[MDL-66376] Enforce app security by using tokenpluginfile.php instead webservice/pluginfile.php - Moodle Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.7.1
Fix Version/s: 3.8
Component/s: Web Services
Labels:

Affected Branches:
MOODLE_37_STABLE
Fixed Branches:
MOODLE_38_STABLE
Pull from Repository:
git://github.com/jleyva/moodle.git
Pull Main Branch:
~~MDL-66376~~-master
Pull Main Diff URL:
https://github.com/jleyva/moodle/compare/0dca957716...MDL-66376-master
Testing Instructions:
Hide

Enable "Mobile services": Plugins ► Web Services ► Mobile

Create a Token for any site user:

Click on Site administration ► Plugins ► Web services ► Manage tokens

Click add, select user and service (Mobile Service)

Next, you can do a CURL REST call simulating a WS client:

You need to replace the wstoken first with the user token and the URL of your moodle instance

curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'wsfunction=core_webservice_get_site_info&wstoken=e8a8eb4410ad85d6f76ffc7a908fb65a' --compressed | python -m "json.tool"

Confirm that in the response you receive the following field: userprivateaccesskey and that is not empty
Show
Enable "Mobile services": Plugins ► Web Services ► Mobile Create a Token for any site user: Click on Site administration ► Plugins ► Web services ► Manage tokens Click add, select user and service (Mobile Service) Next, you can do a CURL REST call simulating a WS client: You need to replace the wstoken first with the user token and the URL of your moodle instance curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'wsfunction=core_webservice_get_site_info&wstoken=e8a8eb4410ad85d6f76ffc7a908fb65a' --compressed | python -m "json.tool" Confirm that in the response you receive the following field: userprivateaccesskey and that is not empty

Description

We must evaluate if now that we have a tokenpluginfile.php solution we could replace the webservice/pluginfile.php usage by the app.

The reason, is that most of the requests to webservice/pluginfile.php are done using GET method that displays the user WS token publicly in logs, browser history etc...

With tokenpluginfile.php we could you user private keys instead that does not allow WS usage (they are using just for fetching files, not requesting WebServices)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

MDL-66376.png
161 kB
04/Sep/19 10:15 AM

Issue Links

blocks

MOBILE-3164 Stop using WS tokens to retrieve images. Use tokenpluginfile.php instead.

Closed

Activity

People

Assignee:: Juan Leyva

Reporter:: Juan Leyva

Peer reviewer:: Dani Palou

Integrator:: Jake Dallimore

Tester:: Jennifer Bauzon

Participants:: CiBoT, Dani Palou, Jake Dallimore, Jennifer Bauzon, Juan Leyva

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 12/Aug/19 6:14 PM

Updated:: 14/Nov/19 4:06 PM

Resolved:: 06/Sep/19 12:31 AM

Fix Release Date:: 18/Nov/19

Time Tracking

Estimated:

Remaining:

Logged:

1h 1m