Feature #7297
Add CSRF token to course backup import method
Status: Feature implemented
Priority: Normal
Assignee: Daniel Barreto
Category: Backup
Target version:
Complexity: Normal
SCRUM pts - complexity: ?
Description
In the course backup import method, there doesn't seem to be any CSRF protection, which also means that a simple refresh of the page re-executes the import.
This is an issue, in particular in distributed clusters, as the cluster itself might decide, if the operation takes too long, to ask another back-end, and in this case you end up with as many imports as the number of back-ends.
Please add CSRF validation to course export, course import and course copy.
Associated revisions
History
Updated by Yannick Warnier over 6 years ago
- Estimated time set to 1.00 h
Julio, I think this shouldn't take you too long and it's going to be complicated to assign to anyone else.
This requires changes to the formValidator in the backups to use the Security class and add a token.
Updated by Yannick Warnier over 6 years ago
- Assignee changed from Julio Montoya to Daniel Barreto
Updated by Daniel Barreto over 6 years ago
- % Done changed from 0 to 40
Things done:
- Add Security token (generate, add to form, check, clear) into these scripts:
  - main/coursecopy/copy_course.php
  - main/coursecopy/copy_course_session.php
  - main/coursecopy/create_backup.php
  - main/coursecopy/import_backup.php
  - main/coursecopy/recycle_course.php
Send PR#389
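The generate / add to form / check / clear cycle listed above, as an added stand-alone sketch (not code from PR#389 and not Chamilo's Security class): the class, function, and field names are hypothetical, `$session` stands in for `$_SESSION`, and the session store is assumed to be shared by all back-ends. It shows why clearing the token after the check stops a page refresh or a retried request from running the import a second time.

```php
<?php
declare(strict_types=1);
// Added illustration, not Chamilo's Security class: all names are hypothetical.
// $session stands in for $_SESSION so the script runs from the CLI.
final class OneTimeToken
{
    private const KEY = 'sec_token'; // constructed session key and field name

    /** Generate a fresh token and remember it server-side. */
    public static function generate(array &$session): string
    {
        return $session[self::KEY] = bin2hex(random_bytes(32));
    }

    /** Hidden field to embed in the import/export/copy form. */
    public static function field(array $session): string
    {
        return sprintf(
            '<input type="hidden" name="%s" value="%s">',
            self::KEY,
            htmlspecialchars($session[self::KEY] ?? '', ENT_QUOTES)
        );
    }

    /** Check the submitted token, then clear it so it cannot be reused. */
    public static function consume(array &$session, array $post): bool
    {
        $expected = $session[self::KEY] ?? '';
        $given = $post[self::KEY] ?? '';
        unset($session[self::KEY]); // clear on every attempt, valid or not
        return is_string($given) && $expected !== '' && hash_equals($expected, $given);
    }
}

/** Hypothetical handler: runs the import only for a valid, unused token. */
function handleImport(array &$session, array $post, int &$importsRun): string
{
    if (!OneTimeToken::consume($session, $post)) {
        return 'rejected';
    }
    $importsRun++; // stands in for the real course restore
    return 'imported';
}

$session = [];
$imports = 0;
$post = ['sec_token' => OneTimeToken::generate($session)]; // constructed submission
echo OneTimeToken::field($session), PHP_EOL;
echo handleImport($session, $post, $imports), PHP_EOL; // first submit
echo handleImport($session, $post, $imports), PHP_EOL; // refresh or retried request
echo handleImport($session, ['sec_token' => 'forged'], $imports), PHP_EOL;
echo "imports run: $imports", PHP_EOL;
```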
Updated by Yannick Warnier over 6 years ago
- Status changed from Assigned to Feature implemented
- % Done changed from 40 to 100
Reviewed and merged.
Minor - code indentation - refs #7297