moveleft\" href=\"$path/mod.php?id=$mod->id&indent=-1&sesskey=$USER->sesskey\"><img".
|
||||
" src=\"$pixpath/t/left.gif\" hspace=\"2\" height=\"11\" width=\"11\" ".
|
||||
" border=\"0\" alt=\"$str->moveleft\" /></a>";
|
||||
}
|
||||
if ($indent >= 0) {
|
||||
$leftright .= "<a title=\"$str->moveright\" href=\"$path/mod.php?id=$mod->id&indent=1\"><img".
|
||||
$leftright .= "<a title=\"$str->moveright\" href=\"$path/mod.php?id=$mod->id&indent=1&sesskey=$USER->sesskey\"><img".
|
||||
" src=\"$pixpath/t/right.gif\" hspace=\"2\" height=\"11\" width=\"11\" ".
|
||||
" border=\"0\" alt=\"$str->moveright\" /></a>";
|
||||
}
|
||||
|
||||
return "$leftright$move".
|
||||
"<a title=\"$str->update\" href=\"$path/mod.php?update=$mod->id\"><img".
|
||||
"<a title=\"$str->update\" href=\"$path/mod.php?update=$mod->id&sesskey=$USER->sesskey\"><img".
|
||||
" src=\"$pixpath/t/edit.gif\" hspace=\"2\" height=\"11\" width=\"11\" border=\"0\" ".
|
||||
" alt=\"$str->update\" /></a>".
|
||||
// Following line is commented out until this feature is more definite -- martin
|
||||
// "<a title=\"$str->duplicate\" href=\"$path/mod.php?duplicate=$mod->id\"> 2 </a>".
|
||||
"<a title=\"$str->delete\" href=\"$path/mod.php?delete=$mod->id\"><img".
|
||||
// "<a title=\"$str->duplicate\" href=\"$path/mod.php?duplicate=$mod->id&sesskey=$USER->sesskey\"> 2 </a>".
|
||||
"<a title=\"$str->delete\" href=\"$path/mod.php?delete=$mod->id&sesskey=$USER->sesskey\"><img".
|
||||
" src=\"$pixpath/t/delete.gif\" hspace=\"2\" height=\"11\" width=\"11\" border=\"0\" ".
|
||||
" alt=\"$str->delete\" /></a>$hideshow$groupmode";
|
||||
}
|
||||
|
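Review bot: make_editing_buttons now embeds the per-session token in plain GET links that perform state changes (L314, L326, L409, L424, L436, L497, L518 and the group/indent links), so the token is exposed in browser history, proxy and server access logs, and the Referer header of any off-site link on the resulting page; a leaked token defeats the CSRF protection this commit adds for as long as the session lives. Where a confirmation page already exists (delete, update) the token belongs in a hidden field of a POST form, and for the one-click actions a small POST form per button is the safer shape even if it costs some markup. As a point of style, the same `&sesskey=$USER->sesskey` suffix is repeated on eleven lines of one function; assigning it once near the top of the function, `$sesskey = "&sesskey=$USER->sesskey";`, keeps the parameter name in one place. make_editing_buttons and print_section both start outside these hunks.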
@ -27,6 +27,14 @@
|
||||
|
||||
if (isset($_POST["course"])) { // add or update form submitted
|
||||
|
||||
//It caller is correct, $SESSION->sesskey must exist and coincide
|
||||
if (empty($SESSION->sesskey) or !confirm_sesskey($SESSION->sesskey)) {
|
||||
error(get_string('confirmsesskeybad', 'error'));
|
||||
}
|
||||
|
||||
//Unset this, check done
|
||||
unset($SESSION->sesskey);
|
||||
|
||||
if (!$course = get_record("course", "id", $mod->course)) {
|
||||
error("This course doesn't exist");
|
||||
}
|
||||
@ -165,7 +173,7 @@
|
||||
}
|
||||
|
||||
|
||||
if (isset($_GET['move'])) {
|
||||
if (isset($_GET['move']) and confirm_sesskey()) {
|
||||
|
||||
require_variable($id);
|
||||
|
||||
@ -188,7 +196,7 @@
|
||||
}
|
||||
exit;
|
||||
|
||||
} else if (isset($_GET['movetosection']) or isset($_GET['moveto'])) {
|
||||
} else if ((isset($_GET['movetosection']) or isset($_GET['moveto'])) and confirm_sesskey()) {
|
||||
|
||||
if (! $cm = get_record("course_modules", "id", $USER->activitycopy)) {
|
||||
error("The copied course module doesn't exist!");
|
||||
@ -231,7 +239,7 @@
|
||||
redirect("view.php?id=$section->course");
|
||||
}
|
||||
|
||||
} else if (isset($_GET['indent'])) {
|
||||
} else if (isset($_GET['indent']) and confirm_sesskey()) {
|
||||
|
||||
require_variable($id);
|
||||
|
||||
@ -256,7 +264,7 @@
|
||||
}
|
||||
exit;
|
||||
|
||||
} else if (isset($_GET['hide'])) {
|
||||
} else if (isset($_GET['hide']) and confirm_sesskey()) {
|
||||
|
||||
if (! $cm = get_record("course_modules", "id", $_GET['hide'])) {
|
||||
error("This course module doesn't exist");
|
||||
@ -277,7 +285,7 @@
|
||||
}
|
||||
exit;
|
||||
|
||||
} else if (isset($_GET['show'])) {
|
||||
} else if (isset($_GET['show']) and confirm_sesskey()) {
|
||||
|
||||
if (! $cm = get_record("course_modules", "id", $_GET['show'])) {
|
||||
error("This course module doesn't exist");
|
||||
@ -307,7 +315,7 @@
|
||||
}
|
||||
exit;
|
||||
|
||||
} else if (isset($_GET['groupmode'])) {
|
||||
} else if (isset($_GET['groupmode']) and confirm_sesskey()) {
|
||||
|
||||
if (! $cm = get_record("course_modules", "id", $_GET['id'])) {
|
||||
error("This course module doesn't exist");
|
||||
@ -328,7 +336,7 @@
|
||||
}
|
||||
exit;
|
||||
|
||||
} else if (isset($_GET['copy'])) { // value = course module
|
||||
} else if (isset($_GET['copy']) and confirm_sesskey()) { // value = course module
|
||||
|
||||
if (! $cm = get_record("course_modules", "id", $_GET['copy'])) {
|
||||
error("This course module doesn't exist");
|
||||
@ -356,7 +364,7 @@
|
||||
|
||||
redirect("view.php?id=$cm->course");
|
||||
|
||||
} else if (isset($_GET['cancelcopy'])) { // value = course module
|
||||
} else if (isset($_GET['cancelcopy']) and confirm_sesskey()) { // value = course module
|
||||
|
||||
$courseid = $USER->activitycopycourse;
|
||||
|
||||
@ -366,7 +374,7 @@
|
||||
|
||||
redirect("view.php?id=$courseid");
|
||||
|
||||
} else if (isset($_GET['delete'])) { // value = course module
|
||||
} else if (isset($_GET['delete']) and confirm_sesskey()) { // value = course module
|
||||
|
||||
if (! $cm = get_record("course_modules", "id", $_GET['delete'])) {
|
||||
error("This course module doesn't exist");
|
||||
@ -405,6 +413,7 @@
|
||||
$form->modulename = $module->name;
|
||||
$form->fullmodulename = $fullmodulename;
|
||||
$form->instancename = $instance->name;
|
||||
$SESSION->sesskey = !empty($USER->id) ? $USER->sesskey : '';
|
||||
|
||||
$strdeletecheck = get_string("deletecheck", "", "$form->fullmodulename");
|
||||
$strdeletecheckfull = get_string("deletecheckfull", "", "$form->fullmodulename '$form->instancename'");
|
||||
@ -421,7 +430,7 @@
|
||||
exit;
|
||||
|
||||
|
||||
} else if (isset($_GET['update'])) { // value = course module
|
||||
} else if (isset($_GET['update']) and confirm_sesskey()) { // value = course module
|
||||
|
||||
if (! $cm = get_record("course_modules", "id", $_GET['update'])) {
|
||||
error("This course module doesn't exist");
|
||||
@ -458,6 +467,7 @@
|
||||
$form->modulename = $module->name;
|
||||
$form->instance = $cm->instance;
|
||||
$form->mode = "update";
|
||||
$SESSION->sesskey = !empty($USER->id) ? $USER->sesskey : '';
|
||||
|
||||
$sectionname = get_string("name$course->format");
|
||||
$fullmodulename = strtolower(get_string("modulename", $module->name));
|
||||
@ -470,7 +480,7 @@
|
||||
$pageheading = get_string("updatinga", "moodle", $fullmodulename);
|
||||
}
|
||||
|
||||
} else if (isset($_GET['duplicate'])) { // value = course module
|
||||
} else if (isset($_GET['duplicate']) and confirm_sesskey()) { // value = course module
|
||||
|
||||
if (! $cm = get_record("course_modules", "id", $_GET['duplicate'])) {
|
||||
error("This course module doesn't exist");
|
||||
@ -509,6 +519,7 @@
|
||||
$form->modulename = $module->name;
|
||||
$form->instance = $cm->instance;
|
||||
$form->mode = "add";
|
||||
$SESSION->sesskey = !empty($USER->id) ? $USER->sesskey : '';
|
||||
|
||||
$sectionname = get_string("name$course->format");
|
||||
$fullmodulename = strtolower(get_string("modulename", $module->name));
|
||||
@ -522,7 +533,7 @@
|
||||
}
|
||||
|
||||
|
||||
} else if (isset($_GET['add'])) {
|
||||
} else if (isset($_GET['add']) and confirm_sesskey()) {
|
||||
|
||||
if (empty($_GET['add'])) {
|
||||
redirect($_SERVER["HTTP_REFERER"]);
|
||||
@ -547,6 +558,7 @@
|
||||
$form->instance = "";
|
||||
$form->coursemodule = "";
|
||||
$form->mode = "add";
|
||||
$SESSION->sesskey = !empty($USER->id) ? $USER->sesskey : '';
|
||||
if (isset($_GET['type'])) {
|
||||
$form->type = $_GET['type'];
|
||||
}
|
||||
|
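Review bot: The POST guard added at L544 never consults anything submitted with the form: it hands the server-side `$SESSION->sesskey` (stored at L803, L850, L898 and L945 when a form is rendered) to `confirm_sesskey()`, so if that helper compares its argument against `$USER->sesskey` the way its no-argument form does with the request parameter, the check only proves that some add/update form was rendered earlier in this session, not that this submission came from it. A forged POST sent while the user has any such form open would therefore pass, and the `unset` at L558 then clears the marker. The form should carry the token as a hidden field and the handler should read it from the request, `if (!confirm_sesskey()) { error(get_string('confirmsesskeybad', 'error')); }`, which also removes the need for the `$SESSION->sesskey` bookkeeping in the four form branches. Separately, the `and confirm_sesskey()` appended to each GET branch (L585 and every later else-if) makes a request with a bad token fall silently through the chain to whatever the final else does instead of reporting `confirmsesskeybad`; that chain starts and ends outside these hunks.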