From 0cc875b7d0e359bb983a8587d91ccbcd874ded7d Mon Sep 17 00:00:00 2001
From: Andrew Robert Nicols <andrew.nicols@luns.net.uk>
Date: Wed, 9 Jan 2013 09:22:37 +1300
Subject: [PATCH] MDL-36600 user: improve course messaging checks

---
 user/message.html      | 1 +
 user/messageselect.php | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/user/message.html b/user/message.html
index 6426111f060..9446751dac1 100644
--- a/user/message.html
+++ b/user/message.html
@@ -1,5 +1,6 @@
 <form id="theform" method="post" action="messageselect.php">
 <input type="hidden" name="id" value="<?php p($id) ?>" />
+<input type="hidden" name="sesskey" value="<?php echo sesskey() ?>" />
 <input type="hidden" name="returnto" value="<?php p($returnto) ?>" />
 <input type="hidden" name="deluser" value="" />
 <?php echo $OUTPUT->box_start(); ?>
diff --git a/user/messageselect.php b/user/messageselect.php
index d54d26d4133..e7cca967ac3 100644
--- a/user/messageselect.php
+++ b/user/messageselect.php
@@ -91,7 +91,7 @@ $messagebody = $SESSION->emailselect[$id]['messagebody'];
 
 $count = 0;
 
-if ($data = data_submitted()) {
+if (($data = data_submitted()) && confirm_sesskey()) {
     foreach ($data as $k => $v) {
         if (preg_match('/^(user|teacher)(\d+)$/',$k,$m)) {
             if (!array_key_exists($m[2],$SESSION->emailto[$id])) {
@@ -136,12 +136,13 @@ if (!empty($messagebody) && !$edit && !$deluser && ($preview || $send)) {
 <input type="hidden" name="returnto" value="'.s($returnto).'" />
 <input type="hidden" name="id" value="'.$id.'" />
 <input type="hidden" name="format" value="'.$format.'" />
+<input type="hidden" name="sesskey" value="' . sesskey() . '" />
 ';
             echo "<h3>".get_string('previewhtml')."</h3><div class=\"messagepreview\">\n".format_text($messagebody,$format)."\n</div>\n";
             echo '<p align="center"><input type="submit" name="send" value="'.get_string('sendmessage', 'message').'" />'."\n";
             echo '<input type="submit" name="edit" value="'.get_string('update').'" /></p>';
             echo "\n</form>";
-        } else if (!empty($send)) {
+        } else if (!empty($send) && require_sesskey()) {
             $good = 1;
             foreach ($SESSION->emailto[$id] as $user) {
                 $good = $good && message_post_message($USER,$user,$messagebody,$format);
-- 
2.17.1