MDL-66376

Enforce app security by using tokenpluginfile.php instead of webservice/pluginfile.php


    Details

    • Testing Instructions:
      1. Enable "Mobile services": Plugins ► Web Services ► Mobile
      2. Create a Token for any site user:
        • Click on Site administration ► Plugins ► Web services ► Manage tokens
        • Click add, select user and service (Mobile Service)
      3. Next, make a curl REST call simulating a WS client:
        • Replace wstoken with the user's token and the URL with that of your Moodle instance first:

          curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'wsfunction=core_webservice_get_site_info&wstoken=e8a8eb4410ad85d6f76ffc7a908fb65a' --compressed | python -m "json.tool"

      4. Confirm that the response contains the field userprivateaccesskey and that it is not empty
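The check in step 4, and the URL rewrite the description argues for, as an added example (my own code, not Moodle's or the mobile app's). It sends the token in the POST body like the curl line above, verifies that userprivateaccesskey comes back non-empty, and rewrites a webservice/pluginfile.php download link (WS token in the query string) into a tokenpluginfile.php link carrying the private key in the path. The slash-argument URL shape `/tokenpluginfile.php/<key>/<contextid>/<component>/<filearea>/<itemid>/<filename>` and the sample JSON are assumptions; the site URL and token are the ones from the testing instructions.

```python
"""Verify the userprivateaccesskey field and rewrite app file URLs from
webservice/pluginfile.php to tokenpluginfile.php.

Added example for MDL-66376; not Moodle or app code. Assumes the
slash-argument form of tokenpluginfile.php URLs.
"""
import json
import urllib.parse
import urllib.request

# Constructed sample response, shaped like core_webservice_get_site_info output.
SAMPLE_SITE_INFO = json.loads(
    '{"sitename": "Demo", "username": "student", "userid": 5, '
    '"userprivateaccesskey": "d0c6f7bcd2a5e8e0b7c4d1e9f3a2b1c0"}'
)


def build_site_info_request(wwwroot, wstoken):
    """Return (url, body) for core_webservice_get_site_info.

    The WS token travels in the POST body, not the query string, so it does
    not end up in access logs or browser history (the problem the issue
    describes for GET requests to webservice/pluginfile.php).
    """
    url = wwwroot.rstrip("/") + "/webservice/rest/server.php?moodlewsrestformat=json"
    body = urllib.parse.urlencode({
        "wsfunction": "core_webservice_get_site_info",
        "wstoken": wstoken,
    }).encode()
    return url, body


def fetch_site_info(wwwroot, wstoken):
    """Network call equivalent to the curl line in the testing instructions."""
    url, body = build_site_info_request(wwwroot, wstoken)
    with urllib.request.urlopen(url, data=body, timeout=10) as resp:
        return json.load(resp)


def private_access_key(site_info):
    """Step 4: the field must be present and non-empty; WS errors are reported."""
    if "exception" in site_info:
        raise RuntimeError("WS error: %s" % site_info.get("message"))
    key = site_info.get("userprivateaccesskey")
    if not key:
        raise RuntimeError("userprivateaccesskey missing or empty")
    return key


def ws_token_in_url(url):
    """True if the URL carries a token=... query parameter (the leaky GET pattern)."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    return bool(query.get("token"))


def to_tokenpluginfile_url(file_url, key):
    """Rewrite .../webservice/pluginfile.php/<path>?token=WSTOKEN (or a plain
    .../pluginfile.php/<path>) to .../tokenpluginfile.php/<key>/<path>,
    dropping the token parameter so no WS token appears in the URL."""
    parts = urllib.parse.urlsplit(file_url)
    for prefix in ("/webservice/pluginfile.php/", "/pluginfile.php/"):
        idx = parts.path.find(prefix)
        if idx != -1:
            base, rest = parts.path[:idx], parts.path[idx + len(prefix):]
            break
    else:
        raise ValueError("not a pluginfile URL: " + file_url)
    new_path = "%s/tokenpluginfile.php/%s/%s" % (base, urllib.parse.quote(key, safe=""), rest)
    query = [(k, v) for k, v in urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
             if k != "token"]
    return urllib.parse.urlunsplit(
        (parts.scheme, parts.netloc, new_path, urllib.parse.urlencode(query), ""))


if __name__ == "__main__":
    key = private_access_key(SAMPLE_SITE_INFO)
    leaky = ("https://moodle.example/webservice/pluginfile.php/31/mod_resource/content/1/"
             "notes.pdf?token=e8a8eb4410ad85d6f76ffc7a908fb65a&forcedownload=1")
    print("leaks WS token:", ws_token_in_url(leaky))
    print("rewritten:", to_tokenpluginfile_url(leaky, key))
```

To run the live check against a real site, call fetch_site_info("http://localhost/m/stable_master", "<your token>") and pass the result to private_access_key; the rewrite functions need no network.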
    • Affected Branches:
      MOODLE_37_STABLE
    • Fixed Branches:
      MOODLE_38_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      MDL-66376-master

      Description

      We must evaluate whether, now that we have a tokenpluginfile.php solution, we could replace the webservice/pluginfile.php usage by the app.

      The reason is that most of the requests to webservice/pluginfile.php are done using the GET method, which displays the user's WS token publicly in logs, browser history, etc.

      With tokenpluginfile.php we could use user private keys instead, which do not allow WS usage (they are used just for fetching files, not for requesting web services).


Dates

  • Fix Release Date: 18/Nov/19

Time Tracking

  • Original Estimate: 0m
  • Remaining Estimate: 0m
  • Time Spent: 1h 1m