Replacing $_SESSION['sec_token'] with Security::getCurrentToken()

skala
Julio Montoya 13 years ago
parent 67c13364fa
commit 5672e0f235
  1. 12
      main/admin/access_urls.php
  2. 4
      main/admin/calendar_view.php
  3. 4
      main/admin/group_list.php
  4. 16
      main/admin/user_fields.php
  5. 6
      main/admin/user_fields_options.php
  6. 24
      main/admin/user_information.php
  7. 8
      main/admin/user_list.php
  8. 2
      main/announcements/announcements.php
  9. 2
      main/auth/courses.php
  10. 2
      main/auth/ldap/authldap.php
  11. 6
      main/coursecopy/copy_course.php
  12. 4
      main/inc/lib/auth.lib.php
  13. 14
      main/inc/lib/security.lib.php
  14. 1
      main/inc/lib/template.lib.php
  15. 2
      main/inc/lib/usermanager.lib.php
  16. 3
      main/social/group_topics.php
  17. 2
      main/user/user.php

@ -112,10 +112,10 @@ echo '</div>';
//$table = new SortableTable('urls', 'url_count_mask', 'get_url_data_mask',2);
$sortable_data = UrlManager::get_url_data();
$urls = array();
$types = array(1=>'AccessURL',2=>'SincroServer',3=>'SincroClient');
$types = array(1=>'AccessURL',2=>'SincroServer',3=>'SincroClient');
foreach($sortable_data as $row) {
//title
$url = Display::url($row['url'], $row['url'], array('target'=>'_blank'));
$url = Display::url($row['url'], $row['url'], array('target'=>'_blank'));
$name = $row['description'];
if (!empty($row['branch_name'])) {
$name = $row['branch_name'];
@ -147,14 +147,14 @@ foreach($sortable_data as $row) {
if ($row['id']=='1') {
$status = Display::return_icon($image.'.gif', get_lang(ucfirst($action)));
} else {
$status = '<a href="access_urls.php?action='.$action.'&amp;url_id='.$row['id'].'&amp;sec_token='.$_SESSION['sec_token'].'">'.Display::return_icon($image.'.gif', get_lang(ucfirst($action))).'</a>';
}
$status = '<a href="access_urls.php?action='.$action.'&amp;url_id='.$row['id'].'&amp;sec_token='.Security::getCurrentToken().'">'.Display::return_icon($image.'.gif', get_lang(ucfirst($action))).'</a>';
}
//Actions
$url_id = $row['id'];
$actions = Display::url(Display::return_icon('edit.png', get_lang('Edit'), array(), ICON_SIZE_SMALL), "access_url_edit.php?url_id=$url_id");
if ($url_id != '1') {
$actions .= '<a href="access_urls.php?action=delete_url&amp;url_id='.$url_id.'&amp;sec_token='.$_SESSION['sec_token'].'" onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang("ConfirmYourChoice"),ENT_QUOTES,$charset))."'".')) return false;">'.Display::return_icon('delete.png', get_lang('Delete'), array(), ICON_SIZE_SMALL).'</a>';
}
$actions .= '<a href="access_urls.php?action=delete_url&amp;url_id='.$url_id.'&amp;sec_token='.Security::getCurrentToken().'" onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang("ConfirmYourChoice"),ENT_QUOTES,$charset))."'".')) return false;">'.Display::return_icon('delete.png', get_lang('Delete'), array(), ICON_SIZE_SMALL).'</a>';
}
$urls[] = array($url, $name, $type, $tech, $contact, $status, $actions);
}
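Review bot: Security::getCurrentToken() returns null when the session holds no token (its body in the security.lib.php section of this commit is `isset($_SESSION['sec_token']) ? $_SESSION['sec_token'] : null`), so the status and delete links built on the new lines of the second hunk carry `sec_token=` with an empty value if the page has not generated a token before this loop runs, and check_token('get') would presumably then reject every action. Confirm that Security::get_token() is called earlier in access_urls.php, or fetch the token once with `$token = Security::getCurrentToken();` before the foreach and check it for null there rather than inside each row. The same consideration applies to the link-building hunks in group_list.php, user_fields.php, user_fields_options.php, user_information.php, user_list.php, authldap.php and user/user.php. The foreach that builds these rows ends within the hunk, but the page's token setup is outside it.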

@ -1,4 +1,4 @@
<?php // $id: $
<?php
/* For licensing terms, see /license.txt */
/**
* @package chamilo.admin
@ -11,7 +11,7 @@ $language_file = 'agenda';
require_once '../inc/global.inc.php';
//session
if(isset($_GET['id_session'])) {
if (isset($_GET['id_session'])) {
$_SESSION['id_session'] = intval($_GET['id_session']);
}

@ -174,7 +174,7 @@ function modify_filter($group_id, $url_params, $row) {
if (api_is_platform_admin()) {
$result .= '<a href="'.api_get_path(WEB_CODE_PATH).'admin/add_users_to_group.php?id='.$group_id.'">'.Display::return_icon('subscribe_users_social_network.png', get_lang('AddUsersToGroup'), '', ICON_SIZE_SMALL).'</a>';
$result .= '<a href="group_edit.php?id='.$group_id.'">'.Display::return_icon('edit.png', get_lang('Edit'), array(), ICON_SIZE_SMALL).'</a>&nbsp;&nbsp;';
$result .= '<a href="group_list.php?action=delete_group&amp;group_id='.$group_id.'&amp;'.$url_params.'&amp;sec_token='.$_SESSION['sec_token'].'" onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang("ConfirmYourChoice"), ENT_QUOTES, $charset))."'".')) return false;">'.Display::return_icon('delete.png', get_lang('Delete'), array(), ICON_SIZE_SMALL).'</a>';
$result .= '<a href="group_list.php?action=delete_group&amp;group_id='.$group_id.'&amp;'.$url_params.'&amp;sec_token='.Security::getCurrentToken().'" onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang("ConfirmYourChoice"), ENT_QUOTES, $charset))."'".')) return false;">'.Display::return_icon('delete.png', get_lang('Delete'), array(), ICON_SIZE_SMALL).'</a>';
}
return $result;
}
@ -205,7 +205,7 @@ function active_filter($active, $url_params, $row) {
if ($action == 'edit') {
$result = Display::return_icon($image.'.gif', get_lang('AccountExpired'));
} elseif ($row['0'] <> $_user['user_id']) { // you cannot lock yourself out otherwise you could disable all the accounts including your own => everybody is locked out and nobody can change it anymore.
$result = '<a href="user_list.php?action='.$action.'&amp;user_id='.$row['0'].'&amp;'.$url_params.'&amp;sec_token='.$_SESSION['sec_token'].'">'.Display::return_icon($image.'.gif', get_lang(ucfirst($action))).'</a>';
$result = '<a href="user_list.php?action='.$action.'&amp;user_id='.$row['0'].'&amp;'.$url_params.'&amp;sec_token='.Security::getCurrentToken().'">'.Display::return_icon($image.'.gif', get_lang(ucfirst($action))).'</a>';
}
return $result;
}

@ -207,14 +207,14 @@ function order_filter($field_order, $url_params, $row) {
$return = '';
// the up icon only has to appear when the row can be moved up (all but the first row)
if ($row[5] <> 1) {
$return .= '<a href="' . api_get_self() . '?action=moveup&field_id=' . $row[0] . '&sec_token=' . $_SESSION['sec_token'] . '">' . Display::return_icon('up.gif', get_lang('Up')) . '</a>';
$return .= '<a href="' . api_get_self() . '?action=moveup&field_id=' . $row[0] . '&sec_token=' . Security::getCurrentToken() . '">' . Display::return_icon('up.gif', get_lang('Up')) . '</a>';
} else {
$return .= Display::return_icon('blank.gif', '', array('width' => '21px'));
}
// the down icon only has to appear when the row can be moved down (all but the last row)
if ($row[5] <> $number_of_extra_fields) {
$return .= '<a href="' . api_get_self() . '?action=movedown&field_id=' . $row[0] . '&sec_token=' . $_SESSION['sec_token'] . '">' . Display::return_icon('down.gif', get_lang('Down')) . '</a>';
$return .= '<a href="' . api_get_self() . '?action=movedown&field_id=' . $row[0] . '&sec_token=' . Security::getCurrentToken() . '">' . Display::return_icon('down.gif', get_lang('Down')) . '</a>';
}
return $return;
}
@ -227,7 +227,7 @@ function order_filter($field_order, $url_params, $row) {
* @return string The link
*/
function modify_visibility($visibility, $url_params, $row) {
return ($visibility ? '<a href="' . api_get_self() . '?action=hide_field&field_id=' . $row[0] . '&sec_token=' . $_SESSION['sec_token'] . '">' . Display::return_icon('visible.gif', get_lang('Hide')) . '</a>' : '<a href="' . api_get_self() . '?action=show_field&field_id=' . $row[0] . '&sec_token=' . $_SESSION['sec_token'] . '">' . Display::return_icon('invisible.gif', get_lang('Show')) . '</a>');
return ($visibility ? '<a href="' . api_get_self() . '?action=hide_field&field_id=' . $row[0] . '&sec_token=' . Security::getCurrentToken() . '">' . Display::return_icon('visible.gif', get_lang('Hide')) . '</a>' : '<a href="' . api_get_self() . '?action=show_field&field_id=' . $row[0] . '&sec_token=' . Security::getCurrentToken() . '">' . Display::return_icon('invisible.gif', get_lang('Show')) . '</a>');
}
/**
@ -238,18 +238,18 @@ function modify_visibility($visibility, $url_params, $row) {
* @return string The link
*/
function modify_changeability($changeability, $url_params, $row) {
return ($changeability ? '<a href="' . api_get_self() . '?action=freeze_field&field_id=' . $row[0] . '&sec_token=' . $_SESSION['sec_token'] . '">' . Display::return_icon('right.gif', get_lang('MakeUnchangeable')) . '</a>' : '<a href="' . api_get_self() . '?action=thaw_field&field_id=' . $row[0] . '&sec_token=' . $_SESSION['sec_token'] . '">' . Display::return_icon('wrong.gif', get_lang('MakeChangeable')) . '</a>');
return ($changeability ? '<a href="' . api_get_self() . '?action=freeze_field&field_id=' . $row[0] . '&sec_token=' . Security::getCurrentToken() . '">' . Display::return_icon('right.gif', get_lang('MakeUnchangeable')) . '</a>' : '<a href="' . api_get_self() . '?action=thaw_field&field_id=' . $row[0] . '&sec_token=' . Security::getCurrentToken() . '">' . Display::return_icon('wrong.gif', get_lang('MakeChangeable')) . '</a>');
}
function modify_field_filter($changeability, $url_params, $row) {
return ($changeability ? '<a href="' . api_get_self() . '?action=filter_off&field_id=' . $row[0] . '&sec_token=' . $_SESSION['sec_token'] . '">' . Display::return_icon('right.gif', get_lang('FilterOff')) . '</a>' : '' .
'<a href="' . api_get_self() . '?action=filter_on&field_id=' . $row[0] . '&sec_token=' . $_SESSION['sec_token'] . '">' . Display::return_icon('wrong.gif', get_lang('FilterOn')) . '</a>');
return ($changeability ? '<a href="' . api_get_self() . '?action=filter_off&field_id=' . $row[0] . '&sec_token=' . Security::getCurrentToken() . '">' . Display::return_icon('right.gif', get_lang('FilterOff')) . '</a>' : '' .
'<a href="' . api_get_self() . '?action=filter_on&field_id=' . $row[0] . '&sec_token=' . Security::getCurrentToken() . '">' . Display::return_icon('wrong.gif', get_lang('FilterOn')) . '</a>');
}
function edit_filter($id, $url_params, $row) {
global $charset;
$return = '<a href="user_fields_add.php?action=edit&field_id=' . $row[0] . '&field_type=' . $row[2] . '&sec_token=' . $_SESSION['sec_token'] . '">' . Display::return_icon('edit.png', get_lang('Edit')) . '</a>';
$return .= ' <a href="' . api_get_self() . '?action=delete&field_id=' . $row[0] . '&sec_token=' . $_SESSION['sec_token'] . '" onclick="javascript:if(!confirm(' . "'" . addslashes(api_htmlentities(get_lang("ConfirmYourChoice"), ENT_QUOTES, $charset)) . "'" . ')) return false;">' .
$return = '<a href="user_fields_add.php?action=edit&field_id=' . $row[0] . '&field_type=' . $row[2] . '&sec_token=' . Security::getCurrentToken() . '">' . Display::return_icon('edit.png', get_lang('Edit')) . '</a>';
$return .= ' <a href="' . api_get_self() . '?action=delete&field_id=' . $row[0] . '&sec_token=' . Security::getCurrentToken() . '" onclick="javascript:if(!confirm(' . "'" . addslashes(api_htmlentities(get_lang("ConfirmYourChoice"), ENT_QUOTES, $charset)) . "'" . ')) return false;">' .
Display::return_icon('delete.png', get_lang('Delete')) . '</a>';
return $return;
}
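Review bot: The new href values in order_filter, modify_visibility, modify_changeability, modify_field_filter and edit_filter join query parameters with a bare `&` inside an HTML attribute, whereas the other files in this commit (group_list.php, user_fields_options.php, user_list.php) write `&amp;`; for consistency and valid markup the separators here should be `&amp;` as well, e.g. `'?action=moveup&amp;field_id=' . $row[0] . '&amp;sec_token=' . Security::getCurrentToken()`. order_filter's signature is outside the first hunk, and `$number_of_extra_fields` is read on `if ($row[5] <> $number_of_extra_fields)` without a visible `global` declaration in the hunk, so confirm it is brought into scope above the hunk.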

@ -22,7 +22,7 @@ api_protect_admin_script();
// breadcrumbs
$interbreadcrumb[] = array('url' => 'index.php', 'name' => get_lang('PlatformAdmin'));
$interbreadcrumb[] = array('url' => 'user_fields.php', 'name' => get_lang('UserFields'));
$interbreadcrumb[] = array('url' => 'user_fields_add.php?action=edit&field_id=' . Security::remove_XSS($_GET['field_id']) . '&amp;sec_token=' . $_SESSION['sec_token'], 'name' => get_lang('EditUserFields'));
$interbreadcrumb[] = array('url' => 'user_fields_add.php?action=edit&field_id=' . Security::remove_XSS($_GET['field_id']) . '&amp;sec_token=' . Security::getCurrentToken(), 'name' => get_lang('EditUserFields'));
// name of the tools
$tool_name = get_lang('UserFieldsSortOptions');
@ -111,14 +111,14 @@ function actions_filter($option_id, $url_params, $row) {
global $number_of_options;
if ($row[0] <> 1) {
$return .= '<a href="' . api_get_self() . '?action=moveup&amp;option_id=' . $option_id . '&amp;field_id=' . Security::remove_XSS($_GET['field_id']) . '&amp;sec_token=' . $_SESSION['sec_token'] . '">' . Display::return_icon('up.gif', get_lang('Up')) . '</a>';
$return .= '<a href="' . api_get_self() . '?action=moveup&amp;option_id=' . $option_id . '&amp;field_id=' . Security::remove_XSS($_GET['field_id']) . '&amp;sec_token=' . Security::getCurrentToken() . '">' . Display::return_icon('up.gif', get_lang('Up')) . '</a>';
} else {
$return .= Display::return_icon('blank.gif', '', array('width' => '21px'));
}
// the down icon only has to appear when the row can be moved down (all but the last row)
if ($row[0] <> $number_of_options) {
$return .= '<a href="' . api_get_self() . '?action=movedown&amp;option_id=' . $option_id . '&amp;field_id=' . Security::remove_XSS($_GET['field_id']) . '&amp;sec_token=' . $_SESSION['sec_token'] . '">' . Display::return_icon('down.gif', get_lang('Down')) . '</a>';
$return .= '<a href="' . api_get_self() . '?action=movedown&amp;option_id=' . $option_id . '&amp;field_id=' . Security::remove_XSS($_GET['field_id']) . '&amp;sec_token=' . Security::getCurrentToken() . '">' . Display::return_icon('down.gif', get_lang('Down')) . '</a>';
}
return $return;
}
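Review bot: `Security::remove_XSS($_GET['field_id'])` is used to place field_id into the breadcrumb URL and the move links on the new lines; field_id is a numeric id, so casting with `(int) $_GET['field_id']` is the tighter choice, since remove_XSS, judging by its name, filters markup rather than guaranteeing a well-formed query value. The same pattern appears in the authldap.php hunk for id_session. actions_filter's opening line and the initialisation of `$return` are outside the second hunk.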

@ -40,7 +40,7 @@ if ( isset($_GET['action']) ) {
$statusname = api_get_status_langvars();
$login_as_icon = '';
if (api_is_platform_admin() || (api_is_session_admin() && $row['6'] == $statusname[STUDENT])) {
$login_as_icon = '<a href="'.api_get_path(WEB_CODE_PATH).'admin/user_list.php?action=login_as&amp;user_id='.$user['user_id'].'&amp;sec_token='.$_SESSION['sec_token'].'">'.Display::return_icon('login_as.gif', get_lang('LoginAs')).'</a>';
$login_as_icon = '<a href="'.api_get_path(WEB_CODE_PATH).'admin/user_list.php?action=login_as&amp;user_id='.$user['user_id'].'&amp;sec_token='.Security::getCurrentToken().'">'.Display::return_icon('login_as.gif', get_lang('LoginAs')).'</a>';
}
echo '<div class="actions"><a href="'.api_get_path(WEB_CODE_PATH).'mySpace/myStudents.php?student='.intval($_GET['user_id']).'" title="'.get_lang('Reporting').'">'.Display::return_icon('statistics.png',get_lang('Reporting'),'', ICON_SIZE_MEDIUM).'</a>'.$login_as_icon.'</div>';
@ -87,22 +87,22 @@ if (count($sessions) > 0) {
$header[] = array ('', false);
foreach ($sessions as $session_item) {
$data = array ();
$personal_course_list = array();
$id_session = $session_item['session_id'];
foreach ($session_item['courses'] as $my_course) {
$course_info = api_get_course_info($my_course['code']);
$row = array ();
$row[] = $my_course['code'];
$row[] = $course_info['title'];
//$row[] = $my_course['status'] == STUDENT ? get_lang('Student') : get_lang('Teacher');
$roles = api_detect_user_roles($user['user_id'], $my_course['code'], $id_session);
$row[] = api_get_roles_to_string($roles);
$tools = '<a href="course_information.php?code='.$course_info['code'].'&id_session='.$id_session.'">'.Display::return_icon('synthese_view.gif', get_lang('Overview')).'</a>'.
'<a href="'.api_get_path(WEB_COURSE_PATH).$course_info['path'].'?id_session='.$id_session.'">'.Display::return_icon('course_home.gif', get_lang('CourseHomepage')).'</a>';
@ -138,7 +138,7 @@ if (Database::num_rows($res) > 0) {
$row = array ();
$row[] = $course->code;
$row[] = $course->title;
//$row[] = $course->status == STUDENT ? get_lang('Student') : get_lang('Teacher');
$roles = api_detect_user_roles($user['user_id'], $course->code);
$row[] = api_get_roles_to_string($roles);
@ -153,7 +153,7 @@ if (Database::num_rows($res) > 0) {
$data[] = $row;
}
echo Display::page_subheader(get_lang('Courses'));
Display :: display_sortable_table($header, $data, array (), array (), array ('user_id' => intval($_GET['user_id'])));
Display :: display_sortable_table($header, $data, array (), array (), array ('user_id' => intval($_GET['user_id'])));
} else {
Display::display_warning_message(get_lang('NoCoursesForThisUser'));
}
@ -182,7 +182,7 @@ if (Database::num_rows($res) > 0) {
echo '<blockquote>';
Display :: display_sortable_table($header, $data, array (), array (), array ('user_id' => intval($_GET['user_id'])));
echo '</blockquote>';
} else {
} else {
echo '<p>'.get_lang('NoClassesForThisUser').'</p>';
}*/
@ -190,7 +190,7 @@ if (Database::num_rows($res) > 0) {
* Show the URL in which this user is subscribed
*/
global $_configuration;
if ($_configuration['multiple_access_urls']) {
if ($_configuration['multiple_access_urls']) {
$url_list= UrlManager::get_access_url_from_user($user['user_id']);
if (count($url_list) > 0) {
$header = array();
@ -201,8 +201,8 @@ if ($_configuration['multiple_access_urls']) {
$row[] = Display::url($url['url'], $url['url']);
$data[] = $row;
}
echo '<p><b>'.get_lang('URLList').'</b></p>';
Display :: display_sortable_table($header, $data, array (), array (), array ('user_id' => intval($_GET['user_id'])));
echo '<p><b>'.get_lang('URLList').'</b></p>';
Display :: display_sortable_table($header, $data, array (), array (), array ('user_id' => intval($_GET['user_id'])));
} else {
echo '<p>'.get_lang('NoUrlForThisUser').'</p>';
}

@ -481,11 +481,11 @@ function modify_filter($user_id, $url_params, $row) {
if (api_is_platform_admin() || (api_is_session_admin() && $current_user_status_label == $statusname[STUDENT])) {
if (!$user_is_anonymous) {
if (api_global_admin_can_edit_admin($user_id)) {
$result .= '<a href="user_list.php?action=login_as&amp;user_id='.$user_id.'&amp;sec_token='.$_SESSION['sec_token'].'">'.Display::return_icon('login_as.gif', get_lang('LoginAs')).'</a>&nbsp;&nbsp;';
$result .= '<a href="user_list.php?action=login_as&amp;user_id='.$user_id.'&amp;sec_token='.Security::getCurrentToken().'">'.Display::return_icon('login_as.gif', get_lang('LoginAs')).'</a>&nbsp;&nbsp;';
} else {
$result .= Display::return_icon('login_as_na.gif', get_lang('LoginAs')).'&nbsp;&nbsp;';
}
//$result .= '<a href="user_list.php?action=login_as&amp;user_id='.$user_id.'&amp;sec_token='.$_SESSION['sec_token'].'">'.Display::return_icon('login_as.gif', get_lang('LoginAs')).'</a>&nbsp;&nbsp;';
//$result .= '<a href="user_list.php?action=login_as&amp;user_id='.$user_id.'&amp;sec_token='.Security::getCurrentToken().'">'.Display::return_icon('login_as.gif', get_lang('LoginAs')).'</a>&nbsp;&nbsp;';
} else {
$result .= Display::return_icon('login_as_na.gif', get_lang('LoginAs')).'&nbsp;&nbsp;';
}
@ -536,7 +536,7 @@ function modify_filter($user_id, $url_params, $row) {
if ($delete_user_available) {
if ($user_id != api_get_user_id() && !$user_is_anonymous && api_global_admin_can_edit_admin($user_id)) {
// you cannot lock yourself out otherwise you could disable all the accounts including your own => everybody is locked out and nobody can change it anymore.
$result .= ' <a href="user_list.php?action=delete_user&amp;user_id='.$user_id.'&amp;'.$url_params.'&amp;sec_token='.$_SESSION['sec_token'].'" onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang("ConfirmYourChoice"),ENT_QUOTES,$charset))."'".')) return false;">'.Display::return_icon('delete.png', get_lang('Delete'), array(), ICON_SIZE_SMALL).'</a>';
$result .= ' <a href="user_list.php?action=delete_user&amp;user_id='.$user_id.'&amp;'.$url_params.'&amp;sec_token='.Security::getCurrentToken().'" onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang("ConfirmYourChoice"),ENT_QUOTES,$charset))."'".')) return false;">'.Display::return_icon('delete.png', get_lang('Delete'), array(), ICON_SIZE_SMALL).'</a>';
} else {
$result .= Display::return_icon('delete_na.png', get_lang('Delete'), array(), ICON_SIZE_SMALL);
}
@ -870,7 +870,7 @@ if ($table->get_total_number_of_items() == 0) {
$row_table = array();
$row_table[] = api_get_person_name($user['firstname'], $user['lastname']).' ('.$user['username'].') ';
$row_table[] = $access_info_to_string;
$url = api_get_self().'?action=add_user_to_my_url&user_id='.$user['user_id'].'&sec_token='.$_SESSION['sec_token'];
$url = api_get_self().'?action=add_user_to_my_url&user_id='.$user['user_id'].'&sec_token='.Security::getCurrentToken();
$row_table[] = Display::url(get_lang('AddUserToMyURL'), $url, array('class' => 'btn'));
foreach ($row_table as $cell) {
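Review bot: The commented-out line `//$result .= '<a href="user_list.php?action=login_as&amp;user_id='.$user_id.'&amp;sec_token='.Security::getCurrentToken()...` in the first hunk of this section was updated along with the live code; it duplicates the link built three lines above it and should be deleted rather than kept in sync. The similar commented line in the usermanager.lib.php hunk appears to be removed by this commit, which is the right treatment here too. modify_filter starts and ends outside these hunks.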

@ -129,7 +129,7 @@ if (!empty($group_id)) {
/* Sessions */
$ctok = $_SESSION['sec_token'];
$ctok = Security::getCurrentToken();
$stok = Security::get_token();
$to = null;
$email_ann = null;

@ -114,7 +114,7 @@ if (empty($nameTools)) {
// course description controller object
$courses_controller = new CoursesController();
$ctok = isset($_SESSION['sec_token']) ? $_SESSION['sec_token'] : null;
$ctok = Security::getCurrentToken();
// We are moving a course or category of the user up/down the list (=Sort My Courses).
if (isset($_GET['move'])) {

@ -465,7 +465,7 @@ function ldap_get_user_data($from, $number_of_items, $column, $direction) {
function modify_filter($user_id,$url_params, $row) {
$url_params_id="id[]=".$row[0];
//$url_params_id="id=".$row[0];
$result .= '<a href="ldap_users_list.php?action=add_user&amp;user_id='.$user_id.'&amp;id_session='.Security::remove_XSS($_GET['id_session']).'&amp;'.$url_params_id.'&amp;sec_token='.$_SESSION['sec_token'].'" onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang("ConfirmYourChoice"), ENT_QUOTES, api_get_system_encoding()))."'".')) return false;">'.Display::return_icon('add_user.gif', get_lang('AddUsers')).'</a>';
$result .= '<a href="ldap_users_list.php?action=add_user&amp;user_id='.$user_id.'&amp;id_session='.Security::remove_XSS($_GET['id_session']).'&amp;'.$url_params_id.'&amp;sec_token='.Security::getCurrentToken().'" onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang("ConfirmYourChoice"), ENT_QUOTES, api_get_system_encoding()))."'".')) return false;">'.Display::return_icon('add_user.gif', get_lang('AddUsers')).'</a>';
return $result;
}
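Review bot: `$result .= '<a href="ldap_users_list.php?action=add_user...'` on the new line of modify_filter appends to `$result` before anything has assigned it; within the hunk the body starts at `$url_params_id="id[]=".$row[0];` and never initialises `$result`, so this relies on PHP treating an undefined variable as an empty string and emits a notice on every row. Initialise it explicitly with `$result = '';` before the append, or turn the append into a plain assignment. id_session is interpolated through `Security::remove_XSS($_GET['id_session'])`; as a numeric id, `(int) $_GET['id_session']` would be the tighter choice.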

@ -11,14 +11,15 @@ $language_file = array('exercice', 'coursebackup', 'admin');
// Setting the global file that gets the general configuration, the databases, the languages, ...
require_once '../inc/global.inc.php';
$current_course_tool = TOOL_COURSE_MAINTENANCE;
api_protect_course_script(true);
// Including additional libraries
require_once 'classes/CourseBuilder.class.php';
require_once 'classes/CourseRestorer.class.php';
require_once 'classes/CourseSelectForm.class.php';
$current_course_tool = TOOL_COURSE_MAINTENANCE;
api_protect_course_script(true);
// Notice for unauthorized people.
if (!api_is_allowed_to_edit()) {
api_not_allowed(true);
@ -78,6 +79,7 @@ if ((isset($_POST['action']) && $_POST['action'] == 'course_select_form') || (is
$sql .= ' AND cu.status=1 ';
}
$sql .= ' AND target_course_code IS NULL AND cu.user_id = '.$user_info['user_id'].' AND c.code != '."'".$course_info['sysCode']."'".' ORDER BY title ASC';
$res = Database::query($sql);
if (Database::num_rows($res) == 0) {
Display::display_normal_message(get_lang('NoDestinationCoursesAvailable'));

@ -642,9 +642,9 @@ class Auth {
$message = get_lang('CourseRequiresPassword') . '<br />';
$message .= $all_course_information['title'].' ('.$all_course_information['visual_code'].') ';
$action = api_get_path(WEB_CODE_PATH) . "auth/courses.php?action=subscribe_user_with_password&sec_token=" . $_SESSION['sec_token'];
$action = api_get_path(WEB_CODE_PATH) . "auth/courses.php?action=subscribe_user_with_password&sec_token=" . Security::getCurrentToken();
$form = new FormValidator('subscribe_user_with_password', 'post', $action);
$form->addElement('hidden', 'sec_token', $_SESSION['sec_token']);
$form->addElement('hidden', 'sec_token', Security::getCurrentToken());
$form->addElement('hidden', 'subscribe_user_with_password', $all_course_information['code']);
$form->addElement('text', 'course_registration_code');
$form->addElement('button', 'submit', get_lang('SubmitRegistrationCode'));

@ -126,27 +126,29 @@ class Security
*/
public static function check_token($request_type = 'post')
{
$currentSessionToken = Security::getCurrentToken();
switch ($request_type) {
case 'request':
if (isset($_SESSION['sec_token']) && isset($_REQUEST['sec_token']) && $_SESSION['sec_token'] === $_REQUEST['sec_token']) {
if (isset($currentSessionToken) && isset($_REQUEST['sec_token']) && $currentSessionToken === $_REQUEST['sec_token']) {
return true;
}
return false;
case 'get':
if (isset($_SESSION['sec_token']) && isset($_GET['sec_token']) && $_SESSION['sec_token'] === $_GET['sec_token']) {
if (isset($currentSessionToken) && isset($_GET['sec_token']) && $currentSessionToken === $_GET['sec_token']) {
return true;
}
return false;
case 'post':
if (isset($_SESSION['sec_token']) && isset($_POST['sec_token']) && $_SESSION['sec_token'] === $_POST['sec_token']) {
if (isset($currentSessionToken) && isset($_POST['sec_token']) && $currentSessionToken === $_POST['sec_token']) {
return true;
}
return false;
default:
if (isset($_SESSION['sec_token']) && isset($request_type) && $_SESSION['sec_token'] === $request_type) {
if (isset($currentSessionToken) && isset($request_type) && $currentSessionToken === $request_type) {
return true;
}
@ -214,6 +216,10 @@ class Security
return $token;
}
public function getCurrentToken() {
return isset($_SESSION['sec_token']) ? $_SESSION['sec_token'] : null;
}
/**
* Gets the user agent in the session to later check it with check_ua() to prevent
* most cases of session hijacking.
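Review bot: getCurrentToken() is declared `public function getCurrentToken()` in the second hunk, but every caller introduced by this commit, including `$currentSessionToken = Security::getCurrentToken();` in check_token() above it, invokes it statically; a non-static method called statically is at best a strict-standards notice on the PHP of the time and an Error on current PHP, so declare it `public static function getCurrentToken()`. The method also lacks a docblock where its siblings have one; add `/** Returns the anti-CSRF token stored in the session, or null when none has been generated yet. @return string|null */`. In check_token(), `isset($currentSessionToken)` on a local that is always assigned reads oddly; `$currentSessionToken !== null` states the intent directly. The end of check_token()'s default branch and the rest of the class lie outside both hunks.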

@ -267,6 +267,7 @@ class Template
$new_messages = MessageManager::get_new_messages();
$user_info['messages_count'] = $new_messages != 0 ? Display::label($new_messages, 'warning') : null;
$messages_invitations_count = GroupPortalManager::get_groups_by_user_count(
$user_info['user_id'],
GROUP_USER_PERMISSION_PENDING_INVITATION,

@ -3932,8 +3932,6 @@ class UserManager {
// if ($currentTimestamp - $timestamp > 184590 )
if ($currentTimestamp - $timestamp > $inactive_time && UserManager::delete_user($student_id )) {
Display :: display_normal_message(get_lang('UserDeleted'));
//avec validation:
// $result .= '<a href="user_list.php?action=delete_user&amp;user_id='.$student_id.'&amp;'.$url_params.'&amp;sec_token='.$_SESSION['sec_token'].'" onclick="javascript:if(!confirm('."'".addslashes(api_htmlentities(get_lang("ConfirmYourChoice"),ENT_QUOTES,$charset))."'".')) return false;">'.Display::return_icon('delete.gif', get_lang('Delete')).'</a>';
echo '<p>','id',$student_id ,':',$last_login_date,'</p>';
}
}

@ -46,7 +46,8 @@ if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'delete') {
}
// save message group
if (isset($_POST['token']) && $_POST['token'] === $_SESSION['sec_token']) {
$currentToken = Security::getCurrentToken();
if (isset($_POST['token']) && $_POST['token'] === $currentToken) {
if (isset($_POST['action'])) {
$title = isset($_POST['title']) ? $_POST['title'] : null;

@ -619,7 +619,7 @@ function modify_filter($user_id) {
//if platform admin, show the login_as icon (this drastically shortens
// time taken by support to test things out)
if (api_is_platform_admin()) {
$result .= ' <a href="'.api_get_path(WEB_CODE_PATH).'admin/user_list.php?action=login_as&amp;user_id='.$user_id.'&amp;sec_token='.$_SESSION['sec_token'].'">'.Display::return_icon('login_as.gif', get_lang('LoginAs')).'</a>&nbsp;&nbsp;';
$result .= ' <a href="'.api_get_path(WEB_CODE_PATH).'admin/user_list.php?action=login_as&amp;user_id='.$user_id.'&amp;sec_token='.Security::getCurrentToken().'">'.Display::return_icon('login_as.gif', get_lang('LoginAs')).'</a>&nbsp;&nbsp;';
}
if (api_is_allowed_to_edit(null, true)) {
