Details
- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 2.0.6, 2.1, 2.2, 3.1.1, 3.4
- Fix Version/s: 3.4
- Component/s: Web Services
- Affected Branches: MOODLE_20_STABLE, MOODLE_21_STABLE, MOODLE_22_STABLE, MOODLE_31_STABLE, MOODLE_34_STABLE
- Fixed Branches: MOODLE_34_STABLE
- Pull Master Branch: MDL-28574-master
- Sprint: 3.4 Sprint 2, 3.4 Sprint 3
Description
original description:
------------------
Admins should see webservice tokens for all users, regardless of who created the token. Currently the list is filtered by 'creatorid' == $USER->id in adminlib.php:admin_setting_managewebservicetokens->output_html().
I'm marking this as a security issue as it obscures external access routes from admin accounts.
------------------
correction to the description from Petr Skoda:
------------------
I think that nobody should see others' keys; it is like a password. If you use loginas the system knows it is not the user, but if you steal the key or password nobody would know. My -10 for disclosing other normal user keys and to prevent disclosure when logged-in-as. Resetting does not make sense either if you cannot gain access to the keys. There is one notable exception though: the webservice users cannot log in, so there must be a way for admin to set up and use the keys. My +1 to add capability to generate/reset/read keys for webservice users (because they cannot use normal login/UI).
Issue Links
- has been marked as being related by: MDL-53400 Moodle Web Service Token reset (Development in progress)