Moodle / MDL-56182

Domain matching in external tool URLs causes incorrect matches

    Details

    • Testing Instructions:
      Pre-requisites

      1. On a site other than the one you're testing (which does not need to be integration)
      2. Enable LTI Auth and LTI Enrol plugins
      3. Create two courses and enable the LTI enrolment method

      Test

      1. On your testing instance, register both courses from your other site as tools.
        • The URLs provided will contain view.php?id=X
      2. Head to a course and add a new External tool
      3. Enter the URL of the first tool and save
      4. Create a second external tool with the URL of the second tool and save
      5. Confirm that both external tools point to their corresponding courses
        • Prior to the patch, when entering one of the URLs in the form, you'd get a match on the other course

      Regression testing

      1. Create a tool type with a simple URL (ideally http://lti.tools)
      2. Set the key to "key" and the secret to "secret"
      3. Login as a teacher and create a tool with the same URL but extended, e.g. http://lti.tools/test/tp.php
      4. (don't enter a consumer key or secret here)
      5. Confirm that the URL is matched to the tool registered at step 1.
      6. Save and display
      7. Confirm that you see the tool and it loads correctly with no errors about consumer key or secret
    • Workaround:
      • Do not define external tool types. Instead, just give connection details to the teacher (partial workaround)
      • Modify /etc/hosts of your Moodle server and create aliases to the URL of the tool and use a different one each time (only works for self-hosted, non-cloud-based instances. May not work with all tools)
    • Affected Branches:
      MOODLE_31_STABLE
    • Fixed Branches:
      MOODLE_31_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-56182-master

      Description

      In the LTI module, when you have an external tool type added, when you add an instance with a launch url that contains that tool type's url, it will match the wrong tool.

      e.g. if you add a tool type with a url of

      http://example.com/path?tool=1

      and then later add an instance with this url

      http://example.com/path2

      it will override your settings with the settings for the tool type (because it only matches domains)

      This makes using two tools with the same domain unusable

      This has been reported by Monash College.
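
The difference described above, as an added sketch that is neither Moodle's code nor the patch for this issue: a domain-only lookup next to one that also compares path and query string. The host `other.example`, the tool names and keys are constructed, the function names are hypothetical, and the rule in `match_by_url()` is an assumption about what a stricter match could look like.

```php
<?php
// Constructed tool types; URLs follow this issue's examples, names and keys are made up.
$types = [
    ['name' => 'Course 1',  'baseurl' => 'http://other.example/view.php?id=1', 'key' => 'key-1'],
    ['name' => 'Course 2',  'baseurl' => 'http://other.example/view.php?id=2', 'key' => 'key-2'],
    ['name' => 'LTI tools', 'baseurl' => 'http://lti.tools',                   'key' => 'key'],
    ['name' => 'Path tool', 'baseurl' => 'http://example.com/path?tool=1',     'key' => 'key-3'],
];

// Split a URL into lower-cased host, path segments and (scalar) query parameters.
function url_parts(string $url): array {
    $p = parse_url($url);
    parse_str($p['query'] ?? '', $query);
    $path = array_values(array_filter(explode('/', $p['path'] ?? ''), 'strlen'));
    return [strtolower($p['host'] ?? ''), $path, $query];
}

// Behaviour reported in the description: the host alone decides, first hit wins.
function match_by_domain(string $launch, array $types): ?array {
    [$host] = url_parts($launch);
    foreach ($types as $t) {
        if ($host !== '' && url_parts($t['baseurl'])[0] === $host) {
            return $t;
        }
    }
    return null;
}

// Assumed stricter rule: same host, the type's path segments are a prefix of the
// launch path, and every query parameter of the type is present with the same value.
// The most specific candidate wins; no candidate means no tool type is applied.
function match_by_url(string $launch, array $types): ?array {
    [$host, $path, $query] = url_parts($launch);
    $best = null;
    $bestscore = -1;
    foreach ($types as $t) {
        [$thost, $tpath, $tquery] = url_parts($t['baseurl']);
        if ($host === '' || $thost !== $host) continue;
        if (array_slice($path, 0, count($tpath)) !== $tpath) continue;
        if (count(array_intersect_assoc($tquery, $query)) !== count($tquery)) continue;
        $score = count($tpath) + count($tquery);
        if ($score > $bestscore) { $best = $t; $bestscore = $score; }
    }
    return $best;
}

foreach (['http://other.example/view.php?id=2', 'http://lti.tools/test/tp.php', 'http://example.com/path2'] as $launch) {
    printf("%s\n  domain only: %s\n  full URL:    %s\n", $launch,
        match_by_domain($launch, $types)['name'] ?? 'none',
        match_by_url($launch, $types)['name'] ?? 'none');
}
```

The three launch URLs mirror the testing instructions and the description: the second course on a shared host, the extended `http://lti.tools` URL from the regression steps, and `/path2` against a type registered for `/path?tool=1`.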

            People

            Assignee:
            fred Frédéric Massart
            Reporter:
            johno John Okely
            Peer reviewer:
            Mark Nelson
            Integrator:
            Dan Poltawski
            Tester:
            Jun Pataleta
            Participants:
            Component watchers:
            Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
            Votes:
            2
            Watchers:
            5

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              9/Jan/17