[MDL-50782] /lib/ajax/service.php should not call require_login - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.9.2
Fix Version/s: 2.9.3
Component/s: JavaScript
Labels:
- ci
- triaged

Affected Branches:
MOODLE_29_STABLE
Fixed Branches:
MOODLE_29_STABLE
Epic Link:
Template Library for 3.0
Pull from Repository:
git://github.com/damyon/moodle.git
Pull Master Branch:
~~MDL-50782~~-master
Pull Master Diff URL:
https://github.com/damyon/moodle/compare/ebdfde7...MDL-50782-master

Testing Instructions:

Hide

You must test this without ~~MDL-50784~~ integrated / in your branch.

Open the template library,
In another browser tab log out
Use the template library without reloading the page - it should still work (because the webservices it uses do not require a session).

Edit lib/db/services.php
Change

'core_output_load_template' => array(

        'classname'   => 'core\output\external',

        'methodname'  => 'load_template',

        'description' => 'Load a template for a renderable',

        'type'        => 'read'

),

to:

'core_output_load_template' => array(

        'classname'   => 'core\output\external',

        'methodname'  => 'load_template',

        'description' => 'Load a template for a renderable',

        'type'        => 'write'

),

Use the template library without reloading the page - it should show exceptions "Web service is not available (it doesn't exist or might be disabled)".

Show

You must test this without MDL-50784 integrated / in your branch. Open the template library, In another browser tab log out Use the template library without reloading the page - it should still work (because the webservices it uses do not require a session). Edit lib/db/services.php Change 'core_output_load_template' => array( 'classname' => 'core\output\external', 'methodname' => 'load_template', 'description' => 'Load a template for a renderable', 'type' => 'read' ), to: 'core_output_load_template' => array( 'classname' => 'core\output\external', 'methodname' => 'load_template', 'description' => 'Load a template for a renderable', 'type' => 'write' ), Use the template library without reloading the page - it should show exceptions "Web service is not available (it doesn't exist or might be disabled)".

Description

Not all ajax services need to be logged in. E.g. blocks that show on the front page would need to work before someone logs in. The webservices themselves need to perform the correct validate_context checks and capability checks anyway, so removing this require_login from the ajax script handler will not reduce security.

Attachments

Issue Links

blocks

MDL-50783 Allow some ajax external functions to be called without a session

Closed

has a non-specific relationship to

MDL-50784 Any external function that is exposed to ajax could be vulnerable to CSRF

Closed

MDL-50783 Allow some ajax external functions to be called without a session

Closed

Activity

People

Assignee:: Damyon Wiese

Reporter:: Damyon Wiese

Peer reviewer:: Frédéric Massart

Integrator:: Andrew Lyons

Tester:: Rajesh Taneja

Participants:: Andrew Lyons, CiBoT, Damyon Wiese, Eloy Lafuente (stronk7), Frédéric Massart, Helen Foster, Petr Skoda, Rajesh Taneja

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 08/Jul/15 2:20 PM

Updated:: 19/Nov/15 8:59 PM

Resolved:: 18/Sep/15 12:02 PM

Fix Release Date:: 9/Nov/15