From a947ecd634b4da165c695cc2f8f94b3cd32a17d0 Mon Sep 17 00:00:00 2001
From: Juan Leyva
Date: Thu, 3 Nov 2016 19:13:47 +0000
Subject: [PATCH] MDL-56737 tool_mobile: Support private tokens in launch.php
---
 admin/tool/mobile/launch.php | 23 ++++++++++++++---------
 lib/externallib.php | 24 ++++++++++++++++++++++++
 login/token.php | 14 ++------------
 3 files changed, 40 insertions(+), 21 deletions(-)
diff --git a/admin/tool/mobile/launch.php b/admin/tool/mobile/launch.php
index 714bf427f3f..030daba392f 100644
--- a/admin/tool/mobile/launch.php
+++ b/admin/tool/mobile/launch.php
@@ -56,22 +56,27 @@ require_login(0, false);
 core_user::require_active_user($USER);
 
 // Get an existing token or create a new one.
+$timenow = time();
 $token = external_generate_token_for_current_user($service);
+$privatetoken = $token->privatetoken;
+external_log_token_request($token);
 
-// Log token access.
-$DB->set_field('external_tokens', 'lastaccess', time(), array('id' => $token->id));
+// Invalidate the private token if external_generate_token_for_current_user did not create a new token.
+if ($token->timecreated < $timenow) {
+ $privatetoken = null;
+}
 
-$params = array(
- 'objectid' => $token->id,
-);
-$event = \core\event\webservice_token_sent::create($params);
-$event->add_record_snapshot('external_tokens', $token);
-$event->trigger();
+$siteadmin = has_capability('moodle/site:config', context_system::instance(), $USER->id);
 
 // Passport is generated in the mobile app, so the app opening can be validated using that variable.
 // Passports are valid only one time, it's deleted in the app once used.
 $siteid = md5($CFG->wwwroot . $passport);
-$apptoken = base64_encode($siteid . ':::' . $token->token);
+$apptoken = $siteid . ':::' . $token->token;
+if ($privatetoken and is_https() and !$siteadmin) {
+ $apptoken .= ':::' . $privatetoken;
+}
+
+$apptoken = base64_encode($apptoken);
 
 // Redirect using the custom URL scheme checking first if a URL scheme is forced in the site settings.
 $forcedurlscheme = get_config('tool_mobile', 'forcedurlscheme');
diff --git a/lib/externallib.php b/lib/externallib.php
index a0c98959117..981c8b2e6ed 100644
--- a/lib/externallib.php
+++ b/lib/externallib.php
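Review bot: The `if ($token->timecreated < $timenow)` guard only approximates "this request created the token": time() has one-second resolution, so a token inserted by an earlier request in the same second (a double-click or two quick app launches) compares as not-older and its private token is sent out again in the redirect. A reliable signal would come from external_generate_token_for_current_user itself reporting whether it inserted a new row, rather than from comparing wall-clock seconds. Separately, `$privatetoken = $token->privatetoken;` has to stay above `external_log_token_request($token);` because that helper clears the property on the object; the ordering is load-bearing and deserves a comment such as `// Read privatetoken first: external_log_token_request() clears it on $token.`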
@@ -1075,6 +1075,30 @@ function external_generate_token_for_current_user($service) {
 return $token;
 }
 
+/**
+ * Set the last time a token was sent and trigger the \core\event\webservice_token_sent event.
+ *
+ * This function is used when a token is generated by the user via login/token.php or admin/tool/mobile/launch.php.
+ * In order to protect the privatetoken, we remove it from the event params.
+ *
+ * @param stdClass $token token object
+ * @since Moodle 3.2
+ */
+function external_log_token_request($token) {
+ global $DB;
+
+ $token->privatetoken = null;
+
+ // Log token access.
+ $DB->set_field('external_tokens', 'lastaccess', time(), array('id' => $token->id));
+
+ $params = array(
+ 'objectid' => $token->id,
+ );
+ $event = \core\event\webservice_token_sent::create($params);
+ $event->add_record_snapshot('external_tokens', $token);
+ $event->trigger();
+}
 
 /**
  * Singleton to handle the external settings.
diff --git a/login/token.php b/login/token.php
index d106ec03203..a67b4b1c3cf 100644
--- a/login/token.php
+++ b/login/token.php
@@ -87,19 +87,9 @@ if (!empty($user)) {
 // Get an existing token or create a new one.
 $token = external_generate_token_for_current_user($service);
 $privatetoken = $token->privatetoken;
- $token->privatetoken = null;
+ external_log_token_request($token);
 
- // log token access
- $DB->set_field('external_tokens', 'lastaccess', time(), array('id'=>$token->id));
-
- $params = array(
- 'objectid' => $token->id,
- );
- $event = \core\event\webservice_token_sent::create($params);
- $event->add_record_snapshot('external_tokens', $token);
- $event->trigger();
-
- $siteadmin = has_capability('moodle/site:config', $systemcontext, $USER->id) || is_siteadmin($USER->id);
+ $siteadmin = has_capability('moodle/site:config', $systemcontext, $USER->id);
 
 $usertoken = new stdClass;
 $usertoken->token = $token->token;
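Review bot: `external_log_token_request()` mutates its argument — `$token->privatetoken = null;` — so every caller must read the private token before calling it (both call sites in this patch do), yet the docblock says nothing about it and the name suggests a pure logging helper. Either document the contract, e.g. `@param stdClass $token token object; its privatetoken property is cleared in place so it never reaches the event snapshot`, or operate on a copy (`$snapshot = clone $token; $snapshot->privatetoken = null;` and pass `$snapshot` to `add_record_snapshot()`) if callers are meant to keep the value. The sentence "we remove it from the event params" is also slightly off: `$params` holds only objectid, and the private token is stripped from the record snapshot attached via `add_record_snapshot()`, so `we clear it from the record snapshot attached to the event` would be more accurate.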
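Review bot: Unlike the launch.php hunk in this same patch, this hunk keeps `$privatetoken = $token->privatetoken;` without any `timecreated` guard, so login/token.php re-issues the stored private token of a pre-existing token on every call; the HTTPS and site-admin conditions that decide whether it is actually returned are not in this hunk. If re-issuing on every password-based login is intentional (the caller has just authenticated), a one-line comment at the read, `// Returned on every password login; launch.php only returns it when the token is newly created.`, would stop the next reader from "fixing" the discrepancy. The removal of `|| is_siteadmin($USER->id)` relies on has_capability() treating site admins as holding moodle/site:config with the default doanything argument used here; presumably that holds, but it is worth confirming before narrowing the check.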