- Improvement
- Resolution: Unresolved
- Minor
- None
- Future Dev
This is a UX inconsistency on the user/managetoken.php page, discovered in MDL-73295.
If you 'reset' an RSS token then a new token is created on the spot. This is what I would expect with a 'reset'. However, with a web service token, if you reset it then it just deletes it. Some web service tokens will be auto-generated again at some later point, like the mobile app, but some tokens are manually set up, and if they have metadata like an expiry date or an IP range then this data is simply gone.
Proposing:
1) At minimum the button is changed to say 'delete' instead of 'reset' (aligns with the lang string used on admin/webservice/tokens.php).
2) Use confirm actions to make the flow nicer.
3) Ideally also have a proper reset which clones the existing token to a new token with the same metadata and then deletes the old one.
4) Also this page is explicitly limited so that admin users cannot use it. I've had a dig through old trackers and can't see any logical reason or security issue with this. At the very least I think it should show the tokens the same as any other user would and then link to /admin/webservice/tokens.php as a convenience. But I think you should be able to delete or reset tokens here too. Admins are still real users too.
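As an added illustration of points 2 and 3 (this is not Moodle core code and not a patch attached to this issue), the sketch below shows what a "proper reset" could look like: the replacement token is issued first, carrying over the expiry and IP restriction that a plain delete would drop, and only then is the old credential removed, inside one transaction, behind a sesskey-protected confirm step. It assumes the `external_tokens` columns (`userid`, `externalserviceid`, `contextid`, `validuntil`, `iprestriction`), the `external_generate_token()` helper with `EXTERNAL_TOKEN_PERMANENT`, and the standard `$OUTPUT->confirm()` renderer; `local_reset_ws_token` is a hypothetical function name chosen for the example. The token `name` and `creatorid` are not carried across here.

```php
<?php
// Illustrative sketch (not Moodle's own code) of the "proper reset" proposed
// above: clone a web service token, preserving its metadata, then delete the
// original. Assumes Moodle's external_tokens table, external_generate_token()
// and the EXTERNAL_TOKEN_PERMANENT constant from lib/externallib.php.
require_once(__DIR__ . '/../config.php');
require_once($CFG->libdir . '/externallib.php');

/**
 * Replace the token identified by $tokenid with a fresh one that keeps the
 * same service, context, IP restriction and expiry, then delete the old one.
 * Only the owner of the token may reset it. (Hypothetical helper name.)
 *
 * @param int $tokenid id in external_tokens
 * @return string the newly issued token value
 */
function local_reset_ws_token(int $tokenid): string {
    global $DB, $USER;

    $old = $DB->get_record('external_tokens', ['id' => $tokenid], '*', MUST_EXIST);

    // Never let one user rotate another user's token.
    if ((int)$old->userid !== (int)$USER->id) {
        throw new moodle_exception('nopermissions', 'error', '', 'reset token');
    }

    $transaction = $DB->start_delegated_transaction();

    // Metadata a plain delete would lose (expiry, IP range) is carried across.
    $newtoken = external_generate_token(
        EXTERNAL_TOKEN_PERMANENT,
        $old->externalserviceid,
        $old->userid,
        $old->contextid,
        $old->validuntil,
        $old->iprestriction
    );

    // Only once the replacement exists is the old credential revoked.
    $DB->delete_records('external_tokens', ['id' => $old->id]);

    $transaction->allow_commit();
    return $newtoken;
}

// Request handling for the confirm-action flow: the destructive step runs
// only after a confirmed, sesskey-checked POST.
$tokenid = required_param('tokenid', PARAM_INT);
$confirm = optional_param('confirm', 0, PARAM_BOOL);

require_login();
$PAGE->set_url(new moodle_url('/user/managetoken.php'));
$PAGE->set_context(context_user::instance($USER->id));

if ($confirm) {
    require_sesskey();
    local_reset_ws_token($tokenid);
    redirect(new moodle_url('/user/managetoken.php'), get_string('changessaved'));
}

echo $OUTPUT->header();
// $OUTPUT->confirm() renders the continue link as a POST single_button, so the
// sesskey travels in the form body rather than the query string.
echo $OUTPUT->confirm(
    'Reset this token? A new token with the same expiry and IP restriction '
        . 'will be issued and the old one deleted.',
    new moodle_url('/user/managetoken.php', ['tokenid' => $tokenid, 'confirm' => 1]),
    new moodle_url('/user/managetoken.php')
);
echo $OUTPUT->footer();
```

The ordering matters for the failure mode in the report: if token generation fails (service disabled, user no longer authorised for a restricted service), the transaction rolls back and the existing token, with its metadata, is untouched rather than silently gone.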
- Discovered while testing: MDL-73295 sesskey is exposed in url for /user/managetoken.php (Closed)