diff --git a/app/controllers/course/grouping.php b/app/controllers/course/grouping.php
index e35728255ca71386a23d56758fb5b9dfdbd5d1ab..526217f66c794b985898aaf9ceca4af9d6dd8c50 100644
--- a/app/controllers/course/grouping.php
+++ b/app/controllers/course/grouping.php
@@ -267,6 +267,7 @@ class Course_GroupingController extends AuthenticatedController
 */
 public function action_action()
 {
+ CSRFProtection::verifyUnsafeRequest();
 if (Request::submitted('single_action')) {
 list($course_id, $permission) = explode('-', Request::get('single_action'));
@@ -327,6 +328,8 @@ class Course_GroupingController extends AuthenticatedController
 */
 public function move_members_action($source_id)
 {
+ CSRFProtection::verifyUnsafeRequest();
+
 $source = Seminar::getInstance($source_id);
 $target = Seminar::getInstance(Request::option('target'));
@@ -459,6 +462,7 @@ class Course_GroupingController extends AuthenticatedController
 */
 public function unassign_parent_action()
 {
+ CSRFProtection::verifyUnsafeRequest();
 $parent = $this->course->parent_course;
 $this->course->parent_course = null;
 NotificationCenter::postNotification('CourseWillRemoveFromGroup', $this->course->id, $parent);
@@ -477,6 +481,8 @@ class Course_GroupingController extends AuthenticatedController
 */
 public function assign_child_action()
 {
+ CSRFProtection::verifyUnsafeRequest();
+
 if ($child = Request::option('child')) {
 $child_course = Course::find($child);
diff --git a/app/views/course/grouping/children.php b/app/views/course/grouping/children.php
index 789b0ce6349277eadc7cc316f2207d55458f44c7..9e7a239766de0e82cccb7ab6b6f31d90eb981165 100644
--- a/app/views/course/grouping/children.php
+++ b/app/views/course/grouping/children.php
@@ -1,4 +1,5 @@
 <form class="default" method="post" action="<?= $controller->url_for('course/grouping/assign_child') ?>">
+ <?= CSRFProtection::tokenTag() ?>
 <fieldset>
 <legend>
 <?= _('Bereits zugeordnet') ?>
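Review bot: `CSRFProtection::verifyUnsafeRequest()` at the top of action_action only enforces the token for requests with an unsafe method (POST and the like), so if `course/grouping/action` is also reachable through a plain GET link the state change would still run with no token check at all; the same applies to the calls added to move_members_action, unassign_parent_action and assign_child_action in the later hunks of this file. If only the POST forms added in this commit are meant to reach these actions, reject other methods up front as well, e.g. `if (!Request::isPost()) { throw new AccessDeniedException(); }` before the token check. The docblock closing ` */` of each method is in the hunk, so each should also gain a `@throws` line stating that the action aborts with the security-token exception when the token is missing or invalid, since that is now part of the contract. As a point of style, move_members_action and assign_child_action leave a blank line after the verify call while action_action and unassign_parent_action do not; pick one form. All four method bodies continue past the hunk.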
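Review bot: In move_members_action the token check does not cover the authorisation of `$target`, which is built from `Request::option('target')` with no visible check that the target course belongs to the same grouping as `$source` or that the current user may move members into it. A valid CSRF token only shows the request was issued from a page the user loaded, not that the chosen target is legitimate, so if the rest of the method (outside the hunk) does not validate `$target`, that check should be added before any member is moved. The method body continues past the hunk, so this may already be handled further down.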
diff --git a/app/views/course/grouping/members.php b/app/views/course/grouping/members.php
index 7a12273cf6a0bfde3486d5ba38011e9fbc666a7e..3c3b022040f12b4e4dae9c63710b7bba237a1bd0 100644
--- a/app/views/course/grouping/members.php
+++ b/app/views/course/grouping/members.php
@@ -1,6 +1,7 @@
 <? if (!empty($courses)) : ?>
 <form class="default" action="<?= $controller->url_for('course/grouping/action') ?>" method="post" data-dialog="size=auto">
+ <?= CSRFProtection::tokenTag() ?>
 <section class="studip">
 <? foreach ($courses as $child) : ?>
 <article class="studip toggle" id="<?= $child->id ?>">
@@ -8,6 +9,7 @@
 <h1>
 <input type="checkbox" name="courses[]" value="<?= $child->id ?>" class="courses" data-activates="#actions-courses">
+
 <a href="<?= ContentBoxHelper::href($child->id, ['contentbox_type' => 'news']) ?>"
 data-course-id="<?= $child->id ?>"
 data-get-members-url="<?= $controller->url_for('course/grouping/child_course_members', $child->id) ?>"
diff --git a/app/views/course/grouping/move_members_target.php b/app/views/course/grouping/move_members_target.php
index 0322f92d778faceae6a8c2907679082144154056..793fc195f27ba7b28c069faadd0c1217940a0b55 100644
--- a/app/views/course/grouping/move_members_target.php
+++ b/app/views/course/grouping/move_members_target.php
@@ -1,4 +1,5 @@
 <form class="default" action="<?= $controller->url_for('course/grouping/move_members', $source_id) ?>" method="post">
+ <?= CSRFProtection::tokenTag() ?>
 <fieldset>
 <legend><?= _('Personen verschieben') ?></legend>
diff --git a/app/views/course/grouping/parent.php b/app/views/course/grouping/parent.php
index 64c1b394b6ac7f2f12f03e615c7ee165fa15656a..1278cc3690a08c8d925b275a4f24edfeab37d391 100644
--- a/app/views/course/grouping/parent.php
+++ b/app/views/course/grouping/parent.php
@@ -1,5 +1,6 @@
 <? if ($parent) : ?>
 <form class="default" method="post" action="<?= $controller->url_for('course/grouping/unassign_parent') ?>">
+ <?= CSRFProtection::tokenTag() ?>
 <fieldset>
 <legend><?= _('Veranstaltung zuordnen') ?></legend>
 <section>