[MDL-74263] Guest access with password support on the app - Moodle Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.9.13, DEV backlog
Fix Version/s: 4.3
Component/s: Enrolments
Labels:
- ci
- release_notes
- triaged

Affected Branches:
MOODLE_39_STABLE
Fixed Branches:
MOODLE_403_STABLE
Pull from Repository:
https://github.com/jleyva/moodle.git
Pull Master Branch:
~~MDL-74263~~-master
Pull Master Diff URL:
https://github.com/jleyva/moodle/compare/4ed782dd03...MDL-74263-master
Testing Instructions:
Hide

As an admin, enable “Web services for mobile devices” on Site administration ► Advanced features

Create a new empty course

Enable the "Guest access" enrolment method configured to require a password (any)

In the Plugins global settings for the Enrolment "Guest access" plugin allow the option to "Show hints"

Create a Token in the mobile app service for any user on the site (not an admin account)

Click on Site administration ► Plugins ► Web services ► Manage tokens

Open the console and execute this new curl request, replacing WS_TOKEN with the token you just created and the SITE_URL with yours. Replace also COURSE_ID with the previously created course

curl 'http://SITE_URL/webservice/rest/server.php?moodlewsrestformat=json' --data 'wsfunction=core_course_get_contents&wstoken=WS_TOKEN&courseid=COURSE_ID'

Confirm that:

In the curl request response you receive an error "errorcoursecontextnotvalid"

Now, execute the following curl request, replacing COURSE_PASSWORD with the password you set and ENROL_INSTACE with the id of the enrolment plugin, you can get that id from the delete button to the right of the plugin name in the course Enrolment methods configuration page

curl 'http://SITE_URL/webservice/rest/server.php?moodlewsrestformat=json' --data 'wsfunction=enrol_guest_validate_password&wstoken=WS_TOKEN&instanceid=ENROL_INSTANCE_ID&password=COURSE_PASSWORD'

Confirm that:

In the response you see a field "validated" set to true

Execute again the first CURL request and confirm that:

You don't see an error anymore, and you receive the course contents as part of the response

Now, execute the second CURL request but this time using an incorrect password

Confirm that:

In the response, validated is set to false and the field "hint" contains a "hint" indicating the first letter of the password
Show
As an admin, enable “Web services for mobile devices” on Site administration ► Advanced features Create a new empty course Enable the "Guest access" enrolment method configured to require a password (any) In the Plugins global settings for the Enrolment "Guest access" plugin allow the option to "Show hints" Create a Token in the mobile app service for any user on the site (not an admin account) Click on Site administration ► Plugins ► Web services ► Manage tokens Open the console and execute this new curl request, replacing WS_TOKEN with the token you just created and the SITE_URL with yours. Replace also COURSE_ID with the previously created course curl 'http://SITE_URL/webservice/rest/server.php?moodlewsrestformat=json' --data 'wsfunction=core_course_get_contents&wstoken=WS_TOKEN&courseid=COURSE_ID' Confirm that: In the curl request response you receive an error "errorcoursecontextnotvalid" Now, execute the following curl request, replacing COURSE_PASSWORD with the password you set and ENROL_INSTACE with the id of the enrolment plugin, you can get that id from the delete button to the right of the plugin name in the course Enrolment methods configuration page curl 'http://SITE_URL/webservice/rest/server.php?moodlewsrestformat=json' --data 'wsfunction=enrol_guest_validate_password&wstoken=WS_TOKEN&instanceid=ENROL_INSTANCE_ID&password=COURSE_PASSWORD' Confirm that: In the response you see a field "validated" set to true Execute again the first CURL request and confirm that: You don't see an error anymore, and you receive the course contents as part of the response Now, execute the second CURL request but this time using an incorrect password Confirm that: In the response, validated is set to false and the field "hint" contains a "hint" indicating the first letter of the password

Sprint:
Moodle App 4.3.0

Description

Guest access is checked by calling the enrolment callback try_guestaccess that does:

if ($USER->enrol_guest_passwords[$instance->id] === $instance->password) {

This is not mobile app compatible because it relies on the user session (and WS request are sessionless) so an exception for WS should be applied so instead of of using the session, a permanent stored value via preference can be retrieved.

Some notes:

In web version, the password is kept during the user session
In the proposed WS implementation is always kept (there are no user sessions in the app context and also the app does not support guest users, so it will be always kept in a logged-in user preference)
The previous does not have any security implications (the student knows the password in both cases) and provides a better experience for the app
It will be only reset for the user if it is detected it was changed at course configuration level.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

MDL-74263.png
276 kB
14/Jun/23 1:52 PM

Issue Links

blocks

MOBILE-4009 Guest access with password support on the app

Tested

Activity

People

Assignee:: Juan Leyva

Reporter:: Juan Leyva

Peer reviewer:: Rodrigo Mady

Integrator:: Jun Pataleta

Tester:: Ron Carl Alfon Yu

Participants:: CiBoT, Juan Leyva, Jun Pataleta, Rodrigo Mady, Ron Carl Alfon Yu

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 1 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 18/Mar/22 6:10 PM

Updated:: 2 days ago 11:05 PM

Resolved:: 16/Jun/23 2:23 PM

Fix Release Date:: 9/Oct/23

Time Tracking

Estimated:

Remaining:

Logged:

1d 1h 58m