Moodle / MDL-55003

Web service tokens created by others are not visible to/manageable by administrator


    • Type: Bug
    • Resolution: Duplicate
    • Priority: Minor
    • None
    • 3.0.4, 3.1.2
    • Web Services
    • MOODLE_30_STABLE, MOODLE_31_STABLE
    • MDL-55003-wstokenadmin

      1. As an admin, enable web services and create an external service with an arbitrary shortname, e.g. externalservice.
      2. Create a user testuser with the password Testpass1! that is able to access that service (either by allowing all users to use the service, or by restricting the external service to that particular user).
      3. Grant the moodle/webservice:createtoken privilege to that user, e.g. by allowing it for the Authenticated user role.
      4. In the name of the user, create a token by visiting the URL $CFG->wwwroot/login/token.php?service=externalservice&username=testuser&password=Testpass1! and write down the resulting token.
      5. As an administrator, navigate to Site administration -> Plugins -> Web services -> Manage tokens.
      6. Verify that the token from #4 shows up, with first and last name of testuser in the "User" column and the username testuser in the "Creator" column.
      7. Still as an administrator, click "Add".
      8. Select testuser for "User" and externalservice for "Service" and click "Save changes".
      9. Verify that another token shows up, again with first and last name of testuser in the "User" column, but your administrator's username in the "Creator" column.


      As an administrator, I cannot see web service tokens that are created by others, including other administrator users.

      The admin settings page "webservicetokens" $CFG->wwwroot/admin/settings.php?section=webservicetokens allows managing tokens that authorise access to webservices. I can create tokens for other users, but I will always see only those tokens that I have created.

      I would like to be able to revoke tokens created by others, e.g. in case I detect or get notified of abuse of tokens. In our particular case, however, a former colleague has created tokens for technical users, which I am now unable to change
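The gap described in this report, as an added example that is not part of the original issue or of Moodle's code: it compares a creator-filtered token listing with a full audit query over a constructed in-memory copy of the relevant tables. The table and column names are assumed from Moodle's standard schema with the default mdl_ prefix; formeradmin, techuser and all rows are constructed.

```python
import sqlite3

# Minimal slice of the Moodle tables involved (assumed default "mdl_" prefix).
SCHEMA = """
CREATE TABLE mdl_user (id INTEGER PRIMARY KEY, username TEXT, suspended INTEGER, deleted INTEGER);
CREATE TABLE mdl_external_services (id INTEGER PRIMARY KEY, shortname TEXT);
CREATE TABLE mdl_external_tokens (id INTEGER PRIMARY KEY, token TEXT, userid INTEGER,
    externalserviceid INTEGER, creatorid INTEGER, timecreated INTEGER, lastaccess INTEGER);
"""
# Every token on the site, whoever created it; the token value is not selected.
AUDIT_SQL = """
SELECT t.id, s.shortname AS service, u.username AS owner, c.username AS creator, t.lastaccess,
       CASE WHEN c.id IS NULL OR c.deleted = 1 OR c.suspended = 1
            THEN 1 ELSE 0 END AS creator_inactive
FROM mdl_external_tokens t
JOIN mdl_external_services s ON s.id = t.externalserviceid
JOIN mdl_user u ON u.id = t.userid
LEFT JOIN mdl_user c ON c.id = t.creatorid
ORDER BY t.id
"""

def demo_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO mdl_user VALUES (?,?,?,?)", [
        (2, "admin", 0, 0), (3, "formeradmin", 1, 0),   # 3 = suspended former colleague
        (4, "testuser", 0, 0), (5, "techuser", 0, 0)])
    db.execute("INSERT INTO mdl_external_services VALUES (1, 'externalservice')")
    db.executemany("INSERT INTO mdl_external_tokens VALUES (?,?,?,?,?,?,?)", [
        (1, "constructed-a", 4, 1, 4, 1470000000, None),         # self-created (step 4)
        (2, "constructed-b", 4, 1, 2, 1470000100, None),         # created by admin (step 8)
        (3, "constructed-c", 5, 1, 3, 1400000000, 1469990000)])  # created by formeradmin
    return db

def visible_to(db, admin_id):
    """Model of the reported behaviour: only tokens this admin created."""
    sql = "SELECT id FROM mdl_external_tokens WHERE creatorid = ? ORDER BY id"
    return [r["id"] for r in db.execute(sql, (admin_id,))]

def audit_tokens(db):
    """All tokens with owner and creator; creator_inactive marks orphaned ones."""
    return [dict(r) for r in db.execute(AUDIT_SQL)]

if __name__ == "__main__":
    db = demo_db()
    print(visible_to(db, 2), *audit_tokens(db), sep="\n")
```

Rows with creator_inactive set to 1 are the ones to review first, since nobody who can see them in a creator-filtered view is still active.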

            Jan Dageförde (jan.dagefoerde)
            Ryan Wyllie
            Dan Poltawski
            Votes: 2
            Watchers: 6
