Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-55003

Web service tokens created by others are not visible to/manageable by administrator

    XMLWordPrintable

Details

    • Bug
    • Resolution: Duplicate
    • Minor
    • None
    • 3.0.4, 3.1.2
    • Web Services
    • MOODLE_30_STABLE, MOODLE_31_STABLE
    • MDL-55003-wstokenadmin
    • Hide

      1. As an admin, enable web services and create an external service with an arbitrary shortname, e.g. externalservice.
      2. Create a user testuser with the password Testpass1! that is able to access that service (either by allowing all users to use the service, or by restricting the external service to that particular user).
      3. Grant the moodle/webservice:createtoken privilege to that user, e.g. by allowing it for the Authenticated user role.
      4. In the name of the user, create a token by visiting the URL $CFG->wwwroot/login/token.php?service=externalservice&username=testuser&password=Testpass1! and write down the resulting token.
      5. As an administrator, navigate to Site administration -> Plugins -> Web services -> Manage tokens.
      6. Verify that the token from #4 shows up, with first and last name of testuser in the "User" column and the username testuser in the "Creator" column.
      7. Still as an administrator, click "Add".
      8. Select testuser for "User" and externalservice for "Service" and click "Save changes"
      9. Verify that another token shows up, again with first and last name of testuser in the "User" column, but your administrator's username in the "Creator" column.

      Show
      1. As an admin, enable web services and create an external service with an arbitrary shortname, e.g. externalservice . 2. Create a user testuser with the password Testpass1! that is able to access that service (either by allowing all users to use the service, or by restricting the external service to that particular user). 3. Grant the moodle/webservice:createtoken privilege to that user, e.g. by allowing it for the Authenticated user role. 4. In the name of the user, create a token by visiting the URL $CFG->wwwroot/login/token.php?service=externalservice&username=testuser&password=Testpass1! and write down the resulting token. 5. As an administrator, navigate to Site administration -> Plugins -> Web services -> Manage tokens. 6. Verify that the token from #4 shows up, with first and last name of testuser in the "User" column and the username testuser in the "Creator" column. 7. Still as an administrator, click "Add". 8. Select testuser for "User" and externalservice for "Service" and click "Save changes" 9. Verify that another token shows up, again with first and last name of testuser in the "User" column, but your administrator's username in the "Creator" column.

    Description

      As an administrator, I cannot see web service tokens that are created by others, including other administrator users.

      The admin settings page "webservicetokens" $CFG->wwwroot/admin/settings.php?section=webservicetokens allows managing tokens that authorise access to webservices. I can create tokens for other users, but I will always see only those tokens that I have created.

      I would like to be able to revoke tokens created by others, e.g. in case I detect or get notified of abuse of tokens. In our particular case, however, a former colleague has created tokens for technical users, which I am now unable to change

      Attachments

        Issue Links

          Activity

            People

              jan.dagefoerde Jan Dageförde
              jan.dagefoerde Jan Dageförde
              Ryan Wyllie Ryan Wyllie
              Dan Poltawski Dan Poltawski
              Votes:
              2 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Clockify

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.