Moodle tracker: MDL-28574

Manage tokens page should show tokens for all users


    Details

    • Testing Instructions:

      Test 1

      1. As an admin, enable web services and create an external service with an arbitrary shortname, e.g. externalservice.
      2. Create a user testuser with the password Testpass1! that is able to access that service (either by allowing all users to use the service, or by restricting the external service to that particular user).
      3. Grant the moodle/webservice:createtoken privilege to that user, e.g. by allowing it for the Authenticated user role.
      4. In the name of the user, create a token by visiting the URL $CFG->wwwroot/login/token.php?service=externalservice&username=testuser&password=Testpass1! and write down the resulting token.
      5. As an administrator, navigate to Site administration -> Plugins -> Web services -> Manage tokens.
      6. Verify that the token from #4 shows up, with first and last name of testuser in the "User" column and the username testuser in the "Creator" column.
      7. Still as an administrator, click "Add".
      8. Select testuser for "User" and externalservice for "Service" and click "Save changes".
      9. Verify that another token shows up, again with first and last name of testuser in the "User" column, but your administrator's username in the "Creator" column.
      10. Try deleting the first token (the one not created by the admin).
      11. Make sure the confirmation page makes sense with no errors and it is successfully deleted.

      Accounts with a suitable capability should be able to view or reset any webservice token.

      Test 2

      1. Go to Site Administration > Users > Permissions > Assign system roles
      2. Assign the manager role to a user on your site (any besides admin or the testuser you created)
      3. Grant the moodle/webservice:createtoken privilege to that user, e.g. by allowing it for the Manager role.
      4. Grant the moodle/site:config privilege to that user, e.g. by allowing it for the Manager role.
      5. Log in as the user and go to Site administration -> Plugins -> Web services -> Manage tokens.
      6. Make sure you can't see the token created in testuser's name
      7. Log out
      8. Log in as admin
      9. Make sure you can see the token created in testuser's name
      10. Copy the delete button url for that token
      11. Log in as the manager user
      12. Paste the url
      13. Make sure you get an error

      Test 3

      1. Grant the moodle/webservice:managealltokens privilege to the manager user, e.g. by allowing it for the Manager role.
      2. Log in as the user and go to Site administration -> Plugins -> Web services -> Manage tokens.
      3. Make sure you can see the tokens created in the admin user's name and can see the creator column
      4. Try to delete one
      5. Make sure you don't get an error
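      The visibility and deletion checks that Tests 2 and 3 exercise, as an added example (this is not the MDL-28574 patch itself). It assumes Moodle 3.4 core APIs only ($DB, has_capability, require_capability, context_system, EXTERNAL_TOKEN_PERMANENT); the two mdl28574_* function names and the admin/ file location are ours. The point Test 2 step 12 makes is that the delete check has to be enforced on the request against the stored record, not only by hiding rows and buttons in the listing.

```php
<?php
// Added example for MDL-28574 (not the project's own code): list the tokens
// the current user may see on the Manage tokens page and authorise a delete.
// Assumes Moodle 3.4 core APIs; function names and the admin/ location are ours.
require(__DIR__ . '/../config.php');   // assumed: script lives in admin/
require_once($CFG->libdir . '/externallib.php');

/**
 * Return the permanent web service tokens visible to $user.
 * Holders of moodle/webservice:managealltokens see every token; everyone
 * else only sees tokens they created (the pre-fix behaviour for all users).
 * One joined query keeps the page at a constant number of DB reads however
 * many tokens exist, which is what Test 4 measures.
 */
function mdl28574_visible_tokens(stdClass $user, context $context): array {
    global $DB;

    $sql = "SELECT t.id, t.token, t.creatorid, t.timecreated, t.validuntil,
                   t.iprestriction,
                   u.id AS userid, u.firstname, u.lastname,
                   c.username AS creatorusername,
                   s.name AS servicename, s.enabled AS serviceenabled
              FROM {external_tokens} t
              JOIN {user} u ON u.id = t.userid
              JOIN {user} c ON c.id = t.creatorid
              JOIN {external_services} s ON s.id = t.externalserviceid
             WHERE t.tokentype = :tokentype";
    $params = ['tokentype' => EXTERNAL_TOKEN_PERMANENT];

    if (!has_capability('moodle/webservice:managealltokens', $context, $user)) {
        // Without the capability, filter by creatorid exactly as before the fix.
        $sql .= " AND t.creatorid = :creatorid";
        $params['creatorid'] = $user->id;
    }
    $sql .= " ORDER BY t.timecreated DESC";

    return $DB->get_records_sql($sql, $params);
}

/**
 * Authorise a delete request for $tokenid and return the record.
 * The check runs against the stored creatorid, so a delete URL copied from
 * the admin's page (Test 2, steps 10 to 13) fails for a manager who lacks
 * moodle/webservice:managealltokens, even though the admin saw the button.
 */
function mdl28574_require_can_delete(int $tokenid, stdClass $user, context $context): stdClass {
    global $DB;

    $token = $DB->get_record('external_tokens', ['id' => $tokenid], '*', MUST_EXIST);
    if ($token->creatorid != $user->id) {
        require_capability('moodle/webservice:managealltokens', $context, $user->id);
    }
    return $token;
}

// Usage, mirroring the manage tokens page: site:config gates the page,
// managealltokens gates whose tokens appear and may be deleted.
require_login();
$context = context_system::instance();
require_capability('moodle/site:config', $context);

foreach (mdl28574_visible_tokens($USER, $context) as $t) {
    // User column, Creator column, Service column.
    echo s($t->firstname . ' ' . $t->lastname) . ' | '
        . s($t->creatorusername) . ' | ' . s($t->servicename) . "\n";
}

if ($deleteid = optional_param('delete', 0, PARAM_INT)) {
    require_sesskey();
    $token = mdl28574_require_can_delete($deleteid, $USER, $context);
    $DB->delete_records('external_tokens', ['id' => $token->id]);
}
```

      Run as the manager from Test 2 (site:config but not managealltokens), the listing contains only tokens with creatorid equal to the manager's own id, and a pasted delete URL for testuser's token ends in the require_capability exception. After Test 3 grants managealltokens, both calls succeed.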

      Test 4

      1. Download test.php attached to this issue
      2. Refresh the manage tokens page. Take note of the performance footer (DB reads and load time)
      3. Run php test.php It will create 10000 tokens
      4. Refresh the page. Make sure the number of DB reads and load time is not much higher
      5. The script will have printed out a command you can run to remove all the extra tokens to reset your site. You can run that
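      A load generator for Test 4, added here as an example standing in for the test.php attachment (it is not the attached script). It assumes Moodle 3.4 core APIs ($DB, cli_get_params, cli_writeln, random_string, EXTERNAL_TOKEN_PERMANENT) and that it is placed in the Moodle root next to config.php; the option names are ours. It writes the tokens directly into external_tokens in one transaction, then prints the cleanup command that Test 4 step 5 refers to.

```php
<?php
// Added example for MDL-28574 Test 4 (not the issue's attached test.php):
// create N permanent tokens for a user on a service, print the command that
// removes exactly those rows again. Assumes Moodle 3.4 core APIs and that the
// script sits in the Moodle root beside config.php; option names are ours.
define('CLI_SCRIPT', true);
require(__DIR__ . '/config.php');
require_once($CFG->libdir . '/clilib.php');
require_once($CFG->libdir . '/externallib.php');

list($options, $unrecognised) = cli_get_params(
    ['count' => 10000, 'username' => 'testuser', 'service' => 'externalservice',
     'cleanup' => false, 'from' => 0, 'to' => 0],
    []
);

$context = context_system::instance();
$user = $DB->get_record('user', ['username' => $options['username']], '*', MUST_EXIST);

if ($options['cleanup']) {
    // Delete only the id range this script printed, restricted to the same
    // user and context, so tokens created by Tests 1 to 3 are left alone.
    $from = (int)$options['from'];
    $to = (int)$options['to'];
    if ($from <= 0 || $to < $from) {
        cli_error('Usage: php test.php --cleanup --from=<firstid> --to=<lastid>');
    }
    $DB->delete_records_select('external_tokens',
        'id >= :from AND id <= :to AND userid = :userid AND contextid = :ctx',
        ['from' => $from, 'to' => $to, 'userid' => $user->id, 'ctx' => $context->id]);
    cli_writeln("Deleted generated tokens with id $from to $to.");
    exit(0);
}

$service = $DB->get_record('external_services', ['shortname' => $options['service']], '*', MUST_EXIST);
$admin = get_admin();
$count = (int)$options['count'];
$now = time();
$firstid = null;
$lastid = null;

// One transaction: fast, and the ids come out contiguous on a quiet test site.
$transaction = $DB->start_delegated_transaction();
for ($i = 0; $i < $count; $i++) {
    $token = new stdClass();
    $token->token = md5(random_string(32) . $i);   // unique, unguessable value
    $token->tokentype = EXTERNAL_TOKEN_PERMANENT;
    $token->userid = $user->id;
    $token->externalserviceid = $service->id;
    $token->contextid = $context->id;
    $token->creatorid = $admin->id;   // admin username appears in the Creator column
    $token->iprestriction = '';
    $token->validuntil = 0;
    $token->timecreated = $now;
    $id = $DB->insert_record('external_tokens', $token);
    if ($firstid === null) {
        $firstid = $id;
    }
    $lastid = $id;
}
$transaction->allow_commit();

cli_writeln("Created $count tokens for {$user->username} (ids $firstid to $lastid).");
cli_writeln("To remove them again: php test.php --cleanup --from=$firstid --to=$lastid");
```

      Compare the performance footer before and after running it: with the listing built from a single joined query, the DB read count should stay flat, whereas a per-row lookup of user, creator or service would grow with the 10000 rows.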
    • Affected Branches:
      MOODLE_20_STABLE, MOODLE_21_STABLE, MOODLE_22_STABLE, MOODLE_31_STABLE, MOODLE_34_STABLE
    • Fixed Branches:
      MOODLE_34_STABLE
    • Pull Master Branch:
      MDL-28574-master
    • Sprint:
      3.4 Sprint 2, 3.4 Sprint 3

      Description

      original description:
      ------------------

      Admins should see webservice tokens for all users, regardless of who created the token. Currently the list is filtered by 'creatorid' == $USER->id in adminlib.php:admin_setting_managewebservicetokens->output_html()

      I'm marking this as a security issue as it obscures external access routes from admin accounts.

      ------------------
      correction to the description from Petr Skoda:
      ------------------

      I think that nobody should see others' keys; it is like a password. If you use loginas the system knows it is not the user, but if you steal the key or password nobody would know. My -10 for disclosing other normal user keys and to prevent disclosure when logged-in-as. Resetting does not make sense either if you cannot gain access to the keys. There is one notable exception though: the webservice users cannot login, so there must be a way for admin to set up and use the keys. My +1 to add a capability to generate/reset/read keys for webservice users (because they cannot use normal login/UI).

              People

              Assignee:
              johno John Okely
              Reporter:
              mpetrowi Matt Petro
              Peer reviewer:
              Jake Dallimore
              Integrator:
              Andrew Nicols
              Tester:
              Ankit Agarwal
              Participants:
              Component watchers:
              Juan Leyva, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona)
              Votes:
              11
              Watchers:
              18

                Dates

                Fix Release Date:
                13/Nov/17