MDL-42883 Administration: Check sessionkey before taking action on user profile fields
authorRajesh Taneja <rajesh@moodle.com>
Thu, 14 Nov 2013 02:58:27 +0000 (10:58 +0800)
committerDan Poltawski <dan@moodle.com>
Mon, 6 Jan 2014 05:59:23 +0000 (13:59 +0800)
user/profile/index.php

index 0617d17..17ab381 100644 (file)
@@ -41,20 +41,23 @@ switch ($action) {
         break;
     case 'deletecategory':
         $id      = required_param('id', PARAM_INT);
-        profile_delete_category($id);
+        if (confirm_sesskey()) {
+            profile_delete_category($id);
+        }
         redirect($redirect,get_string('deleted'));
         break;
     case 'deletefield':
         $id      = required_param('id', PARAM_INT);
         $confirm = optional_param('confirm', 0, PARAM_BOOL);
 
+        // If no userdata for profile than don't show confirmation.
         $datacount = $DB->count_records('user_info_data', array('fieldid'=>$id));
-        if (data_submitted() and ($confirm and confirm_sesskey()) or $datacount===0) {
+        if (((data_submitted() and $confirm) or ($datacount === 0)) and confirm_sesskey()) {
             profile_delete_field($id);
             redirect($redirect,get_string('deleted'));
         }
 
-        //ask for confirmation
+        // Ask for confirmation, as there is user data available for field.
         $fieldname = $DB->get_field('user_info_field', 'name', array('id'=>$id));
         $optionsyes = array ('id'=>$id, 'confirm'=>1, 'action'=>'deletefield', 'sesskey'=>sesskey());
         $strheading = get_string('profiledeletefield', 'admin', $fieldname);
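Review bot: In the deletecategory branch (the added `if (confirm_sesskey())` block), a sesskey mismatch is silently swallowed: when the check is false nothing is deleted, but control still reaches `redirect($redirect,get_string('deleted'));` and the admin is told the category was deleted. If `confirm_sesskey()` returns false on a wrong key rather than throwing (its definition is outside this diff), prefer `require_sesskey();` followed by `profile_delete_category($id);` so a failed check aborts with an error instead of a false success message, or at least redirect with a distinct message. The deletefield branch is fine in this respect because a failed check just falls through to the confirmation page, though note that with `$datacount === 0` the field is now deleted on a plain GET as well, relying on the sesskey alone. The new comment `// If no userdata for profile than don't show confirmation.` reads better as `// If there is no user data for this field, skip the confirmation.`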
@@ -173,7 +176,7 @@ function profile_category_icons($category) {
     /// Delete
     /// Can only delete the last category if there are no fields in it
     if ( ($categorycount > 1) or ($fieldcount == 0) ) {
-        $editstr .= '<a title="'.$strdelete.'" href="index.php?id='.$category->id.'&amp;action=deletecategory';
+        $editstr .= '<a title="'.$strdelete.'" href="index.php?id='.$category->id.'&amp;action=deletecategory&amp;sesskey='.sesskey();
         $editstr .= '"><img src="'.$OUTPUT->pix_url('t/delete') . '" alt="'.$strdelete.'" class="iconsmall" /></a> ';
     } else {
         $editstr .= '<img src="'.$OUTPUT->pix_url('spacer') . '" alt="" class="iconsmall" /> ';
@@ -216,7 +219,7 @@ function profile_field_icons($field) {
     $editstr = '<a title="'.$stredit.'" href="index.php?id='.$field->id.'&amp;action=editfield"><img src="'.$OUTPUT->pix_url('t/edit') . '" alt="'.$stredit.'" class="iconsmall" /></a> ';
 
     /// Delete
-    $editstr .= '<a title="'.$strdelete.'" href="index.php?id='.$field->id.'&amp;action=deletefield';
+    $editstr .= '<a title="'.$strdelete.'" href="index.php?id='.$field->id.'&amp;action=deletefield&amp;sesskey='.sesskey();
     $editstr .= '"><img src="'.$OUTPUT->pix_url('t/delete') . '" alt="'.$strdelete.'" class="iconsmall" /></a> ';
 
     /// Move up
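Review bot: The href on the new line is assembled by string concatenation with a hand-written `&amp;` and a raw `sesskey()`, repeating the pattern of the category link above; if `moodle_url` is available in this tree (it is not visible in the diff), building the link as `new moodle_url('/user/profile/index.php', array('id' => $field->id, 'action' => 'deletefield', 'sesskey' => sesskey()))` and emitting `$url->out()` keeps escaping and sesskey handling in one place for both delete links. As written the literal is correct, so this is a point of style rather than a defect. `profile_field_icons` continues past the end of this hunk.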