From 660ea3df568ee9c03d6e4afa5a009de8f5c5fd8a Mon Sep 17 00:00:00 2001
From: Jake Dallimore
Date: Fri, 5 May 2023 14:24:15 +0800
Subject: [PATCH] MDL-76821 enrol_lti: prevent legacy launches via upgraded enrolment

If the enrolment instance (the 'published resource') has been upgraded from LTI 1.1/2.0 to LTI 1.3 (i.e. a new instance was not created), prevent legacy launches which may occur from old resource links. Only LTI Advantage launches should be permitted through the method.
---
 enrol/lti/lang/en/enrol_lti.php | 1 +
 enrol/lti/tool.php | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/enrol/lti/lang/en/enrol_lti.php b/enrol/lti/lang/en/enrol_lti.php
index 5808a0334d5ee..dce5d50a21a07 100644
--- a/enrol/lti/lang/en/enrol_lti.php
+++ b/enrol/lti/lang/en/enrol_lti.php
@@ -54,6 +54,7 @@
 $string['enrolenddate_help'] = 'If enabled, users can access until this date only.';
 $string['enrolenddateerror'] = 'Enrolment end date cannot be earlier than start date';
 $string['enrolisdisabled'] = 'The \'Publish as LTI tool\' plugin is disabled.';
+$string['enrolltiversionincorrect'] = 'The resource is not set up for use over legacy LTI (versions 1.1/2.0). Please contact the administrator of this tool.';
 $string['enrolperiod'] = 'Enrolment duration';
 $string['enrolperiod_help'] = 'Length of time that the enrolment is valid, starting with the moment the user enrols themselves from the remote system. If disabled, the enrolment duration will be unlimited.';
 $string['enrolmentfinished'] = 'Enrolment finished.';
diff --git a/enrol/lti/tool.php b/enrol/lti/tool.php
index f3436cfaac4e2..a0250c452558b 100644
--- a/enrol/lti/tool.php
+++ b/enrol/lti/tool.php
@@ -53,6 +53,12 @@
 exit();
 }
+// Check if the enrolment instance has been upgraded to a newer LTI version.
+if ($tool->ltiversion != 'LTI-1p0/LTI-2p0') {
+ throw new \moodle_exception('enrolltiversionincorrect', 'enrol_lti');
+ exit();
+}
+
 $consumerkey = required_param('oauth_consumer_key', PARAM_TEXT);
 $ltiversion = optional_param('lti_version', null, PARAM_TEXT);
 $messagetype = required_param('lti_message_type', PARAM_TEXT);
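Review bot: The new guard compares with loose `!=` and leaves an unreachable `exit();` after the `throw`; `if ($tool->ltiversion !== 'LTI-1p0/LTI-2p0') {` followed by the `throw` alone does the same job. The check is written as an allow-list, so it fails closed: any value other than the legacy string, including a null or empty `ltiversion`, is rejected before the OAuth parameters are read, which is the safe direction for a downgrade guard. That same property means every pre-existing legacy instance must carry this exact string, presumably set by an upgrade step not visible here, or valid LTI 1.1/2.0 launches will be refused. A one-line comment stating that assumption would help, for example `// Legacy endpoint: only instances still marked 'LTI-1p0/LTI-2p0' may launch here; anything else is denied.` The script starts before and continues after this hunk, so the signature verification that follows is not visible.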