From 3e17cf68a4c6e9954fe159568bd276b4d094293b Mon Sep 17 00:00:00 2001
From: Jake Dallimore <jake@moodle.com>
Date: Thu, 3 Nov 2022 11:42:14 +0800
Subject: [PATCH] MDL-76170 enrol_lti: fix missing secret in enrol_lti_users

If member sync runs before the user launches the tool, a partial record
is created, without consumer secret. Subsequent launches of the tool by
that member don't resolve this and this results in grade sync failing
for any affected users. This patch:
- data fixes the existing affected rows
- fixes the launch code, ensuring secret is recorded on launch,
irrespective of whether the user info record has been created already
or not.
---
 enrol/lti/classes/tool_provider.php |  3 +++
 enrol/lti/db/upgrade.php            | 21 +++++++++++++++++++++
 enrol/lti/version.php               |  2 +-
 3 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/enrol/lti/classes/tool_provider.php b/enrol/lti/classes/tool_provider.php
index 5437f6837ad..d81ef4baeae 100644
--- a/enrol/lti/classes/tool_provider.php
+++ b/enrol/lti/classes/tool_provider.php
@@ -344,6 +344,9 @@ class tool_provider extends ToolProvider {
             if ($userlog->serviceurl != $serviceurl) {
                 $userlog->serviceurl = $serviceurl;
             }
+            if (empty($userlog->consumersecret)) {
+                $userlog->consumersecret = $this->consumer->secret;
+            }
             $userlog->lastaccess = time();
             $DB->update_record('enrol_lti_users', $userlog);
         } else {
diff --git a/enrol/lti/db/upgrade.php b/enrol/lti/db/upgrade.php
index 1bbe7c127c8..c6915b3fef5 100644
--- a/enrol/lti/db/upgrade.php
+++ b/enrol/lti/db/upgrade.php
@@ -483,5 +483,26 @@ function xmldb_enrol_lti_upgrade($oldversion) {
         upgrade_plugin_savepoint(true, 2022103100, 'enrol', 'lti');
     }
 
+    if ($oldversion < 2022110300) {
+        // Update lti user information for any users missing a consumer secret.
+        // This applies to any user who has launched the tool (i.e. has lastaccess) but who doesn't have a secret recorded.
+        // This fixes a bug where enrol_lti_users records are created first during a member sync, and are missing the secret,
+        // even despite having launched the tool subsequently.
+        $sql = "SELECT lu.id, lc.secret
+                  FROM {enrol_lti_users} lu
+                  JOIN {enrol_lti_lti2_consumer} lc
+                    ON (lu.consumerkey = lc.consumerkey256)
+                 WHERE lu.consumersecret IS NULL
+                   AND lu.lastaccess IS NOT NULL";
+        $affectedltiusersrs = $DB->get_recordset_sql($sql);
+        foreach ($affectedltiusersrs as $ltiuser) {
+            $DB->set_field('enrol_lti_users', 'consumersecret', $ltiuser->secret, ['id' => $ltiuser->id]);
+        }
+        $affectedltiusersrs->close();
+
+        // Lti savepoint reached.
+        upgrade_plugin_savepoint(true, 2022110300, 'enrol', 'lti');
+    }
+
     return true;
 }
diff --git a/enrol/lti/version.php b/enrol/lti/version.php
index 4174f783d1e..1b60548cf39 100644
--- a/enrol/lti/version.php
+++ b/enrol/lti/version.php
@@ -24,7 +24,7 @@
 
 defined('MOODLE_INTERNAL') || die();
 
-$plugin->version = 2022103100; // The current plugin version (Date: YYYYMMDDXX).
+$plugin->version = 2022110300; // The current plugin version (Date: YYYYMMDDXX).
 $plugin->requires = 2022041200; // Requires this Moodle version.
 $plugin->component = 'enrol_lti'; // Full name of the plugin (used for diagnostics).
 $plugin->dependencies = [