  1. Moodle
  2. MDL-60030

Allow to execute Moodle WS without login using REST, SOAP and XML-RPC

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.4
    • Fix Version/s: None
    • Component/s: Web Services
    • Labels:
    • Testing Instructions:
      1. Enable Web services
      2. Enable all protocols
      3. Create a service and add several functions to it, make sure at least one function has 'loginrequired'=>false and one does not. Examples are "core_fetch_notifications" and "core_webservice_get_site_info"
      4. Make sure the capabilities to use all webservices are enabled in Authenticated and Unauthenticated users roles
      5. Create a token for some user (not admin) for use with the service above
      6. Access each WS function via each protocol for both simple (username/password) authentication and token authentication.
      7. Remove credentials from each call and make sure you can execute only functions that have 'loginrequired'=>false
      8. Try fiddling with parameters - specify wrong token or username or password, wrong function, etc. Try revoking caps to use WS
      9. In SOAP make sure wsdl=1 returns only available functions for both auth user and guest

      Examples of calling WS with REST:
      curl "http://YOURSITE/webservice/rest/server.php?wsfunction=core_webservice_get_site_info&wstoken=TOKEN"
      curl "http://YOURSITE/webservice/rest/simpleserver.php?wsfunction=core_webservice_get_site_info&wsusername=USERNAME&wspassword=PASSWORD"

      Examples of requesting WSDL with SOAP:
      http://YOURSITE/webservice/soap/simpleserver.php?wsdl=1&wsusername=USERNAME&wspassword=PASSWORD
      http://YOURSITE/webservice/soap/server.php?wsdl=1&wstoken=TOKEN

      But using Site administration>Development>WS test client is probably the best way to test all WS. If MDL-60033 is not integrated yet, cherry-pick it for testing

    • Affected Branches:
      MOODLE_34_STABLE
    • Pull Master Branch:
      wip-MDL-60030-master

      Description

      /lib/ajax/service-nologin.php allows calling WS functions without login if they define 'requirelogin'=>false

      Currently it is impossible to call Moodle WS through REST without a valid token, regardless of 'requirelogin'=>false.
      The same applies to XML-RPC and SOAP.
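
One way to record the pass/fail matrix from testing steps 6 and 7 over REST, as an added example that is not part of this issue or of Moodle's code. It assumes JSON output via `moodlewsrestformat=json`, that the first example function is the one declaring 'loginrequired'=>false, and that a credential-free call is sent to server.php; the response bodies are constructed.

```python
import json
from urllib.parse import urlencode

# Assumption, following the order of the page's examples: the first function
# declares 'loginrequired' => false, the second requires login.
LOGIN_REQUIRED = {
    "core_fetch_notifications": False,
    "core_webservice_get_site_info": True,
}
# REST endpoints and credential parameters as they appear in the curl examples.
AUTH_MODES = {
    "token": ("server.php", {"wstoken": "TOKEN"}),
    "simple": ("simpleserver.php", {"wsusername": "USERNAME", "wspassword": "PASSWORD"}),
    "none": ("server.php", {}),  # step 7: credentials removed
}

def build_url(site, function, mode):
    """REST URL for one cell of the test matrix, asking for JSON output."""
    script, creds = AUTH_MODES[mode]
    query = {"wsfunction": function, "moodlewsrestformat": "json", **creds}
    return f"{site}/webservice/rest/{script}?{urlencode(query)}"

def was_allowed(body):
    """Moodle REST reports errors as a JSON object carrying an 'exception' key."""
    data = json.loads(body)
    return not (isinstance(data, dict) and "exception" in data)

def audit(responses):
    """Compare observed bodies, keyed by (function, mode), with the expected matrix."""
    findings = []
    for (function, mode), body in sorted(responses.items()):
        expected = mode != "none" or not LOGIN_REQUIRED[function]
        allowed = was_allowed(body)
        if allowed and not expected:
            findings.append((function, mode, "EXPOSED: login-only function ran without credentials"))
        elif expected and not allowed:
            findings.append((function, mode, "BLOCKED: call should have succeeded"))
    return findings

# Constructed sample bodies (not captured from a real site).
ERROR = '{"exception":"moodle_exception","errorcode":"invalidtoken","message":"Invalid token"}'
SAMPLE = {
    ("core_fetch_notifications", "none"): "[]",
    ("core_fetch_notifications", "token"): "[]",
    ("core_webservice_get_site_info", "token"): '{"sitename":"Demo"}',
    ("core_webservice_get_site_info", "simple"): ERROR,
    ("core_webservice_get_site_info", "none"): '{"sitename":"Demo"}',
}
```

Calling `audit(SAMPLE)` returns one EXPOSED and one BLOCKED finding; an EXPOSED row is the security regression to watch for, since it means a function that requires login answered a request with no credentials.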

              People

              Assignee:
              Unassigned
              Reporter:
              marina Marina Glancy
              Participants:
              Component watchers:
              Juan Leyva, Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Víctor Déniz Falcón