Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-83954

Enhancing access control in the core Deep Linking API

XMLWordPrintable

    • MDL-83954-rebased
    • Hide

      Setup

      1. Create two Moodle sites running on localhost - one designated 'platform', one 'tool'.
      2. In both sites, go to admin settings and clear all values from the 'curlsecurityblockedhosts' admin setting and save.
      3. In the platform site, create a course called "Platform course" and enrol a teacher.
      4. In the tool site, create a course called "Tool course", with:
        • An assignment called "Assign 1" with a max grade of 80.
        • An assignment called "Assign 2" with default settings.
        • A file resource (representing a non-graded activity).
        • A teacher enrolled.
      5. In the tool site admin settings:
        • Enable enrol_lti and auth_lti plugins.
        • Enable "Allow frame embedding".
      6. On the tool site, go to Admin > Plugins > Enrolments > Publish as LTI tool > Tool registration.
      7. Click ‘Register a platform’, enter a name for the platform and click "Continue".
      8. Once the platform is registered, keep this page with the registration details open, we'll need it shortly.
      9. On the platform site, go to 'Admin > General > LTI > Manage tools'.
      10. In the ‘Add tool’ section, paste the dynamic registration URL from the registration details on the tool site and click ‘Add LTI Advantage’.
      11. Once the tool is created click on ‘Activate’.
      12. Now, go to the ‘Platform course’ course and select ‘LTI external tools’ from the secondary navigation.
      13. Enable ‘Show in activity chooser’ for the tool.

      Deep link launch

      1. Log out of both the platform and tool sites completely.
      2. In the platform site, login at the teacher.
      3. Go to the "Platform course" course.
      4. Click to add a new activity, selecting the Tool.
      5. When the edit page loads, click the "Select content" button.
      6. Verify you're asked to link your tool account.
      7. Proceed to link your account by clicking the "Link this account" button.
      8. Verify you see "No resources or activities are published yet" in the resulting modal pane. (We'll need to publish some resources first)
      9. Go to the tool site's course 'Tool course'.
      10. From the menu, select "Published as LTI Tools"
      11. In the "LTI Advantage" tab, click "Add".
      12. Enter the following values:
        • Set "Tool to be published" to "Assign 1".
        • Save.
      13. Repeat steps 9-10 and publish ‘Assign 2’ and the file resource.
      14. Now, go back to the platform site and again, click "Select content".
      15. Verify:
        • You are not asked to log in this time (you should still be signed in from the last time).
        • You can see ‘Assign 1’, ‘Assign 2’ and the file resource listed under its parent course.
        • You can see both "Add to course" and "Add to gradebook" checkboxes next to "Assign 1" and “Assign 2”.
        • You can see only see “Add to course” checkbox for the file resource.
        • You DO NOT see any checkboxes for the course row itself.
      16. Make sure no checkboxes are selected and click "Add content".
      17. Verify that the modal closes and no errors are shown.
      18. Click "Select content" again.
      19. Make sure both checkboxes for "Assign 1" are checked this time
      20. Click “Add content”.
      21. Verify you see (you may need to click "Show more" to see this option):
        • That the mod edit form has been updated, with name set to "Assign 1" now
        • That 'Custom parameters' contains a value like 'id=some-uuid-value-here'
        • That the grade has been set to "Point" with "Maxgrade" set to 80, as per the resource's settings in the tool
        • That ‘Allow {tool} to add grades in the gradebook' is checked.
      22. Click "Save and return to course"
      23. Verify that the “Assign 1” activity has been successfully added In the “Platform course” course
      24. Open the “Assign 1” activity.
      25. Verify you can see the assignment from the tool site, as an embedded iframe in your platform site.
      26. Go to the settings page of “Assign 1” activity
      27. Verify that there is an indicator that content is already selected.
      28. Click “Select content”
      29. Make sure both checkboxes only for "Assign 2" are checked this time
      30. Click “Add content”
      31. Verify you see (you may need to click "Show more" to see this option):
        • That the mod edit form has been updated, with name set to "Assign 2" now.
        • That 'Custom parameters' contains a value like 'id=some-uuid-value-here'
        • That the grade has been set to "Point" with "Maxgrade" set to 100, as per the resource's settings in the tool
        • That ‘Allow {tool} to add grades in the gradebook is checked.
      32. Click "Save and return to course".
      33. Verify that the “Assign 2” activity has been successfully added to the “Platform course” course
      34. Open the “Assign 2” activity.
      35. Verify you can see the assignment in the tool site, as an embedded iframe in your platform site.
      36. Now go back to the “Platform course” course and add a new Tool activity.
      37. Click “Select content”.
      38. Make sure both checkboxes only for "Assign 1" are checked and the “Add to course” checkbox for the file resource
      39. Click “Add content”.
      40. Verify you see a page that shows a list of items (“Assign 1” and the file resource) that will be added to the course.
      41. Click “Save and return to course”.
      42. Verify:
        • Both “Assign 1” and the file resources have been added to the course.
        • Both are displayed as an embedded iframe in your platform site.
        • The relevant settings have been preserved (e.g Grade settings for the assignment)
      Show
      Setup Create two Moodle sites running on localhost - one designated 'platform', one 'tool'. In both sites, go to admin settings and clear all values from the 'curlsecurityblockedhosts' admin setting and save. In the platform site, create a course called "Platform course" and enrol a teacher. In the tool site, create a course called "Tool course", with: An assignment called "Assign 1" with a max grade of 80. An assignment called "Assign 2" with default settings. A file resource (representing a non-graded activity). A teacher enrolled. In the tool site admin settings: Enable enrol_lti and auth_lti plugins. Enable "Allow frame embedding". On the tool site, go to Admin > Plugins > Enrolments > Publish as LTI tool > Tool registration. Click ‘Register a platform’, enter a name for the platform and click "Continue". Once the platform is registered, keep this page with the registration details open, we'll need it shortly. On the platform site, go to 'Admin > General > LTI > Manage tools'. In the ‘Add tool’ section, paste the dynamic registration URL from the registration details on the tool site and click ‘Add LTI Advantage’. Once the tool is created click on ‘Activate’. Now, go to the ‘Platform course’ course and select ‘LTI external tools’ from the secondary navigation. Enable ‘Show in activity chooser’ for the tool. Deep link launch Log out of both the platform and tool sites completely. In the platform site, login at the teacher. Go to the "Platform course" course. Click to add a new activity, selecting the Tool. When the edit page loads, click the "Select content" button. Verify you're asked to link your tool account. Proceed to link your account by clicking the "Link this account" button. Verify you see "No resources or activities are published yet" in the resulting modal pane. (We'll need to publish some resources first) Go to the tool site's course 'Tool course'. From the menu, select "Published as LTI Tools" In the "LTI Advantage" tab, click "Add". Enter the following values: Set "Tool to be published" to "Assign 1". Save. Repeat steps 9-10 and publish ‘Assign 2’ and the file resource. Now, go back to the platform site and again, click "Select content". Verify : You are not asked to log in this time (you should still be signed in from the last time). You can see ‘Assign 1’, ‘Assign 2’ and the file resource listed under its parent course. You can see both "Add to course" and "Add to gradebook" checkboxes next to "Assign 1" and “Assign 2”. You can see only see “Add to course” checkbox for the file resource. You DO NOT see any checkboxes for the course row itself. Make sure no checkboxes are selected and click "Add content". Verify that the modal closes and no errors are shown. Click "Select content" again. Make sure both checkboxes for "Assign 1" are checked this time Click “Add content”. Verify you see (you may need to click "Show more" to see this option): That the mod edit form has been updated, with name set to "Assign 1" now That 'Custom parameters' contains a value like 'id=some-uuid-value-here' That the grade has been set to "Point" with "Maxgrade" set to 80, as per the resource's settings in the tool That ‘Allow {tool} to add grades in the gradebook' is checked. Click "Save and return to course" Verify that the “Assign 1” activity has been successfully added In the “Platform course” course Open the “Assign 1” activity. Verify you can see the assignment from the tool site, as an embedded iframe in your platform site. Go to the settings page of “Assign 1” activity Verify that there is an indicator that content is already selected. Click “Select content” Make sure both checkboxes only for "Assign 2" are checked this time Click “Add content” Verify you see (you may need to click "Show more" to see this option): That the mod edit form has been updated, with name set to "Assign 2" now. That 'Custom parameters' contains a value like 'id=some-uuid-value-here' That the grade has been set to "Point" with "Maxgrade" set to 100, as per the resource's settings in the tool That ‘Allow {tool} to add grades in the gradebook is checked. Click "Save and return to course". Verify that the “Assign 2” activity has been successfully added to the “Platform course” course Open the “Assign 2” activity. Verify you can see the assignment in the tool site, as an embedded iframe in your platform site. Now go back to the “Platform course” course and add a new Tool activity. Click “Select content”. Make sure both checkboxes only for "Assign 1" are checked and the “Add to course” checkbox for the file resource Click “Add content”. Verify you see a page that shows a list of items (“Assign 1” and the file resource) that will be added to the course. Click “Save and return to course”. Verify: Both “Assign 1” and the file resources have been added to the course. Both are displayed as an embedded iframe in your platform site. The relevant settings have been preserved (e.g Grade settings for the assignment)
    • Hide

      Fails against automated checks.

      Checked MDL-83954 using repository: https://github.com/Chocolate-lightning/moodle.git

      Should these errors be fixed?

      Built on: Tue Mar 11 03:15:39 UTC 2025

      Show
      Fails against automated checks. Checked MDL-83954 using repository: https://github.com/Chocolate-lightning/moodle.git main [branch: MDL-83954-rebased | CI Job ] Warn: The MDL-83954 -rebased branch at https://github.com/Chocolate-lightning/moodle.git has not been rebased recently (>20 days ago). Error: The MDL-83954 -rebased branch at https://github.com/Chocolate-lightning/moodle.git does not apply clean to origin/main Error: Merge conflict(s) in file(s): Error: course/lib.php Error: course/tests/externallib_test.php Error: lib/classes/navigation/views/secondary.php Error: lib/db/upgrade.php Error: lib/navigationlib.php Error: theme/boost/style/moodle.css Error: theme/classic/style/moodle.css Error: version.php Should these errors be fixed? Built on: Tue Mar 11 03:15:39 UTC 2025
    • 5
    • Team Alpha - Sprint 3 I4-2024, Team Alpha - Planning I1-2025, Team Alpha - Sprint 2 I1-2025

      MDL-82919  introduces a new deep linking API within the core, enhancing functionality for integrating external tools. However, the current implementation lacks robust access control. The prior capability checks performed during the content item selection process were omitted as they were tailored to the mod_lti module and not generalized to be incorporated into the new core API.

      This issue aims to evaluate and implement comprehensive access control mechanisms for the deep linking API to ensure secure and appropriate usage. This includes determining where the access control logic should reside - whether at the core API level, at the API caller level, or as a combination of both.

      Scope:

      • Assessment of the current access control
        • Review the existing deep linking API implementation to identify gaps in access control.
      • Core-level access control
        • Implement generalized access control logic in the core API that applies universally to all tools leveraging the API.
      • API Caller-Level Access Control:
        • Identify any specific use cases where additional access control checks are required at the caller level.
        • Allow API callers (e.g., mod_lti or other) to specify additional, tool-specific capability checks to enforce contextual restrictions.

            mathewmay Glyn (Mathew) May
            Geshoski Mihail Geshoski
            Jake Dallimore Jake Dallimore
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 1 week, 5 hours, 29 minutes
                1w 5h 29m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.