diff --git a/badges/alignment_action.php b/badges/alignment_action.php
index a3815469f3d..8cad2284ead 100644
--- a/badges/alignment_action.php
+++ b/badges/alignment_action.php
@@ -25,9 +25,9 @@
 require_once(__DIR__ . '/../config.php');
 require_once($CFG->libdir . '/badgeslib.php');
-$alignmentid = required_param('alignmentid', PARAM_INT); // Related badge ID.
+$alignmentid = required_param('alignmentid', PARAM_INT); // Alignment ID.
 $badgeid = required_param('id', PARAM_INT); // Badge ID.
-$action = optional_param('action', 'remove', PARAM_TEXT); // Remove.
+$action = optional_param('action', 'remove', PARAM_TEXT); // Action to perform.
 require_login();
 $return = new moodle_url('/badges/alignment.php', array('id' => $badgeid));
@@ -36,6 +36,8 @@ $context = $badge->get_context();
 require_capability('moodle/badges:configuredetails', $context);
 if ($action == 'remove') {
+ require_sesskey();
 $badge->delete_alignment($alignmentid);
 }
+
 redirect($return);
diff --git a/badges/renderer.php b/badges/renderer.php
index 80bea0c31b1..404bb6f100f 100644
--- a/badges/renderer.php
+++ b/badges/renderer.php
@@ -1062,13 +1062,14 @@ class core_badges_renderer extends plugin_renderer_base {
 );
 if (!$currentbadge->is_active() && !$currentbadge->is_locked()) {
 $delete = $this->output->action_icon(
- new moodle_url('alignment_action.php',
- array(
- 'id' => $currentbadge->id,
- 'alignmentid' => $item->id,
- 'action' => 'remove'
- )
- ), new pix_icon('t/delete', get_string('delete')));
+ new moodle_url('/badges/alignment_action.php', [
+ 'id' => $currentbadge->id,
+ 'alignmentid' => $item->id,
+ 'sesskey' => sesskey(),
+ 'action' => 'remove'
+ ]),
+ new pix_icon('t/delete', get_string('delete'))
+ );
 $edit = $this->output->action_icon(
 new moodle_url('alignment.php',
 array(
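Review bot: In badges/alignment_action.php (hunk at line 36) the `remove` branch does not repeat the state check the renderer applies before it shows the delete icon, `!$currentbadge->is_active() && !$currentbadge->is_locked()`. A direct request with a valid sesskey can therefore still reach `delete_alignment()` for an active or locked badge, unless that method refuses internally, which is not visible here. Guarding the branch server-side would close that gap, e.g. `if ($action === 'remove' && !$badge->is_active() && !$badge->is_locked()) {`. It is also worth confirming that `delete_alignment()` limits the delete to rows belonging to this badge, because `alignmentid` arrives independently of `id` and the capability is checked only against the badge's context. The badge construction lines sit outside the hunk.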
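Review bot: In badges/renderer.php (hunk at line 1062) the delete icon now puts `sesskey` in the query string of a plain GET link, so the token lands in browser history and web-server access logs, and the deletion still fires on a single click with no confirmation. Passing a confirmation action as the third argument of `action_icon()`, or rendering the delete as a POST button, would keep the destructive step behind an explicit user action. As a style point, the new call uses an absolute path and short array syntax while the `$edit` link just below still uses the relative `'alignment.php'` and `array(`; bringing the edit link in line, `new moodle_url('/badges/alignment.php', [`, would keep the two consistent. The enclosing method starts and ends outside the hunk.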