From b30183653c903080dc8c1137db11f626bd92dff2 Mon Sep 17 00:00:00 2001
From: David Monllao <davidm@moodle.com>
Date: Wed, 29 Oct 2014 15:00:03 +0800
Subject: [PATCH] MDL-47950 course: Adding sesskey confirmation when
 duplicating activities

---
 course/mod.php          | 2 +-
 course/modduplicate.php | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/course/mod.php b/course/mod.php
index 2cca5c7..3247db4 100644
--- a/course/mod.php
+++ b/course/mod.php
@@ -78,7 +78,7 @@ if (!empty($add)) {
     $returntomod = optional_param('return', 0, PARAM_BOOL);
     redirect("$CFG->wwwroot/course/modedit.php?update=$update&return=$returntomod&sr=$sectionreturn");
 
-} else if (!empty($duplicate)) {
+} else if (!empty($duplicate) and confirm_sesskey()) {
      $cm     = get_coursemodule_from_id('', $duplicate, 0, true, MUST_EXIST);
      $course = $DB->get_record('course', array('id' => $cm->course), '*', MUST_EXIST);
 
diff --git a/course/modduplicate.php b/course/modduplicate.php
index ae75273..81eefa6 100644
--- a/course/modduplicate.php
+++ b/course/modduplicate.php
@@ -31,9 +31,11 @@
 require_once(dirname(dirname(__FILE__)) . '/config.php');
 
 $cmid           = required_param('cmid', PARAM_INT);
-$courseid       = optional_param('course', PARAM_INT);
+$courseid       = required_param('course', PARAM_INT);
 $sectionreturn  = optional_param('sr', null, PARAM_INT);
 
+require_sesskey();
+
 debugging('Please use moodle_url(\'/course/mod.php\', array(\'duplicate\' => $cmid
     , \'id\' => $courseid, \'sesskey\' => sesskey(), \'sr\' => $sectionreturn)))
     instead of new moodle_url(\'/course/modduplicate.php\', array(\'cmid\' => $cmid
-- 
1.9.1