Comment 4 for bug 1480329

To replicate:

One way to replicate it is to create a form that will simulate a file upload. An easier way to check that the sesskey is being validated, though, is like this:

1. Log in to Mahara and go to "Content -> Files".

2. Using the Firefox (or Chrome) developer tools, open up a live view of the page's source code.

3. Find the hidden form variable with ID "files_sesskey".

4. Delete it, or change its value to "wrongsesskey".

5. Upload a file.

Expected result: The process should error out. Depending on how thorough the Javascript involved is, you may see this error message: "Invalid session key"

Actual result: The file upload finishes successfully