Moodle: MDL-76593

Improve developer / admin UX of Access control exception


Details

    Description

      If you are new (or old) to Moodle, setting up web service keys can be an extremely frustrating experience when things go wrong.

      E.g. this error message is basically useless and does nothing to help narrow down the problem:

      $ curl  'https://master.localhost/webservice/rest/server.php?wstoken=3a7519027741d5ab563fea23c7ffdfb3&wsfunction=core_get_string&stringid=yes'
      <?xml version="1.0" encoding="UTF-8" ?>
      <EXCEPTION class="webservice_access_exception">
      <ERRORCODE>accessexception</ERRORCODE>
      <MESSAGE>Access control exception</MESSAGE>
      <DEBUGINFO>Access to the function core_get_string() is not allowed.
                           There could be multiple reasons for this:
                           1. The service linked to the user token does not contain the function.
                           2. The service is user-restricted and the user is not listed.
                           3. The service is IP-restricted and the user IP is not listed.
                           4. The service is time-restricted and the time has expired.
                           5. The token is time-restricted and the time has expired.
                           6. The service requires a specific capability which the user does not have.
                           7. The function is called with username/password (no user token is sent)
                           and none of the services has the function to allow the user.
                           These settings can be found in Administration > Site administration
                           > Server > Web services > External services and Manage tokens.</DEBUGINFO>
      </EXCEPTION>


      I think at an absolute minimum, if debugging is on, then it should only give you the exact reason which applies.

      However I think the improved errors should be on for everyone and in production. There may be a perception of improved security here but I think that is largely security through obscurity and isn't a valid argument.

      As an example, if you are over your API key rate limit with GitHub then you get an exact error message saying what is going on:

      https://docs.github.com/en/rest/overview/resources-in-the-rest-api?apiVersion=2022-11-28#checking-your-rate-limit-status

      Or if your user agent was missing:

      https://docs.github.com/en/rest/overview/resources-in-the-rest-api?apiVersion=2022-11-28#user-agent-required
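The single-reason diagnosis the report asks for, as an added example that is not part of the original issue or of Moodle's code: it models the seven reasons in the DEBUGINFO above as ordered checks over a snapshot of the token, service, service-user and capability records, and returns only the first reason that applies. The record shapes, the order of the checks, the helper names and the sample services, user ids and capability string are this example's assumptions, not Moodle's implementation.

```python
"""Illustrative decision tree for reporting the one reason a Moodle
web-service call was refused, instead of the seven-item list above.

Added example, not Moodle's code. Record shapes, the order of the checks
and the sample data are this example's assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Service:
    name: str
    enabled: bool = True
    functions: frozenset = frozenset()
    restrictedusers: bool = False
    # userid -> (iprestriction, validuntil); only consulted when restrictedusers is True
    allowed_users: dict = field(default_factory=dict)
    requiredcapability: Optional[str] = None


@dataclass
class Token:
    userid: int
    service: Service
    validuntil: Optional[int] = None  # unix timestamp, None = no expiry


def ip_allowed(client_ip: str, restriction: Optional[str]) -> bool:
    """restriction is a comma-separated list of addresses or CIDR ranges;
    empty or None means unrestricted."""
    if not restriction or not restriction.strip():
        return True
    addr = ip_address(client_ip)
    return any(addr in ip_network(part.strip(), strict=False)
               for part in restriction.split(",") if part.strip())


def explain_access_failure(token, function, now, client_ip, user_caps, all_services=()):
    """Return None if the call is allowed, else (reason_number, message),
    where reason_number matches the numbering in the DEBUGINFO above."""
    if token is None:  # username/password auth: no service is selected by a token
        if any(s.enabled and function in s.functions for s in all_services):
            return None
        return 7, f"No user token was sent and no enabled service contains {function}()."
    svc = token.service
    if token.validuntil is not None and now > token.validuntil:
        return 5, f"Token expired at {token.validuntil} (now {now})."
    if function not in svc.functions:
        return 1, f"Service '{svc.name}' does not contain {function}()."
    if svc.restrictedusers:
        entry = svc.allowed_users.get(token.userid)
        if entry is None:
            return 2, f"Service '{svc.name}' is user-restricted and user {token.userid} is not listed."
        user_ip, user_until = entry
        if not ip_allowed(client_ip, user_ip):
            return 3, (f"Service '{svc.name}' allows user {token.userid} only from '{user_ip}'; "
                       f"request came from {client_ip}.")
        if user_until is not None and now > user_until:
            return 4, f"Service '{svc.name}' access for user {token.userid} expired at {user_until} (now {now})."
    if svc.requiredcapability and svc.requiredcapability not in user_caps:
        return 6, f"Service '{svc.name}' requires capability {svc.requiredcapability}, which user {token.userid} lacks."
    return None


# Constructed sample records: service names, user ids and the capability string are made up for this example.
MOBILE = Service("moodle_mobile_app", functions=frozenset({"core_webservice_get_site_info"}))
REPORTING = Service("reporting", functions=frozenset({"core_get_string", "core_user_get_users"}),
                    restrictedusers=True,
                    allowed_users={7: ("10.0.0.0/8", None), 9: (None, 1_700_000_000)},
                    requiredcapability="moodle/site:viewreports")
NOW = 1_700_100_000

if __name__ == "__main__":
    for tok, fn, ip, caps in [
        (Token(7, MOBILE), "core_get_string", "10.1.2.3", set()),
        (Token(7, REPORTING), "core_get_string", "192.0.2.5", set()),
        (Token(7, REPORTING), "core_get_string", "10.1.2.3", {"moodle/site:viewreports"}),
    ]:
        print(explain_access_failure(tok, fn, NOW, ip, caps, [MOBILE, REPORTING]))
```

The check order matters: a token that has expired is reported as such even if the function is also missing from its service, so the administrator fixes the first thing that would block the request rather than guessing among all seven.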

          People

            brendanheywood Brendan Heywood