Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-75180

403 on Google repository access controlled link

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Minor Minor
    • None
    • 3.9.14, 3.10.11, 3.11.7, 4.0.1
    • Repositories
    • None
    • MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE
    • Hide
      1. Configure a Google Workspace Repository via OAuth2 on the Moodle site.
      2. In a test course, add a file from the repository to the course as a File object and ensure that it is added as an access controlled link.
      3. Save the changes to the course.
      4. Enroll a test user in the course and apply the teacher role to that user.
      5. Perform a log in as operation for the test user and access the course with the new test file.
      6. Attempt to view the file to be presented with a 403 Error.
      Show
      Configure a Google Workspace Repository via OAuth2 on the Moodle site. In a test course, add a file from the repository to the course as a File object and ensure that it is added as an access controlled link. Save the changes to the course. Enroll a test user in the course and apply the teacher role to that user. Perform a log in as operation for the test user and access the course with the new test file. Attempt to view the file to be presented with a 403 Error.

      When selecting a file module from a course that is an access controlled link from the Google Repository as anyone with "edit" permissions in a course, a 403 error is shown preventing the file from being displayed due to an API error assigning write privileges to the item. 

      When the request is processed by the send_file function in the repository/googledocs/lib.php file, it's hitting the second if block where the file is writable by the instructor and eventually getting the the method call "add_temp_writer_to_file" which is trying to create a permission request to the Google API.

       

      Part of the permission request is sending an expiration date for 7 days past the time of the request but Google doesn't actually allow expirationTime to be set for a "writer" role. 

      If the function is modified to create the write permission and then update the permission with a expirationTime, a 400 error is returned stating that writer permissions can not have expiration times. These are only supported on "Commenter" and "Viewer" roles. 

      Modifying the function to add an expiry as a 'reader' role allows the document to be opened and request access to the owner of the document to allow write permissions. 

      This appears to be the only use case where the add_temp_writer_to_file appears to be called in the plugin. If files are added to a course via repository and trusted users have write permissions to the objects in the course, do we want to assume they would have write access to the objects added and just use the add_writer_to_file function to allocate permission? Or, would it be better to write a new function that adds a reader role with a timeout and allows the user accessing the file to request permission from the document owner?

       

       

       

            Unassigned Unassigned
            inkjet2000 Justin Merrill
            Votes:
            7 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated:

                Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.