Added missing confirm_sesskey() checks

This commit is contained in:
Mark Nelson 2017-09-02 14:01:13 +08:00
parent e087567b03
commit a7b14ab48d
4 changed files with 111 additions and 82 deletions


@ -81,7 +81,14 @@ class edit_form extends \moodleform {
} }
// Link to add another page. // Link to add another page.
$addpagelink = new \moodle_url('/mod/customcert/edit.php', array('tid' => $this->tid, 'aid' => 1, 'action' => 'addpage')); $addpagelink = new \moodle_url('/mod/customcert/edit.php',
array(
'tid' => $this->tid,
'aid' => 1,
'action' => 'addpage',
'sesskey' => sesskey()
)
);
$icon = $OUTPUT->pix_icon('t/switch_plus', get_string('addcertpage', 'customcert')); $icon = $OUTPUT->pix_icon('t/switch_plus', get_string('addcertpage', 'customcert'));
$addpagehtml = \html_writer::link($addpagelink, $icon . get_string('addcertpage', 'customcert')); $addpagehtml = \html_writer::link($addpagelink, $icon . get_string('addcertpage', 'customcert'));
$mform->addElement('html', \html_writer::tag('div', $addpagehtml, array('class' => 'addpage'))); $mform->addElement('html', \html_writer::tag('div', $addpagehtml, array('class' => 'addpage')));
@ -193,9 +200,9 @@ class edit_form extends \moodleform {
} }
$editlink = '/mod/customcert/edit.php'; $editlink = '/mod/customcert/edit.php';
$editlinkparams = array('tid' => $this->tid); $editlinkparams = array('tid' => $this->tid, 'sesskey' => sesskey());
$editelementlink = '/mod/customcert/edit_element.php'; $editelementlink = '/mod/customcert/edit_element.php';
$editelementlinkparams = array('tid' => $this->tid); $editelementlinkparams = array('tid' => $this->tid, 'sesskey' => sesskey());
// Place the ordering arrows. // Place the ordering arrows.
// Only display the move up arrow if it is not the first. // Only display the move up arrow if it is not the first.
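Review bot: The second hunk now appends `'sesskey' => sesskey()` to `$editelementlinkparams`, but the link target edit_element.php is not among the files this commit touches, so either that script already validates the key for its own actions or the token is being placed into URLs without any check; that should be confirmed before merge. If edit_element.php only renders a moodleform, the form's own sesskey field already protects the POST and the extra query parameter could be dropped, which also keeps the key out of the address bar and Referer headers. The enclosing edit_form method starts and ends outside both hunks.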

edit.php

@ -70,60 +70,70 @@ if ($context->contextlevel == CONTEXT_SYSTEM) {
$deleting = false; $deleting = false;
if ($tid) { if ($tid) {
switch ($action) { if ($action && confirm_sesskey()) {
case 'pmoveup' : switch ($action) {
$template->move_item('page', $actionid, 'up'); case 'pmoveup' :
break; $template->move_item('page', $actionid, 'up');
case 'pmovedown' : break;
$template->move_item('page', $actionid, 'down'); case 'pmovedown' :
break; $template->move_item('page', $actionid, 'down');
case 'emoveup' : break;
$template->move_item('element', $actionid, 'up'); case 'emoveup' :
break; $template->move_item('element', $actionid, 'up');
case 'emovedown' : break;
$template->move_item('element', $actionid, 'down'); case 'emovedown' :
break; $template->move_item('element', $actionid, 'down');
case 'addpage' : break;
$template->add_page(); case 'addpage' :
$url = new \moodle_url('/mod/customcert/edit.php', array('tid' => $tid)); $template->add_page();
redirect($url);
break;
case 'deletepage' :
if (!empty($confirm)) { // Check they have confirmed the deletion.
$template->delete_page($actionid);
$url = new \moodle_url('/mod/customcert/edit.php', array('tid' => $tid)); $url = new \moodle_url('/mod/customcert/edit.php', array('tid' => $tid));
redirect($url); redirect($url);
} else { break;
// Set deletion flag to true. case 'deletepage' :
$deleting = true; if (!empty($confirm)) { // Check they have confirmed the deletion.
// Create the message. $template->delete_page($actionid);
$message = get_string('deletepageconfirm', 'customcert'); $url = new \moodle_url('/mod/customcert/edit.php', array('tid' => $tid));
// Create the link options. redirect($url);
$nourl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid)); } else {
$yesurl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid, // Set deletion flag to true.
'action' => 'deletepage', $deleting = true;
'aid' => $actionid, // Create the message.
'confirm' => 1, $message = get_string('deletepageconfirm', 'customcert');
'sesskey' => sesskey())); // Create the link options.
} $nourl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid));
break; $yesurl = new moodle_url('/mod/customcert/edit.php',
case 'deleteelement' : array(
if (!empty($confirm)) { // Check they have confirmed the deletion. 'tid' => $tid,
$template->delete_element($actionid); 'action' => 'deletepage',
} else { 'aid' => $actionid,
// Set deletion flag to true. 'confirm' => 1,
$deleting = true; 'sesskey' => sesskey()
// Create the message. )
$message = get_string('deleteelementconfirm', 'customcert'); );
// Create the link options. }
$nourl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid)); break;
$yesurl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid, case 'deleteelement' :
'action' => 'deleteelement', if (!empty($confirm)) { // Check they have confirmed the deletion.
'aid' => $actionid, $template->delete_element($actionid);
'confirm' => 1, } else {
'sesskey' => sesskey())); // Set deletion flag to true.
} $deleting = true;
break; // Create the message.
$message = get_string('deleteelementconfirm', 'customcert');
// Create the link options.
$nourl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid));
$yesurl = new moodle_url('/mod/customcert/edit.php',
array(
'tid' => $tid,
'action' => 'deleteelement',
'aid' => $actionid,
'confirm' => 1,
'sesskey' => sesskey()
)
);
}
break;
}
} }
} }
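Review bot: `confirm_sesskey()` returns a boolean, so on a missing or stale key the new `if ($action && confirm_sesskey())` guard silently skips the action and the editor renders as if nothing had been requested, with no error shown and nothing logged; `if ($action) { require_sesskey(); switch ($action) { ... } }` would throw the standard moodle_exception instead and make a rejected request visible. The same silent-skip pattern is used in load_template.php (`if ($confirm && confirm_sesskey())`) and manage_templates.php (`if ($action && confirm_sesskey())`). Separately, the `deleteelement` branch deletes and then falls through to render the page while the URL still carries `action=deleteelement`, `aid` and `sesskey`, so a browser reload repeats the request; redirecting to the tid-only URL the way `deletepage` does would avoid that. The four move cases render in place after mutating in the same way, so the same observation applies to them.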


@ -42,7 +42,7 @@ if ($cm = $template->get_cm()) {
$template->require_manage(); $template->require_manage();
// Check that they have confirmed they wish to load the template. // Check that they have confirmed they wish to load the template.
if ($confirm) { if ($confirm && confirm_sesskey()) {
// First, remove all the existing elements and pages. // First, remove all the existing elements and pages.
$sql = "SELECT e.* $sql = "SELECT e.*
FROM {customcert_elements} e FROM {customcert_elements} e
@ -104,7 +104,8 @@ if ($confirm) {
$nourl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid)); $nourl = new moodle_url('/mod/customcert/edit.php', array('tid' => $tid));
$yesurl = new moodle_url('/mod/customcert/load_template.php', array('tid' => $tid, $yesurl = new moodle_url('/mod/customcert/load_template.php', array('tid' => $tid,
'ltid' => $ltid, 'ltid' => $ltid,
'confirm' => 1)); 'confirm' => 1,
'sesskey' => sesskey()));
$pageurl = new moodle_url('/mod/customcert/load_template.php', array('tid' => $tid, 'ltid' => $ltid)); $pageurl = new moodle_url('/mod/customcert/load_template.php', array('tid' => $tid, 'ltid' => $ltid));
\mod_customcert\page_helper::page_setup($pageurl, $template->get_context(), get_string('loadtemplate', 'customcert')); \mod_customcert\page_helper::page_setup($pageurl, $template->get_context(), get_string('loadtemplate', 'customcert'));
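Review bot: The `$yesurl` array in the second hunk keeps the hanging-indent style (`array('tid' => $tid,` continued on the following lines) while the equivalent `$yesurl` arrays in edit.php and manage_templates.php were reflowed in this same commit to a separate `array(` block with one key per line; reflowing this one the same way would keep the four files consistent. The `if ($confirm ...)` block that owns the first hunk starts and ends outside it.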


@ -53,31 +53,37 @@ $PAGE->navbar->add(get_string('managetemplates', 'customcert'));
// Check if we are deleting a template. // Check if we are deleting a template.
if ($tid) { if ($tid) {
if ($action == 'delete') { if ($action && confirm_sesskey()) {
if (!$confirm) { if ($action == 'delete') {
$nourl = new moodle_url('/mod/customcert/manage_templates.php'); if (!$confirm) {
$yesurl = new moodle_url('/mod/customcert/manage_templates.php', array('tid' => $tid, $nourl = new moodle_url('/mod/customcert/manage_templates.php');
'action' => 'delete', $yesurl = new moodle_url('/mod/customcert/manage_templates.php',
'confirm' => 1, array(
'sesskey' => sesskey())); 'tid' => $tid,
'action' => 'delete',
'confirm' => 1,
'sesskey' => sesskey()
)
);
// Show a confirmation page. // Show a confirmation page.
$strheading = get_string('deleteconfirm', 'customcert'); $strheading = get_string('deleteconfirm', 'customcert');
$PAGE->navbar->add($strheading); $PAGE->navbar->add($strheading);
$PAGE->set_title($strheading); $PAGE->set_title($strheading);
$message = get_string('deletetemplateconfirm', 'customcert'); $message = get_string('deletetemplateconfirm', 'customcert');
echo $OUTPUT->header(); echo $OUTPUT->header();
echo $OUTPUT->heading($strheading); echo $OUTPUT->heading($strheading);
echo $OUTPUT->confirm($message, $yesurl, $nourl); echo $OUTPUT->confirm($message, $yesurl, $nourl);
echo $OUTPUT->footer(); echo $OUTPUT->footer();
exit(); exit();
}
// Delete the template.
$template->delete();
// Redirect back to the manage templates page.
redirect(new moodle_url('/mod/customcert/manage_templates.php'));
} }
// Delete the template.
$template->delete();
// Redirect back to the manage templates page.
redirect(new moodle_url('/mod/customcert/manage_templates.php'));
} }
} }
// Get all the templates that are available. // Get all the templates that are available.
@ -93,8 +99,13 @@ if ($templates = $DB->get_records('customcert_templates', array('contextid' => $
$editicon = $OUTPUT->action_icon($editlink, new \pix_icon('t/edit', get_string('edit'))); $editicon = $OUTPUT->action_icon($editlink, new \pix_icon('t/edit', get_string('edit')));
// Link to delete the element. // Link to delete the element.
$deletelink = new \moodle_url('/mod/customcert/manage_templates.php', array('tid' => $template->id, $deletelink = new \moodle_url('/mod/customcert/manage_templates.php',
'action' => 'delete')); array(
'tid' => $template->id,
'action' => 'delete',
'sesskey' => sesskey()
)
);
$deleteicon = $OUTPUT->action_icon($deletelink, new \pix_icon('t/delete', get_string('delete')), null, $deleteicon = $OUTPUT->action_icon($deletelink, new \pix_icon('t/delete', get_string('delete')), null,
array('class' => 'action-icon delete-icon')); array('class' => 'action-icon delete-icon'));
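Review bot: `if ($action == 'delete')` inside the new sesskey guard in the first hunk uses loose comparison on a request parameter; `if ($action === 'delete')` avoids PHP's string/number juggling and matches the strict style used elsewhere in the file. Any other `$action` value that passes `confirm_sesskey()` now falls through to the template listing with no feedback, which is acceptable only if `delete` is the sole action this page handles; a short comment would make that explicit, e.g. `// 'delete' is the only action handled here; anything else just lists the templates.`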