Commit bce48f0f authored by Astor Bizard's avatar Astor Bizard

Security fix: now checks sesskey and post data for overrides update/delete.

parent aa797e33
......@@ -43,17 +43,24 @@ function vpl_get_overrideactions($id, $overrideid, $editing) {
$OUTPUT->pix_icon( 'save', get_string('save'), 'mod_vpl' ) .
'</span>';
$cancel = '<span class="btn-link override-action-button" onclick="VPL.cancelOverrideForms();">' .
$OUTPUT->pix_icon( 'cancel', get_string('cancel'), 'mod_vpl' ) .
'</span>';
$OUTPUT->pix_icon( 'cancel', get_string('cancel'), 'mod_vpl' ) .
'</span>';
return $save . $cancel;
} else if ($editing === null) {
$edit = '<a href="?id=' . $id . '&edit=' . $overrideid . '">' .
$OUTPUT->pix_icon( 'editthis', get_string('edit'), 'mod_vpl' ) .
'</a>';
$deletebuttonid = 'delete_override_' . $overrideid;
$delete = '<a id="' . $deletebuttonid . '" href="?id=' . $id . '&delete=' . $overrideid . '">' .
$delete = '<form method="post" style="display:none;">' .
'<input name="id" type="hidden" value="' . $id . '">' .
'<input name="sesskey" type="hidden" value="' . sesskey() . '">' .
'<input name="delete" type="hidden" value="' . $overrideid . '">' .
'<input id="' . $deletebuttonid . '" type="submit">' .
'</form>' .
'<span class="btn-link override-action-button" ' .
'onclick="document.getElementById(\'' . $deletebuttonid .'\').click();">' .
$OUTPUT->pix_icon( 'delete', get_string('delete'), 'mod_vpl' ) .
'</a>';
'</span>';
$PAGE->requires->event_handler('#' . $deletebuttonid, 'click', 'M.util.show_confirm_dialog',
array('message' => get_string('confirmoverridedeletion', VPL)));
return $edit . $delete;
......@@ -156,6 +163,7 @@ $update = optional_param('update', null, PARAM_INT);
$vpl = new mod_vpl( $id );
$vpl->require_capability( VPL_MANAGE_CAPABILITY );
$vpl->prepare_page( 'forms/overrides.php', array( 'id' => $id ) );
$thisurl = new moodle_url('/mod/vpl/forms/overrides.php', array( 'id' => $id ));
$vplid = $vpl->get_instance()->id;
......@@ -217,6 +225,9 @@ if ($edit !== null || $update !== null) {
}
if ($delete !== null) {
if (data_submitted() === false || !confirm_sesskey()) {
redirect($thisurl, get_string('invaliddataorsesskey', VPL), null, \core\output\notification::NOTIFY_ERROR);
}
$overrideid = $delete;
if (isset($overrides[$overrideid])) {
$override = $overrides[$overrideid];
......@@ -228,10 +239,13 @@ if ($delete !== null) {
\mod_vpl\event\override_deleted::log($vpl, $overrideid);
}
// Properly reload the page.
redirect(new moodle_url('/mod/vpl/forms/overrides.php', array( 'id' => $id )));
redirect($thisurl);
}
if ($update !== null) {
if (data_submitted() === false || !confirm_sesskey()) {
redirect($thisurl, get_string('invaliddataorsesskey', VPL), null, \core\output\notification::NOTIFY_ERROR);
}
// Update or create an override.
$override = $optionsform->get_data();
unset($override->id); // The id field of the form is not the override id - do not use it.
......@@ -324,7 +338,7 @@ if ($update !== null) {
// Do not redirect if validation fails.
if ($optionsform->is_validated() || $optionsform->is_cancelled()) {
// Properly reload the page.
redirect(new moodle_url('/mod/vpl/forms/overrides.php', array( 'id' => $id )));
redirect($thisurl);
}
}
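Review bot: The hidden delete form in the first hunk interpolates `$id`, `$overrideid` and `$deletebuttonid` directly into HTML attributes and into the inline `onclick` JavaScript string without any escaping; these values are presumably integers cleaned by PARAM_INT, so this is not exploitable as written, but emitting the inputs through `html_writer::empty_tag('input', ['name' => 'id', 'type' => 'hidden', 'value' => $id])` (and the same for `sesskey` and `delete`) would keep the escaping in one place should the parameter types ever change. The form also carries no `action` attribute, so it submits to whatever the current page URL is, query string included; giving it an explicit `action` pointing at the overrides page with only `id` makes the target independent of the page state the link was rendered on. Embedding `sesskey()` as a hidden field and rejecting the request when `data_submitted()` is false or `confirm_sesskey()` fails, as done in the later hunks for both delete and update, is the right shape for the check. `vpl_get_overrideactions` starts before the first hunk.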
......
......@@ -162,6 +162,7 @@ $string ['indicator:socialbreadth_help'] = 'This indicator is based on the socia
$string ['individualwork'] = 'Individual work';
$string ['instanceselection'] = 'VPL selection';
$string ['interfacetheme'] = 'Interface theme:';
$string ['invaliddataorsesskey'] = 'This action has been prevented for security reasons. Either data has not been submitted properly, or you session key could not be confirmed.';
$string ['isexample'] = 'This activity acts as example';
$string ['jail_servers'] = 'Execution servers list';
$string ['jail_servers_config'] = 'Execution servers config';
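Review bot: The new `invaliddataorsesskey` string has a typo in its second sentence, "or you session key could not be confirmed", where "you" should be "your": `$string ['invaliddataorsesskey'] = 'This action has been prevented for security reasons. Either data has not been submitted properly, or your session key could not be confirmed.';`. Since this is the message shown to the user when the delete/update request is rejected, it is worth fixing before the string gets picked up for translation.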
......