Moodle / MDL-52902

CORS header should be sent before the parameters validation


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.9.4, 3.0.2
    • Fix Version/s: 2.9.5, 3.0.3
    • Component/s: Web Services
    • Labels:
    • Testing Instructions:
      1. In your Moodle site enable "Mobile services": Plugins ► Web Services ► Mobile
      2. Please use the attached cors.html file for testing.
      3. You should open that file in a browser (Chrome, Safari or Firefox) using "File -> Open file" and ensure that the file is opened under the file:// protocol
      4. Enter your site details and your username/password and click Test!
      5. Under the Response.. text you should see a JSON-encoded string containing a generated wstoken
      6. Try to use an invalid password; you should see an exception
      7. Now leave the username and password fields empty and click Test! You should see a missingparam exception
    • Affected Branches:
      MOODLE_29_STABLE, MOODLE_30_STABLE
    • Fixed Branches:
      MOODLE_29_STABLE, MOODLE_30_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-52902-master

      Description

      In login/token.php we send the CORS headers after the parameters validation. This is causing problems on some sites using the Mobile app, because to make it work we need to simulate a fake login attempt to bypass the required_parameter checks (if we omit the username/password we get an error before the CORS request); this makes Moodle log some invalid login attempts.

      The CORS header must be moved above to avoid this; in this way, we'll be able to check if the script is reachable without passing fake parameters.
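
The ordering problem described above, as an added illustration that is not Moodle's code or the patch for this issue: a simplified model of a token endpoint and of what a cross-origin page (such as cors.html opened from file://) is allowed to read. All function names, the credential check, the log array and the sample values are assumptions made for the example.

```javascript
// Added illustration, not Moodle code. Names and sample values are constructed.
const CORS = { 'Access-Control-Allow-Origin': '*' };
const failedLoginLog = [];   // stands in for the site's record of failed logins

function validate(params) {
  for (const name of ['username', 'password', 'service']) {
    if (!params[name]) {
      const err = new Error(`missingparam: ${name}`);
      err.code = 'missingparam';
      throw err;
    }
  }
}

function authenticate(params) {
  // Constructed credential check for the demo.
  if (params.username === 'student' && params.password === 'correct-horse') {
    return { token: 'constructed-token-value' };
  }
  failedLoginLog.push(params.username);
  return { error: 'invalidlogin' };
}

// corsFirst=false: header added only once validation has passed (reported behaviour).
// corsFirst=true:  header added before validation (what the issue asks for).
function tokenEndpoint(params, corsFirst) {
  const headers = corsFirst ? { ...CORS } : {};
  try {
    validate(params);
  } catch (e) {
    return { headers, body: JSON.stringify({ errorcode: e.code }) };
  }
  Object.assign(headers, CORS);
  return { headers, body: JSON.stringify(authenticate(params)) };
}

// Browser side: without a matching Access-Control-Allow-Origin header the
// response is withheld from the calling script, so it sees nothing useful.
function crossOriginRead(response) {
  const allow = response.headers['Access-Control-Allow-Origin'];
  return allow === '*' ? JSON.parse(response.body) : null;
}

// Reachability probe with no credentials at all.
function probe(corsFirst) {
  return crossOriginRead(tokenEndpoint({}, corsFirst));
}
```

With the header sent late, the empty probe is unreadable and only a request carrying made-up credentials gets an answer, which is what adds entries to the failed-login record.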

            People

            • Assignee:
              jleyva Juan Leyva
              Reporter:
              jleyva Juan Leyva
              Peer reviewer:
              Simey Lameze
              Integrator:
              David Monllaó
              Tester:
              John Okely
              Participants:
              Component watchers:
              Juan Leyva, Jake Dallimore, Jun Pataleta, Ryan Wyllie

              Dates

              • Created:
                Updated:
                Resolved:
                Fix Release Date:
                14/Mar/16