
MDL-73295 webservice: only pass around sesskey for tokens as needed.
paulholden committed Dec 29, 2021
1 parent f04d0dd commit af9f840
Showing 8 changed files with 23 additions and 28 deletions.
1 change: 1 addition & 0 deletions lang/en/webservice.php
Expand Up @@ -164,6 +164,7 @@
$string['requiredcapability'] = 'Required capability';
$string['requiredcapability_help'] = 'If set, only users with the required capability can access the service.';
$string['requiredcaps'] = 'Required capabilities';
$string['resettokencomplete'] = 'The selected token was reset';
$string['resettokenconfirm'] = 'Do you really want to reset this web service key for <strong>{$a->user}</strong> on the service <strong>{$a->service}</strong>?';
$string['resettokenconfirmsimple'] = 'Do you really want to reset this key? Any saved links containing the old key will not work anymore.';
$string['response'] = 'Response';
2 changes: 1 addition & 1 deletion lib/adminlib.php
Expand Up @@ -10143,7 +10143,7 @@ public function output_html($data, $query='') {

/// 8. Create token for the specific user
$row = array();
$url = new moodle_url("/admin/webservice/tokens.php?sesskey=" . sesskey() . "&action=create");
$url = new moodle_url('/admin/webservice/tokens.php', ['action' => 'create']);
$row[0] = "8. " . html_writer::tag('a', get_string('createtokenforuser', 'webservice'),
array('href' => $url));
$row[1] = "";
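Review bot: The link built at `$url = new moodle_url('/admin/webservice/tokens.php', ['action' => 'create']);` now reaches tokens.php without a session key, and admin/webservice/tokens.php is not part of this commit; the link only keeps working if that page already defers its require_sesskey() to the point where it actually creates or deletes a token instead of checking on entry, which is worth confirming because the same applies to the `action=delete` URL changed in webservice/classes/token_table.php. On style, the next line still builds the anchor as `html_writer::tag('a', ..., array('href' => $url))` while the renderers in this same commit switched to `html_writer::link(...)`; `$row[0] = "8. " . html_writer::link($url, get_string('createtokenforuser', 'webservice'));` would keep them consistent. output_html continues outside the hunk.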
2 changes: 1 addition & 1 deletion lib/navigationlib.php
Expand Up @@ -5174,7 +5174,7 @@ protected function generate_user_settings($courseid, $userid, $gstitle='usercurr
}
// Security keys.
if ($currentuser && $enablemanagetokens) {
$url = new moodle_url('/user/managetoken.php', array('sesskey'=>sesskey()));
$url = new moodle_url('/user/managetoken.php');
$useraccount->add(get_string('securitykeys', 'webservice'), $url, self::TYPE_SETTING);
}

13 changes: 6 additions & 7 deletions rss/renderer.php
Expand Up @@ -35,12 +35,10 @@ class core_rss_renderer extends plugin_renderer_base {
* @return string html
*/
public function user_reset_rss_token_confirmation() {
global $CFG;
$managetokenurl = $CFG->wwwroot."/user/managetoken.php?sesskey=" . sesskey();
$optionsyes = array('action' => 'resetrsstoken', 'confirm' => 1, 'sesskey' => sesskey());
$optionsno = array('section' => 'webservicetokens', 'sesskey' => sesskey());
$managetokenurl = '/user/managetoken.php';
$optionsyes = ['action' => 'resetrsstoken', 'confirm' => 1];
$formcontinue = new single_button(new moodle_url($managetokenurl, $optionsyes), get_string('reset'));
$formcancel = new single_button(new moodle_url($managetokenurl, $optionsno), get_string('cancel'), 'get');
$formcancel = new single_button(new moodle_url($managetokenurl), get_string('cancel'), 'get');
$html = $this->output->confirm(get_string('resettokenconfirmsimple', 'webservice'), $formcontinue, $formcancel);
return $html;
}
Expand Down Expand Up @@ -69,8 +67,9 @@ public function user_rss_token_box($token) {
$table->data = array();

if (!empty($token)) {
$reset = "<a href=\"".$CFG->wwwroot."/user/managetoken.php?sesskey=".sesskey().
"&amp;action=resetrsstoken\">".get_string('reset')."</a>";
$reset = html_writer::link(new moodle_url('/user/managetoken.php', [
'action' => 'resetrsstoken',
]), get_string('reset'));

$table->data[] = array($token, $reset);

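Review bot: The cancel button, `$formcancel = new single_button(new moodle_url($managetokenurl), get_string('cancel'), 'get');`, drops the `section=webservicetokens` parameter together with the sesskey, which the commit title does not cover; if managetoken.php uses `section` to choose the view, cancelling now lands on a different page than before. The same parameter is dropped in user_reset_token_confirmation in webservice/renderer.php. The confirm button presumably relies on the POST single_button form supplying the session key that managetoken.php now checks with require_sesskey() before deleting; a comment above `$optionsyes`, `// No sesskey in the URL: the POST form supplies it and managetoken.php verifies it before acting.`, would make that dependency explicit for the next reader. user_rss_token_box's signature is above the second hunk, so whether `global $CFG` is still used there after `$CFG->wwwroot` went away cannot be checked from here.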
5 changes: 4 additions & 1 deletion user/managetoken.php
Expand Up @@ -26,7 +26,6 @@
require('../config.php');

require_login();
require_sesskey();

$usercontext = context_user::instance($USER->id);

Expand Down Expand Up @@ -57,7 +56,9 @@
$resetconfirmation = $wsrenderer->user_reset_token_confirmation($token);
} else {
// Delete the token that need to be regenerated.
require_sesskey();
$webservice->delete_user_ws_token($tokenid);
redirect($PAGE->url, get_string('resettokencomplete', 'core_webservice'));
}
}

Expand Down Expand Up @@ -92,7 +93,9 @@
if (!$confirm) {
$resetconfirmation = $rssrenderer->user_reset_rss_token_confirmation();
} else {
require_sesskey();
rss_delete_token($USER->id);
redirect($PAGE->url, get_string('resettokencomplete', 'core_webservice'));
}
}
if (empty($resetconfirmation)) {
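Review bot: With `require_sesskey();` moved into the two confirmed branches, the unconfirmed `action=resetwstoken` path is now reachable by a plain GET, so the only thing keeping one user away from another user's token is the ownership check on `$tokenid`, which is not in the hunk; it should be confirmed to run before `$webservice->delete_user_ws_token($tokenid)` or inside that method. The string component also differs from the rest of the commit: `get_string('resettokencomplete', 'core_webservice')` here versus `'webservice'` in the renderers — both resolve to the same language file, but one spelling across the feature reads better. The `if (!$confirm)` conditions are cut at the top of each hunk, so the `optional_param` reads that feed them are not visible here.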
1 change: 0 additions & 1 deletion webservice/classes/token_table.php
Expand Up @@ -117,7 +117,6 @@ public function col_operation($data) {
$tokenpageurl = new \moodle_url(
"/admin/webservice/tokens.php",
[
"sesskey" => sesskey(),
"action" => "delete",
"tokenid" => $data->id
]
22 changes: 9 additions & 13 deletions webservice/renderer.php
Expand Up @@ -263,15 +263,10 @@ public function admin_service_function_list($functions, $service) {
* @return string html
*/
public function user_reset_token_confirmation($token) {
global $CFG;
$managetokenurl = $CFG->wwwroot . "/user/managetoken.php?sesskey=" . sesskey();
$optionsyes = array('tokenid' => $token->id, 'action' => 'resetwstoken', 'confirm' => 1,
'sesskey' => sesskey());
$optionsno = array('section' => 'webservicetokens', 'sesskey' => sesskey());
$formcontinue = new single_button(new moodle_url($managetokenurl, $optionsyes),
get_string('reset'));
$formcancel = new single_button(new moodle_url($managetokenurl, $optionsno),
get_string('cancel'), 'get');
$managetokenurl = '/user/managetoken.php';
$optionsyes = ['tokenid' => $token->id, 'action' => 'resetwstoken', 'confirm' => 1];
$formcontinue = new single_button(new moodle_url($managetokenurl, $optionsyes), get_string('reset'));
$formcancel = new single_button(new moodle_url($managetokenurl), get_string('cancel'), 'get');
$html = $this->output->confirm(get_string('resettokenconfirm', 'webservice',
(object) array('user' => $token->firstname . " " .
$token->lastname, 'service' => $token->name)),
Expand Down Expand Up @@ -318,9 +313,10 @@ public function user_webservice_tokens_box($tokens, $userid, $documentation = fa
foreach ($tokens as $token) {

if ($token->creatorid == $userid) {
$reset = "<a href=\"" . $CFG->wwwroot . "/user/managetoken.php?sesskey="
. sesskey() . "&amp;action=resetwstoken&amp;tokenid=" . $token->id . "\">";
$reset .= get_string('reset') . "</a>";
$reset = html_writer::link(new moodle_url('/user/managetoken.php', [
'action' => 'resetwstoken',
'tokenid' => $token->id,
]), get_string('reset'));
$creator = $token->firstname . " " . $token->lastname;
} else {
//retrieve administrator name
Expand All @@ -347,7 +343,7 @@ public function user_webservice_tokens_box($tokens, $userid, $documentation = fa

if ($documentation) {
$doclink = new moodle_url('/webservice/wsdoc.php',
array('id' => $token->id, 'sesskey' => sesskey()));
array('id' => $token->id));
$row[] = html_writer::tag('a', get_string('doc', 'webservice'),
array('href' => $doclink));
}
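Review bot: In user_webservice_tokens_box the documentation link still goes through `html_writer::tag('a', get_string('doc', 'webservice'), array('href' => $doclink))` a few lines after the reset link was rewritten with `html_writer::link(...)`; since this hunk already touches `array('id' => $token->id)`, collapsing it to `$row[] = html_writer::link(new moodle_url('/webservice/wsdoc.php', ['id' => $token->id]), get_string('doc', 'webservice'));` would leave one link style in the function. Removing `$CFG->wwwroot` from both changed functions may leave `global $CFG` unused in user_webservice_tokens_box; its header is above the hunk, so that cannot be confirmed here. user_reset_token_confirmation's body continues below its hunk.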
5 changes: 1 addition & 4 deletions webservice/wsdoc.php
Expand Up @@ -27,7 +27,6 @@
require($CFG->dirroot . '/webservice/lib.php');

require_login();
require_sesskey();

$usercontext = context_user::instance($USER->id);
$tokenid = required_param('id', PARAM_INT);
Expand All @@ -43,9 +42,7 @@
$PAGE->navbar->ignore_active(true);
$PAGE->navbar->add(get_string('preferences'), new moodle_url('/user/preferences.php'));
$PAGE->navbar->add(get_string('useraccount'));
$PAGE->navbar->add(get_string('securitykeys', 'webservice'),
new moodle_url('/user/managetoken.php',
array('id' => $tokenid, 'sesskey' => sesskey())));
$PAGE->navbar->add(get_string('securitykeys', 'webservice'), new moodle_url('/user/managetoken.php'));
$PAGE->navbar->add(get_string('wsdocumentation', 'webservice'));

// check web service are enabled
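Review bot: Dropping `require_sesskey();` makes wsdoc.php reachable by any GET that sets `id`, so the check that `$tokenid` belongs to `$USER` — not shown in this hunk, and now the only guard against viewing documentation generated for another user's token — has to precede the rendering; worth confirming it is there and, if the page prints the token value itself, that it is not relaxed later. The navbar link also loses `'id' => $tokenid` along with the sesskey, which the title does not mention; harmless if managetoken.php ignores `id`, but it belongs in the commit message.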
