[CONTRIB-6062] Domoscio: mod_domoscio_create_notion_form - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 3.0
Fix Version/s: None
Component/s: Module: Domoscio
Labels:
None

Affected Branches:
MOODLE_30_STABLE

Description

This is very weird usage of the mforms API. What is the point of such a form mod_domoscio_create_notion_form if it is not actually used to transfer and validate the data?

Among other consequences, the delete_notion.php is not protected against CSRF so any teacher can become a subject of a malicious attack like

<img width="1" height="1" src=".../url/to/delete_notion.php?d=1&kn=1" />

Attachments

Activity

People

Assignee:: Benoit Praly

Reporter:: David Mudrák (@mudrd8mz)

Participants:: Benoit Praly, David Mudrák (@mudrd8mz)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 17/Dec/15 2:31 AM

Updated:: 17/Dec/15 2:31 AM