Details
- Bug
- Status: Closed
- Critical
- Resolution: Fixed
- 2.0.1
- MOODLE_20_STABLE
- MOODLE_20_STABLE
Description
When setting up a user account for web services, one of the required steps is to "Enable capabilities for the user".
The last step, and the trickiest, is to grant the right permission to the external system user. It would need the following capabilities:
- "webservice/rest:use, webservice/soap:use, webservice/xmlrpc:use, webservice/amf:use" matching the enabled protocols.
- the required capabilities by the web service functions. These required capabilities are listed when you add a function to the service.
Steps to reproduce:
1. Add a new "External Service" called "Get users"
2. Tick "Enabled" and "Authorized users only", and click "Add Service"
3. Click "Add functions"
4. Select "moodle_user_get_users_by_id" and click "Add functions"
   Note that under "Required capabilities", moodle/user:viewdetails is listed as the only capability.
5. Visit /admin/settings.php?section=externalservices to see the list of services, and click "Authorized users".
6. Add a user to the list of authorized users.
7. Create a new role with the capabilities webservice/rest:use, webservice/soap:use, webservice/xmlrpc:use, webservice/amf:use and moodle/user:viewdetails
8. Assign the role to the authorized user
9. From your external system, attempt to get the details of a user with a known id, using the protocol of your choice
Expected behaviour:
The user's details are returned.
Observed behaviour (REST):
<EXCEPTION class="required_capability_exception">
<MESSAGE>Sorry, but you do not currently have permissions to do that (View user full information)</MESSAGE>
</EXCEPTION>
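
An added example, not part of the original report or Moodle's own code: a client-side check for step 9 that parses the REST response and separates a capability denial like the one observed above from other web service errors. The class and function names are hypothetical, and the layout of the success sample is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the REST response quoted in the report.
SAMPLE_DENIED = """<EXCEPTION class="required_capability_exception">
<MESSAGE>Sorry, but you do not currently have permissions to do that (View user full information)</MESSAGE>
</EXCEPTION>"""

# Constructed sample of a non-error response (element layout is an assumption).
SAMPLE_OK = "<RESPONSE><MULTIPLE></MULTIPLE></RESPONSE>"


class MoodleWSError(Exception):
    """Any <EXCEPTION> document returned by the REST endpoint."""
    def __init__(self, exc_class, message):
        super().__init__(f"{exc_class}: {message}")
        self.exc_class = exc_class
        self.message = message


class MissingCapability(MoodleWSError):
    """The server-side capability check failed for the web service user."""
    @property
    def denied_action(self):
        # The denied action is the trailing parenthesised text of the message.
        m = re.search(r"\(([^()]*)\)\s*$", self.message)
        return m.group(1) if m else None


def parse_rest_response(body):
    """Return the parsed root element, or raise a typed error on <EXCEPTION>."""
    root = ET.fromstring(body)
    if root.tag != "EXCEPTION":
        return root
    exc_class = root.get("class", "")
    message = (root.findtext("MESSAGE") or "").strip()
    if exc_class == "required_capability_exception":
        raise MissingCapability(exc_class, message)
    raise MoodleWSError(exc_class, message)


def classify(body):
    """Map a response body to (kind, detail) for logging or alerting."""
    try:
        parse_rest_response(body)
    except MissingCapability as e:
        return ("authz", e.denied_action)
    except MoodleWSError as e:
        return ("error", e.exc_class)
    return ("ok", None)
```

Logging the denied action next to the role's configured capabilities makes it visible when a function checks something other than what its "Required capabilities" listing shows.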