I noticed that there is no sesskey check performed in the code (apart form the implicit ones coming with moodle forms API). There are actions that modify the database based on incoming user input. In these cases, it is necessary to check for the sesskey via require_sesskey() or confirm_sesskey(). See https://docs.moodle.org/dev/Security:Cross-site_request_forgery for why this is important.
I noticed that there is no sesskey check performed in the code (apart form the implicit ones coming with moodle forms API). There are actions that modify the database based on incoming user input. In these cases, it is necessary to check for the sesskey via
require_sesskey()orconfirm_sesskey(). See https://docs.moodle.org/dev/Security:Cross-site_request_forgery for why this is important.