Commit bce48f0f authored by Astor Bizard's avatar Astor Bizard

Security fix: now checks sesskey and post data for overrides update/delete.

parent aa797e33
...@@ -43,17 +43,24 @@ function vpl_get_overrideactions($id, $overrideid, $editing) { ...@@ -43,17 +43,24 @@ function vpl_get_overrideactions($id, $overrideid, $editing) {
$OUTPUT->pix_icon( 'save', get_string('save'), 'mod_vpl' ) . $OUTPUT->pix_icon( 'save', get_string('save'), 'mod_vpl' ) .
'</span>'; '</span>';
$cancel = '<span class="btn-link override-action-button" onclick="VPL.cancelOverrideForms();">' . $cancel = '<span class="btn-link override-action-button" onclick="VPL.cancelOverrideForms();">' .
$OUTPUT->pix_icon( 'cancel', get_string('cancel'), 'mod_vpl' ) . $OUTPUT->pix_icon( 'cancel', get_string('cancel'), 'mod_vpl' ) .
'</span>'; '</span>';
return $save . $cancel; return $save . $cancel;
} else if ($editing === null) { } else if ($editing === null) {
$edit = '<a href="?id=' . $id . '&edit=' . $overrideid . '">' . $edit = '<a href="?id=' . $id . '&edit=' . $overrideid . '">' .
$OUTPUT->pix_icon( 'editthis', get_string('edit'), 'mod_vpl' ) . $OUTPUT->pix_icon( 'editthis', get_string('edit'), 'mod_vpl' ) .
'</a>'; '</a>';
$deletebuttonid = 'delete_override_' . $overrideid; $deletebuttonid = 'delete_override_' . $overrideid;
$delete = '<a id="' . $deletebuttonid . '" href="?id=' . $id . '&delete=' . $overrideid . '">' . $delete = '<form method="post" style="display:none;">' .
'<input name="id" type="hidden" value="' . $id . '">' .
'<input name="sesskey" type="hidden" value="' . sesskey() . '">' .
'<input name="delete" type="hidden" value="' . $overrideid . '">' .
'<input id="' . $deletebuttonid . '" type="submit">' .
'</form>' .
'<span class="btn-link override-action-button" ' .
'onclick="document.getElementById(\'' . $deletebuttonid .'\').click();">' .
$OUTPUT->pix_icon( 'delete', get_string('delete'), 'mod_vpl' ) . $OUTPUT->pix_icon( 'delete', get_string('delete'), 'mod_vpl' ) .
'</a>'; '</span>';
$PAGE->requires->event_handler('#' . $deletebuttonid, 'click', 'M.util.show_confirm_dialog', $PAGE->requires->event_handler('#' . $deletebuttonid, 'click', 'M.util.show_confirm_dialog',
array('message' => get_string('confirmoverridedeletion', VPL))); array('message' => get_string('confirmoverridedeletion', VPL)));
return $edit . $delete; return $edit . $delete;
...@@ -156,6 +163,7 @@ $update = optional_param('update', null, PARAM_INT); ...@@ -156,6 +163,7 @@ $update = optional_param('update', null, PARAM_INT);
$vpl = new mod_vpl( $id ); $vpl = new mod_vpl( $id );
$vpl->require_capability( VPL_MANAGE_CAPABILITY ); $vpl->require_capability( VPL_MANAGE_CAPABILITY );
$vpl->prepare_page( 'forms/overrides.php', array( 'id' => $id ) ); $vpl->prepare_page( 'forms/overrides.php', array( 'id' => $id ) );
$thisurl = new moodle_url('/mod/vpl/forms/overrides.php', array( 'id' => $id ));
$vplid = $vpl->get_instance()->id; $vplid = $vpl->get_instance()->id;
...@@ -217,6 +225,9 @@ if ($edit !== null || $update !== null) { ...@@ -217,6 +225,9 @@ if ($edit !== null || $update !== null) {
} }
if ($delete !== null) { if ($delete !== null) {
if (data_submitted() === false || !confirm_sesskey()) {
redirect($thisurl, get_string('invaliddataorsesskey', VPL), null, \core\output\notification::NOTIFY_ERROR);
}
$overrideid = $delete; $overrideid = $delete;
if (isset($overrides[$overrideid])) { if (isset($overrides[$overrideid])) {
$override = $overrides[$overrideid]; $override = $overrides[$overrideid];
...@@ -228,10 +239,13 @@ if ($delete !== null) { ...@@ -228,10 +239,13 @@ if ($delete !== null) {
\mod_vpl\event\override_deleted::log($vpl, $overrideid); \mod_vpl\event\override_deleted::log($vpl, $overrideid);
} }
// Properly reload the page. // Properly reload the page.
redirect(new moodle_url('/mod/vpl/forms/overrides.php', array( 'id' => $id ))); redirect($thisurl);
} }
if ($update !== null) { if ($update !== null) {
if (data_submitted() === false || !confirm_sesskey()) {
redirect($thisurl, get_string('invaliddataorsesskey', VPL), null, \core\output\notification::NOTIFY_ERROR);
}
// Update or create an override. // Update or create an override.
$override = $optionsform->get_data(); $override = $optionsform->get_data();
unset($override->id); // The id field of the form is not the override id - do not use it. unset($override->id); // The id field of the form is not the override id - do not use it.
...@@ -324,7 +338,7 @@ if ($update !== null) { ...@@ -324,7 +338,7 @@ if ($update !== null) {
// Do not redirect if validation fails. // Do not redirect if validation fails.
if ($optionsform->is_validated() || $optionsform->is_cancelled()) { if ($optionsform->is_validated() || $optionsform->is_cancelled()) {
// Properly reload the page. // Properly reload the page.
redirect(new moodle_url('/mod/vpl/forms/overrides.php', array( 'id' => $id ))); redirect($thisurl);
} }
} }
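Review bot: In the first hunk the hidden-input values for `id`, `delete` and `sesskey` are concatenated straight into the markup of the new delete form (the `'<input name="id" ...'` through `'<input name="delete" ...'` lines), and `vpl_get_overrideactions($id, $overrideid, $editing)` declares both parameters without a type, so nothing inside the function guarantees they are integers. They presumably are, given the `PARAM_INT` parameters the page code reads, but an attribute-safe encoding costs nothing and protects the form against a future caller: `'<input name="id" type="hidden" value="' . s($id) . '">'` and likewise `s($overrideid)` for the `delete` input, or build the inputs with `html_writer::empty_tag('input', [...])`. The `data_submitted() === false || !confirm_sesskey()` guard is written twice, once under `$delete !== null` and once under `$update !== null`; a single check before both branches would keep the two from drifting apart. The body of `vpl_get_overrideactions` begins before the first hunk.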
......
...@@ -162,6 +162,7 @@ $string ['indicator:socialbreadth_help'] = 'This indicator is based on the socia ...@@ -162,6 +162,7 @@ $string ['indicator:socialbreadth_help'] = 'This indicator is based on the socia
$string ['individualwork'] = 'Individual work'; $string ['individualwork'] = 'Individual work';
$string ['instanceselection'] = 'VPL selection'; $string ['instanceselection'] = 'VPL selection';
$string ['interfacetheme'] = 'Interface theme:'; $string ['interfacetheme'] = 'Interface theme:';
$string ['invaliddataorsesskey'] = 'This action has been prevented for security reasons. Either data has not been submitted properly, or you session key could not be confirmed.';
$string ['isexample'] = 'This activity acts as example'; $string ['isexample'] = 'This activity acts as example';
$string ['jail_servers'] = 'Execution servers list'; $string ['jail_servers'] = 'Execution servers list';
$string ['jail_servers_config'] = 'Execution servers config'; $string ['jail_servers_config'] = 'Execution servers config';
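Review bot: The new `invaliddataorsesskey` string has a typo in its user-facing text: "you session key" should read "your session key". Suggested line: `$string ['invaliddataorsesskey'] = 'This action has been prevented for security reasons. Either data has not been submitted properly, or your session key could not be confirmed.';`.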
......