MDL-69807 blocks: remove redundant sesskey loading edit/delete page.
authorPaul Holden <paulh@moodle.com>
Fri, 16 Oct 2020 13:54:25 +0000 (14:54 +0100)
committerPaul Holden <paulh@moodle.com>
Mon, 19 Oct 2020 21:40:45 +0000 (22:40 +0100)
lib/blocklib.php

index 0ca4559..849f848 100644 (file)
@@ -1282,8 +1282,10 @@ class block_manager {
         if ($this->page->user_can_edit_blocks() || $block->user_can_edit()) {
             // Edit config icon - always show - needed for positioning UI.
             $str = new lang_string('configureblock', 'block', $blocktitle);
+            $editactionurl = new moodle_url($actionurl, ['bui_editid' => $block->instance->id]);
+            $editactionurl->remove_params(['sesskey']);
             $controls[] = new action_menu_link_secondary(
-                new moodle_url($actionurl, array('bui_editid' => $block->instance->id)),
+                $editactionurl,
                 new pix_icon('t/edit', $str, 'moodle', array('class' => 'iconsmall', 'title' => '')),
                 $str,
                 array('class' => 'editing_edit')
@@ -1346,8 +1348,10 @@ class block_manager {
         if ($this->user_can_delete_block($block)) {
             // Delete icon.
             $str = new lang_string('deleteblock', 'block', $blocktitle);
+            $deleteactionurl = new moodle_url($actionurl, ['bui_deleteid' => $block->instance->id]);
+            $deleteactionurl->remove_params(['sesskey']);
             $controls[] = new action_menu_link_secondary(
-                new moodle_url($actionurl, array('bui_deleteid' => $block->instance->id)),
+                $deleteactionurl,
                 new pix_icon('t/delete', $str, 'moodle', array('class' => 'iconsmall', 'title' => '')),
                 $str,
                 array('class' => 'editing_delete')
@@ -1497,7 +1501,6 @@ class block_manager {
             return false;
         }
 
-        require_sesskey();
         $block = $this->page->blocks->find_instance($blockid);
         if (!$this->user_can_delete_block($block)) {
             throw new moodle_exception('nopermissions', '', $this->page->url->out(), get_string('deleteablock'));
@@ -1563,6 +1566,8 @@ class block_manager {
             // Make sure that nothing else happens after we have displayed this form.
             exit;
         } else {
+            require_sesskey();
+
             blocks_delete_instance($block->instance);
             // bui_deleteid and bui_confirm should not be in the PAGE url.
             $this->page->ensure_param_not_in_url('bui_deleteid');
@@ -1616,7 +1621,6 @@ class block_manager {
             return false;
         }
 
-        require_sesskey();
         require_once($CFG->dirroot . '/blocks/edit_form.php');
 
         $block = $this->find_instance($blockid);