mirror_php/moodle
1
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-04-20 07:56:06 +02:00
Code Issues Projects Releases Wiki Activity

security keysMDL-12886 cleanup a bit the security keys page (move html into renderer and DB query into library)

Browse Source
This commit is contained in:
jerome mouneyrac 2010-05-12 07:53:07 +00:00
parent 43cc3cbd6f
commit 229a70996a
4 changed files with 247 additions and 153 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/navigationlib.php
View File

@ -2816,7 +2816,7 @@ class settings_navigation extends navigation_node {
}
// Security keys
if ($currentuser && !is_siteadmin($USER->id) && !empty($CFG->enablewebservices) && has_capability('moodle/webservice:createtoken', $systemcontext)) {
if ($currentuser) {
$url = new moodle_url('/user/managetoken.php', array('sesskey'=>sesskey()));
$usersetting->add(get_string('securitykeys', 'webservice'), $url, self::TYPE_SETTING);
}

197
user/managetoken.php
View File

@ -20,173 +20,66 @@
*
* @package webservice
* @copyright 2009 Moodle Pty Ltd (http://moodle.com)
* @author Petr Skoda (skodak)
* @author Jerome Mouneyrac
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
require('../config.php');
require($CFG->dirroot.'/webservice/lib.php');
$PAGE->set_url('/user/managetoken.php');
$PAGE->set_title(get_string('securitykeys', 'webservice'));
$PAGE->set_heading(get_string('securitykeys', 'webservice'));
$action = optional_param('action', '', PARAM_ACTION);
$tokenid = optional_param('tokenid', '', PARAM_SAFEDIR);
$confirm = optional_param('confirm', 0, PARAM_BOOL);
require_login();
require_sesskey();
$returnurl = "$CFG->wwwroot/user/managetoken.php?sesskey=" . sesskey();
//TODO: include tabs.php => tabs.php is a bit ugly require variable $course, $user to be defined here
//look to a better solution, do we really need it? (see /user/portfolio.php and other profil pages)
$webservicetokenboxhtml = '';
/// Manage user web service tokens
if ( !is_siteadmin($USER->id) && !empty($CFG->enablewebservices) &&
has_capability('moodle/webservice:createtoken', get_system_context())) {
switch ($action) {
$action = optional_param('action', '', PARAM_ACTION);
$tokenid = optional_param('tokenid', '', PARAM_SAFEDIR);
$confirm = optional_param('confirm', 0, PARAM_BOOL);
case 'reset':
$sql = "SELECT
t.id, t.token, u.firstname, u.lastname, s.name
FROM
{external_tokens} t, {user} u, {external_services} s
WHERE
t.creatorid=? AND t.id=? AND t.tokentype = ".EXTERNAL_TOKEN_PERMANENT." AND s.id = t.externalserviceid AND t.userid = u.id";
$token = $DB->get_record_sql($sql, array($USER->id, $tokenid), MUST_EXIST); //must be the token creator
if (!$confirm) {
echo $OUTPUT->header();
echo $OUTPUT->heading(get_string('managetokens', 'webservice'));
$optionsyes = array('tokenid'=>$tokenid, 'action'=>'reset', 'confirm'=>1, 'sesskey'=>sesskey());
$optionsno = array('section'=>'webservicetokens', 'sesskey'=>sesskey());
$formcontinue = new single_button(new moodle_url($returnurl, $optionsyes), get_string('reset'));
$formcancel = new single_button(new moodle_url($returnurl, $optionsno), get_string('cancel'), 'get');
echo $OUTPUT->confirm(get_string('resettokenconfirm', 'webservice', (object)array('user'=>$token->firstname." ".$token->lastname, 'service'=>$token->name)), $formcontinue, $formcancel);
echo $OUTPUT->footer();
die;
}
$DB->delete_records('external_tokens', array('id'=>$token->id));
redirect($returnurl);
break;
$webservice = new webservice(); //load the webservice library
$wsrenderer = $PAGE->get_renderer('core', 'webservice');
default: //display the list of token
if ($action == 'resetwstoken') {
$token = $webservice->get_created_by_user_ws_token($USER->id, $tokenid);
/// Display confirmation page to Reset the token
if (!$confirm) {
$resetconfirmation = $wsrenderer->user_reset_token_confirmation($token);
} else {
/// Delete the token that need to be regenerated
$webservice->delete_user_ws_token($tokenid);
}
}
/// generate a token for non admin if web service are enable and the user has the capability to create a token
if (!is_siteadmin() && has_capability('moodle/webservice:createtoken', get_context_instance(CONTEXT_SYSTEM)) && !empty($CFG->enablewebservices)) {
/// for every service than the user is authorised on, create a token (if it doesn't already exist)
///get all services which are set to all user (no restricted to specific users)
$norestrictedservices = $DB->get_records('external_services', array('restrictedusers' => 0));
$serviceidlist = array();
foreach ($norestrictedservices as $service) {
$serviceidlist[] = $service->id;
}
//get all services which are set to the current user (the current user is specified in the restricted user list)
$servicesusers = $DB->get_records('external_services_users', array('userid' => $USER->id));
foreach ($servicesusers as $serviceuser) {
if (!in_array($serviceuser->externalserviceid,$serviceidlist)) {
$serviceidlist[] = $serviceuser->externalserviceid;
}
}
//get all services which already have a token set for the current user
$usertokens = $DB->get_records('external_tokens', array('userid' => $USER->id, 'tokentype' => EXTERNAL_TOKEN_PERMANENT));
$tokenizedservice = array();
foreach ($usertokens as $token) {
$tokenizedservice[] = $token->externalserviceid;
}
//create a token for the service which have no token already
foreach ($serviceidlist as $serviceid) {
if (!in_array($serviceid, $tokenizedservice)) {
//create the token for this service
$newtoken = new object();
$newtoken->token = md5(uniqid(rand(),1));
//check that the user has capability on this service
$newtoken->tokentype = EXTERNAL_TOKEN_PERMANENT;
$newtoken->userid = $USER->id;
$newtoken->externalserviceid = $serviceid;
//TODO: find a way to get the context - UPDATE FOLLOWING LINE
$newtoken->contextid = get_context_instance(CONTEXT_SYSTEM)->id;
$newtoken->creatorid = $USER->id;
$newtoken->timecreated = time();
$DB->insert_record('external_tokens', $newtoken);
}
}
}
// display strings
$stroperation = get_string('operation', 'webservice');
$strtoken = get_string('key', 'webservice');
$strservice = get_string('service', 'webservice');
$strcreator = get_string('tokencreator', 'webservice');
$strcontext = get_string('context', 'webservice');
$strvaliduntil = get_string('validuntil', 'webservice');
$return = $OUTPUT->heading(get_string('securitykeys', 'webservice'), 3, 'main', true);
$return .= $OUTPUT->box_start('generalbox webservicestokenui');
$return .= get_string('keyshelp', 'webservice');
$table = new html_table();
$table->head = array($strtoken, $strservice, $strvaliduntil, $strcreator, $stroperation);
$table->align = array('left', 'left', 'left', 'center', 'left', 'center');
$table->width = '100%';
$table->data = array();
//TODO: automatically delete obsolete token (service don't exist anymore), use LEFT JOIN for detection
//here retrieve token list (including linked users firstname/lastname and linked services name)
$sql = "SELECT
t.id, t.creatorid, t.token, u.firstname, u.lastname, s.name, t.validuntil
FROM
{external_tokens} t, {user} u, {external_services} s
WHERE
t.userid=? AND t.tokentype = ".EXTERNAL_TOKEN_PERMANENT." AND s.id = t.externalserviceid AND t.userid = u.id";
$tokens = $DB->get_records_sql($sql, array( $USER->id));
if (!empty($tokens)) {
foreach ($tokens as $token) {
//TODO: retrieve context
if ($token->creatorid == $USER->id) {
$reset = "<a href=\"".$returnurl."&amp;action=reset&amp;tokenid=".$token->id."\">";
$reset .= get_string('reset')."</a>";
$creator = $token->firstname." ".$token->lastname;
} else {
//retrive administrator name
require_once($CFG->dirroot.'/user/lib.php');
$creators = user_get_users_by_id(array($token->creatorid));
$admincreator = $creators[$token->creatorid];
$creator = $admincreator->firstname." ".$admincreator->lastname;
$reset = '';
}
$userprofilurl = new moodle_url('/user/view.php?id='.$token->creatorid);
$creatoratag = html_writer::start_tag('a', array('href' => $userprofilurl));
$creatoratag .= $creator;
$creatoratag .= html_writer::end_tag('a');
$validuntil = '';
if (!empty($token->validuntil)) {
$validuntil = date("F j, Y"); //TODO: language support (look for moodle function)
}
$table->data[] = array($token->token, $token->name, $validuntil, $creatoratag, $reset);
}
$return .= html_writer::table($table);
} else {
$return .= get_string('notoken', 'webservice');
}
$return .= $OUTPUT->box_end();
echo $OUTPUT->header();
echo $return;
echo $OUTPUT->footer();
die();
break;
$webservice->generate_user_ws_tokens($USER->id); //generate all token that need to be generated
$tokens = $webservice->get_user_ws_tokens($USER->id);
$webservicetokenboxhtml = $wsrenderer->user_webservice_tokens_box($tokens, $USER->id); //display the box for web service token
}
redirect($returnurl);
//TODO Manage RSS keys
//1- the reset confirmation page content should go into $resetconfirmation
//2- create a table/box for the RSS key
//PS: in 2 if you prefer to add a special row to the ws table in this case move
//the renderer somewhere else, add a new column to make difference between web service and RSS, change the name of the
//renderer function.
// PAGE OUTPUT
echo $OUTPUT->header();
if (!empty($resetconfirmation)) {
echo $resetconfirmation; //TODO the RSS regenerate confirmation content code should
//be containt into $resetconfirmation too
} else {
echo $webservicetokenboxhtml;
//TODO: echo RSS table html here
}
echo $OUTPUT->footer();

110
webservice/lib.php
View File

@ -29,6 +29,116 @@ define('WEBSERVICE_AUTHMETHOD_USERNAME', 0);
define('WEBSERVICE_AUTHMETHOD_PERMANENT_TOKEN', 1);
define('WEBSERVICE_AUTHMETHOD_SESSION_TOKEN', 2);
/**
* General web service library
*/
class webservice {
/**
* Generate all ws token needed by a user
* @param int $userid
*/
public function generate_user_ws_tokens($userid) {
global $CFG, $DB;
/// generate a token for non admin if web service are enable and the user has the capability to create a token
if (!is_siteadmin() && has_capability('moodle/webservice:createtoken', get_context_instance(CONTEXT_SYSTEM), $userid) && !empty($CFG->enablewebservices)) {
/// for every service than the user is authorised on, create a token (if it doesn't already exist)
///get all services which are set to all user (no restricted to specific users)
$norestrictedservices = $DB->get_records('external_services', array('restrictedusers' => 0));
$serviceidlist = array();
foreach ($norestrictedservices as $service) {
$serviceidlist[] = $service->id;
}
//get all services which are set to the current user (the current user is specified in the restricted user list)
$servicesusers = $DB->get_records('external_services_users', array('userid' => $userid));
foreach ($servicesusers as $serviceuser) {
if (!in_array($serviceuser->externalserviceid,$serviceidlist)) {
$serviceidlist[] = $serviceuser->externalserviceid;
}
}
//get all services which already have a token set for the current user
$usertokens = $DB->get_records('external_tokens', array('userid' => $userid, 'tokentype' => EXTERNAL_TOKEN_PERMANENT));
$tokenizedservice = array();
foreach ($usertokens as $token) {
$tokenizedservice[] = $token->externalserviceid;
}
//create a token for the service which have no token already
foreach ($serviceidlist as $serviceid) {
if (!in_array($serviceid, $tokenizedservice)) {
//create the token for this service
$newtoken = new object();
$newtoken->token = md5(uniqid(rand(),1));
//check that the user has capability on this service
$newtoken->tokentype = EXTERNAL_TOKEN_PERMANENT;
$newtoken->userid = $userid;
$newtoken->externalserviceid = $serviceid;
//TODO: find a way to get the context - UPDATE FOLLOWING LINE
$newtoken->contextid = get_context_instance(CONTEXT_SYSTEM)->id;
$newtoken->creatorid = $userid;
$newtoken->timecreated = time();
$DB->insert_record('external_tokens', $newtoken);
}
}
}
}
/**
* Return all ws user token
* @param integer $userid
* @return array of token
*/
public function get_user_ws_tokens($userid) {
global $DB;
//here retrieve token list (including linked users firstname/lastname and linked services name)
$sql = "SELECT
t.id, t.creatorid, t.token, u.firstname, u.lastname, s.name, t.validuntil
FROM
{external_tokens} t, {user} u, {external_services} s
WHERE
t.userid=? AND t.tokentype = ".EXTERNAL_TOKEN_PERMANENT." AND s.id = t.externalserviceid AND t.userid = u.id";
$tokens = $DB->get_records_sql($sql, array( $userid));
return $tokens;
}
/**
* Return a user token that has been created by the user
* If doesn't exist a exception is thrown
* @param integer $userid
* @param integer $tokenid
* @return object
*/
public function get_created_by_user_ws_token($userid, $tokenid) {
global $DB;
$sql = "SELECT
t.id, t.token, u.firstname, u.lastname, s.name
FROM
{external_tokens} t, {user} u, {external_services} s
WHERE
t.creatorid=? AND t.id=? AND t.tokentype = ".EXTERNAL_TOKEN_PERMANENT." AND s.id = t.externalserviceid AND t.userid = u.id";
$token = $DB->get_record_sql($sql, array($userid, $tokenid), MUST_EXIST); //must be the token creator
return $token;
}
/**
* Delete a user token
* @param int $tokenid
*/
public function delete_user_ws_token($tokenid) {
global $DB;
$DB->delete_records('external_tokens', array('id'=>$tokenid));
}
}
/**
* Exception indicating access control problem in web service call
* @author Petr Skoda (skodak)

91
webservice/renderer.php
View File

@ -28,6 +28,97 @@
*/
class core_webservice_renderer extends plugin_renderer_base {
/**
* Display Reset token confirmation box
* @param object $token to reset
* @return string html
*/
public function user_reset_token_confirmation($token) {
global $OUTPUT, $CFG;
$managetokenurl = $CFG->wwwroot."/user/managetoken.php?sesskey=" . sesskey();
$optionsyes = array('tokenid'=>$token->id, 'action'=>'resetwstoken', 'confirm'=>1, 'sesskey'=>sesskey());
$optionsno = array('section'=>'webservicetokens', 'sesskey'=>sesskey());
$formcontinue = new single_button(new moodle_url($managetokenurl, $optionsyes), get_string('reset'));
$formcancel = new single_button(new moodle_url($managetokenurl, $optionsno), get_string('cancel'), 'get');
$html = $OUTPUT->confirm(get_string('resettokenconfirm', 'webservice',
(object)array('user'=>$token->firstname." ".$token->lastname, 'service'=>$token->name)),
$formcontinue, $formcancel);
return $html;
}
/**
* Display user tokens with buttons to reset them
* @param object $tokens
* @param int $userid
* @return string html code
*/
public function user_webservice_tokens_box($tokens, $userid) {
global $OUTPUT, $CFG;
// display strings
$stroperation = get_string('operation', 'webservice');
$strtoken = get_string('key', 'webservice');
$strservice = get_string('service', 'webservice');
$strcreator = get_string('tokencreator', 'webservice');
$strcontext = get_string('context', 'webservice');
$strvaliduntil = get_string('validuntil', 'webservice');
$return = $OUTPUT->heading(get_string('securitykeys', 'webservice'), 3, 'main', true);
$return .= $OUTPUT->box_start('generalbox webservicestokenui');
$return .= get_string('keyshelp', 'webservice');
$table = new html_table();
$table->head = array($strtoken, $strservice, $strvaliduntil, $strcreator, $stroperation);
$table->align = array('left', 'left', 'left', 'center', 'left', 'center');
$table->width = '100%';
$table->data = array();
if (!empty($tokens)) {
foreach ($tokens as $token) {
//TODO: retrieve context
if ($token->creatorid == $userid) {
$reset = "<a href=\"".$CFG->wwwroot."/user/managetoken.php?sesskey=".sesskey().
"&amp;action=resetwstoken&amp;tokenid=".$token->id."\">";
$reset .= get_string('reset')."</a>";
$creator = $token->firstname." ".$token->lastname;
} else {
//retrive administrator name
require_once($CFG->dirroot.'/user/lib.php');
$creators = user_get_users_by_id(array($token->creatorid));
$admincreator = $creators[$token->creatorid];
$creator = $admincreator->firstname." ".$admincreator->lastname;
$reset = '';
}
$userprofilurl = new moodle_url('/user/view.php?id='.$token->creatorid);
$creatoratag = html_writer::start_tag('a', array('href' => $userprofilurl));
$creatoratag .= $creator;
$creatoratag .= html_writer::end_tag('a');
$validuntil = '';
if (!empty($token->validuntil)) {
$validuntil = date("F j, Y"); //TODO: language support (look for moodle function)
}
$table->data[] = array($token->token, $token->name, $validuntil, $creatoratag, $reset);
}
$return .= html_writer::table($table);
} else {
$return .= get_string('notoken', 'webservice');
}
$return .= $OUTPUT->box_end();
return $return;
}
/**
* Return documentation for a ws description object
* ws description object can be 'external_multiple_structure', 'external_single_structure' or 'external_value'