MDL-72367 badges: require sesskey to remove badge alignment.

badges/alignment_action.php

@@ -25,9 +25,9 @@
 require_once(__DIR__ . '/../config.php');
 require_once($CFG->libdir . '/badgeslib.php');
 
-$alignmentid = required_param('alignmentid', PARAM_INT); // Related badge ID.
+$alignmentid = required_param('alignmentid', PARAM_INT); // Alignment ID.
 $badgeid = required_param('id', PARAM_INT); // Badge ID.
-$action = optional_param('action', 'remove', PARAM_TEXT); // Remove.
+$action = optional_param('action', 'remove', PARAM_TEXT); // Action to perform.
 
 require_login();
 $return = new moodle_url('/badges/alignment.php', array('id' => $badgeid));
@@ -36,6 +36,8 @@ $context = $badge->get_context();
 require_capability('moodle/badges:configuredetails', $context);
 
 if ($action == 'remove') {
+    require_sesskey();
     $badge->delete_alignment($alignmentid);
 }
+
 redirect($return);

badges/renderer.php

@@ -1062,13 +1062,14 @@ class core_badges_renderer extends plugin_renderer_base {
             );
             if (!$currentbadge->is_active() && !$currentbadge->is_locked()) {
                 $delete = $this->output->action_icon(
-                    new moodle_url('alignment_action.php',
-                        array(
-                            'id' => $currentbadge->id,
-                            'alignmentid' => $item->id,
-                            'action' => 'remove'
-                        )
-                    ), new pix_icon('t/delete', get_string('delete')));
+                    new moodle_url('/badges/alignment_action.php', [
+                        'id' => $currentbadge->id,
+                        'alignmentid' => $item->id,
+                        'sesskey' => sesskey(),
+                        'action' => 'remove'
+                    ]),
+                    new pix_icon('t/delete', get_string('delete'))
+                );
                 $edit = $this->output->action_icon(
                     new moodle_url('alignment.php',
                         array(