diff --git a/main/inc/lib/CoursesAndSessionsCatalog.class.php b/main/inc/lib/CoursesAndSessionsCatalog.class.php
index 98e1aaf9de..f62b15dda4 100644
--- a/main/inc/lib/CoursesAndSessionsCatalog.class.php
+++ b/main/inc/lib/CoursesAndSessionsCatalog.class.php
@@ -1170,21 +1170,27 @@ class CoursesAndSessionsCatalog
/**
* Display the unregister button of a course in the course catalog.
*
- * @param $course
- * @param $stok
- * @param $search_term
- * @param $categoryCode
+ * @param array $course
+ * @param string $stok
+ * @param string $search_term
+ * @param string $categoryCode
+ * @param int $sessionId
*
* @return string
*/
- public static function return_unregister_button($course, $stok, $search_term, $categoryCode)
+ public static function return_unregister_button($course, $stok, $search_term, $categoryCode, $sessionId = 0)
{
$title = get_lang('Unsubscription');
+ $search_term = Security::remove_XSS($search_term);
+ $categoryCode = Security::remove_XSS($categoryCode);
+ $sessionId = (int) $sessionId;
+
+ $url = api_get_self().'?action=unsubscribe&sec_token='.$stok.'&sid='.$sessionId.'&course_code='.$course['code'].
+ '&search_term='.$search_term.'&category_code='.$categoryCode;
return Display::url(
Display::returnFontAwesomeIcon('sign-in').' '.$title,
- api_get_self().'?action=unsubscribe&sec_token='.$stok
- .'&course_code='.$course['code'].'&search_term='.$search_term.'&category_code='.$categoryCode,
+ $url,
['class' => 'btn btn-danger', 'title' => $title, 'aria-label' => $title]
);
}
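Review bot: The query string built at the new `$url` lines still concatenates raw values, and `Security::remove_XSS` is an HTML-context filter, not URL encoding — a `$search_term` containing `&`, `=`, `#` or a space breaks the query, and `$course['code']` and `$stok` are not filtered at all. Building the URL with `http_build_query` URL-encodes every value and keeps the cast to `(int) $sessionId`; `remove_XSS` can stay as defence in depth but does not replace the encoding. Whether `Display::url` escapes the href for the attribute context is not visible here, so the encoded URL should be treated as the only guarantee.
```php
    $url = api_get_self().'?'.http_build_query([
        'action' => 'unsubscribe',
        'sec_token' => $stok,
        'sid' => (int) $sessionId,
        'course_code' => $course['code'],
        'search_term' => $search_term,
        'category_code' => $categoryCode,
    ]);
    // … unchanged: Display::url(...) call using $url …
```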
diff --git a/main/inc/lib/auth.lib.php b/main/inc/lib/auth.lib.php
index 5910d8af2f..88a22e46f5 100755
--- a/main/inc/lib/auth.lib.php
+++ b/main/inc/lib/auth.lib.php
@@ -302,7 +302,7 @@ class Auth
*
* @return bool True if it success
*/
- public function remove_user_from_course($course_code)
+ public function remove_user_from_course($course_code, $sessionId = 0)
{
$tbl_course_user = Database::get_main_table(TABLE_MAIN_COURSE_USER);
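Review bot: The new `$sessionId` parameter of `remove_user_from_course` is never normalised before it reaches `CourseManager::unsubscribe_user` in the later hunk, and its caller in `user_portal.php` passes the request value through untouched; add `$sessionId = (int) $sessionId;` at the top of the method so the session id is an int regardless of what the caller hands over. The docblock above also lacks the new parameter — `@param int $sessionId Session id, 0 for a course outside any session` would complete it. The rest of the method body is outside this hunk.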
@@ -312,6 +312,11 @@ class Auth
$result = true;
$courseInfo = api_get_course_info($course_code);
+
+ // Check if course can be unsubscribe
+ if ('1' !== $courseInfo['unsubscribe']) {
+ return false;
+ }
$courseId = $courseInfo['real_id'];
// we check (once again) if the user is not course administrator
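Review bot: The new unsubscribe guard reads `$courseInfo['unsubscribe']` without first checking that `api_get_course_info` returned a course; for an unknown or empty `$course_code` (which the new caller only partially filters) this raises an undefined-index notice before the `return false`. The strict `'1' !==` comparison also depends on the column arriving as a string; if the driver ever returns an int, every unsubscribe is refused. A guard such as `if (empty($courseInfo) || 1 !== (int) $courseInfo['unsubscribe']) { return false; }` covers both without changing the intended behaviour. The enclosing method starts in the previous hunk and continues past this one.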
@@ -328,7 +333,9 @@ class Auth
$result = false;
}
- CourseManager::unsubscribe_user($current_user_id, $course_code);
+ if ($result) {
+ CourseManager::unsubscribe_user($current_user_id, $course_code, $sessionId);
+ }
return $result;
}
diff --git a/main/inc/lib/course.lib.php b/main/inc/lib/course.lib.php
index 1f4d210766..8eaef92793 100755
--- a/main/inc/lib/course.lib.php
+++ b/main/inc/lib/course.lib.php
@@ -4150,14 +4150,14 @@ class CourseManager
$params['course_code'] = $row['course_code'];
$params['code'] = $row['course_code'];
- if ($showCustomIcon === 'true' && $iconName != 'course.png') {
+ if ($showCustomIcon === 'true' && $iconName !== 'course.png') {
$params['thumbnails'] = $course_info['course_image'];
$params['image'] = $course_info['course_image_large'];
}
$thumbnails = null;
$image = null;
- if ($showCustomIcon === 'true' && $iconName != 'course.png') {
+ if ($showCustomIcon === 'true' && $iconName !== 'course.png') {
$thumbnails = $course_info['course_image'];
$image = $course_info['course_image_large'];
} else {
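Review bot: The condition `$showCustomIcon === 'true' && $iconName !== 'course.png'` is now tightened in two places that must stay in sync; hoisting it once, `$useCustomIcon = 'true' === $showCustomIcon && 'course.png' !== $iconName;`, and testing `if ($useCustomIcon)` at both sites removes the duplication the next edit would otherwise have to repeat. The enclosing method starts and ends outside this hunk.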
@@ -4177,7 +4177,10 @@ class CourseManager
if (api_is_platform_admin()) {
$params['edit_actions'] .= api_get_path(WEB_CODE_PATH).'course_info/infocours.php?cidReq='.$course_info['code'];
if ($load_dirs) {
- $params['document'] = ''
+ $params['document'] = ''
.Display::returnFontAwesomeIcon('folder-open').'';
$params['document'] .= Display::div(
'',
@@ -4189,7 +4192,10 @@ class CourseManager
}
}
if ($load_dirs) {
- $params['document'] = ''
+ $params['document'] = ''
.Display::returnFontAwesomeIcon('folder-open').'';
$params['document'] .= Display::div(
'',
diff --git a/main/inc/lib/userportal.lib.php b/main/inc/lib/userportal.lib.php
index d281ff7ff2..4844df7d33 100755
--- a/main/inc/lib/userportal.lib.php
+++ b/main/inc/lib/userportal.lib.php
@@ -1993,7 +1993,8 @@ class IndexManager
['code' => $course['course_code']],
Security::get_existing_token(),
'',
- ''
+ '',
+ $session_id
);
}
diff --git a/user_portal.php b/user_portal.php
index ab07cbf440..72c9b2985e 100755
--- a/user_portal.php
+++ b/user_portal.php
@@ -1,4 +1,5 @@
SECTION_COURSES,
'tool_id' => 0,
'tool_id_detail' => 0,
- 'action' => '',
- 'info' => '',
];
Event::registerLog($logInfo);
@@ -66,9 +65,17 @@ if (array_key_exists('action', $_REQUEST)) {
case 'unsubscribe':
if (\Security::check_token('get')) {
$auth = new Auth();
- if ($auth->remove_user_from_course($_GET['course_code'])) {
+ $sessionId = isset($_REQUEST['sid']) ? $_REQUEST['sid'] : 0;
+ $courseCode = isset($_REQUEST['course_code']) ? $_REQUEST['course_code'] : '';
+
+ if (empty($courseCode)) {
+ api_location(api_get_self());
+ }
+
+ if ($auth->remove_user_from_course($courseCode, $sessionId)) {
Display::addFlash(Display::return_message(get_lang('YouAreNowUnsubscribed')));
}
+
header('Location: user_portal.php');
exit;
}
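Review bot: The new `$sessionId` and `$courseCode` reads switch from `$_GET` to `$_REQUEST` and pass the values on without casting, while the token is still verified with `Security::check_token('get')`; reading the parameters from the same source as the token and normalising them keeps the check and the data aligned: `$sessionId = isset($_GET['sid']) ? (int) $_GET['sid'] : 0;` and `$courseCode = isset($_GET['course_code']) ? (string) $_GET['course_code'] : '';`. The `empty($courseCode)` branch relies on `api_location` ending the request; if it does not exit, execution falls through to `remove_user_from_course('')`, so an explicit `exit;` after it, or a `return`, would make that path self-evident.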