Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-76166

Username logging not honoured in complete_user_login

XMLWordPrintable

    • MOODLE_401_STABLE
    • MOODLE_400_STABLE, MOODLE_401_STABLE
    • MDL-76166-username-logging-MOODLE_401_STABLE
    • MDL-76166-username-logging
    • Hide

      1) Set $CFG->headerloguser = 3;

      2) Open the dev tools network tab and turn on preserve logs

      3) Login as anyone, find the POST request which serves the 303 redirect and confirm that it contains a header like this:

      X-MOODLEUSER: admin

      4) Setup a web service token, turn on the 'rest' protocol and then load any webservice function using this token in the browser or via curl:

      https://moodle.localhost/webservice/rest/server.php?wstoken=token&wsfunction=core_webservice_get_site_info

      $ curl -I --insecure -s 'https://master.localhost/webservice/rest/server.php?wstoken=175f9a64f64a4ba38d7770f969b324ec&wsfunction=core_webservice_get_site_info' | grep X-MOODLEUSER
      X-MOODLEUSER: admin

      5) Confirm that the web service also emits the X-MOODLEUSER header matching the user for that token

      6) Upload an image anywhere, eg a mod_label / 'Text & media' instance, save the instance. Then in the dev tools reload the page and find the image url in the network tab eg:

      .../pluginfile.php/204/mod_label/intro/image%20%281%29.png

      then turn that into a tokenplugin pluginfile format by adding the prefix and adding the token query param:

      /webservice/pluginfile.php/204/mod_label/intro/image%20%281%29.png?token=xxxxxx

      7) Confirm that the image loads and that it has the correct X-MOODLEUSER header matching the user for that token.

      You can also confirm this on the cli without cookies using curl and Confirm that the X-MOODLEUSER header is present:

       

      $ curl -I --insecure -s 'https://master.localhost/webservice/pluginfile.php/204/mod_label/intro/image%20%281%29.png?token=175f9a64f64a4ba38d7770f969b324ec' | grep X-MOODLEUSER
      X-MOODLEUSER: admin

       

      8) Visit /calendar/export.php and and select any options and then click 'Get calendar url' and turn that into a curl command which gets the headers:

      curl -I --insecure 'https://moodle.example/calendar/export_execute.php?userid=2&authtoken=xxxxx&preset_what=all&preset_time=weeknow'

      9) Confirm that the ics export has the correct X-MOODLEUSER

      10) Make dodgyapi.php in the root dir which sets the $USER object directly to simulate various dodgy plugins that do this:

       

      <?php
      require_once('config.php');
      $USER = (object)[
          'id' => 1,
          'username' => 'dodgyuser',
      ];
      echo 'hello world';
      

      11) Load this script and confirm the header is set correctly

      $ curl -s -I --insecure 'https://master.localhost/dodgyapi.php' | grep X-MOODLEUSER
      X-MOODLEUSER: dodgyuser

      Show
      1) Set $CFG->headerloguser = 3; 2) Open the dev tools network tab and turn on preserve logs 3) Login as anyone, find the POST request which serves the 303 redirect and confirm that it contains a header like this: X-MOODLEUSER: admin 4) Setup a web service token, turn on the 'rest' protocol and then load any webservice function using this token in the browser or via curl: https://moodle.localhost/webservice/rest/server.php?wstoken=token&wsfunction=core_webservice_get_site_info $ curl -I --insecure -s 'https://master.localhost/webservice/rest/server.php?wstoken=175f9a64f64a4ba38d7770f969b324ec&wsfunction=core_webservice_get_site_info' | grep X-MOODLEUSER X-MOODLEUSER: admin 5) Confirm that the web service also emits the X-MOODLEUSER header matching the user for that token 6) Upload an image anywhere, eg a mod_label / 'Text & media' instance, save the instance. Then in the dev tools reload the page and find the image url in the network tab eg: .../pluginfile.php/204/mod_label/intro/image%20%281%29.png then turn that into a tokenplugin pluginfile format by adding the prefix and adding the token query param: /webservice /pluginfile.php/204/mod_label/intro/image%20%281%29.png ?token=xxxxxx 7) Confirm that the image loads and that it has the correct X-MOODLEUSER header matching the user for that token. You can also confirm this on the cli without cookies using curl and Confirm that the X-MOODLEUSER header is present:   $ curl -I --insecure -s 'https://master.localhost/webservice/pluginfile.php/204/mod_label/intro/image%20%281%29.png?token=175f9a64f64a4ba38d7770f969b324ec' | grep X-MOODLEUSER X-MOODLEUSER: admin   8) Visit /calendar/export.php and and select any options and then click 'Get calendar url' and turn that into a curl command which gets the headers: curl -I --insecure 'https://moodle.example/calendar/export_execute.php?userid=2&authtoken=xxxxx&preset_what=all&preset_time=weeknow' 9) Confirm that the ics export has the correct X-MOODLEUSER 10) Make dodgyapi.php in the root dir which sets the $USER object directly to simulate various dodgy plugins that do this:   <?php require_once( 'config.php' ); $USER = (object)[     'id' => 1 ,   'username' => 'dodgyuser' , ]; echo 'hello world' ; 11) Load this script and confirm the header is set correctly $ curl -s -I --insecure 'https://master.localhost/dodgyapi.php' | grep X-MOODLEUSER X-MOODLEUSER: dodgyuser

      If you have configured $CFG->headerloguser = 3; or $CFG->apacheloguser there is a few places where the username isn't logged but you would expect it to be.

      eg where I found this was:

      /mod/hvp/embed.php?id=123&user_id=456&secret=xxxxx

      which calls complete_user_login() 

      set_access_log_user() is called from require_login() but other places miss out, which includes 
      require_user_key_login() for token based logins, and mobile app launching, the first request during authentication plugins logging the user in.
       
      Almost all these other places call complete_user_login() so I think this username logging should be called there too, and possibly another place in the web services auth code path.

        1. 400.png
          400.png
          434 kB
        2. 401.png
          401.png
          441 kB
        3. Master.png
          Master.png
          419 kB

            brendanheywood Brendan Heywood
            brendanheywood Brendan Heywood
            Matthew Hilton Matthew Hilton
            Sara Arjona (@sarjona) Sara Arjona (@sarjona)
            Ron Carl Alfon Yu Ron Carl Alfon Yu
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 3 hours, 33 minutes
                3h 33m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.