Moodle / MDL-73089

Convert calendar export token to a user key like rss so they are fully revocable


Details

    • Easy

    Description

      The calendar export tokens are deterministic, based off the user's password and a shared password salt.

      https://github.com/moodle/moodle/blob/master/calendar/lib.php#L3922

      This has a few downsides:

      1) If you change your password then all your calendar links break, which probably wasn't intended and isn't how other apps work, e.g. private Google Calendar links don't break when you update your Google password. There is no warning about this anywhere on the calendar export page, or on the password reset page.

      2) You cannot revoke the token without changing your password

      3) If you use an external auth like SAML / OIDC then your password is null, which means you cannot revoke your calendar token at all if it is compromised

       

      So proposing to just migrate these tokens to use the same create_user_key / validate_user_key as the rss feeds and other places do. On top of that, these keys, and all other user keys, should be manageable in a generic way so they are revocable in a single place alongside the rss tokens, see MDL-73088.

            People

              Unassigned Unassigned
              brendanheywood Brendan Heywood
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Sujith Haridasan, Andrew Lyons, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
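
The contrast drawn in the description, as an added stand-alone PHP model (not Moodle code and not written by the issue reporter): a token derived from the password and a shared salt next to a random stored key that can be revoked. `derived_token`, `UserKeyStore`, `show` and all sample values are hypothetical, the use of SHA-1 is an assumption, and the model does not call Moodle's `create_user_key` / `validate_user_key`.

```php
<?php
// Added illustration: stand-alone model, not Moodle code. All names are hypothetical.

// Old scheme as the issue describes it: the token is a pure function of the
// stored password value and a shared salt (the use of SHA-1 is an assumption).
function derived_token(array $user, string $salt): string {
    return sha1($user['id'] . $user['password'] . $salt);
}

// Proposed scheme: a random key stored per (script, user), so it can be
// deleted and reissued without touching the password.
final class UserKeyStore {
    private array $keys = []; // "script:userid" => key value

    public function create(string $script, int $userid): string {
        return $this->keys["$script:$userid"] = bin2hex(random_bytes(16));
    }

    public function validate(string $script, string $presented): ?int {
        foreach ($this->keys as $slot => $value) {
            [$s, $userid] = explode(':', $slot);
            if ($s === $script && hash_equals($value, $presented)) {
                return (int) $userid; // constant-time match found
            }
        }
        return null; // unknown or revoked key
    }

    public function revoke(string $script, int $userid): void {
        unset($this->keys["$script:$userid"]);
    }
}

function show(string $label, $value): void {
    echo $label, ': ', var_export($value, true), "\n";
}

$salt = 'constructed-site-salt';                            // constructed value
$local = ['id' => 7, 'password' => 'constructed-hash-v1']; // constructed value
$sso = ['id' => 8, 'password' => null]; // external auth: null, as the issue states

$old = derived_token($local, $salt);
$local['password'] = 'constructed-hash-v2'; // the user changes their password
show('old link valid after password change', hash_equals(derived_token($local, $salt), $old));
show('SSO token changes on its own', derived_token($sso, $salt) !== derived_token($sso, $salt));
$store = new UserKeyStore();
$key = $store->create('calendar', 8);
show('key resolves to user', $store->validate('calendar', $key));
$store->revoke('calendar', 8);
show('revoked key resolves to user', $store->validate('calendar', $key));
```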