MDL-66376: Enforce app security by using tokenpluginfile.php instead of webservice/pluginfile.php

Branches: MOODLE_37_STABLE, MOODLE_38_STABLE, MDL-66376-master

Testing instructions:
      1. Enable "Mobile services": Plugins ► Web Services ► Mobile
      2. Create a token for any site user:
        • Click on Site administration ► Plugins ► Web services ► Manage tokens
        • Click Add, select the user and the service (Mobile Service)
      3. Next, make a curl REST call simulating a WS client. Replace the wstoken with the user's token and the URL with that of your Moodle instance first (note that the token is sent in the POST body, not in the query string):

          curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'wsfunction=core_webservice_get_site_info&wstoken=e8a8eb4410ad85d6f76ffc7a908fb65a' --compressed | python -m "json.tool"

      4. Confirm that the response contains the field userprivateaccesskey and that it is not empty.

      Description:

      We must evaluate whether, now that we have the tokenpluginfile.php solution, the app could replace its usage of webservice/pluginfile.php.

      The reason is that most requests to webservice/pluginfile.php are made using the GET method, which exposes the user's WS token publicly in server logs, browser history, etc.

      With tokenpluginfile.php we could use user private access keys instead, which do not allow WS usage (they are used only for fetching files, not for calling web services).
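      The check in step 4 of the testing instructions and the URL change this description proposes, as an added Python example (not part of the Moodle code base or of this issue): it sends the token in the POST body, verifies that userprivateaccesskey is present and non-empty, and rewrites a webservice/pluginfile.php?token=... file URL into the tokenpluginfile.php/<userprivateaccesskey>/... form so the WS token no longer travels in a GET URL. The tokenpluginfile.php path layout, the sample response and the sample file URL are assumptions constructed for the example.

```python
import json
import urllib.parse
import urllib.request


def get_site_info(wwwroot: str, wstoken: str) -> dict:
    """Call core_webservice_get_site_info with the token in the POST body, not the query string."""
    url = wwwroot.rstrip("/") + "/webservice/rest/server.php?moodlewsrestformat=json"
    body = urllib.parse.urlencode(
        {"wsfunction": "core_webservice_get_site_info", "wstoken": wstoken}
    ).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)


def private_access_key(site_info: dict) -> str:
    """Step 4 of the test: the key must be present and non-empty."""
    key = site_info.get("userprivateaccesskey")
    if not key:
        raise ValueError("userprivateaccesskey missing or empty (is Mobile services enabled?)")
    return key


def to_tokenpluginfile_url(file_url: str, key: str) -> str:
    """Rewrite a webservice/pluginfile.php URL so the WS token is no longer in the URL.
    Assumed layout: <wwwroot>/tokenpluginfile.php/<key>/<same relative path>."""
    parts = urllib.parse.urlsplit(file_url)
    marker = "/webservice/pluginfile.php"
    if marker not in parts.path:
        return file_url  # not a web service file URL; leave it untouched
    base, relpath = parts.path.split(marker, 1)
    query = dict(urllib.parse.parse_qsl(parts.query))
    query.pop("token", None)  # drop the WS token; other parameters (e.g. forcedownload) stay
    path = f"{base}/tokenpluginfile.php/{key}{relpath}"
    return urllib.parse.urlunsplit(
        (parts.scheme, parts.netloc, path, urllib.parse.urlencode(query), parts.fragment)
    )


# Constructed sample data; a live run would use get_site_info(wwwroot, wstoken) instead.
SAMPLE_SITE_INFO = {"sitename": "Test site", "userprivateaccesskey": "0123456789abcdef0123456789abcdef"}
SAMPLE_FILE_URL = ("http://localhost/m/stable_master/webservice/pluginfile.php"
                   "/21/mod_resource/content/1/notes.pdf?token=PLACEHOLDER_WSTOKEN&forcedownload=1")

if __name__ == "__main__":
    print(to_tokenpluginfile_url(SAMPLE_FILE_URL, private_access_key(SAMPLE_SITE_INFO)))
```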

People: Juan Leyva (jleyva), Dani Palou, Jake Dallimore, Jennifer Bauzon