Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-69095

QR with automatic login works only when https is enabled and we dont check this before setting the default value

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.9, 3.10, 4.0
    • Fix Version/s: 3.9.2
    • Component/s: Other
    • Labels:
    • Testing Instructions:
      Hide
      Test default value of "QR code access" in http installations
      1. Do a new local installation from scratch (using the code with the patch) ensuring the site will be under HTTP (insecure)
      2. Go to Site administration > Mobile app and check "Enable web services for mobile services" and then Save changes
      3. Go to Site administration > Mobile app > Mobile authentication and check that:
        • The "QR code access" setting is set to "QR code with site URL"
        • In the "QR code access" settings you only see two possible options: 1: "Access via QR code disabled" and 2: "QR code with site URL"
      Test Moodle app subscription
      1. Do a new local installation from scratch (using the code with the patch) ensuring the site will be under HTTPS this time (can use ngrok https tunnel for that).
      2. Go to Site administration > Mobile app and check "Enable web services for mobile services" and then Save changes
      3. Go to Site administration > Mobile app > Mobile authentication, find the "QR code access" setting and check that:
        • Is set to "QR code with autologin"
      4. To test this issue, you need to make a couple of minor code changes in the source code to force your Moodle site to use other site credentials for testing a free subscription
      5. Open this file admin/tool/mobile/classes/api.php
      6. In the get_subscription_information() function do the following changes:
        • After the global $CFG; line add this line: $CFG->airnotifieraccesskey = 'X'; where X is the Airnotifer access key for the "Free site" you will find in the protected comment bellow.
        • Replace the $CFG->wwwroot in this line: 'siteurl' => $CFG->wwwroot, with the Site URL value you for the "Free site" will find in the protected comment bellow
      7. Go to Site administration > Mobile app > Moodle subscription and check that:
        • Under the QR Login Subscription feature you see this message with a red background: "This feature is configured on your site but it is not included in your Moodle app plan. Thus, the setting will have no effect."
      8. Now, go to Site administration > Mobile app > Mobile authentication
      9. Set the "QR code access" field to "QR code with site URL" Save changes
      10. Go to Site administration > Mobile app > Moodle subscription and check that:
      11. You don't see the red message anymore under the QR login section
      Show
      Test default value of "QR code access" in http installations Do a new local installation from scratch (using the code with the patch) ensuring the site will be under HTTP (insecure) Go to Site administration > Mobile app and check "Enable web services for mobile services" and then Save changes Go to Site administration > Mobile app > Mobile authentication and check that: The "QR code access" setting is set to "QR code with site URL" In the "QR code access" settings you only see two possible options: 1: "Access via QR code disabled" and 2: "QR code with site URL" Test Moodle app subscription Do a new local installation from scratch (using the code with the patch) ensuring the site will be under HTTPS this time (can use ngrok https tunnel for that). Go to Site administration > Mobile app and check "Enable web services for mobile services" and then Save changes Go to Site administration > Mobile app > Mobile authentication, find the "QR code access" setting and check that: Is set to "QR code with autologin" To test this issue, you need to make a couple of minor code changes in the source code to force your Moodle site to use other site credentials for testing a free subscription Open this file admin/tool/mobile/classes/api.php In the get_subscription_information() function do the following changes: After the global $CFG; line add this line: $CFG->airnotifieraccesskey = 'X'; where X is the Airnotifer access key for the "Free site" you will find in the protected comment bellow. Replace the $CFG->wwwroot in this line: 'siteurl' => $CFG->wwwroot, with the Site URL value you for the "Free site" will find in the protected comment bellow Go to Site administration > Mobile app > Moodle subscription and check that: Under the QR Login Subscription feature you see this message with a red background: "This feature is configured on your site but it is not included in your Moodle app plan. Thus, the setting will have no effect." Now, go to Site administration > Mobile app > Mobile authentication Set the "QR code access" field to "QR code with site URL" Save changes Go to Site administration > Mobile app > Moodle subscription and check that: You don't see the red message anymore under the QR login section
    • Affected Branches:
      MOODLE_310_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE
    • Fixed Branches:
      MOODLE_39_STABLE
    • Pull from Repository:
    • Pull 3.9 Branch:
    • Pull 3.9 Diff URL:
    • Pull Master Branch:
      MDL-69095-master
    • Pull Master Diff URL:

      Description

      The "QR code access" default value is set to "QR code with automatic login" that requires the site to use https, but we don't check if the site is really using https before setting the default value.

      Apart from that, it does not clearly indicate that requires https to work so we may have admins confused with this.

      And finally, we need to indicate that the setting requires a Pro/Premium subscription plan in both the help message and in the subscription page (if we detect he is trying to use the auto-login version).

        Attachments

          Activity

            People

            Assignee:
            jleyva Juan Leyva
            Reporter:
            jleyva Juan Leyva
            Peer reviewer:
            Dani Palou
            Integrator:
            Eloy Lafuente (stronk7)
            Tester:
            Pau Ferrer
            Participants:
            Component watchers:
            Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Fix Release Date:
              14/Sep/20

                Time Tracking

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 1 day, 2 hours, 51 minutes
                1d 2h 51m