- Bug
- Resolution: Fixed
- Minor
- 4.1.3, 4.2, 4.3.2
This one only applies when users share machines. The create/update to the user record is performed before the user is logged in - in auth/lti/auth.php. This is problematic because it uses the logged in user to denote "Who made the change". If someone else's session is still present, it'll report in the logs that they were the one to update the launching user record, which isn't true. This is only a logs problem; the correct user is signed in.
LTI (certainly Moodle's LTI) doesn't really provide a logout mechanism, so this scenario is potentially possible. The user signs out of the platform, not realising that the embedded tool's session is still active. I suspect being based on openid we could build a backchannel logout based on that but it isn't here at present.
To replicate:
- As the admin, set up a tool-platform site association, complete with shared activity (see MDL-76842 for details if you're unsure)
- Make sure there is a student s1 in the platform site course
- Launch into the tool as the admin user (at this stage, you'll have sessions in both tool and platform sites)
- Logout of the platform site in which you launched the tool but don't do anything in the tool site (i.e. stay logged in there)
- Now, login to the platform as s1
- Go to the course
- Launch the activity
- Once it loads, log out of both the platform site and the tool site. To log out of the tool site, go to TOOLSITE/login/ and click "Log out" when prompted.
- Login to the tool site as the admin user
- Go to site admin > reports > logs
- Click "Get these logs"
- Note the logs near the top of the report, specifically the user creation logs
Expected: You see "The user with id '0' created the user with id 'xx'."
Actual: You see "The user with id '2' created the user with id 'xx'." (this, for example, is the log you'll see when a new user is created 'by the system' in the case of OAuth 2 authentication)
The same situation presents itself when updating existing users. If the admin user is authenticated in the tool site when the student launches from the platform site (and provided the student has changed their name or email and is eligible for an update), then the log shows "User 2 updated user 'xx'".
Possible solutions:
- Defer the update until after the user is signed in (it'll then show up as an update made by them) - differs from the way auth_oauth2 does it, but that plugin doesn't have this same issue with the existing sessions.
- Force logout for any current user before making the update, then complete login as usual.
- Discovered while testing: MDL-76842 task \enrol_lti\local\ltiadvantage\task\sync_members ALWAYS updates each user twice for each tool they are enrolled to (Closed)
- is blocked by: MDL-76842 task \enrol_lti\local\ltiadvantage\task\sync_members ALWAYS updates each user twice for each tool they are enrolled to (Closed)
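
An added example, not part of the original report or Moodle's own code: a Python check that scans exported log rows for the misattribution described above, where a create or update on an LTI account is credited to another user and the target's login follows immediately. The field names follow Moodle's standard log store (`eventname`, `userid`, `relateduserid`, `timecreated`); the 5-second window, the user ids and the sample rows are constructed assumptions.

```python
from collections import defaultdict

# Event names as recorded by Moodle's standard log store.
WRITE_EVENTS = {r"\core\event\user_created", r"\core\event\user_updated"}
LOGIN_EVENT = r"\core\event\user_loggedin"

def find_misattributed(rows, lti_user_ids, window=5):
    """Flag create/update events on LTI-auth accounts that are credited to a
    different real user and followed within `window` seconds (an assumed
    value) by the target user's own login, i.e. the launch pattern."""
    logins = defaultdict(list)
    for r in rows:
        if r["eventname"] == LOGIN_EVENT:
            logins[r["userid"]].append(r["timecreated"])
    flagged = []
    for r in rows:
        if r["eventname"] not in WRITE_EVENTS:
            continue
        actor, target = r["userid"], r["relateduserid"]
        if target not in lti_user_ids:
            continue
        if actor in (0, target):
            continue  # system (id 0), or the user themselves after sign-in
        if any(0 <= t - r["timecreated"] <= window for t in logins[target]):
            flagged.append(r)
    return flagged

def row(event, actor, target, ts):
    """Build one constructed log row with the fields the check reads."""
    return {"eventname": event, "userid": actor,
            "relateduserid": target, "timecreated": ts}

CREATED, UPDATED = r"\core\event\user_created", r"\core\event\user_updated"
LTI_USERS = {57, 58}  # constructed ids of accounts with auth = 'lti'
# Constructed sample rows; the admin is user 2, as in the report.
SAMPLE_LOG = [
    row(CREATED, 2, 57, 1000), row(LOGIN_EVENT, 57, 57, 1001),  # stale admin session
    row(CREATED, 0, 58, 2000), row(LOGIN_EVENT, 58, 58, 2001),  # expected attribution
    row(UPDATED, 57, 57, 3000),                                 # self-update after login
    row(UPDATED, 2, 58, 5000),                                  # admin edit, no launch
    row(UPDATED, 2, 58, 7000), row(LOGIN_EVENT, 58, 58, 7002),  # stale session, update
]

if __name__ == "__main__":
    for r in find_misattributed(SAMPLE_LOG, LTI_USERS):
        print(f"review: user {r['userid']} credited with {r['eventname']} "
              f"on user {r['relateduserid']} at {r['timecreated']}")
```

A flagged row is a candidate for review rather than proof, since an admin edit that happens to land seconds before a launch would match the same pattern.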