KumiSystems/moodle-mod-customcert
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Added missing confirm_sesskey() checks

Browse source
This commit is contained in:
Mark Nelson 2017-09-02 14:01:13 +08:00
parent e087567b03
commit a7b14ab48d
4 changed files with 111 additions and 82 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
classes/edit_form.php
View file

@ -81,7 +81,14 @@ class edit_form extends \moodleform {
} }
// Link to add another page. // Link to add another page.
$addpagelink = new \moodle_url('/mod/customcert/edit.php', array('tid' => $this->tid, 'aid' => 1, 'action' => 'addpage')); $addpagelink = new \moodle_url('/mod/customcert/edit.php',
array(
'tid' => $this->tid,
'aid' => 1,
'action' => 'addpage',
'sesskey' => sesskey()
)
);
$icon = $OUTPUT->pix_icon('t/switch_plus', get_string('addcertpage', 'customcert')); $icon = $OUTPUT->pix_icon('t/switch_plus', get_string('addcertpage', 'customcert'));
$addpagehtml = \html_writer::link($addpagelink, $icon . get_string('addcertpage', 'customcert')); $addpagehtml = \html_writer::link($addpagelink, $icon . get_string('addcertpage', 'customcert'));
$mform->addElement('html', \html_writer::tag('div', $addpagehtml, array('class' => 'addpage'))); $mform->addElement('html', \html_writer::tag('div', $addpagehtml, array('class' => 'addpage')));
@ -193,9 +200,9 @@ class edit_form extends \moodleform {
} }
$editlink = '/mod/customcert/edit.php'; $editlink = '/mod/customcert/edit.php';
$editlinkparams = array('tid' => $this->tid); $editlinkparams = array('tid' => $this->tid, 'sesskey' => sesskey());
$editelementlink = '/mod/customcert/edit_element.php'; $editelementlink = '/mod/customcert/edit_element.php';
$editelementlinkparams = array('tid' => $this->tid); $editelementlinkparams = array('tid' => $this->tid, 'sesskey' => sesskey());
// Place the ordering arrows. // Place the ordering arrows.
// Only display the move up arrow if it is not the first. // Only display the move up arrow if it is not the first.

18
edit.php
View file

@ -70,6 +70,7 @@ if ($context->contextlevel == CONTEXT_SYSTEM) {
$deleting = false; $deleting = false;
if ($tid) { if ($tid) {
if ($action && confirm_sesskey()) {
switch ($action) { switch ($action) {
case 'pmoveup' : case 'pmoveup' :
$template->move_item('page', $actionid, 'up'); $template->move_item('page', $actionid, 'up');
@ -100,11 +101,15 @@ if ($tid) {
$message = get_string('deletepageconfirm', 'customcert'); $message = get_string('deletepageconfirm', 'customcert');
// Create the link options. // Create the link options.
$nourl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid)); $nourl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid));
$yesurl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid, $yesurl = new moodle_url('/mod/customcert/edit.php',
array(
'tid' => $tid,
'action' => 'deletepage', 'action' => 'deletepage',
'aid' => $actionid, 'aid' => $actionid,
'confirm' => 1, 'confirm' => 1,
'sesskey' => sesskey())); 'sesskey' => sesskey()
)
);
} }
break; break;
case 'deleteelement' : case 'deleteelement' :
@ -117,14 +122,19 @@ if ($tid) {
$message = get_string('deleteelementconfirm', 'customcert'); $message = get_string('deleteelementconfirm', 'customcert');
// Create the link options. // Create the link options.
$nourl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid)); $nourl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid));
$yesurl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid, $yesurl = new moodle_url('/mod/customcert/edit.php',
array(
'tid' => $tid,
'action' => 'deleteelement', 'action' => 'deleteelement',
'aid' => $actionid, 'aid' => $actionid,
'confirm' => 1, 'confirm' => 1,
'sesskey' => sesskey())); 'sesskey' => sesskey()
)
);
} }
break; break;
} }
}
} }
// Check if we are deleting either a page or an element. // Check if we are deleting either a page or an element.

5
load_template.php
View file

@ -42,7 +42,7 @@ if ($cm = $template->get_cm()) {
$template->require_manage(); $template->require_manage();
// Check that they have confirmed they wish to load the template. // Check that they have confirmed they wish to load the template.
if ($confirm) { if ($confirm && confirm_sesskey()) {
// First, remove all the existing elements and pages. // First, remove all the existing elements and pages.
$sql = "SELECT e.* $sql = "SELECT e.*
FROM {customcert_elements} e FROM {customcert_elements} e
@ -104,7 +104,8 @@ if ($confirm) {
$nourl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid)); $nourl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid));
$yesurl = new moodle_url('/mod/customcert/load_template.php', array('tid' => $tid, $yesurl = new moodle_url('/mod/customcert/load_template.php', array('tid' => $tid,
'ltid' => $ltid, 'ltid' => $ltid,
'confirm' => 1)); 'confirm' => 1,
'sesskey' => sesskey()));
$pageurl = new moodle_url('/mod/customcert/load_template.php', array('tid' => $tid, 'ltid' => $ltid)); $pageurl = new moodle_url('/mod/customcert/load_template.php', array('tid' => $tid, 'ltid' => $ltid));
\mod_customcert\page_helper::page_setup($pageurl, $template->get_context(), get_string('loadtemplate', 'customcert')); \mod_customcert\page_helper::page_setup($pageurl, $template->get_context(), get_string('loadtemplate', 'customcert'));

19
manage_templates.php
View file

@ -53,13 +53,18 @@ $PAGE->navbar->add(get_string('managetemplates', 'customcert'));
// Check if we are deleting a template. // Check if we are deleting a template.
if ($tid) { if ($tid) {
if ($action && confirm_sesskey()) {
if ($action == 'delete') { if ($action == 'delete') {
if (!$confirm) { if (!$confirm) {
$nourl = new moodle_url('/mod/customcert/manage_templates.php'); $nourl = new moodle_url('/mod/customcert/manage_templates.php');
$yesurl = new moodle_url('/mod/customcert/manage_templates.php', array('tid' => $tid, $yesurl = new moodle_url('/mod/customcert/manage_templates.php',
array(
'tid' => $tid,
'action' => 'delete', 'action' => 'delete',
'confirm' => 1, 'confirm' => 1,
'sesskey' => sesskey())); 'sesskey' => sesskey()
)
);
// Show a confirmation page. // Show a confirmation page.
$strheading = get_string('deleteconfirm', 'customcert'); $strheading = get_string('deleteconfirm', 'customcert');
@ -79,6 +84,7 @@ if ($tid) {
// Redirect back to the manage templates page. // Redirect back to the manage templates page.
redirect(new moodle_url('/mod/customcert/manage_templates.php')); redirect(new moodle_url('/mod/customcert/manage_templates.php'));
} }
}
} }
// Get all the templates that are available. // Get all the templates that are available.
if ($templates = $DB->get_records('customcert_templates', array('contextid' => $contextid), 'timecreated DESC')) { if ($templates = $DB->get_records('customcert_templates', array('contextid' => $contextid), 'timecreated DESC')) {
@ -93,8 +99,13 @@ if ($templates = $DB->get_records('customcert_templates', array('contextid' => $
$editicon = $OUTPUT->action_icon($editlink, new \pix_icon('t/edit', get_string('edit'))); $editicon = $OUTPUT->action_icon($editlink, new \pix_icon('t/edit', get_string('edit')));
// Link to delete the element. // Link to delete the element.
$deletelink = new \moodle_url('/mod/customcert/manage_templates.php', array('tid' => $template->id, $deletelink = new \moodle_url('/mod/customcert/manage_templates.php',
'action' => 'delete')); array(
'tid' => $template->id,
'action' => 'delete',
'sesskey' => sesskey()
)
);
$deleteicon = $OUTPUT->action_icon($deletelink, new \pix_icon('t/delete', get_string('delete')), null, $deleteicon = $OUTPUT->action_icon($deletelink, new \pix_icon('t/delete', get_string('delete')), null,
array('class' => 'action-icon delete-icon')); array('class' => 'action-icon delete-icon'));