  1. Moodle
  2. MDL-64439

A deep link to a mod_resource file fails when using the auth pre_loginpage_hook


    Details

    • Testing Instructions:

      Set up:

      1. Create course with file activity (upload a text file, for simplicity).
      2. Mark this activity as not visible to students.
      3. Copy the resource URL, e.g. http://moodle.local/pluginfile.php/2892/mod_resource/content/0/resource1.txt. The easiest way to get this is to view the file resource as the teacher/admin, and copy the resulting URL, which must contain 'pluginfile.php'.
      4. Create some user (testuser1 with password Testuser1@) and enrol them into a course as a MANAGER. Confirm that this user can see the resource when logged in normally in the browser.

       

      Scenario for auth_basic

      1. Install https://github.com/catalyst/moodle-auth_basic
      2. Enable the plugin at admin/settings.php?section=manageauths
      3. Run the following command, replacing ONLY the URL to the resource with your own (from setup, step 3):

       

      curl -s -c /tmp/cookies -v -L --user testuser1:Testuser1@ http://moodle.local/RESOURCE_URL 2>&1 > /dev/null | egrep 'filename|HTTP'
      

      Expected behaviour: you should see a 200 server status and a filename, i.e. something like

      > GET /RESOURCE_URL HTTP/1.1
      < HTTP/1.1 200 OK
      < Content-Disposition: inline; filename="download%2F8%2F8%2F3%2F883C0889-72A8-4766-8D07-4BF2F048BE36%2FMoodleAndOffice365WithADFS.pdf"
      

       

      Optional: Scenario for saml2

      (This one is not really required and is harder to test, but it is where the bug was originally found. If you don't have a working SAML setup, then please skip this.)

      1. Set up an IdP
      2. Install the saml plugin https://moodle.org/plugins/auth_saml2
      3. Disable the basic auth plugin installed previously
      4. Enable the saml2 plugin at admin/settings.php?section=manageauths
      5. Set Dual login to No in the saml2 plugin settings
      6. Make sure "Force users to log in" is set to yes in Site security settings
      7. Create a saml user
      8. Open an incognito tab and paste the resource URL (you should be redirected to the saml login page)
      9. Fill in the username/password and click login

      Expected behavior: Resource file is opened

       

      Note that if you reload the page you will be able to access the resource.

    • Affected Branches:
      MOODLE_33_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
    • Fixed Branches:
      MOODLE_35_STABLE, MOODLE_36_STABLE
    • Pull 3.5 Branch:
      MDL-64439-MOODLE_35_STABLE
    • Pull 3.6 Branch:
      MDL-64439-MOODLE_36_STABLE
    • Pull Master Branch:
      MDL-64439-master

      Description

      When a user tries to log in and view a resource in a single step (i.e. it was bookmarked or a tab is re-opening) and that resource has been set to not be visible to students, but this user can see it, then it fails. This is because the $cm->uservisible property is statically cached in get_fast_modinfo from before the auth hooks fire.

      Tested with the auth_basic and auth_saml2 plugins, which both use the pre_loginpage_hook.

       

      Actual behavior: you will get a 303 redirect for the resource page, then a 200 status for a course page and no filename, something like

      > GET /RESOURCE_URL HTTP/1.1
      < HTTP/1.1 303 See Other
      > GET /course/view.php?id=2 HTTP/1.1
      < HTTP/1.1 200 OK
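
The expected and actual traces differ only in the hop chain and in the presence of the Content-Disposition filename, so the check can be scripted for regression testing. The script below is an added example, not part of the original issue or of Moodle; the function names are hypothetical and the sample traces are constructed from the output shown in this issue.

```shell
#!/bin/sh
# Added example: classify a `curl -v -L` trace of a pluginfile.php deep link.
# Prints "served", "bounced <last request path>" or "inconclusive".
classify_deeplink_trace() {
    awk '
        { sub(/\r$/, "") }                       # drop CR left over from the wire
        /^> [A-Z]+ /  { path = $3 }              # request line of the current hop
        /^< HTTP\//   { hops++; last = $3        # status line: a new hop starts
                        if ($3 == "303") saw303 = 1
                        has_file = 0; next }
        /^< [Cc]ontent-[Dd]isposition:.*filename=/ { has_file = 1 }
        END {
            if (hops && last == "200" && has_file) print "served"
            else if (saw303 && !has_file)          print "bounced " path
            else                                   print "inconclusive"
        }'
}

# Constructed sample: the trace the issue expects once the fix is applied
# (filename shortened to the resource1.txt used in the setup steps).
sample_fixed_trace() {
    cat <<'EOF'
> GET /RESOURCE_URL HTTP/1.1
< HTTP/1.1 200 OK
< Content-Disposition: inline; filename="resource1.txt"
EOF
}

# Constructed sample: the trace the issue reports on an affected branch.
sample_buggy_trace() {
    cat <<'EOF'
> GET /RESOURCE_URL HTTP/1.1
< HTTP/1.1 303 See Other
> GET /course/view.php?id=2 HTTP/1.1
< HTTP/1.1 200 OK
EOF
}

# Live use, with the curl options from the testing instructions
# (only the egrep filter is replaced by the classifier):
#   curl -s -c /tmp/cookies -v -L --user testuser1:Testuser1@ \
#       http://moodle.local/RESOURCE_URL 2>&1 >/dev/null | classify_deeplink_trace
echo "fixed: $(sample_fixed_trace | classify_deeplink_trace)"
echo "buggy: $(sample_buggy_trace | classify_deeplink_trace)"
```

A "bounced" verdict on a URL that the same account can open after a page reload is the signature described above: the visibility decision was made before the auth hook had logged the user in.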
      

       

       

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  13/May/19

                  Time Tracking

                  Estimated: 0m
                  Remaining: 0m
                  Logged: 4h 30m