- Bug
- Resolution: Fixed
- Minor
- 4.1.5
- MOODLE_401_STABLE
- MOODLE_401_STABLE, MOODLE_402_STABLE
- MDL-79202-401
- Covered by automated tests (PHPUnit)
In the web service method `get_autologin_key` for tool_mobile there is an exception call that passes in a `$minutes` variable to show as part of the exception string; see the code here: https://github.com/moodle/moodle/blob/master/admin/tool/mobile/classes/external.php#L321
The call is:
throw new moodle_exception('autologinkeygenerationlockout', 'tool_mobile', $minutes);
However, it looks like `moodle_exception` has a different signature to `get_string` so the call for `moodle_exception` looks like it needs to be:
throw new moodle_exception('autologinkeygenerationlockout', 'tool_mobile', '', $minutes);
Test to expose the issue
(Will need to be updated when fix is applied, to test fix)
- Get or create an existing user that can log in with a username and password. Must not be a site admin.
- You will need to know their internal Moodle user id.
- Using cURL (or wget, or whatever you like to make requests outside of a browser), run the command:
- curl 'https://webserver/login/token.php?username=testuser&password=sEcReTpAsSwOrD&service=moodle_mobile_app'
- Replace 'webserver' with the domain of your Moodle instance
- You MUST use an HTTPS site for this test
- This command will return a response in the format of: {"token":"7c1bd46b379ecfa6874a49564f4539a7","privatetoken":"IYvPCLomSLYfGTCCX57kZoVBxQWWxQyCVLzeF8dF5rPPCPVUubqgkEtiAAoFzAYM"}
- Within the next 60 seconds, replace the token and private token in the following command (replacing the domain with that of your test site) and then run it:
curl 'https://webserver/webservice/rest/server.php?moodlewsrestformat=json' \
-A "MoodleMobile" \
--data 'privatetoken=IYvPCLomSLYfGTCCX57kZoVBxQWWxQyCVLzeF8dF5rPPCPVUubqgkEtiAAoFzAYM&wsfunction=tool_mobile_get_autologin_key&wstoken=7c1bd46b379ecfa6874a49564f4539a7'
- The command will return a response in the format: {"key":"1bf8caab3fe7ed06918909dad5f5ccf8","autologinurl":"https:\/\/webserver\/admin\/tool\/mobile\/autologin.php","warnings":[]}
- Now immediately send the same curl request again
- Confirm you see the response string with the unreplaced '{$a}' variable: {"exception":"moodle_exception","errorcode":"autologinkeygenerationlockout","message":"Auto-login key generation is blocked. You need to wait {$a} minutes between requests."}
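The argument mismatch described in this issue, and the `{$a}` message it produces, shown as an added example that is not Moodle code. `demo_get_string` and `demo_moodle_exception` are hypothetical stand-ins that keep only the argument order of `get_string` and `moodle_exception`; the language string is copied from the error response above and the `$minutes` value is constructed.

```php
<?php
// Simplified stand-ins (not Moodle code) that keep only the argument order of
// get_string() and moodle_exception::__construct().

// Constructed copy of the language string quoted in the error response above.
const STRINGS = [
    'tool_mobile' => [
        'autologinkeygenerationlockout' =>
            'Auto-login key generation is blocked. You need to wait {$a} minutes between requests.',
    ],
];

// Stand-in for get_string($identifier, $component, $a): $a is the THIRD argument.
function demo_get_string(string $identifier, string $component, $a = null): string {
    $text = STRINGS[$component][$identifier];
    // The placeholder is only substituted when $a was actually supplied.
    return $a === null ? $text : str_replace('{$a}', (string) $a, $text);
}

// Stand-in for moodle_exception: $link is the THIRD argument, $a the FOURTH.
class demo_moodle_exception extends Exception {
    public $link;
    public $a;

    public function __construct(string $errorcode, string $module = '', $link = '', $a = null) {
        $this->link = $link;
        $this->a = $a;
        parent::__construct(demo_get_string($errorcode, $module, $a));
    }
}

$minutes = 6; // Constructed sample value.

// Call as reported: $minutes lands in $link, so $a stays null.
$before = new demo_moodle_exception('autologinkeygenerationlockout', 'tool_mobile', $minutes);
// Call as proposed: empty $link, $minutes passed as $a.
$after = new demo_moodle_exception('autologinkeygenerationlockout', 'tool_mobile', '', $minutes);

foreach (['before' => $before, 'after' => $after] as $label => $e) {
    printf("%s: link=%s a=%s\n  %s\n", $label, var_export($e->link, true),
        var_export($e->a, true), $e->getMessage());
}
```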