One way to replicate it is to create a form that will simulate a file upload. An easier way to check that the sesskey is being validated, though, is like this:
1. Log in to Mahara and go to "Content -> Files".
2. Using the Firefox (or Chrome) developer tools, open up a live view of the page's source code.
3. Find the hidden form variable with ID "files_sesskey".
4. Delete it, or change its value to "wrongsesskey".
5. Upload a file.
Expected result: The process should error out. Depending on how thorough the Javascript involved is, you may see this error message: "Invalid session key"
Actual result: The file upload finishes successfully
To replicate:
One way to replicate it is to create a form that will simulate a file upload. An easier way to check that the sesskey is being validated, though, is like this:
1. Log in to Mahara and go to "Content -> Files".
2. Using the Firefox (or Chrome) developer tools, open up a live view of the page's source code.
3. Find the hidden form variable with ID "files_sesskey".
4. Delete it, or change its value to "wrongsesskey".
5. Upload a file.
Expected result: The process should error out. Depending on how thorough the Javascript involved is, you may see this error message: "Invalid session key"
Actual result: The file upload finishes successfully