  1. Moodle
  2. MDL-55003

Web service tokens created by others are not visible to/manageable by administrator

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 3.0.4, 3.1.2
    • Fix Version/s: None
    • Component/s: Web Services
    • Labels:
    • Testing Instructions:
      1. As an admin, enable web services and create an external service with an arbitrary shortname, e.g. externalservice.
      2. Create a user testuser with the password Testpass1! that is able to access that service (either by allowing all users to use the service, or by restricting the external service to that particular user).
      3. Grant the moodle/webservice:createtoken privilege to that user, e.g. by allowing it for the Authenticated user role.
      4. In the name of the user, create a token by visiting the URL $CFG->wwwroot/login/token.php?service=externalservice&username=testuser&password=Testpass1! and write down the resulting token.
      5. As an administrator, navigate to Site administration -> Plugins -> Web services -> Manage tokens.
      6. Verify that the token from #4 shows up, with first and last name of testuser in the "User" column and the username testuser in the "Creator" column.
      7. Still as an administrator, click "Add".
      8. Select testuser for "User" and externalservice for "Service" and click "Save changes".
      9. Verify that another token shows up, again with first and last name of testuser in the "User" column, but your administrator's username in the "Creator" column.

    • Affected Branches:
      MOODLE_30_STABLE, MOODLE_31_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-55003-wstokenadmin

      Description

      As an administrator, I cannot see web service tokens that are created by others, including other administrator users.

      The admin settings page "webservicetokens" $CFG->wwwroot/admin/settings.php?section=webservicetokens allows managing tokens that authorise access to webservices. I can create tokens for other users, but I will always see only those tokens that I have created.

      I would like to be able to revoke tokens created by others, e.g. in case I detect or get notified of abuse of tokens. In our particular case, however, a former colleague has created tokens for technical users, which I am now unable to change.
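
      The visibility gap described in this report, as an added example that is not part of the original issue or of Moodle's code: it models the token listing as a filter on creatorid and compares it with an unscoped listing to show which tokens an administrator cannot see. The mdl_ table prefix, the reduced column set, the filter itself and all sample rows (including the formeradmin account and the placeholder token strings) are assumptions constructed for the illustration.

```python
import sqlite3

# Constructed, reduced subset of Moodle's token tables (default "mdl_" prefix assumed).
SCHEMA = """
CREATE TABLE mdl_user (id INTEGER PRIMARY KEY, username TEXT);
CREATE TABLE mdl_external_services (id INTEGER PRIMARY KEY, shortname TEXT);
CREATE TABLE mdl_external_tokens (
    id INTEGER PRIMARY KEY, token TEXT, userid INTEGER,
    externalserviceid INTEGER, creatorid INTEGER);
"""
# Constructed sample rows; the token strings are placeholders, not real tokens.
SAMPLE = """
INSERT INTO mdl_user VALUES (2,'admin'), (3,'formeradmin'), (4,'testuser');
INSERT INTO mdl_external_services VALUES (1,'externalservice');
INSERT INTO mdl_external_tokens VALUES
  (1,'PLACEHOLDER-SELF',4,1,4), (2,'PLACEHOLDER-ADMIN',4,1,2),
  (3,'PLACEHOLDER-FORMER',4,1,3);
"""
# Owner and creator are both rows in mdl_user, so the user table is joined twice.
LIST_TOKENS = """
SELECT t.id, u.username AS owner, c.username AS creator, s.shortname AS service
FROM mdl_external_tokens t
JOIN mdl_user u ON u.id = t.userid
LEFT JOIN mdl_user c ON c.id = t.creatorid
JOIN mdl_external_services s ON s.id = t.externalserviceid
{where}
ORDER BY t.id
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE)
    return db

def tokens_created_by(db, creator_id):
    """Creator-scoped listing: the behaviour the report describes (assumed filter)."""
    sql = LIST_TOKENS.format(where="WHERE t.creatorid = ?")
    return db.execute(sql, (creator_id,)).fetchall()

def all_tokens(db):
    """Unscoped listing: what an administrator needs to audit and revoke tokens."""
    return db.execute(LIST_TOKENS.format(where="")).fetchall()

def unmanaged_by(db, creator_id):
    """Tokens that exist but are missing from the creator-scoped view."""
    seen = {row[0] for row in tokens_created_by(db, creator_id)}
    return [row for row in all_tokens(db) if row[0] not in seen]

if __name__ == "__main__":
    print(unmanaged_by(build_db(), 2))
```

      Rows 1 and 3 correspond to the two cases in the report: a token a user created for themselves through login/token.php, and a token created by another administrator.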

              People

              Assignee:
              jan.dagefoerde Jan Dageförde
              Reporter:
              jan.dagefoerde Jan Dageförde
              Peer reviewer:
              Ryan Wyllie
              Integrator:
              Dan Poltawski
              Participants:
              Component watchers:
              Juan Leyva, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Víctor Déniz Falcón
              Votes:
              2
              Watchers:
              6

                Dates

                Created:
                Updated:
                Resolved: