From 1aabf67ff02208f318f070ca83927e4e8adce6f2 Mon Sep 17 00:00:00 2001
From: Julio Montoya
Date: Mon, 3 May 2010 12:43:48 +0200
Subject: [PATCH] Adding token when changing order of LP items, requires testings see CT#967
---
 main/newscorm/learnpath.class.php | 5 +++--
 main/newscorm/lp_controller.php | 28 +++++++++++++---------------
 2 files changed, 16 insertions(+), 17 deletions(-)
diff --git a/main/newscorm/learnpath.class.php b/main/newscorm/learnpath.class.php
index 16e18ed152..8284e752e2 100755
--- a/main/newscorm/learnpath.class.php
+++ b/main/newscorm/learnpath.class.php
@@ -4319,6 +4319,7 @@ class learnpath {
 unset ($this->arrMenu);
 if ($is_allowed_to_edit) {
+ $token = Security::get_token();
 $gradebook = Security :: remove_XSS($_GET['gradebook']);
 $return .= '
';
@@ -4403,7 +4404,7 @@ class learnpath {
 if ($arrLP[$i]['previous_item_id'] != 0) {
- $return .= '';
+ $return .= '';
 $return .= '';
 $return .= '';
@@ -4411,7 +4412,7 @@ class learnpath {
 $return .= '';
 if ($arrLP[$i]['next_item_id'] != 0) {
- $return .= '';
+ $return .= '';
 $return .= '';
 $return .= '';
diff --git a/main/newscorm/lp_controller.php b/main/newscorm/lp_controller.php
index 73a976a925..f130da96a3 100755
--- a/main/newscorm/lp_controller.php
+++ b/main/newscorm/lp_controller.php
@@ -424,32 +424,30 @@ switch($action)
 case 'move_item':
- if(!$is_allowed_to_edit){
+ if (!$is_allowed_to_edit) {
 api_not_allowed(true);
 }
- if($debug > 0) error_log('New LP - move item action triggered', 0);
+ if ($debug > 0) error_log('New LP - move item action triggered', 0);
- if(!$lp_found){ error_log('New LP - No learnpath given for move item', 0); require('lp_list.php'); }
- else
- {
+ if (!$lp_found) { error_log('New LP - No learnpath given for move item', 0); require('lp_list.php'); }
+ else {
 $_SESSION['refresh'] = 1;
- if(isset($_POST['submit_button']))
- {
+ if (isset($_POST['submit_button'])) {
 $_SESSION['oLP']->edit_item($_GET['id'], $_POST['parent'], $_POST['previous'], Security::remove_XSS($_POST['title'], $_POST['description']) );
- $is_success = true;
 }
- if(isset($_GET['view']) && $_GET['view'] == 'build')
- {
+ if (isset($_GET['view']) && $_GET['view'] == 'build') {
 require('lp_move_item.php');
- }
- else
- {
- $_SESSION['oLP']->move_item($_GET['id'], $_GET['direction']);
-
+ } else {
+ //avoids weird behaviours see CT#967
+ $check = Security::check_token('get');
+ if ($check) {
+ $_SESSION['oLP']->move_item($_GET['id'], $_GET['direction']);
+ }
+ Security::clear_token();
 require('lp_admin_view.php');
 }
 }
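Review bot: `$token` is assigned only inside the `if ($is_allowed_to_edit)` branch, yet the two later hunks (-4403 and -4411) change the move-link strings, presumably to interpolate it (the link markup is stripped in this rendering); if any of those links is emitted outside that branch the variable is undefined and the controller's `Security::check_token('get')` will reject every move. A short comment at the assignment, `// one-time token embedded in the move_item links; verified and cleared in lp_controller.php`, would make the coupling between the two files explicit. The enclosing method begins before the hunk and continues past it.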
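Review bot: When `Security::check_token('get')` fails, the new `else` branch silently skips `move_item()` and still requires `lp_admin_view.php`, so a user with a stale token (e.g. a page rendered before an earlier move called `Security::clear_token()`) sees the list unchanged with no explanation and nothing is logged, whereas the `!$lp_found` path in the same hunk at least calls `error_log`. Add a branch such as `} else { error_log('New LP - move_item: invalid or missing sec_token', 0); }`, or a user-visible message if the view supports one. The token only covers the GET move links; the `edit_item()` call in the `$_POST['submit_button']` branch of this hunk is still reachable without any token, so the form in `lp_move_item.php` should carry and verify one as well. Note also that the context line passes `$_POST['description']` as the second argument of `Security::remove_XSS()` instead of sanitising it separately, which looks like a pre-existing mistake worth fixing while here. The `switch` this `case` belongs to begins before the hunk.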