From cc4ef9c78b0fcfe813598eb2441f46cb846385aa Mon Sep 17 00:00:00 2001
From: Friederike Schwager <schwager@cil.rwth-aachen.de>
Date: Thu, 22 Aug 2019 15:59:43 +0200
Subject: [PATCH] #9 check sesskey

---
 classes/output/answermenu.php   |  1 +
 classes/output/comment.php      |  2 +-
 classes/output/questionmenu.php |  1 +
 controller.php                  | 10 ++++++++--
 4 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/classes/output/answermenu.php b/classes/output/answermenu.php
index aacebfe..72b3c04 100644
--- a/classes/output/answermenu.php
+++ b/classes/output/answermenu.php
@@ -58,6 +58,7 @@ class answermenu implements \renderable, \templatable {
         $urlparams['annotationid'] = $annotationid;
         $urlparams['itemsperpage'] = $itemsperpage;
         $urlparams['answerfilter'] = $answerfilter;
+        $urlparams['sesskey'] = sesskey();
         $url = new moodle_url($CFG->wwwroot . '/mod/pdfannotator/view.php', $urlparams);
 
         $this->url = $url;
diff --git a/classes/output/comment.php b/classes/output/comment.php
index a6f6b33..1ffe19b 100644
--- a/classes/output/comment.php
+++ b/classes/output/comment.php
@@ -261,7 +261,7 @@ class comment implements \renderable, \templatable {
     private function addforwardbutton($comment, $forwardquestions, $cm) {
         if (!isset($comment->type) && $comment->isquestion && !$comment->isdeleted && $forwardquestions) {
             global $CFG;
-            $urlparams = ['id' => $cm->id, 'action' => 'forwardquestion', 'commentid' => $comment->uuid];
+            $urlparams = ['id' => $cm->id, 'action' => 'forwardquestion', 'commentid' => $comment->uuid, 'sesskey' => sesskey()];
             $url = new moodle_url($CFG->wwwroot . '/mod/pdfannotator/view.php', $urlparams);
 
             $comment->buttons[] = ["classes" => "comment-forward-a", "attributes" => ["name" => "onclick", "value" => "window.location.href = '$url';"],
diff --git a/classes/output/questionmenu.php b/classes/output/questionmenu.php
index c68c0b1..4171436 100644
--- a/classes/output/questionmenu.php
+++ b/classes/output/questionmenu.php
@@ -44,6 +44,7 @@ class questionmenu implements \renderable, \templatable {
         $urlparams['action'] = 'forwardquestion';
         $urlparams['fromoverview'] = '1';
         $urlparams['commentid'] = $commentid;
+        $urlparams['sesskey'] = sesskey();
         $url = new moodle_url($CFG->wwwroot . '/mod/pdfannotator/view.php', $urlparams);
 
         $this->url = $url;
diff --git a/controller.php b/controller.php
index 00a5606..900a3f9 100644
--- a/controller.php
+++ b/controller.php
@@ -28,6 +28,8 @@ $taburl = new moodle_url('/mod/pdfannotator/view.php', array('id' => $id));
 
 $myrenderer = $PAGE->get_renderer('mod_pdfannotator');
 
+require_course_login($pdfannotator->course, true, $cm);
+
 /* * ********************************************** Display overview page *********************************************** */
 
 if ($action === 'overview') {
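Review bot: `require_course_login($pdfannotator->course, true, $cm);` is placed after `$taburl` and `$PAGE->get_renderer(...)` have already run, so page/renderer setup happens before the login and enrolment check. The records it relies on (`$pdfannotator`, `$cm`, and the `$context` used by the `require_capability` calls further down) are loaded above line 28, outside this hunk, so I cannot see whether anything between that load and line 30 already depends on the user being logged in; if not, moving the call to directly after those records are resolved keeps every later statement behind the check. A one-line comment would also help the next reader, e.g. `// Access check: must run before any action branch below reads or changes data.`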
@@ -36,6 +38,7 @@ if ($action === 'overview') {
 }
 
 if ($action === 'forwardquestion') {
+    require_sesskey();
     require_capability('mod/pdfannotator:forwardquestions', $context);
     require_once($CFG->dirroot . '/mod/pdfannotator/forward_form.php');
     global $USER;
@@ -182,7 +185,7 @@ if ($action === 'overviewquestions') {
  * all answers.
  */
 if ($action === 'subscribeQuestion') {
-
+    require_sesskey();
     require_capability('mod/pdfannotator:subscribe', $context);
 
     global $DB;
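Review bot: `require_sesskey();` is added to the `subscribeQuestion` branch, but the diffstat lists only the three forwardquestion URL builders as the callers that gained a `sesskey` parameter; nothing in this patch adds `sesskey` to whatever links or requests trigger `subscribeQuestion`, `unsubscribeQuestion`, `markreportasread` and `markreportasunread` (the same applies to the hunks at lines 80, 89 and 97). Unless those callers already send the key (for example through `M.cfg.sesskey` in a script outside this patch), these four actions will now fail with an invalid-sesskey error for every user. Please confirm the originating links, and consider a short comment at each check such as `// State-changing GET action: caller must pass sesskey (see answermenu/questionmenu).` The `if ($action === 'subscribeQuestion')` block continues past the end of the hunk.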
@@ -205,7 +208,7 @@ if ($action === 'subscribeQuestion') {
  * answers to questions to which the user is subscribed.
  */
 if ($action === 'unsubscribeQuestion') {
-
+    require_sesskey();
     require_capability('mod/pdfannotator:subscribe', $context);
 
     global $DB;
@@ -306,6 +309,7 @@ if ($action === 'overviewownposts') {
  * (either unread reports (reportfiler == 0) or all reports (reportfilter == 2)).
  */
 if ($action === 'markreportasread') { // XXX Rename key and move it into $action === 'overviewreports'
+    require_sesskey();
     require_capability('mod/pdfannotator:viewreports', $context);
 
     global $DB;
@@ -341,6 +345,7 @@ if ($action === 'markreportasread') { // XXX Rename key and move it into $action
  * (either unread reports (reportfiler == 0) or all reports (reportfilter == 2)).
  */
 if ($action === 'markreportasunread') { // XXX Rename key and move it into $action === 'overviewreports'
+    require_sesskey();
     require_capability('mod/pdfannotator:viewreports', $context);
 
     global $DB;
@@ -484,6 +489,7 @@ if ($action === 'report') {
         echo $myrenderer->pdfannotator_render_tabs($taburl, $action, $pdfannotator->name, $context);
         pdfannotator_display_embed($pdfannotator, $cm, $course, $file);
     } else if ($report = $mform->get_data()) { // Process validated data. $mform->get_data() returns data posted in form.
+        require_sesskey();
         global $USER;
 
         // 1. Notify course manager(s).
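Review bot: The `require_sesskey();` inside `else if ($report = $mform->get_data())` is, as far as I know, redundant: a moodleform carries a hidden `sesskey` field and validates it while processing the submission, so `get_data()` only returns data for a request that already passed that check. It is harmless and keeps the branch consistent with the other actions, but a comment would stop a later reader from assuming the form did not check it: `// moodleform already validates sesskey in get_data(); kept for symmetry with the other actions.` The enclosing `if ($action === 'report')` block starts and ends outside this hunk, so I cannot see whether the GET path that displays the form needs any change.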
-- 
GitLab