Require sesskey for debug toggle #139 (#140)

* Require sesskey for debug toggle #139

* Fixed code standards issues

classes/form/lastrefresh.php

@@ -14,6 +14,14 @@
 // You should have received a copy of the GNU General Public License
 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
 
+/**
+ * Privacy provider.
+ *
+ * @package   local_envbar
+ * @author    Rossco Hellmans <[email protected]>
+ * @copyright Catalyst IT
+ * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
 namespace local_envbar\form;
 
 use local_envbar\local\envbarlib;

classes/local/envbarlib.php

@@ -37,6 +37,14 @@
     die('Direct access to this script is forbidden.'); // It must be included from a Moodle page.
 }
 
+/**
+ * Environment bar config.
+ *
+ * @package   local_envbar
+ * @author    Nicholas Hoobin <[email protected]>
+ * @copyright Catalyst IT
+ * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
 class envbarlib {
 
     const ENVBAR_START = '<!-- ENVBARSTART -->';

classes/privacy/provider.php

@@ -13,6 +13,7 @@
 //
 // You should have received a copy of the GNU General Public License
 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+
 /**
  * Privacy provider.
  *
@@ -27,7 +28,8 @@
 use core_privacy\local\legacy_polyfill;
 /**
  * Class provider
- * @package local_envbar\privacy
+ * @copyright 2018 Catalyst IT
+ * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
 class provider implements null_provider {
     use legacy_polyfill;
@@ -40,4 +42,4 @@ class provider implements null_provider {
     public static function _get_reason() {
         return 'privacy:metadata';
     }
-}
+}

renderer.php

@@ -271,7 +271,7 @@ protected function get_debug_text($canedit = false, $config) {
             // Get the url of the current page.
             $currentlink = $ME;
             $debugtogglelink = html_writer::link(
-                new moodle_url('/local/envbar/toggle_debugging.php?redirect=' . base64_encode($currentlink)),
+                new moodle_url('/local/envbar/toggle_debugging.php', ['redirect' => base64_encode($currentlink), 'sesskey' => sesskey()] ),
                 envbarlib::get_debug_toggle_string()
             );
             $debugtext .= $this->get_debug_text_for_admin($config->stringseparator, $debugging, $debugtogglelink);

service/updatelastrefresh.php

@@ -16,8 +16,9 @@
 
 /**
  * This page is pinged to update an env lastrefresh time.
+ *
  * This simple rest point was created outside of moodle's ws to avoid
- *  the overhead and config that comes with it.
+ * the overhead and config that comes with it.
  *
  * @package   local_envbar
  * @author    Rossco Hellmans <[email protected]>

tests/privacy/privacy.php

@@ -15,7 +15,9 @@
 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
 
 /**
- * @package   local_objectfs
+ * Tests
+ *
+ * @package   local_envbar
  * @copyright Moodle
  * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
@@ -95,11 +97,18 @@
 
 echo "\n\n== Done ==\n";
 
+/**
+ * Test
+ * @param $component
+ * @param $interface
+ * @return
+ */
 function check_implements($component, $interface) {
         $manager = new \core_privacy\manager();
         $rc = new \ReflectionClass(\core_privacy\manager::class);
         $rcm = $rc->getMethod('component_implements');
         $rcm->setAccessible(true);
 
         return $rcm->invoke($manager, $component, $interface);
-}
+}
+

toggle_debugging.php

@@ -27,11 +27,16 @@
 require_once(dirname(__FILE__) . '/../../config.php');
 require_once($CFG->libdir . '/moodlelib.php');
 
+require_login();
+
 if (!is_siteadmin()) {
     print_error('Access denied.');
 }
 
+require_sesskey();
+
 envbarlib::set_debug_config($CFG->debug);
 // Go back to current page.
 $redirecturl = base64_decode(required_param('redirect', PARAM_RAW));
-redirect($redirecturl);
+redirect($redirecturl);
+