From deaa8a19d88e50eefc0e8946cdc487a77fbd1c7a Mon Sep 17 00:00:00 2001
From: Petr Skoda
Date: Thu, 18 Mar 2010 22:54:17 +0000
Subject: [PATCH] MDL-21859 fixed sesskey protection on email actions
---
 user/view.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/user/view.php b/user/view.php
index a0701d4a133..121d16c1eb8 100644
--- a/user/view.php
+++ b/user/view.php
@@ -284,11 +284,11 @@ if ($user->maildisplay == 1 or
 $emailswitch = '';
 if (has_capability('moodle/course:useremail', $coursecontext) or $currentuser) { /// Can use the enable/disable email stuff
- if (!empty($enable)) { /// Recieved a parameter to enable the email address
+ if (!empty($enable) and confirm_sesskey()) { /// Recieved a parameter to enable the email address
 $DB->set_field('user', 'emailstop', 0, array('id'=>$user->id));
 $user->emailstop = 0;
 }
- if (!empty($disable)) { /// Recieved a parameter to disable the email address
+ if (!empty($disable) and confirm_sesskey()) { /// Recieved a parameter to disable the email address
 $DB->set_field('user', 'emailstop', 1, array('id'=>$user->id));
 $user->emailstop = 1;
 }
@@ -307,7 +307,7 @@ if ($user->maildisplay == 1 or
 $switchpix = 't/email';
 }
 $emailswitch = " id&course=$course->id&$switchparam=1\">".
+ "href=\"view.php?id=$user->id&course=$course->id&$switchparam=1&sesskey=".sesskey()."\">".
 "pix_url("$switchpix") . "\" alt=\"$switchclick\" />";
 } else if ($currentuser) { /// Can only re-enable an email this way
@@ -317,7 +317,7 @@ if ($user->maildisplay == 1 or
 $switchclick = get_string('emailenableclick');
 $emailswitch = " (id&course=$course->id&enable=1\">$switchtitle)";
+ "href=\"view.php?id=$user->id&course=$course->id&enable=1&sesskey=".sesskey()."\">$switchtitle)";
 }
 }
--
2.36.1
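Review bot: In the hunk at -284, a request that passes `confirm_sesskey()` updates `emailstop` and then goes on rendering the page at a URL that still contains `sesskey`, so the key stays in the address bar, browser history and access logs, and would be sent in the Referer header of any off-site resource the page loads. I would end each branch with a redirect to the clean URL, e.g. `redirect("view.php?id=$user->id&course=$course->id");`; if output has already started at this point (not visible here), the toggle handling would have to move above it. A request with a missing or wrong key is now skipped silently, which is safe, but a short comment such as `// bad sesskey: ignore the toggle and just render the page` would record that this is intended. The enclosing `if ($user->maildisplay == 1 or …` block starts and ends outside the hunk, and `$enable`/`$disable` are read outside it.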
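Review bot: The toggle links in the hunks at -307 and -317 carry the session key in a GET URL for a state-changing action, and the URL is assembled by hand with escaped quotes. A small POST form with a hidden `sesskey` field would keep the key out of URLs altogether. If the link has to stay, building it with `new moodle_url('/user/view.php', array('id'=>$user->id, 'course'=>$course->id, $switchparam=>1, 'sesskey'=>sesskey()))` leaves parameter encoding to the library. `$switchparam` is assigned outside the hunk, so I am assuming it only ever holds `enable` or `disable`.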