Status: Development in progress
Affects Version/s: 2.9.4, 3.0.2
Fix Version/s: None
Affected Branches:MOODLE_29_STABLE, MOODLE_30_STABLE
- Ordinary users cannot reset Web Service tokens acquired via login/token.php without elevated capabilities.
- This is either missing moodle functionality AND/OR missing documentation.
If users are capable of acquiring a token via login/token.php, they might not be enabled to reset the token by themselves.
Tokens issued via login/token.php are valid for a prolonged period of time (3 months on our installation) and have no obvious documented means of resetting the token via WS-API or their profile page.
A reset mechanism is already in place, but only for e.g. the RSS Feed security token.
If the token was compromised, it allows access to all functions available to the user, including private information about other users.
Compromised users are left with no means to block access by themselves until the issued token expires, hence the security issue.
- looking through the source, but could not find any information regarding token reset.
- finding the reset in the user's preferences on our own and the demo.moodle.net instance
- issuing the token via admin panel. The only way to "reset" the token was deleting the issued token.
- Moodle Mobile and/or Web Service tokens should be manageable via user/managetoken.php without elevated capabilities.
- Add the functionality for resetting tokens to login/token.php
- In general: if a user can acquire a token, there must be a way for them to also reset or revoke it (without changing user capabilities)