Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-50783

Allow some ajax external functions to be called without a session

    XMLWordPrintable

Details

    • MOODLE_29_STABLE
    • MOODLE_30_STABLE
    • MDL-50783-master
    • Hide

      Go to the template library, open the browser dev tools and watch the network tab.

      Click some template names, and verify the ajax requests are being served through /lib/ajax/service-nologin.php

      In another tab logout - from the admin tool, without refreshing the page, continue to click template names - the page should keep working and not throw any errors.

      Show
      Go to the template library, open the browser dev tools and watch the network tab. Click some template names, and verify the ajax requests are being served through /lib/ajax/service-nologin.php In another tab logout - from the admin tool, without refreshing the page, continue to click template names - the page should keep working and not throw any errors.

    Description

      There are some external functions that return static data that is completely public. Examples are language strings and templates. If we create a second entry point for these scripts, and introduce a new field to the services.php array to mark the functions that are safe to call this way, we can improve performance. This new script would not lock the session, so it could handle parallel requests - and it would be able to verify whether or not to allow calling this external function in this way.

      An alternative design that was discussed was to have a second ajax.php file in db/ for each component and bypass the webservices for these ajax functions - but I (Damo) would like to encourage/test the webservices framework alongside the ajax external functions.

      Attachments

        Issue Links

          blocks

          New Feature - A new Moodle feature which has yet to be developed. MDL-49279 Add support in moodle plugins for exporting "Mobile app addons"

          • Minor - Minor loss of function where workaround is possible
          • Closed
          has a non-specific relationship to

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-50784 Any external function that is exposed to ajax could be vulnerable to CSRF

          • Minor - Minor loss of function where workaround is possible
          • Closed

          Improvement - An enhancement to an existing Moodle feature. MDL-50032 Allow external functions to add themselves into services

          • Critical - Crashes server, loss of data, severe memory leak
          • Closed
          has been marked as being related by

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-50782 /lib/ajax/service.php should not call require_login

          • Minor - Minor loss of function where workaround is possible
          • Closed
          is blocked by

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-50782 /lib/ajax/service.php should not call require_login

          • Minor - Minor loss of function where workaround is possible
          • Closed

          Activity

            People

              damyon Damyon Wiese
              damyon Damyon Wiese
              Ankit Agarwal Ankit Agarwal
              Andrew Lyons Andrew Lyons
              Rajesh Taneja Rajesh Taneja
              David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo, Juan Leyva, David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                16/Nov/15