Moodle
  1. Moodle
  2. MDL-33514

Moodle throws error when a meanwhile deleted user fetches rss feed

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: 2.2.3
    • Fix Version/s: 2.1.8, 2.2.5, 2.3.2
    • Component/s: RSS
    • Labels:
    • Testing Instructions:
      Hide
      1. Go to Admin > Advanced Features:
      2. Enable rss feeds on site
      3. Make blog settings world readable
      4. Create a moodle user
      5. Log in as that user
      6. Go to My Profile > Blog > Add entry
      7. Add a blog entry
      8. Click on the RSS feed link
      9. Visit that url in browser and save link.
      10. Logout and login as admin
      11. Suspend the user you created
      12. Force refresh the link you saved above.
      13. VERIFY: The RSS feed should now display a message about the authentication token being invalid
      14. Un-suspend the user you created
      15. Force refresh the link you saved above.
      16. VERIFY: The RSS feed is visible again
      17. Delete the user you created
      18. Force refresh the link you saved above.
      19. VERIFY: The RSS feed should now display a message about the authentication token being invalid
      Show
      Go to Admin > Advanced Features: Enable rss feeds on site Make blog settings world readable Create a moodle user Log in as that user Go to My Profile > Blog > Add entry Add a blog entry Click on the RSS feed link Visit that url in browser and save link. Logout and login as admin Suspend the user you created Force refresh the link you saved above. VERIFY: The RSS feed should now display a message about the authentication token being invalid Un-suspend the user you created Force refresh the link you saved above. VERIFY: The RSS feed is visible again Delete the user you created Force refresh the link you saved above. VERIFY: The RSS feed should now display a message about the authentication token being invalid
    • Affected Branches:
      MOODLE_22_STABLE
    • Fixed Branches:
      MOODLE_21_STABLE, MOODLE_22_STABLE, MOODLE_23_STABLE
    • Pull Master Branch:
    • Rank:
      41418

      Description

      I have many error messages like these in my Apache error log:

      [Sun Jun 03 04:47:26 2012] [error] [client 72.14.199.147] PHP Notice:  Undefined property: stdClass::$id in /var/www/lib/modinfolib.php on line 1090
      [Sun Jun 03 04:47:26 2012] [error] [client 72.14.199.147] Default exception handler: Fehler in der Kodierung gefunden, den nur ein Programmierer korrigieren kann: Invalid $user parameter in check_user_preferences_loaded() call, missing id field Debug: \n* line 1576 of /lib/moodlelib.php: coding_exception thrown\n* line 1800 of /lib/moodlelib.php: call to check_user_preferences_loaded()\n* line 8363 of /lib/moodlelib.php: call to get_user_preferences()\n* line 536 of /lib/pagelib.php: call to get_user_device_type()\n* line 617 of /lib/pagelib.php: call to moodle_page->magic_get_devicetypeinuse()\n* line 1312 of /lib/pagelib.php: call to moodle_page->__get()\n* line 1261 of /lib/pagelib.php: call to moodle_page->resolve_theme()\n* line 1362 of /lib/setuplib.php: call to moodle_page->initialise_theme_and_output()\n* line 232 of /lib/rsslib.php: call to bootstrap_renderer->__call()\n* line 232 of /lib/rsslib.php: call to bootstrap_renderer->pix_url()\n* line 327 of /lib/rsslib.ph
      p: call to rss_standard_header()\n* line 185 of /rss/file.php: call to rss_geterrorxmlfile()\n* line 148 of /rss/file.php: call to rss_error()\n
      

      Additionally, the HTTP request is denied with a Error 503 in Apache log file:

      [22/May/2012:05:40:33 +0200] "GET /rss/file.php/114/07d3f66b9ac69b2dac896bcab017d34a/mod_forum/7/rss.xml HTTP/1.1" 503 504 "-" "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html; 1 subscribers; feed-id=15453903438458134882)"
      

      I have analyzed this a little bit and found that the security token belongs to a moodle user account which has been deleted meanwhile. Regardless of this, Google Reader tries to fetch some rss feed which this user has subscribed to when he was still active.

      I think Moodle should handle this a little bit more gracefully. Currently, Google Reader gets a HTTP 503 error because Moodle doesn't deal with this cause and outputs a early error ("red on yellow error message"). I would propose to deal with this cause in /lib/modinfolib.php, line 1090, and give Moodle a HTTP 403 or HTTP 404 error.

        Issue Links

          Activity

          Hide
          Dan Poltawski added a comment -

          Hi Alexander,

          Thanks for the report and the detailed analysis, I agree.

          Show
          Dan Poltawski added a comment - Hi Alexander, Thanks for the report and the detailed analysis, I agree.
          Hide
          Dan Poltawski added a comment -

          I have fixed this now by checking the users status when looking for the token.

          While testing/implementing this I discovered two further issues to be fixed:

          • The tokens are not cleaned up when a user is deleted, MDL-33562
          • rss_error isn't returning an appropiate http response code MDL-33564 for the error
          Show
          Dan Poltawski added a comment - I have fixed this now by checking the users status when looking for the token. While testing/implementing this I discovered two further issues to be fixed: The tokens are not cleaned up when a user is deleted, MDL-33562 rss_error isn't returning an appropiate http response code MDL-33564 for the error
          Hide
          Petr Škoda added a comment -

          Hmm, I think this should also exclude suspended user accounts because in other areas we try to block all access (login, notifications, ws, etc.)

          Show
          Petr Škoda added a comment - Hmm, I think this should also exclude suspended user accounts because in other areas we try to block all access (login, notifications, ws, etc.)
          Hide
          Dan Poltawski added a comment -

          Thanks Petr, Added a commit and amended testing instructions

          Show
          Dan Poltawski added a comment - Thanks Petr, Added a commit and amended testing instructions
          Hide
          Sam Hemelryk added a comment -

          Hmm perhaps best to wait until after 2.3 is released for this to land, any objections Dan?

          Show
          Sam Hemelryk added a comment - Hmm perhaps best to wait until after 2.3 is released for this to land, any objections Dan?
          Hide
          Dan Poltawski added a comment -

          Nope, fine here!

          Show
          Dan Poltawski added a comment - Nope, fine here!
          Hide
          Sam Hemelryk added a comment -

          Cool will remove from this integration run now then btw code looks perfect, just overly cautious is all!

          Show
          Sam Hemelryk added a comment - Cool will remove from this integration run now then btw code looks perfect, just overly cautious is all!
          Hide
          Sam Hemelryk added a comment -

          Thanks Dan, this has been integrated now

          Show
          Sam Hemelryk added a comment - Thanks Dan, this has been integrated now
          Hide
          David Monllaó added a comment -

          Tested in 2.1, 2.2, 2.3 and master. It passes.

          In Moodle 2.1 I can't find the suspend option, tried with 'no login' auth type but the RSS is still visible. When the user is deleted the RSS throws the "Your RSS link does not contain a valid authentication token." message

          Show
          David Monllaó added a comment - Tested in 2.1, 2.2, 2.3 and master. It passes. In Moodle 2.1 I can't find the suspend option, tried with 'no login' auth type but the RSS is still visible. When the user is deleted the RSS throws the "Your RSS link does not contain a valid authentication token." message
          Hide
          Dan Poltawski added a comment -

          Congratulations!

          You've made it into the weekly release!

          Thanks for your contribution - here are some random drummers to keep you inspired for the next week!
          http://www.youtube.com/watch?v=_QhpHUmVCmY

          Show
          Dan Poltawski added a comment - Congratulations! You've made it into the weekly release! Thanks for your contribution - here are some random drummers to keep you inspired for the next week! http://www.youtube.com/watch?v=_QhpHUmVCmY

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: