MDL-29409 repository_alfresco: Drop support for URL/link

The current solution has two major issues. Firstly, it is using the session key in the file URL, allowing anyone with the link to steal the identify of the poster. Secondly, the links are not presistent and become broken as soon as the server is restarted. Let's not support this any more until a proper solution is found in MDL-26454.
2025-01-17 21:49:15 +01:00 · 2014-01-30 12:02:09 +08:00 · 2014-01-30 12:02:09 +08:00 · f4f0aa27d4
commit f4f0aa27d4
parent d129de3761
5 changed files with 115 additions and 14 deletions
--- a/repository/alfresco/db/upgrade.php
+++ b/repository/alfresco/db/upgrade.php
@ -0,0 +1,57 @@
+<?php
+// This file is part of Moodle - http://moodle.org/
+//
+// Moodle is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Moodle is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+
+/**
+ * Upgrade.
+ *
+ * @package    repository_alfresco
+ * @copyright  2014 Frédéric Massart
+ * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
+
+defined('MOODLE_INTERNAL') || die();
+
+/**
+ * Upgrade function.
+ *
+ * @param int $oldversion the version we are upgrading from.
+ * @return bool result
+ */
+function xmldb_repository_alfresco_upgrade($oldversion) {
+    global $CFG, $DB;
+
+    $dbman = $DB->get_manager();
+
+    if ($oldversion < 2014020301) {
+        require_once($CFG->dirroot . '/repository/lib.php');
+        require_once($CFG->dirroot . '/repository/alfresco/db/upgradelib.php');
+
+        $params = array();
+        $params['context'] = array();
+        $params['onlyvisible'] = false;
+        $params['type'] = 'alfresco';
+        $instances = repository::get_instances($params);
+
+        // Notify the admin about the migration process if they are using the repo.
+        if (!empty($instances)) {
+            repository_alfresco_admin_security_key_notice();
+        }
+
+        upgrade_plugin_savepoint(true, 2014020301, 'repository', 'alfresco');
+    }
+
+    return true;
+}
--- a/repository/alfresco/db/upgradelib.php
+++ b/repository/alfresco/db/upgradelib.php
@ -0,0 +1,53 @@
+<?php
+// This file is part of Moodle - http://moodle.org/
+//
+// Moodle is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Moodle is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+
+/**
+ * Locallib.
+ *
+ * @package    repository_alfresco
+ * @copyright  2014 Frédéric Massart
+ * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
+
+defined('MOODLE_INTERNAL') || die();
+
+/**
+ * Send a message to the admin in regard with the APIv1 migration.
+ *
+ * @return void
+ */
+function repository_alfresco_admin_security_key_notice() {
+    $admins = get_admins();
+
+    if (empty($admins)) {
+        return;
+    }
+
+    foreach ($admins as $admin) {
+        $message = new stdClass();
+        $message->component         = 'moodle';
+        $message->name              = 'notices';
+        $message->userfrom          = get_admin();
+        $message->userto            = $admin;
+        $message->smallmessage      = get_string('security_key_notice_message_small', 'repository_alfresco');
+        $message->subject           = get_string('security_key_notice_message_subject', 'repository_alfresco');
+        $message->fullmessage       = get_string('security_key_notice_message_content', 'repository_alfresco');
+        $message->fullmessagehtml   = get_string('security_key_notice_message_content', 'repository_alfresco');
+        $message->fullmessageformat = FORMAT_PLAIN;
+        $message->notification      = 1;
+        message_send($message);
+    }
+}
--- a/repository/alfresco/lang/en/repository_alfresco.php
+++ b/repository/alfresco/lang/en/repository_alfresco.php
@ -31,6 +31,9 @@ $string['notitle'] = 'notitle';
 $string['password'] = 'Password';
 $string['pluginname_help'] = 'A plug-in for Alfresco CMS';
 $string['pluginname'] = 'Alfresco repository';
+$string['security_key_notice_message_small'] = 'Due to a recent security issue found in the Alfresco repository, we advice you to restart your Alfresco server.';
+$string['security_key_notice_message_subject'] = 'Alfresco repository security notice';
+$string['security_key_notice_message_content'] = 'A recent security issue was discovered when using external links to the Alfresco Moodle repository. Users were able to gain access to the accounts of other users on the Alfresco server through the use of information contained in these links (tokens). This feature has now been disabled, but it is possible that the tokens contained within these links still allow access to another user\'s account. For your own protection, it is important that you restart your Alfresco server in order to expire the tokens.';
 $string['soapmustbeenabled'] = 'SOAP extension must be enabled for alfresco plugin';
 $string['space'] = 'Space';
 $string['username'] = 'User name';
--- a/repository/alfresco/lib.php
+++ b/repository/alfresco/lib.php
@ -205,18 +205,6 @@ class repository_alfresco extends repository {
        return parent::get_file($url, $file);
    }

-    /**
-     * Return file URL
-     *
-     * @param string $url the url of file
-     * @return string
-     */
-    public function get_link($uuid) {
-        $node = $this->user_session->getNode($this->store, $uuid);
-        $url = $this->get_url($node);
-        return $url;
-    }
-
    public function print_search() {
        $str = parent::print_search();
        $str .= html_writer::label(get_string('space', 'repository_alfresco'), 'space', false, array('class' => 'accesshide'));
@ -294,6 +282,6 @@ class repository_alfresco extends repository {
        }
    }
    public function supported_returntypes() {
-        return (FILE_INTERNAL | FILE_EXTERNAL);
+        return FILE_INTERNAL;
    }
 }
--- a/repository/alfresco/version.php
+++ b/repository/alfresco/version.php
@ -26,6 +26,6 @@

 defined('MOODLE_INTERNAL') || die();

-$plugin->version   = 2013110500;        // The current plugin version (Date: YYYYMMDDXX)
+$plugin->version   = 2014020301;        // The current plugin version (Date: YYYYMMDDXX)
 $plugin->requires  = 2013110500;        // Requires this Moodle version
 $plugin->component = 'repository_alfresco'; // Full name of the plugin (used for diagnostics)