diff --git a/classes/edit_form.php b/classes/edit_form.php
index d4289b1..c586778 100644
--- a/classes/edit_form.php
+++ b/classes/edit_form.php
@@ -81,7 +81,14 @@ class edit_form extends \moodleform {
         }
 
         // Link to add another page.
-        $addpagelink = new \moodle_url('/mod/customcert/edit.php', array('tid' => $this->tid, 'aid' => 1, 'action' => 'addpage'));
+        $addpagelink = new \moodle_url('/mod/customcert/edit.php',
+            array(
+                'tid' => $this->tid,
+                'aid' => 1,
+                'action' => 'addpage',
+                'sesskey' => sesskey()
+            )
+        );
         $icon = $OUTPUT->pix_icon('t/switch_plus', get_string('addcertpage', 'customcert'));
         $addpagehtml = \html_writer::link($addpagelink, $icon . get_string('addcertpage', 'customcert'));
         $mform->addElement('html', \html_writer::tag('div', $addpagehtml, array('class' => 'addpage')));
@@ -193,9 +200,9 @@ class edit_form extends \moodleform {
         }
 
         $editlink = '/mod/customcert/edit.php';
-        $editlinkparams = array('tid' => $this->tid);
+        $editlinkparams = array('tid' => $this->tid, 'sesskey' => sesskey());
         $editelementlink = '/mod/customcert/edit_element.php';
-        $editelementlinkparams = array('tid' => $this->tid);
+        $editelementlinkparams = array('tid' => $this->tid, 'sesskey' => sesskey());
 
         // Place the ordering arrows.
         // Only display the move up arrow if it is not the first.
diff --git a/edit.php b/edit.php
index 036cc2f..72dd9a5 100644
--- a/edit.php
+++ b/edit.php
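Review bot: The token is now embedded in plain GET links — `$addpagelink` here and `$editlinkparams`/`$editelementlinkparams` in the hunk at -193 — so every rendered edit page carries the live sesskey in URLs that end up in browser history, Referer headers and web-server logs. That follows Moodle's action-icon convention, but add-page and the move-up/move-down actions still change state on a GET request that anything holding the URL within the session (a prefetching extension, a pasted link) can replay; rendering them as small POST forms (`single_button`) would remove both the token from the URL and the GET side effect at once. The target of `$editelementlinkparams`, edit_element.php, is not part of this diff, so whether it checks the token on its side cannot be confirmed here. The enclosing method starts and ends outside both hunks.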
@@ -70,60 +70,70 @@ if ($context->contextlevel == CONTEXT_SYSTEM) {
 
 $deleting = false;
 if ($tid) {
-    switch ($action) {
-        case 'pmoveup' :
-            $template->move_item('page', $actionid, 'up');
-            break;
-        case 'pmovedown' :
-            $template->move_item('page', $actionid, 'down');
-            break;
-        case 'emoveup' :
-            $template->move_item('element', $actionid, 'up');
-            break;
-        case 'emovedown' :
-            $template->move_item('element', $actionid, 'down');
-            break;
-        case 'addpage' :
-            $template->add_page();
-            $url = new \moodle_url('/mod/customcert/edit.php', array('tid' => $tid));
-            redirect($url);
-            break;
-        case 'deletepage' :
-            if (!empty($confirm)) { // Check they have confirmed the deletion.
-                $template->delete_page($actionid);
+    if ($action && confirm_sesskey()) {
+        switch ($action) {
+            case 'pmoveup' :
+                $template->move_item('page', $actionid, 'up');
+                break;
+            case 'pmovedown' :
+                $template->move_item('page', $actionid, 'down');
+                break;
+            case 'emoveup' :
+                $template->move_item('element', $actionid, 'up');
+                break;
+            case 'emovedown' :
+                $template->move_item('element', $actionid, 'down');
+                break;
+            case 'addpage' :
+                $template->add_page();
                 $url = new \moodle_url('/mod/customcert/edit.php', array('tid' => $tid));
                 redirect($url);
-            } else {
-                // Set deletion flag to true.
-                $deleting = true;
-                // Create the message.
-                $message = get_string('deletepageconfirm', 'customcert');
-                // Create the link options.
-                $nourl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid));
-                $yesurl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid,
-                    'action' => 'deletepage',
-                    'aid' => $actionid,
-                    'confirm' => 1,
-                    'sesskey' => sesskey()));
-            }
-            break;
-        case 'deleteelement' :
-            if (!empty($confirm)) { // Check they have confirmed the deletion.
-                $template->delete_element($actionid);
-            } else {
-                // Set deletion flag to true.
-                $deleting = true;
-                // Create the message.
-                $message = get_string('deleteelementconfirm', 'customcert');
-                // Create the link options.
-                $nourl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid));
-                $yesurl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid,
-                    'action' => 'deleteelement',
-                    'aid' => $actionid,
-                    'confirm' => 1,
-                    'sesskey' => sesskey()));
-            }
-            break;
+                break;
+            case 'deletepage' :
+                if (!empty($confirm)) { // Check they have confirmed the deletion.
+                    $template->delete_page($actionid);
+                    $url = new \moodle_url('/mod/customcert/edit.php', array('tid' => $tid));
+                    redirect($url);
+                } else {
+                    // Set deletion flag to true.
+                    $deleting = true;
+                    // Create the message.
+                    $message = get_string('deletepageconfirm', 'customcert');
+                    // Create the link options.
+                    $nourl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid));
+                    $yesurl = new moodle_url('/mod/customcert/edit.php',
+                        array(
+                            'tid' => $tid,
+                            'action' => 'deletepage',
+                            'aid' => $actionid,
+                            'confirm' => 1,
+                            'sesskey' => sesskey()
+                        )
+                    );
+                }
+                break;
+            case 'deleteelement' :
+                if (!empty($confirm)) { // Check they have confirmed the deletion.
+                    $template->delete_element($actionid);
+                } else {
+                    // Set deletion flag to true.
+                    $deleting = true;
+                    // Create the message.
+                    $message = get_string('deleteelementconfirm', 'customcert');
+                    // Create the link options.
+                    $nourl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid));
+                    $yesurl = new moodle_url('/mod/customcert/edit.php',
+                        array(
+                            'tid' => $tid,
+                            'action' => 'deleteelement',
+                            'aid' => $actionid,
+                            'confirm' => 1,
+                            'sesskey' => sesskey()
+                        )
+                    );
+                }
+                break;
+        }
     }
 }
 
diff --git a/load_template.php b/load_template.php
index caa4a1c..2e5f5c5 100644
--- a/load_template.php
+++ b/load_template.php
@@ -42,7 +42,7 @@ if ($cm = $template->get_cm()) {
 $template->require_manage();
 
 // Check that they have confirmed they wish to load the template.
-if ($confirm) {
+if ($confirm && confirm_sesskey()) {
     // First, remove all the existing elements and pages.
     $sql = "SELECT e.*
               FROM {customcert_elements} e
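Review bot: When `$action` is set but the token is missing or stale, the new `if ($action && confirm_sesskey())` guard silently skips the switch and renders the edit page as if nothing had been requested, so a rejected request looks exactly like a no-op to the user and leaves no trace in the logs. Moodle's `require_sesskey()` raises the standard invalid-sesskey error instead, so the guard can become `if ($action) {` / `require_sesskey();` / `switch ($action) {` with the rest of the block unchanged. The same silent fall-through is introduced in load_template.php (`if ($confirm && confirm_sesskey())`, hunk at -42) and manage_templates.php (`if ($action && confirm_sesskey())`, hunk at -53). Separately, the `deleteelement` branch still has no `redirect()` after `$template->delete_element($actionid)`, unlike `deletepage`, so the action URL stays in the address bar and a reload re-sends the delete with its still-valid token; whether that is harmless depends on `delete_element()`, which is not shown here.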
@@ -104,7 +104,8 @@ if ($confirm) {
 $nourl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid));
 $yesurl = new moodle_url('/mod/customcert/load_template.php', array('tid' => $tid,
     'ltid' => $ltid,
-    'confirm' => 1));
+    'confirm' => 1,
+    'sesskey' => sesskey()));
 $pageurl = new moodle_url('/mod/customcert/load_template.php', array('tid' => $tid, 'ltid' => $ltid));
 \mod_customcert\page_helper::page_setup($pageurl, $template->get_context(), get_string('loadtemplate', 'customcert'));
diff --git a/manage_templates.php b/manage_templates.php
index 12644e8..d8f6a51 100644
--- a/manage_templates.php
+++ b/manage_templates.php
@@ -53,31 +53,37 @@ $PAGE->navbar->add(get_string('managetemplates', 'customcert'));
 
 // Check if we are deleting a template.
 if ($tid) {
-    if ($action == 'delete') {
-        if (!$confirm) {
-            $nourl = new moodle_url('/mod/customcert/manage_templates.php');
-            $yesurl = new moodle_url('/mod/customcert/manage_templates.php', array('tid' => $tid,
-                'action' => 'delete',
-                'confirm' => 1,
-                'sesskey' => sesskey()));
+    if ($action && confirm_sesskey()) {
+        if ($action == 'delete') {
+            if (!$confirm) {
+                $nourl = new moodle_url('/mod/customcert/manage_templates.php');
+                $yesurl = new moodle_url('/mod/customcert/manage_templates.php',
+                    array(
+                        'tid' => $tid,
+                        'action' => 'delete',
+                        'confirm' => 1,
+                        'sesskey' => sesskey()
+                    )
+                );
 
-            // Show a confirmation page.
-            $strheading = get_string('deleteconfirm', 'customcert');
-            $PAGE->navbar->add($strheading);
-            $PAGE->set_title($strheading);
-            $message = get_string('deletetemplateconfirm', 'customcert');
-            echo $OUTPUT->header();
-            echo $OUTPUT->heading($strheading);
-            echo $OUTPUT->confirm($message, $yesurl, $nourl);
-            echo $OUTPUT->footer();
-            exit();
+                // Show a confirmation page.
+                $strheading = get_string('deleteconfirm', 'customcert');
+                $PAGE->navbar->add($strheading);
+                $PAGE->set_title($strheading);
+                $message = get_string('deletetemplateconfirm', 'customcert');
+                echo $OUTPUT->header();
+                echo $OUTPUT->heading($strheading);
+                echo $OUTPUT->confirm($message, $yesurl, $nourl);
+                echo $OUTPUT->footer();
+                exit();
+            }
+
+            // Delete the template.
+            $template->delete();
+
+            // Redirect back to the manage templates page.
+            redirect(new moodle_url('/mod/customcert/manage_templates.php'));
         }
-
-        // Delete the template.
-        $template->delete();
-
-        // Redirect back to the manage templates page.
-        redirect(new moodle_url('/mod/customcert/manage_templates.php'));
     }
 }
 // Get all the templates that are available.
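Review bot: The new outer `if ($action && confirm_sesskey())` wraps a single inner `if ($action == 'delete')`, which pushes the whole ~30-line confirm/delete block one level deeper for no extra behaviour, since 'delete' is the only action handled. Folding the two conditions into one, `if ($action === 'delete' && confirm_sesskey()) {`, keeps the original depth and drops one of the added closing braces; `===` also replaces the loose `==` carried over from the old code, which is worth fixing while the block is being re-indented anyway.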
@@ -93,8 +99,13 @@ if ($templates = $DB->get_records('customcert_templates', array('contextid' => $
         $editicon = $OUTPUT->action_icon($editlink, new \pix_icon('t/edit', get_string('edit')));
 
         // Link to delete the element.
-        $deletelink = new \moodle_url('/mod/customcert/manage_templates.php', array('tid' => $template->id,
-            'action' => 'delete'));
+        $deletelink = new \moodle_url('/mod/customcert/manage_templates.php',
+            array(
+                'tid' => $template->id,
+                'action' => 'delete',
+                'sesskey' => sesskey()
+            )
+        );
         $deleteicon = $OUTPUT->action_icon($deletelink, new \pix_icon('t/delete', get_string('delete')), null, array('class' => 'action-icon delete-icon'));