  1. Moodle
  2. MDL-52070

Some capabilities checks (mod/modname:view) in external functions are redundant


    Details

    • Type: Improvement
    • Status: Reopened
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.0
    • Fix Version/s: None
    • Component/s: Web Services
    • Labels:
    • Testing Instructions:
      1. Create a course with a student, the course must have at least one section.
      2. Create a mod_lti activity.
      3. Edit the Student course role, and remove the mod_lti:view capability from the Student role.
      4. Enable "Mobile services": Plugins ► Web Services ► Mobile
      5. Create a Token for the student user:
        • Click on Site administration ► Plugins ► Web services ► Manage tokens
      6. Next, you can do a CURL REST call simulating a WS client with the student user.
        • You need to replace the wstoken, ltiid (the lti instance value) and the URL of your Moodle instance.

          curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'ltiid=2&wsfunction=mod_lti_view_lti&wstoken=ffbe3a3002f235bf9d01fd9369e10b66' --compressed

      7. Confirm that
        • You get a requireloginerror exception
      8. You can repeat the same steps for the imscp, folder, page, url and resource modules, removing the mod_x capability and replacing the name of the parameters and the function name in the CURL call with each module:

        curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'imscpid=2&wsfunction=mod_imscp_view_imscp&wstoken=ffbe3a3002f235bf9d01fd9369e10b66' --compressed

        etc...

    • Affected Branches:
      MOODLE_30_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-52070-master

      Description

      When validate_context is called for a module, the module visibility and the view capability (if it is used by the module) are checked:

      https://github.com/moodle/moodle/blob/master/lib/modinfolib.php#L1921

      Some external functions (LTI, imscp, folder, page, url, resource, assign) check that capability after calling validate_context. We should avoid that double check.
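
      The check in steps 6 to 8 of the testing instructions, as an added example in Python that is not part of the original issue or of Moodle's code: it builds the POST body for each module's view function and classifies the JSON reply. The parameter names other than ltiid and imscpid, the reply field names and the sample replies are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlencode

# Modules named in the testing instructions. ltiid and imscpid are on the page;
# the other parameter names are assumed to follow the same <module>id pattern.
MODULES = ["lti", "imscp", "folder", "page", "url", "resource"]


def build_request(module, instance_id, token):
    """Return the form-encoded POST body for mod_<module>_view_<module>."""
    return urlencode({
        f"{module}id": instance_id,
        "wsfunction": f"mod_{module}_view_{module}",
        "wstoken": token,
    })


def classify(body):
    """Classify a REST JSON reply as 'denied', 'allowed' or 'other-error'."""
    try:
        reply = json.loads(body)
    except json.JSONDecodeError:
        return "other-error"  # not JSON at all (HTML error page, empty body)
    if isinstance(reply, dict) and "exception" in reply:
        # Assumed error shape: {"exception": ..., "errorcode": ..., "message": ...}
        if reply.get("errorcode") == "requireloginerror":
            return "denied"
        return "other-error"  # failed, but not for the reason under test
    return "allowed"


def audit(replies):
    """Return the modules whose view call was not rejected with requireloginerror."""
    return [m for m in MODULES if classify(replies.get(m, "")) != "denied"]


# Constructed sample replies (not captured from a real site).
DENIED = ('{"exception":"require_login_exception",'
          '"errorcode":"requireloginerror","message":"constructed"}')
SAMPLE_REPLIES = {
    "lti": DENIED, "imscp": DENIED, "url": DENIED, "resource": DENIED,
    "folder": '{"status":true,"warnings":[]}',
    "page": '{"exception":"invalid_parameter_exception",'
            '"errorcode":"invalidparameter","message":"constructed"}',
}

if __name__ == "__main__":
    print(build_request("lti", 2, "REPLACE_WITH_TOKEN"))
    print("not denied:", audit(SAMPLE_REPLIES))
```

      Treating any reply other than requireloginerror as a failure keeps an unrelated error, such as a wrong instance id, from being mistaken for a passing access check.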


              People

              Assignee:
              Unassigned
              Reporter:
              Juan Leyva (jleyva)
              Integrator:
              Dan Poltawski
              Participants:
              Component watchers:
              Juan Leyva, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Ilya Tregubov, Sara Arjona (@sarjona)