MDL-81718 core: Improve localstorage validation

lib/amd/build/localstorage.min.js

@@ -7,6 +7,6 @@
  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  * @since      2.9
  */
-define("core/localstorage",["core/config","core/storagewrapper"],(function(config,StorageWrapper){var storage=new StorageWrapper(window.localStorage);return{get:function(key){return storage.get(key)},set:function(key,value){return storage.set(key,value)}}}));
+define("core/localstorage",["core/config","core/storagewrapper"],(function(config,StorageWrapper){var storage=new StorageWrapper(window.localStorage);return{get:function(key){return storage.get(key)},set:function(key,value){return storage.set(key,value)},clean:function(){return storage.clean()}}}));
 
 //# sourceMappingURL=localstorage.min.js.map

lib/amd/build/localstorage.min.js.map

@@ -1 +1 @@
-{"version":3,"file":"localstorage.min.js","sources":["../src/localstorage.js"],"sourcesContent":["// This file is part of Moodle - http://moodle.org/\n//\n// Moodle is free software: you can redistribute it and/or modify\n// it under the terms of the GNU General Public License as published by\n// the Free Software Foundation, either version 3 of the License, or\n// (at your option) any later version.\n//\n// Moodle is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n// GNU General Public License for more details.\n//\n// You should have received a copy of the GNU General Public License\n// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.\n\n/**\n * Simple API for set/get to localstorage, with cacherev expiration.\n *\n * @module     core/localstorage\n * @class      localstorage\n * @copyright  2015 Damyon Wiese <damyon@moodle.com>\n * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later\n * @since      2.9\n */\ndefine(['core/config', 'core/storagewrapper'], function(config, StorageWrapper) {\n\n    // Private functions and variables.\n    /** @var {Object} StorageWrapper - Wraps browsers localStorage object */\n    var storage = new StorageWrapper(window.localStorage);\n\n    return /** @alias module:core/localstorage */ {\n        /**\n         * Get a value from local storage. Remember - all values must be strings.\n         *\n         * @method get\n         * @param {string} key The cache key to check.\n         * @return {boolean|string} False if the value is not in the cache, or some other error - a string otherwise.\n         */\n        get: function(key) {\n            return storage.get(key);\n        },\n\n        /**\n         * Set a value to local storage. Remember - all values must be strings.\n         *\n         * @method set\n         * @param {string} key The cache key to set.\n         * @param {string} value The value to set.\n         * @return {boolean} False if the value can't be saved in the cache, or some other error - true otherwise.\n         */\n        set: function(key, value) {\n            return storage.set(key, value);\n        }\n\n    };\n});\n"],"names":["define","config","StorageWrapper","storage","window","localStorage","get","key","set","value"],"mappings":";;;;;;;;;AAwBAA,2BAAO,CAAC,cAAe,wBAAwB,SAASC,OAAQC,oBAIxDC,QAAU,IAAID,eAAeE,OAAOC,oBAEM,CAQ1CC,IAAK,SAASC,YACHJ,QAAQG,IAAIC,MAWvBC,IAAK,SAASD,IAAKE,cACRN,QAAQK,IAAID,IAAKE"}
+{"version":3,"file":"localstorage.min.js","sources":["../src/localstorage.js"],"sourcesContent":["// This file is part of Moodle - http://moodle.org/\n//\n// Moodle is free software: you can redistribute it and/or modify\n// it under the terms of the GNU General Public License as published by\n// the Free Software Foundation, either version 3 of the License, or\n// (at your option) any later version.\n//\n// Moodle is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n// GNU General Public License for more details.\n//\n// You should have received a copy of the GNU General Public License\n// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.\n\n/**\n * Simple API for set/get to localstorage, with cacherev expiration.\n *\n * @module     core/localstorage\n * @class      localstorage\n * @copyright  2015 Damyon Wiese <damyon@moodle.com>\n * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later\n * @since      2.9\n */\ndefine(['core/config', 'core/storagewrapper'], function(config, StorageWrapper) {\n\n    // Private functions and variables.\n    /** @var {Object} StorageWrapper - Wraps browsers localStorage object */\n    var storage = new StorageWrapper(window.localStorage);\n\n    return /** @alias module:core/localstorage */ {\n        /**\n         * Get a value from local storage. Remember - all values must be strings.\n         *\n         * @method get\n         * @param {string} key The cache key to check.\n         * @return {boolean|string} False if the value is not in the cache, or some other error - a string otherwise.\n         */\n        get: function(key) {\n            return storage.get(key);\n        },\n\n        /**\n         * Set a value to local storage. Remember - all values must be strings.\n         *\n         * @method set\n         * @param {string} key The cache key to set.\n         * @param {string} value The value to set.\n         * @return {boolean} False if the value can't be saved in the cache, or some other error - true otherwise.\n         */\n        set: function(key, value) {\n            return storage.set(key, value);\n        },\n\n        /**\n         * Clean local storage\n         *\n         * @method clean\n         */\n        clean: function() {\n            return storage.clean();\n        }\n\n    };\n});\n"],"names":["define","config","StorageWrapper","storage","window","localStorage","get","key","set","value","clean"],"mappings":";;;;;;;;;AAwBAA,2BAAO,CAAC,cAAe,wBAAwB,SAASC,OAAQC,oBAIxDC,QAAU,IAAID,eAAeE,OAAOC,oBAEM,CAQ1CC,IAAK,SAASC,YACHJ,QAAQG,IAAIC,MAWvBC,IAAK,SAASD,IAAKE,cACRN,QAAQK,IAAID,IAAKE,QAQ5BC,MAAO,kBACIP,QAAQO"}

lib/amd/build/storage_validation.min.js

@@ -0,0 +1,9 @@
+define("core/storage_validation",["exports","core/localstorage"],(function(_exports,_localstorage){var obj;
+/**
+   * Clean caches after user login in order to prevent cache poisoning.
+   * @module      core/storage_validation
+   * @copyright   2024 Raquel Ortega <raquel.ortega@moodle.com>
+   * @license     http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+   */Object.defineProperty(_exports,"__esModule",{value:!0}),_exports.init=void 0,_localstorage=(obj=_localstorage)&&obj.__esModule?obj:{default:obj};_exports.init=userCurrentLogin=>{userCurrentLogin!==Number(_localstorage.default.get("sUserLogintime"))&&(_localstorage.default.clean(),_localstorage.default.set("sUserLogintime",Number(userCurrentLogin).toString()))}}));
+
+//# sourceMappingURL=storage_validation.min.js.map

lib/amd/build/storage_validation.min.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage_validation.min.js","sources":["../src/storage_validation.js"],"sourcesContent":["// This file is part of Moodle - http://moodle.org/\n//\n// Moodle is free software: you can redistribute it and/or modify\n// it under the terms of the GNU General Public License as published by\n// the Free Software Foundation, either version 3 of the License, or\n// (at your option) any later version.\n//\n// Moodle is distributed in the hope that it will be useful,\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the\n// GNU General Public License for more details.\n//\n// You should have received a copy of the GNU General Public License\n// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.\n\n/**\n * Clean caches after user login in order to prevent cache poisoning.\n * @module      core/storage_validation\n * @copyright   2024 Raquel Ortega <raquel.ortega@moodle.com>\n * @license     http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later\n */\n\nimport LocalStorage from 'core/localstorage';\n\n/**\n * Initialise storage validation.\n *\n * @param {Number|null} userCurrentLogin - Current login information. Can be null.\n */\nexport const init = (userCurrentLogin) => {\n    const sUserLoginTime = Number(LocalStorage.get('sUserLogintime'));\n\n    if (userCurrentLogin !==  sUserLoginTime) {\n        LocalStorage.clean();\n        LocalStorage.set('sUserLogintime', Number(userCurrentLogin).toString());\n    }\n};\n"],"names":["userCurrentLogin","Number","LocalStorage","get","clean","set","toString"],"mappings":";;;;;;oKA6BqBA,mBAGbA,mBAFmBC,OAAOC,sBAAaC,IAAI,2CAG9BC,8BACAC,IAAI,iBAAkBJ,OAAOD,kBAAkBM"}

lib/amd/build/storagewrapper.min.js

@@ -6,6 +6,6 @@
  * @copyright  2017 Ryan Wyllie <ryan@moodle.com>
  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
-define("core/storagewrapper",["core/config"],(function(config){var Wrapper=function(storage){this.storage=storage,this.supported=this.detectSupport(),this.hashSource=config.wwwroot+"/"+config.jsrev,this.hash=this.hashString(this.hashSource),this.prefix=this.hash+"/",this.jsrevPrefix=this.hashString(config.wwwroot)+"/jsrev",this.validateCache()};return Wrapper.prototype.detectSupport=function(){if(-1==config.jsrev)return!1;if(void 0===this.storage)return!1;try{return null!==this.storage&&(this.storage.setItem("test","1"),this.storage.removeItem("test"),!0)}catch(ex){return!1}},Wrapper.prototype.prefixKey=function(key){return this.prefix+key},Wrapper.prototype.validateCache=function(){if(this.supported){var cacheVersion=this.storage.getItem(this.jsrevPrefix);if(null!==cacheVersion)config.jsrev!=cacheVersion&&(this.storage.clear(),this.storage.setItem(this.jsrevPrefix,config.jsrev));else this.storage.setItem(this.jsrevPrefix,config.jsrev)}},Wrapper.prototype.hashString=function(source){var i,len,hash=0;if(0===source.length)return hash;for(i=0,len=source.length;i<len;i++)hash=(hash<<5)-hash+source.charCodeAt(i),hash|=0;return hash},Wrapper.prototype.get=function(key){return!!this.supported&&(key=this.prefixKey(key),this.storage.getItem(key))},Wrapper.prototype.set=function(key,value){if(!this.supported)return!1;key=this.prefixKey(key);try{this.storage.setItem(key,value)}catch(e){return!1}return!0},Wrapper}));
+define("core/storagewrapper",["core/config"],(function(config){var Wrapper=function(storage){this.storage=storage,this.supported=this.detectSupport(),this.hashSource=config.wwwroot+"/"+config.jsrev,this.hash=this.hashString(this.hashSource),this.prefix=this.hash+"/",this.jsrevPrefix=this.hashString(config.wwwroot)+"/jsrev",this.validateCache()};return Wrapper.prototype.detectSupport=function(){if(-1==config.jsrev)return!1;if(void 0===this.storage)return!1;try{return null!==this.storage&&(this.storage.setItem("test","1"),this.storage.removeItem("test"),!0)}catch(ex){return!1}},Wrapper.prototype.prefixKey=function(key){return this.prefix+key},Wrapper.prototype.validateCache=function(){if(this.supported){var cacheVersion=this.storage.getItem(this.jsrevPrefix);if(null!==cacheVersion)config.jsrev!=cacheVersion&&(this.storage.clear(),this.storage.setItem(this.jsrevPrefix,config.jsrev));else this.storage.setItem(this.jsrevPrefix,config.jsrev)}},Wrapper.prototype.hashString=function(source){var i,len,hash=0;if(0===source.length)return hash;for(i=0,len=source.length;i<len;i++)hash=(hash<<5)-hash+source.charCodeAt(i),hash|=0;return hash},Wrapper.prototype.get=function(key){return!!this.supported&&(key=this.prefixKey(key),this.storage.getItem(key))},Wrapper.prototype.set=function(key,value){if(!this.supported)return!1;key=this.prefixKey(key);try{this.storage.setItem(key,value)}catch(e){return!1}return!0},Wrapper.prototype.clean=function(){this.storage.clear()},Wrapper}));
 
 //# sourceMappingURL=storagewrapper.min.js.map

lib/amd/src/localstorage.js

@@ -50,6 +50,15 @@ define(['core/config', 'core/storagewrapper'], function(config, StorageWrapper)
          */
         set: function(key, value) {
             return storage.set(key, value);
+        },
+
+        /**
+         * Clean local storage
+         *
+         * @method clean
+         */
+        clean: function() {
+            return storage.clean();
         }
 
     };

lib/amd/src/storage_validation.js

@@ -0,0 +1,37 @@
+// This file is part of Moodle - http://moodle.org/
+//
+// Moodle is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Moodle is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+
+/**
+ * Clean caches after user login in order to prevent cache poisoning.
+ * @module      core/storage_validation
+ * @copyright   2024 Raquel Ortega <raquel.ortega@moodle.com>
+ * @license     http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
+
+import LocalStorage from 'core/localstorage';
+
+/**
+ * Initialise storage validation.
+ *
+ * @param {Number|null} userCurrentLogin - Current login information. Can be null.
+ */
+export const init = (userCurrentLogin) => {
+    const sUserLoginTime = Number(LocalStorage.get('sUserLogintime'));
+
+    if (userCurrentLogin !==  sUserLoginTime) {
+        LocalStorage.clean();
+        LocalStorage.set('sUserLogintime', Number(userCurrentLogin).toString());
+    }
+};

lib/amd/src/storagewrapper.js

@@ -162,5 +162,14 @@ define(['core/config'], function(config) {
         return true;
     };
 
+    /**
+     * Clean local storage.
+     *
+     * @method clean
+     */
+    Wrapper.prototype.clean = function() {
+        this.storage.clear();
+    };
+
     return Wrapper;
 });

lib/outputrequirementslib.php

@@ -1657,7 +1657,7 @@ EOF;
      * @return string the HTML code to to at the end of the page.
      */
     public function get_end_code() {
-        global $CFG;
+        global $CFG, $USER;
         $output = '';
 
         // Set the log level for the JS logging.
@@ -1670,6 +1670,9 @@ EOF;
         // Add any global JS that needs to run on all pages.
         $this->js_call_amd('core/page_global', 'init');
         $this->js_call_amd('core/utility');
+        $this->js_call_amd('core/storage_validation', 'init', [
+            !empty($USER->currentlogin) ? (int) $USER->currentlogin : null
+        ]);
 
         // Call amd init functions.
         $output .= $this->get_amd_footercode();