MDL-85333 mod_lti: Update sesskey handling for LTI pages

Author: bwalkerl

public/mod/lti/classes/output/tool_configure_page.php

@@ -53,7 +53,7 @@ public function export_for_template(renderer_base $output) {
         $keyhelp = new help_icon('resourcekey', 'mod_lti');
         $secrethelp = new help_icon('password', 'mod_lti');
 
-        $url = new moodle_url('/mod/lti/typessettings.php', array('sesskey' => sesskey(), 'returnto' => 'toolconfigure'));
+        $url = new moodle_url('/mod/lti/typessettings.php', ['returnto' => 'toolconfigure']);
         $data->configuremanualurl = $url->out();
         $url = new moodle_url('/admin/settings.php?section=modsettinglti');
         $data->managetoolsurl = $url->out();

public/mod/lti/locallib.php

@@ -1769,6 +1769,7 @@ function lti_get_tool_table($tools, $id) {
 
             $updateurl = clone($baseurl);
             $updateurl->param('action', 'update');
+            $updateurl->remove_params('sesskey');
             $updatehtml = $OUTPUT->action_icon($updateurl,
                     new \pix_icon('t/edit', $update, '', array('class' => 'iconsmall')), null,
                     array('title' => $update, 'class' => 'editing_update'));
@@ -1871,6 +1872,7 @@ function lti_get_tool_proxy_table($toolproxies, $id) {
 
             $updateurl = clone($baseurl);
             $updateurl->param('action', 'update');
+            $updateurl->remove_params('sesskey');
             $updatehtml = $OUTPUT->action_icon($updateurl,
                     new \pix_icon('t/edit', $update, '', array('class' => 'iconsmall')), null,
                     array('title' => $update, 'class' => 'editing_update'));
@@ -4073,8 +4075,11 @@ function get_tool_type_icon_url(stdClass $type) {
  * @return string The url to edit the tool type
  */
 function get_tool_type_edit_url(stdClass $type) {
-    $url = new moodle_url('/mod/lti/typessettings.php',
-                          array('action' => 'update', 'id' => $type->id, 'sesskey' => sesskey(), 'returnto' => 'toolconfigure'));
+    $url = new moodle_url('/mod/lti/typessettings.php', [
+        'action' => 'update',
+        'id' => $type->id,
+        'returnto' => 'toolconfigure',
+    ]);
     return $url->out();
 }
 
@@ -4086,8 +4091,11 @@ function get_tool_type_edit_url(stdClass $type) {
  * @return string The url to edit the tool type
  */
 function get_tool_proxy_edit_url(stdClass $proxy) {
-    $url = new moodle_url('/mod/lti/registersettings.php',
-                          array('action' => 'update', 'id' => $proxy->id, 'sesskey' => sesskey(), 'returnto' => 'toolconfigure'));
+    $url = new moodle_url('/mod/lti/registersettings.php', [
+        'action' => 'update',
+        'id' => $proxy->id,
+        'returnto' => 'toolconfigure',
+    ]);
     return $url->out();
 }
 

public/mod/lti/registersettings.php

@@ -61,9 +61,8 @@
     $redirect = $returnurl;
 }
 
-require_sesskey();
-
 if ($action == 'delete') {
+    require_sesskey();
     lti_delete_tool_proxy($id);
     redirect($redirect);
 }
@@ -81,6 +80,7 @@
 if ($form->is_cancelled()) {
     redirect($redirect);
 } else if ($data = $form->get_data()) {
+    require_sesskey();
     $id = lti_add_tool_proxy($data);
     redirect($redirect);
 } else {

public/mod/lti/settings.php

@@ -131,7 +131,7 @@
     $addtype = get_string('addtype', 'lti');
     $config = get_string('manage_tool_proxies', 'lti');
 
-    $addtypeurl = "{$CFG->wwwroot}/mod/lti/typessettings.php?action=add&sesskey={$USER->sesskey}";
+    $addtypeurl = "{$CFG->wwwroot}/mod/lti/typessettings.php?action=add";
 
     $template = <<< EOD
 <div id="lti_tabs" class="yui-navset">

public/mod/lti/templates/tool_configure.mustache

@@ -31,7 +31,7 @@
 
     Example context (json):
     {
-        "configuremanualurl":"https://some.tool.example/mod/lti/typessettings.php?sesskey=OKl37bHflL&returnto=toolconfigure",
+        "configuremanualurl":"https://some.tool.example/mod/lti/typessettings.php?returnto=toolconfigure",
         "managetoolsurl":"https://some.tool.example/admin/settings.php?section=modsettinglti",
         "managetoolproxiesurl":"https://some.tool.example/mod/lti/toolproxies.php"
     }

public/mod/lti/toolproxies.php

@@ -88,7 +88,7 @@
 $registertype = get_string('registertype', 'lti');
 $config = get_string('manage_tools', 'lti');
 
-$registertypeurl = "{$CFG->wwwroot}/mod/lti/registersettings.php?action=add&sesskey={$USER->sesskey}&tab=tool_proxy";
+$registertypeurl = "{$CFG->wwwroot}/mod/lti/registersettings.php?action=add&tab=tool_proxy";
 
 $template = <<< EOD
 <div id="tp_tabs" class="yui-navset">

public/mod/lti/toolssettings.php

@@ -43,19 +43,20 @@
 // No guest autologin.
 require_login(0, false);
 
-require_sesskey();
-
 // Check this is for a tool created from a tool proxy.
 $err = empty($id);
 if (!$err) {
     $type = lti_get_type_type_config($id);
     $err = empty($type->toolproxyid);
 }
 if ($err) {
-    $params = array('action' => $action, 'id' => $id, 'sesskey' => sesskey(), 'tab' => $tab);
-    if (!empty($returnto)) {
-        $params['returnto'] = $returnto;
-    }
+    $params = array_filter([
+        'action' => $action,
+        'id' => $id,
+        'sesskey' => optional_param('sesskey', '', PARAM_RAW),
+        'tab' => $tab,
+        'returnto' => $returnto,
+    ]);
     $redirect = new moodle_url('/mod/lti/typessettings.php', $params);
     redirect($redirect);
 }
@@ -77,9 +78,11 @@
 }
 
 if ($action == 'accept') {
+    require_sesskey();
     lti_set_state_for_type($id, LTI_TOOL_STATE_CONFIGURED);
     redirect($redirect);
 } else if (($action == 'reject') || ($action == 'delete')) {
+    require_sesskey();
     lti_set_state_for_type($id, LTI_TOOL_STATE_REJECTED);
     redirect($redirect);
 }
@@ -93,6 +96,7 @@
 $form = new mod_lti_edit_types_form($pageurl, (object)array('isadmin' => true, 'istool' => true));
 
 if ($data = $form->get_data()) {
+    require_sesskey();
     $type = new stdClass();
     if (!empty($id)) {
         $type->id = $id;

public/mod/lti/typessettings.php

@@ -65,17 +65,17 @@
 // No guest autologin.
 require_login(0, false);
 
-require_sesskey();
-
 // Check this is not for a tool created from a tool proxy.
 if (!empty($id)) {
     $type = lti_get_type_type_config($id);
     if (!empty($type->toolproxyid)) {
-        $sesskey = required_param('sesskey', PARAM_RAW);
-        $params = array('action' => $action, 'id' => $id, 'sesskey' => $sesskey, 'tab' => $tab);
-        if (!empty($returnto)) {
-            $params['returnto'] = $returnto;
-        }
+        $params = array_filter([
+            'action' => $action,
+            'id' => $id,
+            'sesskey' => optional_param('sesskey', '', PARAM_RAW),
+            'tab' => $tab,
+            'returnto' => $returnto,
+        ]);
         $redirect = new moodle_url('/mod/lti/toolssettings.php', $params);
         redirect($redirect);
     }
@@ -111,12 +111,15 @@
 }
 
 if ($action == 'accept') {
+    require_sesskey();
     lti_set_state_for_type($id, LTI_TOOL_STATE_CONFIGURED);
     redirect($redirect);
 } else if ($action == 'reject') {
+    require_sesskey();
     lti_set_state_for_type($id, LTI_TOOL_STATE_REJECTED);
     redirect($redirect);
 } else if ($action == 'delete') {
+    require_sesskey();
     lti_delete_type($id);
     redirect($redirect);
 }
@@ -140,6 +143,7 @@
 );
 
 if ($data = $form->get_data()) {
+    require_sesskey();
     $type = new stdClass();
     if (!empty($id)) {
         $type->id = $id;