Merge remote-tracking branch 'upstream/preprodparkur' into ofaj

3 years ago · d2fd5ff90d
parent c8b0126015 d31b6e35ff
commit d2fd5ff90d
1 changed files with 6 additions and 4 deletions
--- a/main/mySpace/myStudents.php
+++ b/main/mySpace/myStudents.php
@ -506,8 +506,9 @@ switch ($action) {
    case 'send_legal':
        $isBoss = UserManager::userIsBossOfStudent(api_get_user_id(), $student_id);
        // @ofaj
-        if ($isBoss || api_is_platform_admin()) {
+        if (($isBoss || api_is_platform_admin()) && Security::check_token('get')) {
            LegalManager::sendLegal($student_id);
+            Security::clear_token();
            /*
                $currentUserInfo = api_get_user_info();
                $subject = get_lang('SendLegalSubject');
@ -525,7 +526,7 @@ switch ($action) {
        break;
    case 'delete_legal':
        $isBoss = UserManager::userIsBossOfStudent(api_get_user_id(), $student_id);
-        if ($isBoss || api_is_platform_admin()) {
+        if (($isBoss || api_is_platform_admin()) && Security::check_token('get')) {
            $extraFieldValue = new ExtraFieldValue('user');
            $value = $extraFieldValue->get_values_by_handler_and_field_variable(
                $student_id,
@ -535,6 +536,7 @@ switch ($action) {
            if ($result) {
                Display::addFlash(Display::return_message(get_lang('Deleted')));
            }
+            Security::clear_token();
        }
        break;
    case 'reset_lp':
@ -1152,13 +1154,13 @@ $userInfo = [
                            $icon = Display::return_icon('accept.png').' '.api_get_local_time($legalTime);
                            $icon .= ' '.Display::url(
                                    get_lang('DeleteLegal'),
-                                    api_get_self().'?action=delete_legal&student='.$student_id.'&course='.$course_code,
+                                    api_get_self().'?action=delete_legal&sec_token='.$token.'&student='.$student_id.'&course='.$course_code,
                                    ['class' => 'btn btn-danger btn-xs']
                                );
                        } else {
                            $icon .= ' '.Display::url(
                                    get_lang('SendLegal'),
-                                    api_get_self().'?action=send_legal&student='.$student_id.'&course='.$course_code,
+                                    api_get_self().'?action=send_legal&sec_token='.$token.'&student='.$student_id.'&course='.$course_code,
                                    ['class' => 'btn btn-primary btn-xs']
                                );
                        }