Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-78219

Initial user create/update happens before complete_user_login and can result in incorrect logs

XMLWordPrintable

    • MOODLE_401_STABLE, MOODLE_402_STABLE, MOODLE_403_STABLE
    • MOODLE_402_STABLE, MOODLE_403_STABLE
    • MDL-78219-403
    • MDL-78219-main
    • Hide

      Prerequisites

      1. You need two Moodle sites (localhost is fine) - one called 'platform' and one called 'tool'
      2. In the tool site admin settings:
        • Enable enrol_lti and auth_lti plugins
        • Enable "Allow frame embedding"
      3. In BOTH sites:
        • Go to "Administration > Security > HTTP security" and clear all values from the 'curlsecurityblockedhosts' admin setting and save. (to permit localhost-to-localhost calls)

      Course setup

      1. Login to the tool site as the admin
      2. Create a course called 'tool course'
      3. Create an assignment in the course
      4. In another tab, login to the platform site as the admin
      5. Create a course called 'platform course'
      6. Enrol users s1, s2 and s3 into the course as students

      LTI 1.3 setup

      1. Login to the tool site as the admin user
      2. Go to Admin > Plugins > Enrolment plugins > Publish as LTI tool > Tool registration
      3. Click to create a new registration
      4. Name the registration "platform site" and continue
      5. You'll see a dynamic registration URL. Click the "Copy to clipboard" icon to copy it
      6. Now, in another browser tab, login as the admin user to the platform site
      7. Go to to Admin > Plugins > Activities > External tool > Manage tools
      8. Paste the URL value into the "Tool URL" field
      9. Click "Add LTI Advantage"
      10. You should see a tool card now. Click "Activate" on it.
      11. Edit the tool (click the cog)
      12. Set:
        • "Name" to "Moodle LTI Advantage"
        • "Tool configuration usage" to "Show in activity chooser and as a preconfigured tool"
      13. Save the form
      14. Log out of the platform site

      Publish an activity and set up the resource link in the platform

      1. Login to the tool site as the admin user
      2. Go to the course
      3. From the course nav, select "More > Published as LTI tools"
      4. Click to publish a new resource
      5. Select the assignment in the "Tool to be published" field, leaving everything else alone
      6. Save
      7. Logout
      8. Login to the platform site in the new tab
      9. Go to the course
      10. Click to create an activity or resource
      11. Select the "Moodle LTI Advantage" activity tile
      12. When you're taken to the edit form, click "Select content"
      13. Click to bind your account with the admin account in the tool
      14. When you see the list of activities, select the assignment's "Add to course" (add to gradebook will be auto checked and that's ok)
      15. Click "Add content"
      16. The modal should close.
      17. If you're on 4.2, make sure the following is true:
        • Check the "Privacy" section of the form
        • Make sure that all options are checked (accept grades, share names, share email)
      18. Save the activity instance
      19. Log out of the platform site
      20. Log out of the tool site now too - you'll have an existing session but you can trigger logout by visiting SITE/login/ - click Log out when prompted.

      Testing create and update

      1. Open a private browsing session and go to the tool site
      2. In the private browsing session, login as the admin user
      3. In the private browsing session, go to 'Site admin > Reports > Logs'. Leave this tab/window open as we'll use it later.
      4. Now, in a normal browsing session, login to the platform site as the admin user
      5. Go to the course
      6. Launch into the tool (at this stage, you'll have sessions in both tool and platform sites)
      7. Logout of the platform site in which you launched the tool but don't do anything in the tool site (i.e. stay logged in there)
      8. Now, login to the platform as s1
      9. Go to the course
      10. Launch the activity
      11. Switch back to the private browsing session
      12. Click "Get these logs"
      13. Note the logs near the top of the report, specifically the user creation logs
      14. Verify you see the following logs:
        • "User created" (The user with id '0' created the user with id 'xx', where 'xx' is the the id of the new user and is not important)
        • "User has logged in"
        • "Course module viewed"
      15. Switch back to the platform window and refresh the launch page
      16. Switch back to the private browsing session and click "Get these logs" again
      17. Verify you see the following logs for the same user:
        • "User has logged in"
        • "Course module viewed"
      18. Verify you don't see the following logs for the most recent action (check the timestamp to confirm you're looking at only the logs for the action you just took)
        • "User created"
        • "User updated"
      19. Switch back to the platform window
      20. Edit the user's profile
      21. Change their surname and save
      22. Go back to the course
      23. Launch the tool again
      24. Switch back to the private browsing session and click "Get these logs" again
      25. Verify you see the following logs for the same user:
        • "User has logged in"
        • "User updated"
        • "Course module viewed"
      Show
      Prerequisites You need two Moodle sites (localhost is fine) - one called 'platform' and one called 'tool' In the tool site admin settings: Enable enrol_lti and auth_lti plugins Enable "Allow frame embedding" In BOTH sites: Go to "Administration > Security > HTTP security" and clear all values from the 'curlsecurityblockedhosts' admin setting and save. (to permit localhost-to-localhost calls) Course setup Login to the tool site as the admin Create a course called 'tool course' Create an assignment in the course In another tab, login to the platform site as the admin Create a course called 'platform course' Enrol users s1, s2 and s3 into the course as students LTI 1.3 setup Login to the tool site as the admin user Go to Admin > Plugins > Enrolment plugins > Publish as LTI tool > Tool registration Click to create a new registration Name the registration "platform site" and continue You'll see a dynamic registration URL. Click the "Copy to clipboard" icon to copy it Now, in another browser tab, login as the admin user to the platform site Go to to Admin > Plugins > Activities > External tool > Manage tools Paste the URL value into the "Tool URL" field Click "Add LTI Advantage" You should see a tool card now. Click "Activate" on it. Edit the tool (click the cog) Set: "Name" to "Moodle LTI Advantage" "Tool configuration usage" to "Show in activity chooser and as a preconfigured tool" Save the form Log out of the platform site Publish an activity and set up the resource link in the platform Login to the tool site as the admin user Go to the course From the course nav, select "More > Published as LTI tools" Click to publish a new resource Select the assignment in the "Tool to be published" field, leaving everything else alone Save Logout Login to the platform site in the new tab Go to the course Click to create an activity or resource Select the "Moodle LTI Advantage" activity tile When you're taken to the edit form, click "Select content" Click to bind your account with the admin account in the tool When you see the list of activities, select the assignment's "Add to course" (add to gradebook will be auto checked and that's ok) Click "Add content" The modal should close. If you're on 4.2, make sure the following is true: Check the "Privacy" section of the form Make sure that all options are checked (accept grades, share names, share email) Save the activity instance Log out of the platform site Log out of the tool site now too - you'll have an existing session but you can trigger logout by visiting SITE/login/ - click Log out when prompted. Testing create and update Open a private browsing session and go to the tool site In the private browsing session, login as the admin user In the private browsing session, go to 'Site admin > Reports > Logs'. Leave this tab/window open as we'll use it later. Now, in a normal browsing session, login to the platform site as the admin user Go to the course Launch into the tool (at this stage, you'll have sessions in both tool and platform sites) Logout of the platform site in which you launched the tool but don't do anything in the tool site (i.e. stay logged in there) Now, login to the platform as s1 Go to the course Launch the activity Switch back to the private browsing session Click "Get these logs" Note the logs near the top of the report, specifically the user creation logs Verify you see the following logs: "User created" (The user with id '0' created the user with id 'xx', where 'xx' is the the id of the new user and is not important) "User has logged in" "Course module viewed" Switch back to the platform window and refresh the launch page Switch back to the private browsing session and click "Get these logs" again Verify you see the following logs for the same user: "User has logged in" "Course module viewed" Verify you don't see the following logs for the most recent action (check the timestamp to confirm you're looking at only the logs for the action you just took) "User created" "User updated" Switch back to the platform window Edit the user's profile Change their surname and save Go back to the course Launch the tool again Switch back to the private browsing session and click "Get these logs" again Verify you see the following logs for the same user: "User has logged in" "User updated" "Course module viewed"

      This one only applies when users share machines. The create/update to the user record is performed before the user is logged in - in auth/lti/auth.php. This is problematic because it uses the logged in user to denote "Who made the change". If someone else's session is still present, it'll report in the logs that they were the one to update the launching user record, which isn't true. This is only a logs problem; the correct user is signed in.

      LTI (certainly Moodle's LTI) doesn't really provide a logout mechanism, so this scenario is potentially possible. The user signs out of the platform, not realising that the embedded tool's session is still active. I suspect being based on openid we could build a backchannel logout based on that but it isn't here at present.

      To replicate:

      1. As the admin, set up a tool-platform site association, complete with shared activity (see MDL-76842 for details if you're unsure)
      2. Make sure there is a student s1 in the platform site course
      3. Launch into the tool as the admin user (at this stage, you'll have sessions in both tool and platform sites)
      4. Logout of the platform site in which you launched the tool but don't do anything in the tool site (i.e. stay logged in there)
      5. Now, login to the platform as s1
      6. Go to the course
      7. Launch the activity
      8. Once it loads, log out of both the platform site and the tool site. To log out of the tool site, go to TOOLSITE/login/ and click "Log out" when prompted.
      9. Login to the tool site as the admin user
      10. Go to site admin > reports > logs
      11. Click "Get these logs"
      12. Note the logs near the top of the report, specifically the user creation logs
        Expected: You see "The user with id '0' created the user with id 'xx'."
        Actual: You see "The user with id '2' created the user with id 'xx'." (this, for example, is the log you'll see when a new user is created 'by the system' in the case of OAuth 2 authentication)

      The same situation presents itself when updating existing users. If the admin user is authenticated in the tool site when the student launches from the platform site (and provided the student has changed their name or email and is eligible for an update), then the log shows "User 2 updated user 'xx'".

      Possible solutions:

      • Defer the update until after the user is signed in (it'll then show up as an update made by them) - differs from the way auth_oauth2 does it, but that plugin doesn't have this same issue with the existing sessions.
      • Force logout for any current user before making the update, then complete login as usual.

            jaked Jake Dallimore
            jaked Jake Dallimore
            Andrew Lyons Andrew Lyons
            Jun Pataleta Jun Pataleta
            Ron Carl Alfon Yu Ron Carl Alfon Yu
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 1 day, 1 hour, 51 minutes
                1d 1h 51m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.