I have a question concerning the Moodle functions require_login, require_capability and require_sesskey.
Moodle core code fires the require_sesskey function (or an if statement with confirm_sesskey) before executing some code that changes the database. It is also recommended by this dev doc site: https://docs.moodle.org/dev/Security#Don.27t_trust_any_input_from_users
The PHPDoc comments say:
require_sesskey:
Check the session key using confirm_sesskey(), and cause a fatal error if it does not match.
confirm_sesskey:
Check the sesskey and return true or false for whether it is valid. (You might like to imagine this function is called sesskey_is_valid().)
Every script that lets the user perform a significant action (that is, changes data in the database) should check the sesskey before doing the action. Depending on your code flow, you may want to use the require_sesskey() helper function.
Why is this required, and is it really needed when I have already checked with require_login and require_capability? IMHO require_login has to deal with the session key also. I couldn't find any helpful documentation about how Moodle handles the session key in the actual functions.
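
An added example (not part of the original question and not Moodle core code) of the pattern the quoted PHPDoc describes, with comments on what each of the three checks establishes. The plugin path `local/example`, the capability `local/example:manage` and the table `local_example_items` are hypothetical; the script assumes it runs inside a Moodle installation.

```php
<?php
// Hypothetical plugin script: local/example/index.php (all names are assumptions).
require_once(__DIR__ . '/../../config.php');

$courseid = required_param('id', PARAM_INT);
$deleteid = optional_param('delete', 0, PARAM_INT);

$course  = get_course($courseid);
$context = context_course::instance($course->id);
$pageurl = new moodle_url('/local/example/index.php', ['id' => $course->id]);
$PAGE->set_url($pageurl);

// 1. Who is asking? This passes whenever the browser presents a valid session
//    cookie, and the browser attaches that cookie to every request to this
//    site automatically, including requests triggered by a page elsewhere.
require_login($course);

// 2. May this user do it? Evaluated for the same cookie-identified user.
require_capability('local/example:manage', $context);

if ($deleteid) {
    // 3. Was the request built by a page Moodle generated for this session?
    //    The sesskey lives in the session and is only written into Moodle's
    //    own forms and links, so a request built elsewhere cannot supply it.
    require_sesskey();
    $DB->delete_records('local_example_items',
        ['id' => $deleteid, 'courseid' => $course->id]);
    redirect($pageurl);
}

echo $OUTPUT->header();
$items = $DB->get_records('local_example_items', ['courseid' => $course->id]);
foreach ($items as $item) {
    // The state-changing link carries the current user's sesskey as a parameter.
    $deleteurl = new moodle_url($pageurl,
        ['delete' => $item->id, 'sesskey' => sesskey()]);
    echo html_writer::div(
        s($item->name) . ' ' . html_writer::link($deleteurl, get_string('delete')));
}
echo $OUTPUT->footer();
```

Steps 1 and 2 would both succeed for a request the logged-in user never intended to send, which is why the database change sits behind step 3.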