Moodle / MDL-73089

Convert calendar export token to a user key like rss so they are fully revocable



    • Easy


The calendar export tokens are deterministic, based off the user's password and a shared password salt.

This has a few downsides:

1) If you change your password then all your calendar links break, which probably wasn't intended and isn't how other apps work, e.g. private Google Calendar links don't break when you update your Google password. There is no warning about this anywhere on the calendar export page, or on the password reset page.

2) You cannot revoke the token without changing your password.

3) If you use an external auth like SAML / OIDC then your password is null, which means you cannot revoke your calendar token at all if it is compromised.

So proposing to just migrate these tokens to use the same create_user_key / validate_user_key as the RSS feeds and other places do. On top of that, these keys, and all other user keys, should be manageable in a generic way so they are revocable in a single place alongside the RSS tokens, see MDL-73088.
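The contrast described in this issue, as an added example that is not part of the original report and is not Moodle code: a simplified Python model of a password-derived token next to a random, stored, deletable per-user key. The SHA-1 construction, the salt value, the password hashes and the `UserKeyStore` class are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SITE_SALT = "constructed-site-salt"  # constructed stand-in for the shared salt


def derived_token(user_id, password_hash, salt=SITE_SALT):
    """Deterministic scheme (assumed construction): hash of user id, password hash and salt."""
    material = f"{user_id}{password_hash or ''}{salt}"
    return hashlib.sha1(material.encode()).hexdigest()


class UserKeyStore:
    """Hypothetical per-user key table: keys are random, stored and deletable."""

    def __init__(self):
        self._keys = {}  # (user_id, script) -> random key

    def create(self, user_id, script):
        key = secrets.token_hex(16)
        self._keys[(user_id, script)] = key  # replaces any earlier key
        return key

    def validate(self, user_id, script, presented):
        stored = self._keys.get((user_id, script))
        return stored is not None and hmac.compare_digest(stored, presented)

    def revoke(self, user_id, script):
        self._keys.pop((user_id, script), None)


def compare_schemes():
    results = {}
    # Downside 1: a password change silently changes the token, breaking links.
    old = derived_token(7, "constructed-old-hash")
    results["breaks_on_password_change"] = old != derived_token(7, "constructed-new-hash")
    # Downside 3: with a null password the token depends only on id and salt,
    # so nothing the user can do produces a different one.
    results["sso_token_fixed"] = derived_token(8, None) == derived_token(8, "")
    # Stored key: independent of the password, so it can be revoked and reissued.
    store = UserKeyStore()
    leaked = store.create(8, "calendar")
    results["valid_before_revoke"] = store.validate(8, "calendar", leaked)
    store.revoke(8, "calendar")
    fresh = store.create(8, "calendar")
    results["leaked_rejected"] = not store.validate(8, "calendar", leaked)
    results["fresh_accepted"] = store.validate(8, "calendar", fresh)
    return results
```
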


Assignee: Unassigned
Reporter: Brendan Heywood (brendanheywood)
Participants: Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Sujith Haridasan, Andrew Lyons, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze