Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-53832 Upgrade enrol_lti to support LTI v2.0
  3. MDL-55753

Only allow certain consumers for each shared tool in enrol_lti

    XMLWordPrintable

    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.2
    • Fix Version/s: None
    • Component/s: Enrolments, LTI provider
    • Labels:
    • Testing Instructions:
      Hide
      Prerequisites

      You will need two moodle sites. One must be a Moodle 3.2 site (SITE A). The other can be 3.1 or above (SITE B)
      Test on oracle

      1. On site A share two tools if you haven't already
      2. Copy the proxy url of the first tool
      3. Go to site B
      4. Go to Site administration ► Plugins ► External tool ► Manage tools
      5. Paste the proxy url
      6. Follow the registration process, until it's successfully added
      7. Go to SITE A, copy the cartridge url of the second tool you shared
      8. Paste it into your browser
      9. Copy the launch url
      10. Log in to the database of site B
      11. Find the database entry in mdl_lti_types that corresponds to the newly created tool (should have the highest id)
      12. Edit that entry
      13. Paste the launch url of the second tool that you copied before
      14. Go to site B
      15. Go to a course and add an external tool
      16. Select the tool type you added.
      17. Save and display
      18. Ensure you receive an error message.
      19. Go to Site administration ► Plugins ► External tool ► Manage tools
      20. Delete the tool type
      21. Copy the same proxy url from SITE A
      22. Go through the process
      23. Go to your course and select the new type
      24. Save and display
      25. Confirm you can successfully access the tool
      26. Go to site A
      27. Copy the cartridge url of the first tool
      28. Go to a course on site B
      29. Create an external tool
      30. Paste the cartridge url
      31. Copy the secret from site A
      32. invent a consumer key
      33. Go to the site
      34. Edit the tool again
      35. On site A, go to the cartridge url of the second tool and copy the launch url from the xml
      36. Change the launch url to the launch url of the second tool
      37. Try to launch
      38. Make sure you get an error.
      Show
      Prerequisites You will need two moodle sites. One must be a Moodle 3.2 site (SITE A). The other can be 3.1 or above (SITE B) Test on oracle On site A share two tools if you haven't already Copy the proxy url of the first tool Go to site B Go to Site administration ► Plugins ► External tool ► Manage tools Paste the proxy url Follow the registration process, until it's successfully added Go to SITE A, copy the cartridge url of the second tool you shared Paste it into your browser Copy the launch url Log in to the database of site B Find the database entry in mdl_lti_types that corresponds to the newly created tool (should have the highest id) Edit that entry Paste the launch url of the second tool that you copied before Go to site B Go to a course and add an external tool Select the tool type you added. Save and display Ensure you receive an error message. Go to Site administration ► Plugins ► External tool ► Manage tools Delete the tool type Copy the same proxy url from SITE A Go through the process Go to your course and select the new type Save and display Confirm you can successfully access the tool Go to site A Copy the cartridge url of the first tool Go to a course on site B Create an external tool Paste the cartridge url Copy the secret from site A invent a consumer key Go to the site Edit the tool again On site A, go to the cartridge url of the second tool and copy the launch url from the xml Change the launch url to the launch url of the second tool Try to launch Make sure you get an error.
    • Affected Branches:
      MOODLE_32_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-55753-master

      Description

      In moodle we don't want any consumer to be able to access any tool. Instead we want only the specific tool shared to be allowed.

      In the LTI library, it only verifies the consumer and secret. We need to verify that the correct tool is being accessed.

      Possible solution: extend the Consumer class and add a enrol instance id to each consumer. (Add it to the DB too). Then verify on launch that it's the correct launch path for the consumer's corresponding enrolment instance.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                johno John Okely
                Reporter:
                johno John Okely
                Peer reviewer:
                Jun Pataleta
                Participants:
                Component watchers:
                Amaia Anabitarte, Bas Brands, Carlos Escobedo, Sara Arjona (@sarjona), Víctor Déniz Falcón, Adrian Greeve, Mihail Geshoski, Peter Dias
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: