MDL-48020 mod_forum: Add missing sesskey check in AJAX subscription
[moodle.git] / mod / forum / subscribe_ajax.php
1<?php
2// This file is part of Moodle - http://moodle.org/
3//
4// Moodle is free software: you can redistribute it and/or modify
5// it under the terms of the GNU General Public License as published by
6// the Free Software Foundation, either version 3 of the License, or
7// (at your option) any later version.
8//
9// Moodle is distributed in the hope that it will be useful,
10// but WITHOUT ANY WARRANTY; without even the implied warranty of
11// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12// GNU General Public License for more details.
13//
14// You should have received a copy of the GNU General Public License
15// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
16
17/**
18 * Subscribe to or unsubscribe from a forum discussion.
19 *
20 * @package mod_forum
21 * @copyright 2014 Andrew Nicols <andrew@nicols.co.uk>
22 * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
23 */
24
// AJAX_SCRIPT is defined before config.php is loaded, so the bootstrap sees it.
define('AJAX_SCRIPT', true);
require_once(__DIR__ . '/../../config.php');
require_once("{$CFG->dirroot}/mod/forum/lib.php");

// Request parameters. Each is read through the param API with an explicit PARAM_* type,
// never taken raw from the request.
// The forum to subscribe or unsubscribe.
$forumid = required_param('forumid', PARAM_INT);
// The discussion to toggle. Declared optional, but the discussion record is fetched below
// with MUST_EXIST, so a request without a valid id fails at that lookup.
$discussionid = optional_param('discussionid', null, PARAM_INT);
// Passed through to the icon renderer at the end of the script.
$includetext = optional_param('includetext', false, PARAM_BOOL);
32
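// Resolve every record from the request ids; MUST_EXIST makes an unknown id fail the request
// instead of continuing with a missing record.
$forum = $DB->get_record('forum', array('id' => $forumid), '*', MUST_EXIST);
$course = $DB->get_record('course', array('id' => $forum->course), '*', MUST_EXIST);
// Look the discussion up by id AND owning forum. The capability check that follows is made
// against this forum's module context, so a discussion id belonging to a different forum must
// not be accepted here; a mismatch now fails as a missing record.
$discussion = $DB->get_record('forum_discussions',
        array('id' => $discussionid, 'forum' => $forum->id), '*', MUST_EXIST);
$cm = get_coursemodule_from_instance('forum', $forum->id, $course->id, false, MUST_EXIST);
// Module context used for the capability check and for the subscription calls.
$context = context_module::instance($cm->id);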
38
// Access control for a state-changing endpoint. The order of these three calls is deliberate.
// 1. The request must carry the current session's sesskey. This script toggles a subscription,
//    so without the check another site could trigger it through a logged-in user's browser.
a6d7a812 39require_sesskey();
// 2. The user must be logged in and allowed into this course and course module.
ebfb73db 40require_login($course, false, $cm);
// 3. The user must be able to view discussions in this forum's module context.
71bc139d 41require_capability('mod/forum:viewdiscussion', $context);
42
// Response payload, JSON-encoded before the script ends.
$return = new stdClass();

$subscribable = \mod_forum\subscriptions::is_subscribable($forum);
if (!$subscribable) {
    // The forum is reported as not subscribable: reply with the empty object and stop
    // without changing any subscription.
    echo json_encode($return);
    exit;
}
50
// Toggle the subscription of the logged-in user only. Every call uses $USER->id, so the
// request has no way to name a different account.
$subscribed = \mod_forum\subscriptions::is_subscribed($USER->id, $forum, $discussion->id, $cm);
if ($subscribed) {
    // Currently subscribed: remove the subscription.
    \mod_forum\subscriptions::unsubscribe_user_from_discussion($USER->id, $discussion, $context);
} else {
    // Currently not subscribed: add the subscription.
    \mod_forum\subscriptions::subscribe_user_to_discussion($USER->id, $discussion, $context);
}
58
// Reply with the subscription icon for the discussion's updated state, then end the request.
$icon = forum_get_discussion_subscription_icon($forum, $discussion->id, null, $includetext);
$return->icon = $icon;
echo json_encode($return);
exit;