MDL-47924 mod_lti: Fixing missing sesskey checkings
authorDavid Monllao <davidm@moodle.com>
Wed, 29 Oct 2014 06:00:31 +0000 (14:00 +0800)
committerSam Hemelryk <sam@moodle.com>
Mon, 3 Nov 2014 22:00:51 +0000 (11:00 +1300)
Also fixes a missing capability check.

mod/lti/instructor_edit_tool_type.php
mod/lti/request_tool.php
mod/lti/return.php

index 7e28380..70a0030 100644 (file)
@@ -36,6 +36,8 @@ $PAGE->set_pagelayout('popup');
 $action = optional_param('action', null, PARAM_TEXT);
 $typeid = optional_param('typeid', null, PARAM_INT);
 
+require_sesskey();
+
 require_capability('mod/lti:addcoursetool', context_course::instance($courseid));
 
 if (!empty($typeid)) {
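Review bot: The new `require_sesskey();` at L17 runs before `require_capability(...)`, but whether `require_login()` precedes it is not visible here, since the top of instructor_edit_tool_type.php is outside the hunk; if it does not, an unauthenticated visitor gets a sesskey exception instead of the login redirect, whereas the request_tool.php hunk places the check after `require_login($course)` as expected. Because the check is unconditional, every link into this page must now carry a sesskey; the commit updates the one in return.php, and any other caller not shown here would start failing. A short comment would make that contract explicit for the next maintainer, e.g. `// Reached only via a sesskey-carrying link (see return.php); direct GET navigation is rejected.`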
index b044bf6..14a4062 100644 (file)
@@ -36,6 +36,8 @@ $context = context_module::instance($cm->id);
 
 require_login($course);
 
+require_sesskey();
+
 require_capability('mod/lti:requesttooladd', context_course::instance($lti->course));
 
 $baseurl = lti_get_domain_from_url($lti->toolurl);
index 66e14ce..7ed363c 100644 (file)
@@ -74,21 +74,24 @@ if (!empty($errormsg)) {
 
     echo htmlspecialchars($errormsg);
 
-    $canaddtools = has_capability('mod/lti:addcoursetool', context_course::instance($courseid));
+    if ($unsigned == 1) {
 
-    if ($unsigned == 1 && $canaddtools) {
+        $contextcourse = context_course::instance($courseid);
         echo '<br /><br />';
-
         $links = new stdClass();
-        $coursetooleditor = new moodle_url('/mod/lti/instructor_edit_tool_type.php',
-            array('course' => $courseid, 'action' => 'add'));
-        $links->course_tool_editor = $coursetooleditor->out(false);
 
-        echo get_string('lti_launch_error_unsigned_help', 'lti', $links);
+        if (has_capability('mod/lti:addcoursetool', $contextcourse)) {
+            $coursetooleditor = new moodle_url('/mod/lti/instructor_edit_tool_type.php',
+                array('course' => $courseid, 'action' => 'add', 'sesskey' => sesskey()));
+            $links->course_tool_editor = $coursetooleditor->out(false);
+
+            echo get_string('lti_launch_error_unsigned_help', 'lti', $links);
+        }
 
-        if (!empty($lti)) {
-            $adminrequesturl = new moodle_url('/mod/lti/request_tool.php', array('instanceid' => $lti->id));
+        if (!empty($lti) && has_capability('mod/lti:requesttooladd', $contextcourse)) {
+            $adminrequesturl = new moodle_url('/mod/lti/request_tool.php', array('instanceid' => $lti->id, 'sesskey' => sesskey()));
             $links->admin_request_url = $adminrequesturl->out(false);
+
             echo get_string('lti_launch_error_tool_request', 'lti', $links);
         }
     }
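Review bot: With the capability checks moved inside the `$unsigned == 1` branch, the `echo '<br /><br />';` at L42 and the `$links` object are now emitted even when the user holds neither capability, so the page prints stray line breaks with no link after them; moving the echo below the two checks, or guarding it with `if (has_capability('mod/lti:addcoursetool', $contextcourse) || has_capability('mod/lti:requesttooladd', $contextcourse))`, keeps the output clean. Separately, the new `mod/lti:requesttooladd` check at L60 uses the context of `$courseid`, while request_tool.php checks `context_course::instance($lti->course)`; presumably these are the same course, but if they can differ the link would be shown here and rejected on the target page, so a comment stating that assumption is worth adding. The `== 1` comparison is pre-existing; `=== 1` would be preferable if `$unsigned` is read with PARAM_INT, which is not visible in this hunk.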