$returntomod = optional_param('return', 0, PARAM_BOOL);
redirect("$CFG->wwwroot/course/modedit.php?update=$update&return=$returntomod&sr=$sectionreturn");
-} else if (!empty($duplicate)) {
+} else if (!empty($duplicate) and confirm_sesskey()) {
$cm = get_coursemodule_from_id('', $duplicate, 0, true, MUST_EXIST);
$course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);
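Review bot: On the added `else if` line, a request with a missing or wrong sesskey is not rejected outright, because `confirm_sesskey()` only returns false. The duplicate branch is then skipped and control falls through to whatever follows in the if/else chain, which is outside this hunk, so it is not visible whether that path ends in an error. The other file changed in this commit (apparently course/modduplicate.php) calls `require_sesskey()`, which stops the request with an explicit invalid-sesskey error. For a consistent and unambiguous CSRF failure I would keep the condition as `} else if (!empty($duplicate)) {` and make `require_sesskey();` the first statement of the branch. The branch body continues past the end of the hunk.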
require_once(dirname(dirname(__FILE__)) . '/config.php');
$cmid = required_param('cmid', PARAM_INT);
-$courseid = optional_param('course', PARAM_INT);
+$courseid = required_param('course', PARAM_INT);
$sectionreturn = optional_param('sr', null, PARAM_INT);
+require_sesskey();
+
debugging('Please use moodle_url(\'/course/mod.php\', array(\'duplicate\' => $cmid
, \'id\' => $courseid, \'sesskey\' => sesskey(), \'sr\' => $sectionreturn)))
instead of new moodle_url(\'/course/modduplicate.php\', array(\'cmid\' => $cmid