Moodle tracker issue MDL-67082

embed.php lets you play "restricted" h5p files without being authenticated

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.8
    • Fix Version/s: 3.8
    • Component/s: H5P
    • Labels:
    • Testing Instructions:

      Setup

      1. Login as admin.
      2. Create a course "Course 1".
      3. Create a student s1 and enrol them in Course 1.

      Testing scenario 1. Context Course - Course section

      1. Login as admin.
      2. Go to the "Course 1".
      3. Edit one of the sections.
      4. In that section, upload the H5P file attached to this issue (arithmetic-quiz.h5p) using the "Manage files" button in the Atto editor.
      5. Now click the "Link" button, click "Browse repositories", select "Embedded files" and select the h5p file you just uploaded.
      6. Save the changes.
      7. Copy the URL of the h5p file.
      8. In a new browser where you aren't authenticated, or in incognito mode, open the following URL, replacing YOURURLH5PFILE with the URL copied in step 7.

        http://YOURMOODLESITE/h5p/embed.php?url=YOURURLH5PFILE
        

      9. Expected result: you are not able to view the H5P without being authenticated, and you see the message: Course or activity not accessible. (You are not logged in)
      10. Go back to the browser or tab where you are logged in as admin.
      11. Paste the URL from step 8.
      12. Expected result: you are able to view the H5P file.

      Testing scenario 2. Context Block - Block HTML

      1. Login as admin.
      2. Go to the "Course 1".
      3. Add Block HTML to the course.
      4. Edit the new Block HTML and upload the H5P file attached to this issue (arithmetic-quiz.h5p) using the "Manage files" button in the Atto editor.
      5. Now click the "Link" button, click "Browse repositories", select "Embedded files" and select the h5p file you just uploaded.
      6. Save the changes.
      7. Copy the URL of the h5p file.
      8. In a new browser where you aren't authenticated, or in incognito mode, open the following URL, replacing YOURURLH5PFILE with the URL copied in step 7.

        http://YOURMOODLESITE/h5p/embed.php?url=YOURURLH5PFILE

      9. Expected result: you are not able to view the H5P without being authenticated, and you see the message: Course or activity not accessible. (You are not logged in)
      10. Go back to the browser or tab where you are logged in as admin.
      11. Paste the URL from step 8.
      12. Expected result: Check that you are able to view the H5P file.
      13. Now, go to the Dashboard.
      14. Add Block HTML to the Dashboard.
      15. Edit the new Block HTML and upload the H5P file attached to this issue (arithmetic-quiz.h5p) using the "Manage files" button in the Atto editor.
      16. Now click the "Link" button, click "Browse repositories", select "Embedded files" and select the h5p file you just uploaded.
      17. Save the changes.
      18. Copy the URL of the h5p file.
      19. In a new browser where you aren't authenticated, or in incognito mode, open the following URL, replacing YOURURLH5PFILE with the URL copied in step 18.

        http://YOURMOODLESITE/h5p/embed.php?url=YOURURLH5PFILE

      20. Expected result: you are not able to view the H5P without being authenticated, and you see the message: Sorry, the requested file could not be found
      21. Go back to the browser or tab where you are logged in as admin.
      22. Paste the URL from step 19.
      23. Expected result: you are able to view the H5P file.
      24. Login as s1.
      25. Paste the URL from step 19.
      26. Expected result: you are not able to view the H5P while logged in as s1, and you see the message: Sorry, the requested file could not be found

      Testing scenario 3. Context Module without get_path_from_pluginfile function implemented.

      1. Login as admin.
      2. Go to the "Course 1".
      3. Add a new Chat activity.
      4. Edit the description of the new Chat activity and upload the H5P file attached to this issue (arithmetic-quiz.h5p) using the "Manage files" button in the Atto editor.
      5. Now click the "Link" button, click "Browse repositories", select "Embedded files" and select the h5p file you just uploaded.
      6. Save the changes.
      7. Copy the URL of the h5p file.
      8. In a new browser where you aren't authenticated, or in incognito mode, open the following URL, replacing YOURURLH5PFILE with the URL copied in step 7.

        http://YOURMOODLESITE/h5p/embed.php?url=YOURURLH5PFILE

      9. Expected result: you are not able to view the H5P without being authenticated, and you see the message: Course or activity not accessible. (You are not logged in)
      10. Go back to the browser or tab where you are logged in as admin.
      11. Paste the URL from step 8.
      12. Expected result: Check that you are able to view the H5P file.

      Testing scenario 4. Context CourseCat

      1. Login as admin.
      2. Go to the course index page: http://YOURMOODLESITE/course/
      3. Click on the Miscellaneous category.
      4. Edit the category and upload the H5P file attached to this issue (arithmetic-quiz.h5p) using the "Manage files" button in the Atto editor. If you don't see the editor, make sure the format option is set to HTML.
      5. Now click the "Link" button, click "Browse repositories", select "Embedded files" and select the h5p file you just uploaded.
      6. Save the changes. Then repeat steps 2 and 3 to see the URL of the h5p file, or go there directly using the URL http://yourmoodlesite/course/index.php?categoryid=1
      7. Copy the URL of the h5p file.
      8. In a new browser where you aren't authenticated, or in incognito mode, open the following URL, replacing YOURURLH5PFILE with the URL copied in step 7.

        http://YOURMOODLESITE/h5p/embed.php?url=YOURURLH5PFILE

      9. Expected result: you are able to view the H5P file without being authenticated.
      10. Go back to the browser or tab where you are logged in as admin.
      11. Go to Site Administration > Security > Site security settings.
      12. Enable the option "Force users to log in" (forcelogin).
      13. In a new browser where you aren't authenticated, or in incognito mode, open the same URL as in step 8.
      14. Expected result: you are not able to view the H5P without being authenticated, and you see the message: Course or activity not accessible. (You are not logged in)
      15. Go back to the browser or tab where you are logged in as admin.
      16. Paste the URL from step 8.
      17. Expected result: Check that you are able to view the H5P file.
    • Affected Branches:
      MOODLE_38_STABLE
    • Fixed Branches:
      MOODLE_38_STABLE
    • Sprint:
      H5P Sprint Release 3.8

      Description

      Right now the player only checks whether the user is authenticated when the context level is "module". There are other cases where the check should also be made, e.g. an H5P embedded in a course section description, and probably blocks inside a course, etc.

      How to reproduce:

      1. Create a course.
      2. Edit one of the sections.
      3. In that section, upload an H5P file using the "Manage files" button in the Atto editor.
      4. Now click the "Link" button, click "Browse repositories", select "Embedded files" and select the h5p file you just uploaded.
      5. Save the changes.
      6. Copy the URL of the h5p file.
      7. In a new browser where you aren't authenticated or in incognito mode, open the embed.php script and pass the URL of the package. Check that you're able to view the package without being authenticated.

      Please note that, when fixing this, you need to take into account the preventredirect param added in MDL-67076.
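To make the description's point concrete, here is an added example (written for this page; it is not Moodle's own code and not the attached MDL-67082-master.mdk.patch) of a context-aware access check that an embed endpoint could run before rendering a package. The function name h5p_example_check_access and the assumption that the caller has already resolved the file's context id from the pluginfile URL are mine; the Moodle APIs it calls (context::instance_by_id, get_coursemodule_from_id, require_login, moodle_exception) are real. The branches mirror the outcomes the testing instructions expect: course, module and course-block contexts require login and enrolment, a block on a user's Dashboard is visible only to its owner, and a course category only requires login when the site's forcelogin setting is on.

```php
<?php
// Added illustration, not Moodle's fix: decide, per context level, which access
// check an H5P embed endpoint must run before it plays a package.
// Assumption: the caller has already resolved $contextid from the file URL.
defined('MOODLE_INTERNAL') || die();

/**
 * Enforce authentication/enrolment for the context an .h5p file lives in.
 *
 * @param int  $contextid       Context id of the file area holding the package.
 * @param bool $preventredirect Passed through to require_login() (MDL-67076) so an
 *                              embedded player receives an exception, not a redirect.
 * @throws moodle_exception when the current user may not view the package.
 */
function h5p_example_check_access(int $contextid, bool $preventredirect): void {
    global $CFG, $USER;

    $context = context::instance_by_id($contextid, MUST_EXIST);

    switch ($context->contextlevel) {
        case CONTEXT_MODULE:
            // Activity description: the only case the pre-fix player checked.
            $cm = get_coursemodule_from_id(false, $context->instanceid, 0, false, MUST_EXIST);
            require_login($cm->course, true, $cm, true, $preventredirect);
            break;

        case CONTEXT_COURSE:
            // Course section summaries (testing scenario 1).
            require_login($context->instanceid, true, null, true, $preventredirect);
            break;

        case CONTEXT_BLOCK:
            $parent = $context->get_parent_context();
            if ($parent->contextlevel == CONTEXT_COURSE) {
                // HTML block placed inside a course (scenario 2, first half).
                require_login($parent->instanceid, true, null, true, $preventredirect);
            } else if ($parent->contextlevel == CONTEXT_USER) {
                // HTML block on a Dashboard: only the owner may see it, everyone
                // else gets "file not found" (scenario 2, second half).
                require_login(null, true, null, true, $preventredirect);
                if ($USER->id != $parent->instanceid) {
                    throw new moodle_exception('filenotfound', 'error');
                }
            } else {
                // Site-level or other block placements: plain login check.
                require_login(null, true, null, true, $preventredirect);
            }
            break;

        case CONTEXT_COURSECAT:
            // Category descriptions are public unless the site forces login (scenario 4).
            if (!empty($CFG->forcelogin)) {
                require_login(null, true, null, true, $preventredirect);
            }
            break;

        default:
            // Any other context level falls back to the site-wide rule.
            if (!empty($CFG->forcelogin)) {
                require_login(null, true, null, true, $preventredirect);
            }
            break;
    }
}
```

Passing $preventredirect through to require_login() is what makes the unauthenticated case observable as the "Course or activity not accessible. (You are not logged in)" message in the testing scenarios rather than as a redirect to the login page; the 'filenotfound' string in the 'error' component is the "Sorry, the requested file could not be found" message the Dashboard scenario expects.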

        Attachments

        1. Screenshot_2.png
          Screenshot_2.png
          201 kB
        2. Screenshot_1.png
          Screenshot_1.png
          197 kB
        3. MDL-67082-master.mdk.patch
          6 kB
        4. arithmetic-quiz.h5p
          731 kB


              People

              Assignee:
              cescobedo Carlos Escobedo
              Reporter:
              dpalou Dani Palou
              Peer reviewer:
              Sara Arjona (@sarjona)
              Integrator:
              Adrian Greeve
              Tester:
              Janelle Barcega
              Participants:
              Component watchers:
              Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona)
              Votes:
              0
              Watchers:
              5

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                18/Nov/19

                  Time Tracking

                  Estimated:
                  Not Specified
                  Remaining:
                  0m
                  Logged:
                  1d 1h 2m