Merge branch 'MDL-56737-master' of git://github.com/jleyva/moodle

2025-01-19 06:18:28 +01:00 · 2016-11-07 13:25:41 +08:00 · 2016-11-07 13:25:41 +08:00 · a2c0528802
commit a2c0528802
parent b03a53576d a947ecd634
3 changed files with 40 additions and 21 deletions
--- a/admin/tool/mobile/launch.php
+++ b/admin/tool/mobile/launch.php
@ -56,22 +56,27 @@ require_login(0, false);
 core_user::require_active_user($USER);

 // Get an existing token or create a new one.
+$timenow = time();
 $token = external_generate_token_for_current_user($service);
+$privatetoken = $token->privatetoken;
+external_log_token_request($token);

-// Log token access.
-$DB->set_field('external_tokens', 'lastaccess', time(), array('id' => $token->id));
+// Invalidate the private token if external_generate_token_for_current_user did not create a new token.
+if ($token->timecreated < $timenow) {
+    $privatetoken = null;
+}

-$params = array(
-    'objectid' => $token->id,
-);
-$event = \core\event\webservice_token_sent::create($params);
-$event->add_record_snapshot('external_tokens', $token);
-$event->trigger();
+$siteadmin = has_capability('moodle/site:config', context_system::instance(), $USER->id);

 // Passport is generated in the mobile app, so the app opening can be validated using that variable.
 // Passports are valid only one time, it's deleted in the app once used.
 $siteid = md5($CFG->wwwroot . $passport);
-$apptoken = base64_encode($siteid . ':::' . $token->token);
+$apptoken = $siteid . ':::' . $token->token;
+if ($privatetoken and is_https() and !$siteadmin) {
+    $apptoken .= ':::' . $privatetoken;
+}
+
+$apptoken = base64_encode($apptoken);

 // Redirect using the custom URL scheme checking first if a URL scheme is forced in the site settings.
 $forcedurlscheme = get_config('tool_mobile', 'forcedurlscheme');
--- a/lib/externallib.php
+++ b/lib/externallib.php
@ -1075,6 +1075,30 @@ function external_generate_token_for_current_user($service) {
    return $token;
 }

+/**
+ * Set the last time a token was sent and trigger the \core\event\webservice_token_sent event.
+ *
+ * This function is used when a token is generated by the user via login/token.php or admin/tool/mobile/launch.php.
+ * In order to protect the privatetoken, we remove it from the event params.
+ *
+ * @param  stdClass $token token object
+ * @since  Moodle 3.2
+ */
+function external_log_token_request($token) {
+    global $DB;
+
+    $token->privatetoken = null;
+
+    // Log token access.
+    $DB->set_field('external_tokens', 'lastaccess', time(), array('id' => $token->id));
+
+    $params = array(
+        'objectid' => $token->id,
+    );
+    $event = \core\event\webservice_token_sent::create($params);
+    $event->add_record_snapshot('external_tokens', $token);
+    $event->trigger();
+}

 /**
 * Singleton to handle the external settings.
--- a/login/token.php
+++ b/login/token.php
@ -87,19 +87,9 @@ if (!empty($user)) {
    // Get an existing token or create a new one.
    $token = external_generate_token_for_current_user($service);
    $privatetoken = $token->privatetoken;
-    $token->privatetoken = null;
+    external_log_token_request($token);

-    // log token access
-    $DB->set_field('external_tokens', 'lastaccess', time(), array('id'=>$token->id));
-
-    $params = array(
-        'objectid' => $token->id,
-    );
-    $event = \core\event\webservice_token_sent::create($params);
-    $event->add_record_snapshot('external_tokens', $token);
-    $event->trigger();
-
-    $siteadmin = has_capability('moodle/site:config', $systemcontext, $USER->id) || is_siteadmin($USER->id);
+    $siteadmin = has_capability('moodle/site:config', $systemcontext, $USER->id);

    $usertoken = new stdClass;
    $usertoken->token = $token->token;