From c56ed7bb853bf8cfd7318f1cb48c4e13c419a6b8 Mon Sep 17 00:00:00 2001
From: David Mudrak <david@moodle.com>
Date: Wed, 5 Jan 2011 12:58:25 +0100
Subject: [PATCH] MDL-24561 forum: require sesskey for the course-wide
 subscriptions

mod/forum/index.php allows to subscribe to and unsubscribe from all
forums in the course. However, sesskey was not checked here.
---
 mod/forum/index.php | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/mod/forum/index.php b/mod/forum/index.php
index 1b95fb7cfb0..ce365c705cd 100644
--- a/mod/forum/index.php
+++ b/mod/forum/index.php
@@ -31,6 +31,7 @@ $subscribe = optional_param('subscribe', null, PARAM_INT);  // Subscribe/Unsubsc
 
 $url = new moodle_url('/mod/forum/index.php', array('id'=>$id));
 if ($subscribe !== null) {
+    require_sesskey();
     $url->param('subscribe', $subscribe);
 }
 $PAGE->set_url($url);
@@ -410,11 +411,14 @@ echo $OUTPUT->header();
 
 if (!isguestuser()) {
     echo $OUTPUT->box_start('subscription');
-    echo '<span class="helplink">';
-    echo '<a href="index.php?id='.$course->id.'&amp;subscribe=1">'.get_string('allsubscribe', 'forum').'</a>';
-    echo '</span><br /><span class="helplink">';
-    echo '<a href="index.php?id='.$course->id.'&amp;subscribe=0">'.get_string('allunsubscribe', 'forum').'</a>';
-    echo '</span>';
+    echo html_writer::tag('div',
+        html_writer::link(new moodle_url('/mod/forum/index.php', array('id'=>$course->id, 'subscribe'=>1, 'sesskey'=>sesskey())),
+            get_string('allsubscribe', 'forum')),
+        array('class'=>'helplink'));
+    echo html_writer::tag('div',
+        html_writer::link(new moodle_url('/mod/forum/index.php', array('id'=>$course->id, 'subscribe'=>0, 'sesskey'=>sesskey())),
+            get_string('allunsubscribe', 'forum')),
+        array('class'=>'helplink'));
     echo $OUTPUT->box_end();
     echo $OUTPUT->box('&nbsp;', 'clearer');
 }
-- 
2.17.1