Moodle Web Service Token reset

Details

    • Affects versions: MOODLE_29_STABLE, MOODLE_30_STABLE

    Description

      Problems:

      • Ordinary users cannot reset Web Service tokens acquired via login/token.php without elevated capabilities.
      • This is either missing moodle functionality AND/OR missing documentation.

      Detailed description:
      If users are capable of acquiring a token via login/token.php, they might not be able to reset the token by themselves.
      Tokens issued via login/token.php are valid for a prolonged period of time (3 months on our installation) and have no obvious documented means of resetting the token via WS-API or their profile page.
      A reset mechanism is already in place, but only for e.g. the RSS Feed security token.

      If the token was compromised, it allows access to all functions available to the user, including private information about other users.
      Compromised users are left with no means to block access by themselves until the issued token expires, hence the security issue.

      I tried:

      • looking through the source, but could not find any information regarding token reset.
      • finding the reset in the user's preferences on our own and the demo.moodle.net instance
      • issuing the token via admin panel. The only way to "reset" the token was deleting the issued token.

      Suggested solution:

      • Moodle Mobile and/or Web Service tokens should be manageable via user/managetoken.php without elevated capabilities.
      • Add the functionality for resetting tokens to login/token.php
      • In general: if a user can acquire a token, there must be a way for them to also reset or revoke it (without changing user capabilities)

People

  Assignee: Unassigned
  Reporter: David Schmid