  1. Moodle
  2. MDL-64439

A deep link to a mod_resource file fails when using the auth pre_loginpage_hook


Details

    • MOODLE_33_STABLE, MOODLE_34_STABLE, MOODLE_35_STABLE, MOODLE_36_STABLE
    • MOODLE_35_STABLE, MOODLE_36_STABLE
    • MDL-64439-master

      Set up:

      1. Create course with file activity (upload a text file, for simplicity).
      2. Mark this activity as not visible to students.
      3. Copy the resource URL, e.g. http://moodle.local/pluginfile.php/2892/mod_resource/content/0/resource1.txt. The easiest way to get this is to view the file resource as the teacher/admin, and copy the resulting URL, which must contain 'pluginfile.php'.
      4. Create some user (testuser1 with password Testuser1@) and enrol them into a course as a MANAGER. Confirm that this user can see the resource when logged in normally in the browser.

       

      Scenario for auth_basic

      1. Install https://github.com/catalyst/moodle-auth_basic
      2. Enable the plugin at admin/settings.php?section=manageauths
      3. Run the following command, replacing ONLY the URL to the resource with your own (from setup, step 3):

       

      curl -s -c /tmp/cookies -v -L --user testuser1:Testuser1@ http://moodle.local/RESOURCE_URL 2>&1 > /dev/null | egrep 'filename|HTTP'
      

      Expected behaviour: you should get a 200 server status and a filename, i.e. something like:

      > GET /RESOURCE_URL HTTP/1.1
      < HTTP/1.1 200 OK
      < Content-Disposition: inline; filename="download%2F8%2F8%2F3%2F883C0889-72A8-4766-8D07-4BF2F048BE36%2FMoodleAndOffice365WithADFS.pdf"
      

       

      Optional: Scenario for saml2

      (This one is not really required and is harder to test, but it is where the bug was originally found. If you don't have a working SAML setup, then please skip this.)

      1. Set up an IdP
      2. Install the SAML plugin https://moodle.org/plugins/auth_saml2
      3. Disable the basic auth plugin installed previously
      4. Enable the saml2 plugin at admin/settings.php?section=manageauths
      5. Set Dual login to No in the saml2 plugin settings
      6. Make sure "Force users to log in" is set to yes in Site security settings
      7. Create a SAML user
      8. Open an incognito tab and paste the resource URL (you should be redirected to the SAML login page)
      9. Fill in the username/password and click login

      Expected behavior: Resource file is opened

       

      Note that if you reload the page you will be able to access the resource


    Description

      When a user tries to log in and view a resource in a single step (i.e. it was bookmarked or a tab is re-opening) and that resource has been set to not be visible to students, but this user can see it, then it fails. This is because the $cm->uservisible property is statically cached in get_fast_modinfo from before the auth hooks fire.

      Tested with the auth_basic and auth_saml2 plugins, which both use the pre_loginpage_hook.

       

      Actual behavior: you will get a 303 redirect for the resource page, then a 200 status for the course page and no filename, something like:

      > GET /RESOURCE_URL HTTP/1.1
      < HTTP/1.1 303 See Other
      > GET /course/view.php?id=2 HTTP/1.1
      < HTTP/1.1 200 OK
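
The two transcripts above (200 with a filename versus 303 followed by the course page) can be told apart mechanically, which turns the manual curl step into a regression check. This is an added example, not part of the issue or of Moodle; `classify_deeplink` is a hypothetical helper name and the sample inputs are constructed from the transcripts in this report.

```shell
#!/bin/sh
# Added example, not part of the tracker issue. classify_deeplink is a
# hypothetical helper. It reads the egrep-filtered `curl -v` lines on stdin.
# Live use: append `| classify_deeplink` to the curl/egrep pipeline above.
classify_deeplink() {
    tr -d '\r' | awk '
        # Request lines: remember the path of each GET curl sent.
        /^> GET /   { n++; path[n] = $3; next }
        # Status lines: status of the response to the latest request.
        /^< HTTP\// { status[n] = $3; next }
        # A Content-Disposition filename means the file itself was served.
        /^< Content-Disposition:.*filename=/ { file[n] = 1 }
        END {
            if (n == 0) { print "unknown"; exit 2 }
            # Expected: the deep link itself answers 200 with a filename.
            if (status[1] == "200" && file[1]) { print "served"; exit 0 }
            # Reported bug: 303 on the deep link, then the course page
            # is fetched and no filename is returned anywhere.
            if (status[1] == "303" && n > 1 &&
                path[n] ~ /^\/course\/view\.php/ && !file[n]) {
                print "bounced"; exit 1
            }
            print "unknown"; exit 2
        }'
}

# Constructed samples modelled on the two transcripts in the issue.
SERVED_SAMPLE='> GET /pluginfile.php/2892/mod_resource/content/0/resource1.txt HTTP/1.1
< HTTP/1.1 200 OK
< Content-Disposition: inline; filename="resource1.txt"'

BOUNCED_SAMPLE='> GET /pluginfile.php/2892/mod_resource/content/0/resource1.txt HTTP/1.1
< HTTP/1.1 303 See Other
> GET /course/view.php?id=2 HTTP/1.1
< HTTP/1.1 200 OK'

printf '%s\n' "$SERVED_SAMPLE"  | classify_deeplink || :
printf '%s\n' "$BOUNCED_SAMPLE" | classify_deeplink || :
```

The function exits 0 only for the `served` case, so it can gate a CI job directly.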
      

       

       


            People

              brendanheywood Brendan Heywood
              ilyatregubov Ilya Tregubov
              Brendan Heywood
              Jake Dallimore
              Anna Carissa Sadia
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski

              Dates

                Created:
                Updated:
                Resolved:
                13/May/19

                Time Tracking

                  Estimated: 0m
                  Remaining: 0m
                  Logged: 4h 30m