Admin: Add sec_token to delete courses

AngelFQC · AngelFQC · commit 68025447a062 · 2023-07-11T10:52:19.000-05:00
diff --git a/main/admin/course_list.php b/main/admin/course_list.php
@@ -203,7 +203,11 @@ function get_course_data($from, $number_of_items, $column, $direction, $dataFunc
         );
         $actions[] = Display::url(
             Display::return_icon('delete.png', get_lang('Delete')),
-            $path.'admin/course_list.php?delete_course='.$courseCode,
+            $path.'admin/course_list.php?'
+                .http_build_query([
+                    'delete_course' => $courseCode,
+                    'sec_token' => Security::getTokenFromSession(),
+                ]),
             [
                 'onclick' => "javascript: if (!confirm('"
                     .addslashes(api_htmlentities(get_lang('ConfirmYourChoice'), ENT_QUOTES))."')) return false;",
@@ -372,7 +376,7 @@ function get_course_visibility_icon($visibility)
     }
 }
 
-if (isset($_POST['action'])) {
+if (isset($_POST['action']) && Security::check_token('get')) {
     switch ($_POST['action']) {
         // Delete selected courses
         case 'delete_courses':
@@ -464,7 +468,7 @@ function get_course_visibility_icon($visibility)
         'name' => get_lang('PlatformAdmin'),
     ];
     $tool_name = get_lang('CourseList');
-    if (isset($_GET['delete_course'])) {
+    if (isset($_GET['delete_course']) && Security::check_token('get')) {
         $result = CourseManager::delete_course($_GET['delete_course']);
         if ($result) {
             Display::addFlash(Display::return_message(get_lang('Deleted')));
@@ -585,6 +589,7 @@ function get_course_visibility_icon($visibility)
     }
 
     $parameters = [];
+    $parameters['sec_token'] = Security::get_token();
     if (isset($_GET['keyword'])) {
         $parameters = ['keyword' => Security::remove_XSS($_GET['keyword'])];
     } elseif (isset($_GET['keyword_code'])) {
diff --git a/main/admin/course_list_admin.php b/main/admin/course_list_admin.php
@@ -193,7 +193,10 @@ function get_course_data($from, $number_of_items, $column, $direction, $dataFunc
         );
         $actions[] = Display::url(
             Display::return_icon('delete.png', get_lang('Delete')),
-            $path.'admin/course_list_admin.php?delete_course='.$courseCode,
+            $path.'admin/course_list_admin.php?'.http_build_query([
+                  'delete_course' => $courseCode,
+                    'sec_token' => Security::getTokenFromSession(),
+                ]),
             [
                 'onclick' => "javascript: if (!confirm('"
                     .addslashes(api_htmlentities(get_lang('ConfirmYourChoice'), ENT_QUOTES))."')) return false;",
@@ -287,7 +290,7 @@ function get_course_visibility_icon($visibility)
     }
 }
 
-if (isset($_POST['action'])) {
+if (isset($_POST['action']) && Security::check_token('get')) {
     switch ($_POST['action']) {
         // Delete selected courses
         case 'delete_courses':
@@ -379,7 +382,7 @@ function get_course_visibility_icon($visibility)
         'name' => get_lang('PlatformAdmin'),
     ];
     $tool_name = get_lang('CourseList');
-    if (isset($_GET['delete_course'])) {
+    if (isset($_GET['delete_course']) && Security::check_token('get')) {
         $result = CourseManager::delete_course($_GET['delete_course']);
         if ($result) {
             Display::addFlash(Display::return_message(get_lang('Deleted')));
@@ -460,6 +463,7 @@ function get_course_visibility_icon($visibility)
     );
 
     $parameters = [];
+    $parameters['sec_token'] = Security::get_token();
     if (isset($_GET['keyword'])) {
         $parameters = ['keyword' => Security::remove_XSS($_GET['keyword'])];
     } elseif (isset($_GET['keyword_code'])) {
