$emailswitch = '';
if (has_capability('moodle/course:useremail', $coursecontext) or $currentuser) { /// Can use the enable/disable email stuff
- if (!empty($enable)) { /// Recieved a parameter to enable the email address
+ if (!empty($enable) and confirm_sesskey()) { /// Recieved a parameter to enable the email address
$DB->set_field('user', 'emailstop', 0, array('id'=>$user->id));
$user->emailstop = 0;
}
- if (!empty($disable)) { /// Recieved a parameter to disable the email address
+ if (!empty($disable) and confirm_sesskey()) { /// Recieved a parameter to disable the email address
$DB->set_field('user', 'emailstop', 1, array('id'=>$user->id));
$user->emailstop = 1;
}
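Review bot: A request carrying `enable=1` or `disable=1` with a missing or wrong session key is dropped silently by the two guarded `if` lines, because `confirm_sesskey()` only returns false and the page then renders as if nothing had been requested. As far as the visible lines show, a forged or stale request therefore produces no error for the user and nothing an administrator could notice. Failing loudly when the parameter is present makes the rejected attempt detectable, for example `if (!empty($enable)) { require_sesskey();` followed by the existing update, and the same for `$disable`. The page also appears to keep rendering on the same URL after the write, so a redirect to the plain profile URL after a successful change would stop a reload from repeating it; the surrounding block starts before the visible lines and no hunk header is shown, so confirm this against the full file.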
$switchpix = 't/email';
}
$emailswitch = " <a title=\"$switchclick\" ".
- "href=\"view.php?id=$user->id&course=$course->id&$switchparam=1\">".
+ "href=\"view.php?id=$user->id&course=$course->id&$switchparam=1&sesskey=".sesskey()."\">".
"<img src=\"" . $OUTPUT->pix_url("$switchpix") . "\" alt=\"$switchclick\" /></a>";
} else if ($currentuser) { /// Can only re-enable an email this way
$switchclick = get_string('emailenableclick');
$emailswitch = " (<a title=\"$switchclick\" ".
- "href=\"view.php?id=$user->id&course=$course->id&enable=1\">$switchtitle</a>)";
+ "href=\"view.php?id=$user->id&course=$course->id&enable=1&sesskey=".sesskey()."\">$switchtitle</a>)";
}
}
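Review bot: Both rewritten links put the session key into the query string (`&sesskey=".sesskey()."`), so the token ends up in browser history and in server or proxy access logs. It may also be sent in Referer headers for anything loaded or followed from the resulting page. Because these links change state, a small POST form with `sesskey` as a hidden field would keep the token out of URLs; whether that fits this page's layout cannot be judged from the hunk. Separately, the `&` separators inside the `href` attributes are written raw and should be `&amp;`, e.g. `&amp;enable=1&amp;sesskey=`. The values interpolated into `title` and `alt` (`$switchclick`) come from `get_string()` and are not escaped here; presumably the language strings are trusted, but that is worth confirming.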