moodle/moodle
3
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-08-06 17:36:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

MDL-42883 Administration: Check sessionkey before taking action on user profile fields

Browse source
This commit is contained in:
Rajesh Taneja 2013-11-14 10:43:18 +08:00 committed by Dan Poltawski
parent cf3f46344e
commit 3dd7b4f805
1 changed files with 8 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

13
user/profile/index.php
View file

@ -41,20 +41,23 @@ switch ($action) {
break;
case 'deletecategory':
$id = required_param('id', PARAM_INT);
profile_delete_category($id);
if (confirm_sesskey()) {
profile_delete_category($id);
}
redirect($redirect,get_string('deleted'));
break;
case 'deletefield':
$id = required_param('id', PARAM_INT);
$confirm = optional_param('confirm', 0, PARAM_BOOL);
// If no userdata for profile than don't show confirmation.
$datacount = $DB->count_records('user_info_data', array('fieldid'=>$id));
if (data_submitted() and ($confirm and confirm_sesskey()) or $datacount===0) {
if (((data_submitted() and $confirm) or ($datacount === 0)) and confirm_sesskey()) {
profile_delete_field($id);
redirect($redirect,get_string('deleted'));
}
//ask for confirmation
// Ask for confirmation, as there is user data available for field.
$fieldname = $DB->get_field('user_info_field', 'name', array('id'=>$id));
$optionsyes = array ('id'=>$id, 'confirm'=>1, 'action'=>'deletefield', 'sesskey'=>sesskey());
$strheading = get_string('profiledeletefield', 'admin', $fieldname);
@ -173,7 +176,7 @@ function profile_category_icons($category) {
/// Delete
/// Can only delete the last category if there are no fields in it
if ( ($categorycount > 1) or ($fieldcount == 0) ) {
$editstr .= '<a title="'.$strdelete.'" href="index.php?id='.$category->id.'&amp;action=deletecategory';
$editstr .= '<a title="'.$strdelete.'" href="index.php?id='.$category->id.'&amp;action=deletecategory&amp;sesskey='.sesskey();
$editstr .= '"><img src="'.$OUTPUT->pix_url('t/delete') . '" alt="'.$strdelete.'" class="iconsmall" /></a> ';
} else {
$editstr .= '<img src="'.$OUTPUT->pix_url('spacer') . '" alt="" class="iconsmall" /> ';
@ -216,7 +219,7 @@ function profile_field_icons($field) {
$editstr = '<a title="'.$stredit.'" href="index.php?id='.$field->id.'&amp;action=editfield"><img src="'.$OUTPUT->pix_url('t/edit') . '" alt="'.$stredit.'" class="iconsmall" /></a> ';
/// Delete
$editstr .= '<a title="'.$strdelete.'" href="index.php?id='.$field->id.'&amp;action=deletefield';
$editstr .= '<a title="'.$strdelete.'" href="index.php?id='.$field->id.'&amp;action=deletefield&amp;sesskey='.sesskey();
$editstr .= '"><img src="'.$OUTPUT->pix_url('t/delete') . '" alt="'.$strdelete.'" class="iconsmall" /></a> ';
/// Move up