[MDL-55752] enrol_lti: Don't use token in launch requests - Moodle Tracker

XML

Word

Printable

Details

Type: Sub-task
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.2
Fix Version/s: None
Component/s: Enrolments, LTI provider
Labels:
- triaged

Affected Branches:
MOODLE_32_STABLE
Pull from Repository:
https://github.com/xow/moodle.git
Pull Master Branch:
~~MDL-55752~~-master
Pull Master Diff URL:
https://github.com/xow/moodle/compare/2234e7b...MDL-55752-master
Testing Instructions:
Hide

Proxy Tests

Go to SITE A

Go to your list of tools

Copy the url in the Proxy URL column for one of the tools

Go to SITE B

Go to Site administration ► Plugins ► External tool ► Manage tools

Paste the url you copied into the box, but don't click add

Change the token part of the url to something else such as "ASDF123"

Click add

Make sure that there is an error displayed

Click cancel

Paste the URL and this time click add with the correct token

Click continue

Click save

The tool should successfully be added.

Go to a course

Add an external tool

Select the type as the tool you just added

Save and display

Verify it works as expected and you log into SITE A correctly

Go to SITE A

Go to your list of tools

Copy the url in the Cartridge URL column for one of the tools

Go to the cartridge

Copy the launch url from the XML

Go to SITE B

Go to Site administration ► Plugins ► External tool ► Manage tools

Paste the url you copied into the box and click add

Make sure you get an error

Go to SITE A

Go to your list of tools

Copy the url in the Proxy URL column for one of the tools

Go to SITE B

Go to a course

Add an external tool

Paste the proxy URL as the launch url
Show
Proxy Tests Go to SITE A Go to your list of tools Copy the url in the Proxy URL column for one of the tools Go to SITE B Go to Site administration ► Plugins ► External tool ► Manage tools Paste the url you copied into the box, but don't click add Change the token part of the url to something else such as "ASDF123" Click add Make sure that there is an error displayed Click cancel Paste the URL and this time click add with the correct token Click continue Click save The tool should successfully be added. Go to a course Add an external tool Select the type as the tool you just added Save and display Verify it works as expected and you log into SITE A correctly Go to SITE A Go to your list of tools Copy the url in the Cartridge URL column for one of the tools Go to the cartridge Copy the launch url from the XML Go to SITE B Go to Site administration ► Plugins ► External tool ► Manage tools Paste the url you copied into the box and click add Make sure you get an error Go to SITE A Go to your list of tools Copy the url in the Proxy URL column for one of the tools Go to SITE B Go to a course Add an external tool Paste the proxy URL as the launch url

Description

If you are a student on a site that uses a moodle shared LTI tool proxy, you can easily just copy that url and put it on your own LTI consumer and set up the proxy. We need to make sure this isn't possible

During this issue we may want to look into combining tool.php and proxy.php so proxy.php only does the registration and tool.php only does launches. This may help us separate the launches and uses of the tool

Attachments

Issue Links

has to be done before

MDL-55753 Only allow certain consumers for each shared tool in enrol_lti

Closed

Activity

People

Assignee:: John Okely

Reporter:: John Okely

Peer reviewer:: Jun Pataleta

Participants:: CiBoT, John Okely, Jun Pataleta

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo, David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 29/Aug/16 10:24 PM

Updated:: 14/Nov/16 6:13 PM

Resolved:: 31/Aug/16 12:21 AM