MDL-48019 mod_forum: Add sesskey checks when setting tracking prefs
authorAndrew Nicols <andrew@nicols.co.uk>
Mon, 3 Nov 2014 01:49:00 +0000 (09:49 +0800)
committerDan Poltawski <dan@moodle.com>
Wed, 5 Nov 2014 10:35:12 +0000 (10:35 +0000)
This also removes set_url() and changes require_course_login to
require_login as guests cannot set tracking.

mod/forum/deprecatedlib.php
mod/forum/forum.js
mod/forum/index.php
mod/forum/lib.php
mod/forum/settracking.php

index 211ad81..65c6052 100644 (file)
@@ -338,7 +338,10 @@ function forum_get_tracking_link($forum, $messages=array(), $fakelink=true) {
         // use <noscript> to print button in case javascript is not enabled
         $link .= '<noscript>';
     }
-    $url = new moodle_url('/mod/forum/settracking.php', array('id'=>$forum->id));
+    $url = new moodle_url('/mod/forum/settracking.php', array(
+            'id' => $forum->id,
+            'sesskey' => sesskey(),
+        ));
     $link .= $OUTPUT->single_button($url, $linktext, 'get', array('title'=>$linktitle));
 
     if ($fakelink) {
index 749b043..a6881b3 100644 (file)
@@ -13,7 +13,7 @@ function forum_produce_tracking_link(forumid, ltext, ltitle) {
     var elementid = "trackinglink";
     var subs_link = document.getElementById(elementid);
     if(subs_link){
-        subs_link.innerHTML = "<a title='"+ltitle+"' href='"+M.cfg.wwwroot+"/mod/forum/settracking.php?id="+forumid+"'>"+ltext+"<\/a>";
+        subs_link.innerHTML = "<a title='"+ltitle+"' href='"+M.cfg.wwwroot+"/mod/forum/settracking.php?id="+forumid+"&amp;sesskey="+M.cfg.sesskey+"'>"+ltext+"<\/a>";
     }
 }
 
index 43d1d97..a64567b 100644 (file)
@@ -240,7 +240,10 @@ if ($generalforums) {
                 } else if ($forum->trackingtype === FORUM_TRACKING_OFF || ($USER->trackforums == 0)) {
                     $trackedlink = '-';
                 } else {
-                    $aurl = new moodle_url('/mod/forum/settracking.php', array('id'=>$forum->id));
+                    $aurl = new moodle_url('/mod/forum/settracking.php', array(
+                            'id' => $forum->id,
+                            'sesskey' => sesskey(),
+                        ));
                     if (!isset($untracked[$forum->id])) {
                         $trackedlink = $OUTPUT->single_button($aurl, $stryes, 'post', array('title'=>$strnotrackforum));
                     } else {
index de9e678..5f04287 100644 (file)
@@ -7107,7 +7107,10 @@ function forum_extend_settings_navigation(settings_navigation $settingsnav, navi
             } else {
                 $linktext = get_string('trackforum', 'forum');
             }
-            $url = new moodle_url('/mod/forum/settracking.php', array('id'=>$forumobject->id));
+            $url = new moodle_url('/mod/forum/settracking.php', array(
+                    'id' => $forumobject->id,
+                    'sesskey' => sesskey(),
+                ));
             $forumnode->add($linktext, $url, navigation_node::TYPE_SETTING);
         }
     }
index 91c653c..004825f 100644 (file)
@@ -29,11 +29,7 @@ require_once("lib.php");
 $id         = required_param('id',PARAM_INT);                           // The forum to subscribe or unsubscribe to
 $returnpage = optional_param('returnpage', 'index.php', PARAM_FILE);    // Page to return to.
 
-$url = new moodle_url('/mod/forum/settracking.php', array('id'=>$id));
-if ($returnpage !== 'index.php') {
-    $url->param('returnpage', $returnpage);
-}
-$PAGE->set_url($url);
+require_sesskey();
 
 if (! $forum = $DB->get_record("forum", array("id" => $id))) {
     print_error('invalidforumid', 'forum');
@@ -46,8 +42,7 @@ if (! $course = $DB->get_record("course", array("id" => $forum->course))) {
 if (! $cm = get_coursemodule_from_instance("forum", $forum->id, $course->id)) {
     print_error('invalidcoursemodule');
 }
-
-require_course_login($course, false, $cm);
+require_login($course, false, $cm);
 
 $returnto = forum_go_back_to($returnpage.'?id='.$course->id.'&f='.$forum->id);