MDL-55034 blog: update external blog deletion to not leak sesskey.

paulholden · Jan 7, 2025 · 4de1ec8 · 4de1ec8
1 parent 7bf1f87
commit 4de1ec8
Showing 1 changed file with 26 additions and 17 deletions.
diff --git a/blog/external_blogs.php b/blog/external_blogs.php
@@ -34,15 +34,21 @@
 require_capability('moodle/blog:manageexternal', $context);
 
 $delete = optional_param('delete', null, PARAM_INT);
+$confirm = optional_param('confirm', false, PARAM_BOOL);
 
 $strexternalblogs = get_string('externalblogs', 'blog');
 $straddnewexternalblog = get_string('addnewexternalblog', 'blog');
 $strblogs = get_string('blogs', 'blog');
-$message = null;
 
-if ($delete && confirm_sesskey()) {
-    $externalblog = $DB->get_record('blog_external', array('id' => $delete));
-    if ($externalblog->userid == $USER->id) {
+$PAGE->set_title("{$strblogs}: {$strexternalblogs}");
+$PAGE->set_pagelayout('standard');
+
+if ($delete) {
+    $externalblog = $DB->get_record('blog_external', ['id' => $delete, 'userid' => $USER->id], '*', MUST_EXIST);
+
+    if ($confirm) {
+        require_sesskey();
+
         // Delete the external blog.
         $DB->delete_records('blog_external', array('id' => $delete));
 
@@ -60,23 +66,28 @@
         $event = \core\event\blog_external_removed::create($eventparms);
         $event->add_record_snapshot('blog_external', $externalblog);
         $event->trigger();
-        $message = get_string('externalblogdeleted', 'blog');
+
+        redirect($PAGE->url, get_string('externalblogdeleted', 'blog'));
+    } else {
+        echo $OUTPUT->header();
+        echo $OUTPUT->heading("{$strexternalblogs}: " . s($externalblog->name), 2);
+
+        echo $OUTPUT->confirm(
+            get_string('deleteexternalblog', 'blog'),
+            new moodle_url($PAGE->url->out_omit_querystring(), ['delete' => $delete, 'confirm' => 1]),
+            $PAGE->url,
+        );
+
+        echo $OUTPUT->footer();
+        die;
     }
 }
 
 $blogs = $DB->get_records('blog_external', array('userid' => $USER->id));
 
-$PAGE->set_heading(fullname($USER));
-$PAGE->set_title("$strblogs: $strexternalblogs");
-$PAGE->set_pagelayout('standard');
-
 echo $OUTPUT->header();
 echo $OUTPUT->heading($strexternalblogs, 2);
 
-if (!empty($message)) {
-    echo $OUTPUT->notification($message);
-}
-
 echo $OUTPUT->box_start('generalbox boxaligncenter');
 
 if (!empty($blogs)) {
@@ -99,10 +110,8 @@
         $editurl = new moodle_url('/blog/external_blog_edit.php', array('id' => $blog->id));
         $editicon = $OUTPUT->action_icon($editurl, new pix_icon('t/edit', get_string('editexternalblog', 'blog')));
 
-        $deletelink = new moodle_url('/blog/external_blogs.php', array('delete' => $blog->id, 'sesskey' => sesskey()));
-        $action = new confirm_action(get_string('externalblogdeleteconfirm', 'blog'));
-        $deleteicon = $OUTPUT->action_icon($deletelink, new pix_icon('t/delete', get_string('deleteexternalblog', 'blog')),
-                                           $action);
+        $deletelink = new moodle_url('/blog/external_blogs.php', ['delete' => $blog->id]);
+        $deleteicon = $OUTPUT->action_icon($deletelink, new pix_icon('t/delete', get_string('deleteexternalblog', 'blog')));
 
         $table->data[] = new html_table_row(array($blog->name,
                                                   $blog->url,