  1. Moodle app
  2. MOBILE-4108

Don't allow using auto-login if redirect URL doesn't belong to site


Details

    • Improvement
    • Status: Waiting for testing
    • Minor
    • Resolution: Unresolved
    • 4.0.1
    • None
    • Authentication

      This issue only needs to be tested on 1 device.

      1. Log in to the master site.
      2. Go to the Dashboard and scroll down until you see the block with the title "Proportion of site which is stupid".
      3. At the bottom of the block you will see a link saying "A link to Google". Click it. Check that Google is opened in the browser.
      4. In that same browser, open the master site. Check that you aren't authenticated (before this patch, you were authenticated in the site before being redirected to Google).
      5. Back in the app, open the MM Dev course and go to the General section.
      6. Click "Link to Site administration (not supported in app, so opened in browser)". Check that the browser is opened and you're automatically authenticated (you will probably see an error saying you don't have permissions to view that page).
    • MOODLE_400_STABLE
    • Moodle App 4.1.0

    Description

      In most places in the app we only use the auto-login feature if the URL to open belongs to the site, but there are some cases where this check doesn't happen, which can be a security issue.

      We should always make sure that the redirect URL belongs to the site before using the auto-login feature.
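
One way to implement the "belongs to the site" check described above, as an added example (not the Moodle app's own code). The names `SITE_URL`, `belongsToSite` and `openMode` are hypothetical, and the site URL is a constructed sample; the check compares parsed origins and paths instead of string prefixes, so look-alike hosts and `user@host` forms are not treated as the site.

```typescript
// Added example: all names here are hypothetical, not the Moodle app's API.
const SITE_URL = 'https://school.example/moodle'; // constructed sample site

// Parse an absolute http(s) URL; anything else yields null.
function parseHttpUrl(raw: string): URL | null {
    try {
        const url = new URL(raw);
        return url.protocol === 'https:' || url.protocol === 'http:' ? url : null;
    } catch {
        return null; // relative or malformed input is never treated as the site
    }
}

// True only when `target` has the site's exact origin and lives under the site's path.
function belongsToSite(siteUrl: string, target: string): boolean {
    const site = parseHttpUrl(siteUrl);
    const url = parseHttpUrl(target);
    if (!site || !url) return false;
    if (url.origin !== site.origin) return false;    // scheme + host + port must all match
    if (url.username || url.password) return false;  // reject user:pass@ forms outright
    // Compare on a path-segment boundary so "/moodle-other" does not match "/moodle".
    const base = site.pathname.replace(/\/+$/, '') + '/';
    return url.pathname === base.slice(0, -1) || url.pathname.indexOf(base) === 0;
}

type OpenMode = 'auto-login' | 'plain';

// Decide how a link is opened: auto-login is used only for the site's own URLs,
// every other URL is opened without authenticating the browser session first.
function openMode(siteUrl: string, target: string): OpenMode {
    return belongsToSite(siteUrl, target) ? 'auto-login' : 'plain';
}
```

Because the decision is made on the parsed URL, the same function can gate every code path that opens a link in the browser, which is the consistency the description asks for.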

          People

            dpalou Dani Palou
            dpalou Dani Palou
            Noel De Martin Noel De Martin