1) Set $CFG->headerloguser = 3; in config.php
2) Open the dev tools network tab and turn on 'Preserve log'
3) Login as anyone, find the POST request which returns the 303 redirect and confirm that its response contains an X-MOODLEUSER header naming the user you just logged in as, eg X-MOODLEUSER: admin if you logged in as admin
4) Set up a web service token, turn on the 'rest' protocol and then load any web service function using this token in the browser or via curl:
https://moodle.localhost/webservice/rest/server.php?wstoken=token&wsfunction=core_webservice_get_site_info
$ curl -I --insecure -s 'https://master.localhost/webservice/rest/server.php?wstoken=175f9a64f64a4ba38d7770f969b324ec&wsfunction=core_webservice_get_site_info' | grep X-MOODLEUSER
X-MOODLEUSER: admin
5) Confirm that the web service response also emits the X-MOODLEUSER header, matching the user the token belongs to
6) Upload an image anywhere, eg in a mod_label / 'Text and media' instance, and save the instance. Then reload the page with dev tools open and find the image url in the network tab, eg:
.../pluginfile.php/204/mod_label/intro/image%20%281%29.png
then turn that into the token-authenticated webservice pluginfile form by adding the /webservice prefix and the token query param:
/webservice/pluginfile.php/204/mod_label/intro/image%20%281%29.png?token=xxxxxx
7) Confirm that the image loads and that the response has the correct X-MOODLEUSER header, matching the user for that token.
You can also confirm this on the cli without cookies using curl and check that the X-MOODLEUSER header is present:
$ curl -I --insecure -s 'https://master.localhost/webservice/pluginfile.php/204/mod_label/intro/image%20%281%29.png?token=175f9a64f64a4ba38d7770f969b324ec' | grep X-MOODLEUSER
X-MOODLEUSER: admin
8) Visit /calendar/export.php, select any options, click 'Get calendar URL' and turn that into a curl command which gets the headers:
curl -I --insecure 'https://moodle.example/calendar/export_execute.php?userid=2&authtoken=xxxxx&preset_what=all&preset_time=weeknow'
9) Confirm that the ics export response has the correct X-MOODLEUSER header, matching the user whose calendar is being exported
10) Make dodgyapi.php in the root dir which sets the $USER object directly, to simulate the various dodgy plugins that do this:
<?php
require_once('config.php');

// Deliberately overwrite the global user object instead of going through
// the session/auth API, as some badly written plugins do.
$USER = (object)[
    'id' => 1,
    'username' => 'dodgyuser',
];

echo 'hello world';
11) Load this script and confirm the header reflects the overwritten $USER rather than any logged in user:
$ curl -s -I --insecure 'https://master.localhost/dodgyapi.php' | grep X-MOODLEUSER
X-MOODLEUSER: dodgyuser
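The curl checks in steps 4 to 11 are easy to repeat by hand once, but tedious on every patch revision, so here is an added example script (not part of these testing instructions or of Moodle) that runs them in one go and inspects the X-MOODLEUSER header properly instead of eyeballing grep output. The script name checkheaders.sh, the BASE hostname, the TOKEN, the pluginfile path and the calendar URL are placeholders you replace with your own values; the sample header dumps inside selftest are constructed, not real responses.

```shell
#!/usr/bin/env sh
# Added example (not part of the tracker instructions): repeat the curl-based
# header checks from steps 4-11 in one go. BASE, TOKEN, PLUGINFILE_PATH and
# CAL_URL are assumptions you adjust for your own site.
set -u

BASE="${BASE:-https://master.localhost}"
TOKEN="${TOKEN:-xxxxxx}"
# pluginfile path copied from the network tab in step 6, without the /pluginfile.php prefix
PLUGINFILE_PATH="${PLUGINFILE_PATH:-204/mod_label/intro/image%20%281%29.png}"
# full 'Get calendar URL' link from step 8, if you want step 9 checked too
CAL_URL="${CAL_URL:-}"

# Print the value of header $1 from a raw response-header dump on stdin.
# Header names are case-insensitive, wire lines end in CR, and a dump made with
# curl -L holds one header block per hop, so the last occurrence wins.
# Exit status 1 when the header is absent.
header_value() {
    awk -v name="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/\r$/, "") }
        tolower($0) ~ ("^" name ":") {
            v = substr($0, length(name) + 2)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            found = 1; last = v
        }
        END { if (!found) exit 1; print last }'
}

# Succeed only when the dump on stdin carries X-MOODLEUSER equal to $1;
# $2 labels the check in the report on stderr.
assert_user() {
    expected="$1"; label="$2"
    if ! got="$(header_value X-MOODLEUSER)"; then
        echo "FAIL $label: no X-MOODLEUSER header in response" >&2
        return 1
    fi
    if [ "$got" != "$expected" ]; then
        echo "FAIL $label: X-MOODLEUSER is '$got', expected '$expected'" >&2
        return 1
    fi
    echo "ok   $label: X-MOODLEUSER: $got" >&2
}

# Headers only; --insecure matches the self-signed dev certs in the instructions.
fetch_headers() { curl -sS --insecure -D - -o /dev/null "$1"; }

# Run the token, pluginfile, calendar and dodgyapi checks; $1 is the username
# the token belongs to. Returns 1 if any check fails.
run_checks() {
    rc=0
    fetch_headers "$BASE/webservice/rest/server.php?wstoken=$TOKEN&wsfunction=core_webservice_get_site_info" \
        | assert_user "$1" "step 5 rest web service" || rc=1
    fetch_headers "$BASE/webservice/pluginfile.php/$PLUGINFILE_PATH?token=$TOKEN" \
        | assert_user "$1" "step 7 webservice pluginfile" || rc=1
    if [ -n "$CAL_URL" ]; then
        fetch_headers "$CAL_URL" | assert_user "$1" "step 9 calendar export" || rc=1
    fi
    # dodgyapi.php overwrites $USER, so the header must follow that, not the token user.
    fetch_headers "$BASE/dodgyapi.php" | assert_user dodgyuser "step 11 dodgyapi.php" || rc=1
    return $rc
}

# Offline self-check of the parsing, using constructed dumps (not real responses).
selftest() {
    # Constructed: a curl -L dump of the step 3 303 plus the page it lands on;
    # the header of the final hop must be the one reported.
    redirected="$(printf 'HTTP/1.1 303 See Other\r\nLocation: /\r\nX-MOODLEUSER: admin\r\n\r\nHTTP/1.1 200 OK\r\nx-moodleuser: admin\r\n\r\n')"
    [ "$(printf '%s\n' "$redirected" | header_value X-MOODLEUSER)" = admin ] || return 1
    # Constructed: a response with no header at all must be reported as missing.
    ! printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n' | header_value X-MOODLEUSER >/dev/null || return 1
    # Constructed: the step 11 case, where the script deliberately sets a bogus $USER.
    printf 'HTTP/1.1 200 OK\r\nX-MOODLEUSER: dodgyuser\r\n\r\n' | assert_user dodgyuser selftest 2>/dev/null || return 1
}

# Usage: TOKEN=... EXPECTED_USER=admin sh checkheaders.sh run
if [ "${1:-}" = run ]; then
    run_checks "${EXPECTED_USER:-admin}"
fi
```

Run it with `TOKEN=<token> EXPECTED_USER=admin sh checkheaders.sh run` once dodgyapi.php is in place; each check prints ok or FAIL on stderr and the exit status is non-zero if any header is missing or names the wrong user. Because header_value keeps the last occurrence, you can add -L to fetch_headers and check the header on the final hop after a redirect as well.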