Remove logging capability from within JS

[AndrewPoppe]

• Instead initiate logs from JS but actual logging done from PHP
• Can we remove JS module completely?

[AndrewPoppe]

Seems that the log.php file used by the EM framework is open... need to find a workaround until they remove that

Idea 1:

• Create a token that is stored in module's system settings
• Whenever something is logged, include the token as a parameter
• When fetching logs for any reason, check that the token field matches the expected value
• Since this does NOT make logs from the JS module safe, will need to:
  • write a page that accepts post requests from ajax
  • verifies the user has permissions etc
  • calls module's log function, including the token

This hinges on the token being hard to guess and difficult to find.
Hard to guess is easy to do.
If the token is stored in module's system settings, then only REDCap admins would be able to access it, and even then only using another EM or by directly accessing MySQL.

[AndrewPoppe]

Idea 2:

• Adopt Gunther's method: https://github.com/grezniczek/redcap_survey_auth/blob/870bc98aeec06313e173404d49b4ca56236d1af8/SurveyAuthExternalModule.php#L742