Moodle tracker issue MDL-52070

Some capabilities checks (mod/modname:view) in external functions are redundant

    • Type: Improvement
    • Resolution: Won't Do
    • Priority: Minor
    • None
    • 3.0
    • Web Services
    • MOODLE_30_STABLE
    • MDL-52070-master

    Testing instructions:
      1. Create a course with a student; the course must have at least one section.
      2. Create a mod_lti activity.
      3. Edit the Student course role and remove the mod_lti:view capability from the Student role.
      4. Enable "Mobile services": Plugins ► Web Services ► Mobile
      5. Create a token for the student user:
        • Click on Site administration ► Plugins ► Web services ► Manage tokens
      6. Next, make a curl REST call simulating a WS client with the student user.
        • You need to replace the wstoken, the ltiid (the id of the lti instance) and the URL of your Moodle instance:

          curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'ltiid=2&wsfunction=mod_lti_view_lti&wstoken=ffbe3a3002f235bf9d01fd9369e10b66' --compressed

      7. Confirm that:
        • You get a requireloginerror exception
      8. You can repeat the same steps for the imscp, folder, page, url and resource modules, removing the corresponding mod_x:view capability and replacing the parameter name and the function name in the curl call for each module:

        curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' --data 'imscpid=2&wsfunction=mod_imscp_view_imscp&wstoken=ffbe3a3002f235bf9d01fd9369e10b66' --compressed

        etc.


      When validate_context is called for a module context, the module visibility and the view capability (if the module defines one) are checked:

      https://github.com/moodle/moodle/blob/master/lib/modinfolib.php#L1921

      Some external functions (LTI, imscp, folder, page, url, resource, assign) check that same view capability again after calling validate_context. We should avoid that double check.
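      To make the double check concrete, here is an added sketch of how a mod_x_view_x external function is laid out, with the line the issue calls redundant marked. It is not the mod_lti code from the Moodle repository; it assumes Moodle's external_api conventions (validate_parameters, validate_context, require_capability, get_course_and_cm_from_instance), and the class name mod_lti_view_sketch is invented for the illustration.

```php
<?php
// Added illustration, not mod_lti's own code: a view_x external function in
// the shape the issue describes. The class name is assumed for the sketch.
defined('MOODLE_INTERNAL') || die();

require_once($CFG->libdir . '/externallib.php');

class mod_lti_view_sketch extends external_api {

    public static function view_lti_parameters() {
        return new external_function_parameters(array(
            'ltiid' => new external_value(PARAM_INT, 'lti instance id'),
        ));
    }

    public static function view_lti($ltiid) {
        global $DB;

        $params = self::validate_parameters(self::view_lti_parameters(),
                                            array('ltiid' => $ltiid));

        $lti = $DB->get_record('lti', array('id' => $params['ltiid']), '*', MUST_EXIST);
        list($course, $cm) = get_course_and_cm_from_instance($lti, 'lti');
        $context = context_module::instance($cm->id);

        // validate_context() calls require_login() with the course and $cm.
        // require_login() rejects the request with the requireloginerror
        // exception seen in the testing instructions when $cm->uservisible is
        // false, and cm_info derives uservisible from the activity visibility
        // plus the mod/lti:view capability (the modinfolib line linked above).
        self::validate_context($context);

        // The double check the issue is about: a caller without mod/lti:view
        // was already rejected by validate_context(), so this line can only
        // pass. The issue was resolved "Won't Do", so the explicit check stays.
        require_capability('mod/lti:view', $context);

        // A real view function would now trigger the course_module_viewed
        // event and update completion (omitted in this sketch).
        return array('status' => true, 'warnings' => array());
    }

    public static function view_lti_returns() {
        return new external_single_structure(array(
            'status' => new external_value(PARAM_BOOL, 'status: true if success'),
            'warnings' => new external_warnings(),
        ));
    }
}
```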

            Assignee: Unassigned
            Reporter: Juan Leyva (jleyva)
            Dan Poltawski
            Votes: 0
            Watchers: 3