MDL-66376 (Moodle)

Enforce app security by using tokenpluginfile.php instead of webservice/pluginfile.php


Details

    • MOODLE_37_STABLE
    • MOODLE_38_STABLE
    • MDL-66376-master
    Testing instructions:
      1. Enable "Mobile services": Plugins ► Web Services ► Mobile
      2. Create a Token for any site user:
        • Click on Site administration ► Plugins ► Web services ► Manage tokens
        • Click add, select user and service (Mobile Service)
      3. Next, make a curl REST call simulating a WS client:
        • First replace the wstoken value with the user's token and the URL with that of your Moodle instance

          curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'wsfunction=core_webservice_get_site_info&wstoken=e8a8eb4410ad85d6f76ffc7a908fb65a' --compressed | python -m "json.tool"

      4. Confirm that the response contains the field userprivateaccesskey and that it is not empty

    Description

      Now that we have a tokenpluginfile.php solution, we must evaluate whether the app could replace its usage of webservice/pluginfile.php with it.

      The reason is that most requests to webservice/pluginfile.php are made using the GET method, which exposes the user's WS token publicly in logs, browser history, etc.

      With tokenpluginfile.php we could use user private access keys instead, which do not allow WS usage (they are used just for fetching files, not for requesting web services).
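      The following is an added example (not Moodle's own code, nor the app's) that ties the testing steps to the description: it builds the core_webservice_get_site_info call as a POST so the wstoken stays out of the URL, performs the step 4 check that userprivateaccesskey is present and non-empty, and rewrites a webservice/pluginfile.php?token=... file URL into a tokenpluginfile.php one carrying only the file-fetch key. The endpoint, function name and field name come from the tracker text above; the tokenpluginfile.php/<key>/<filepath> path layout is an assumption of this example, and the sample response and URLs are constructed.

```python
"""Added example, not Moodle's code: check userprivateaccesskey (test step 4)
and build tokenpluginfile.php URLs instead of webservice/pluginfile.php?token=.

Assumptions: endpoint, function and field names are from the tracker text;
the tokenpluginfile.php/<key>/<filepath> layout is assumed here, not stated on
the page; all sample data is constructed.
"""
import json
import urllib.parse
import urllib.request

WS_ENDPOINT = "/webservice/rest/server.php?moodlewsrestformat=json"
WS_PLUGINFILE = "/webservice/pluginfile.php/"
TOKEN_PLUGINFILE = "/tokenpluginfile.php/"  # assumed path layout


def site_info_request(base_url, wstoken):
    """POST request for core_webservice_get_site_info. The WS token travels in
    the request body (as the curl call in the test steps does), not in the
    query string, so it does not end up in access logs or browser history."""
    body = urllib.parse.urlencode(
        {"wsfunction": "core_webservice_get_site_info", "wstoken": wstoken}
    ).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + WS_ENDPOINT, data=body, method="POST"
    )


def fetch_site_info(base_url, wstoken, opener=urllib.request.urlopen):
    """Perform the call; `opener` can be swapped for a stub to run offline."""
    with opener(site_info_request(base_url, wstoken)) as resp:
        return json.loads(resp.read().decode("utf-8"))


def private_access_key(site_info):
    """Test step 4: userprivateaccesskey must be present and non-empty."""
    key = site_info.get("userprivateaccesskey")
    if not isinstance(key, str) or not key.strip():
        raise ValueError("userprivateaccesskey is missing or empty")
    return key


def to_tokenpluginfile_url(ws_file_url, private_key):
    """Rewrite .../webservice/pluginfile.php/<path>?token=<wstoken>&... into
    .../tokenpluginfile.php/<private_key>/<path>?... and drop the WS token,
    so the only secret left in the URL is the file-fetch-only key."""
    parts = urllib.parse.urlsplit(ws_file_url)
    idx = parts.path.find(WS_PLUGINFILE)
    if idx < 0:
        raise ValueError("not a webservice/pluginfile.php URL")
    prefix = parts.path[:idx]
    filepath = parts.path[idx + len(WS_PLUGINFILE):]
    # Keep every query parameter except the WS token.
    query = [(k, v) for k, v in urllib.parse.parse_qsl(parts.query) if k != "token"]
    new_path = f"{prefix}{TOKEN_PLUGINFILE}{private_key}/{filepath}"
    return urllib.parse.urlunsplit(
        (parts.scheme, parts.netloc, new_path, urllib.parse.urlencode(query), "")
    )


if __name__ == "__main__":
    # Constructed sample response; a real run would call fetch_site_info().
    sample = {"sitename": "Test site", "userprivateaccesskey": "CONSTRUCTED_KEY"}
    key = private_access_key(sample)
    old = ("http://localhost/m/stable_master/webservice/pluginfile.php"
           "/5/mod_resource/content/1/notes.pdf"
           "?token=e8a8eb4410ad85d6f76ffc7a908fb65a&forcedownload=1")
    print(to_tokenpluginfile_url(old, key))
```

      Running the script prints the rewritten URL for the constructed input; against a real site, call fetch_site_info() with the base URL and token from step 3 and pass the result to private_access_key() to perform the step 4 check.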

      People
        Juan Leyva (jleyva), Dani Palou, Jake Dallimore, Jennifer Bauzon

      Dates
        Resolved: 18/Nov/19

      Time Tracking
        Logged: 1h 1m