MDL-53696 forum: Check discussion in forum

diff --git a/mod/forum/subscribe.php b/mod/forum/subscribe.php
index ab209b0..74e9c30 100644 (file)
--- a/mod/forum/subscribe.php
+++ b/mod/forum/subscribe.php
@@ -53,7 +53,9 @@ if (!is_null($sesskey)) {
 }
 if (!is_null($discussionid)) {
     $url->param('d', $discussionid);
-    $discussion = $DB->get_record('forum_discussions', array('id' => $discussionid), '*', MUST_EXIST);
+    if (!$discussion = $DB->get_record('forum_discussions', array('id' => $discussionid, 'forum' => $id))) {
+        print_error('invaliddiscussionid', 'forum');
+    }
 }
 $PAGE->set_url($url);
 

diff --git a/mod/forum/subscribe_ajax.php b/mod/forum/subscribe_ajax.php
index fe7b43e..cf6bb70 100644 (file)
--- a/mod/forum/subscribe_ajax.php
+++ b/mod/forum/subscribe_ajax.php
@@ -32,7 +32,9 @@ $includetext    = optional_param('includetext', false, PARAM_BOOL);
 
 $forum          = $DB->get_record('forum', array('id' => $forumid), '*', MUST_EXIST);
 $course         = $DB->get_record('course', array('id' => $forum->course), '*', MUST_EXIST);
-$discussion     = $DB->get_record('forum_discussions', array('id' => $discussionid), '*', MUST_EXIST);
+if (!$discussion = $DB->get_record('forum_discussions', array('id' => $discussionid, 'forum' => $forumid))) {
+    print_error('invaliddiscussionid', 'forum');
+}
 $cm             = get_coursemodule_from_instance('forum', $forum->id, $course->id, false, MUST_EXIST);
 $context        = context_module::instance($cm->id);