
Commit 6802544

committed
Admin: Add sec_token to delete courses
1 parent 9699143 commit 6802544


2 files changed

+15
-6
lines changed


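--- a/main/admin/course_list.php
+++ b/main/admin/course_list.php
@@ -203,7 +203,11 @@ function get_course_data($from, $number_of_items, $column, $direction, $dataFunc
 );
 $actions[] = Display::url(
 Display::return_icon('delete.png', get_lang('Delete')),
-$path.'admin/course_list.php?delete_course='.$courseCode,
+$path.'admin/course_list.php?'
+.http_build_query([
+'delete_course' => $courseCode,
+'sec_token' => Security::getTokenFromSession(),
+]),
 [
 'onclick' => "javascript: if (!confirm('"
 .addslashes(api_htmlentities(get_lang('ConfirmYourChoice'), ENT_QUOTES))."')) return false;",
@@ -372,7 +376,7 @@ function get_course_visibility_icon($visibility)
 }
 }
 
-if (isset($_POST['action'])) {
+if (isset($_POST['action']) && Security::check_token('get')) {
 switch ($_POST['action']) {
 // Delete selected courses
 case 'delete_courses':
@@ -464,7 +468,7 @@ function get_course_visibility_icon($visibility)
 'name' => get_lang('PlatformAdmin'),
 ];
 $tool_name = get_lang('CourseList');
-if (isset($_GET['delete_course'])) {
+if (isset($_GET['delete_course']) && Security::check_token('get')) {
 $result = CourseManager::delete_course($_GET['delete_course']);
 if ($result) {
 Display::addFlash(Display::return_message(get_lang('Deleted')));
@@ -585,6 +589,7 @@ function get_course_visibility_icon($visibility)
 }
 
 $parameters = [];
+$parameters['sec_token'] = Security::get_token();
 if (isset($_GET['keyword'])) {
 $parameters = ['keyword' => Security::remove_XSS($_GET['keyword'])];
 } elseif (isset($_GET['keyword_code'])) {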
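Review bot: The `sec_token` entry added at new line 592 is thrown away whenever a keyword filter is active, because the next line replaces the whole array, `$parameters = ['keyword' => Security::remove_XSS($_GET['keyword'])];`, instead of adding a key, and the `elseif` branch that follows appears to do the same, so a filtered list page would carry no token and the `Security::check_token('get')` guard added at new line 379 would reject the bulk `delete_courses` POST. Use `$parameters['keyword'] = Security::remove_XSS($_GET['keyword']);` in each branch so the token survives alongside the filter. The same pattern is in main/admin/course_list_admin.php at its new line 466. Two different token sources are used in this file, `Security::get_token()` here and `Security::getTokenFromSession()` in the per-row link at new line 209; if they do not produce the same value, one of the two delete paths can never pass `check_token`, which is worth confirming against the Security class. The `if/elseif` chain continues past the hunk.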

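--- a/main/admin/course_list_admin.php
+++ b/main/admin/course_list_admin.php
@@ -193,7 +193,10 @@ function get_course_data($from, $number_of_items, $column, $direction, $dataFunc
 );
 $actions[] = Display::url(
 Display::return_icon('delete.png', get_lang('Delete')),
-$path.'admin/course_list_admin.php?delete_course='.$courseCode,
+$path.'admin/course_list_admin.php?'.http_build_query([
+'delete_course' => $courseCode,
+'sec_token' => Security::getTokenFromSession(),
+]),
 [
 'onclick' => "javascript: if (!confirm('"
 .addslashes(api_htmlentities(get_lang('ConfirmYourChoice'), ENT_QUOTES))."')) return false;",
@@ -287,7 +290,7 @@ function get_course_visibility_icon($visibility)
 }
 }
 
-if (isset($_POST['action'])) {
+if (isset($_POST['action']) && Security::check_token('get')) {
 switch ($_POST['action']) {
 // Delete selected courses
 case 'delete_courses':
@@ -379,7 +382,7 @@ function get_course_visibility_icon($visibility)
 'name' => get_lang('PlatformAdmin'),
 ];
 $tool_name = get_lang('CourseList');
-if (isset($_GET['delete_course'])) {
+if (isset($_GET['delete_course']) && Security::check_token('get')) {
 $result = CourseManager::delete_course($_GET['delete_course']);
 if ($result) {
 Display::addFlash(Display::return_message(get_lang('Deleted')));
@@ -460,6 +463,7 @@ function get_course_visibility_icon($visibility)
 );
 
 $parameters = [];
+$parameters['sec_token'] = Security::get_token();
 if (isset($_GET['keyword'])) {
 $parameters = ['keyword' => Security::remove_XSS($_GET['keyword'])];
 } elseif (isset($_GET['keyword_code'])) {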
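Review bot: A failed `Security::check_token('get')` on new lines 293 and 385 silently skips the action, so the page renders as if nothing was requested: an admin whose session token is stale gets no explanation, and a rejected forged request leaves no trace for later investigation. Add an `else` branch on each guard that flashes an error through `Display::addFlash(Display::return_message(...))` and logs the rejection, so token failures are visible to both the user and the audit trail. New line 386 still performs `CourseManager::delete_course()` on a GET request; the token stops cross-site forgery, but a prefetching browser or a shared URL can still trigger the deletion, so a small POST form per row is the safer shape for this action. The `if` blocks on both guards start and end outside the hunks shown.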
