We used to display capabilities like "Manage any calendar entries",
"Delete evidence", "Manage competency frameworks", "View hidden courses"
and others as "Missing capabilities" for the mobile app service tokens.
This gave dangerous impression that the app will not work for students
without these capabilities granted. There are known cases of admins who
started to grant all these caps to the Authenticated user role because
they were afraid the app would not work for them.
The problem here is that the official mobile app service includes some
functions that have these capabilities declared as required. But they
are not really required to use the app. Either the app makes its own
clever checks of capabilities before calling the functions, or sometimes
the capabilities are not even correctly declared.
It is safer for everybody to display this information for custom
services only where the risk of the falsely missing caps is lower and
the information is more accurate.
Also, the help text has been improved so it does not suggest that these
capabilities must be always added. We do not know why the service has
them declared. In some cases, a service has capabilities declared just
because it makes use of them in the if-then fashion.
Additionally, the patch also displays the service short name because it
is actually needed to know.
The patch adds ability to filter the list of token by the token value,
the user and the service. Also the button to create a new token is made
more prominent and easier to spot.
No need to have a dedicated admin_setting_managewebservicetokens admin
setting subclass, and yet do not use almost any of its features. So the
patch merges the list and the forms handling into a single external
page.
Similarly, it feels like overkill to have a renderer method for a
simple confirmation widget - especially given that the URLs were
hard-coded in it. So that one was dropped.
The patch improves the display of the missing capabilities on the Manage
tokens page and the Select authorised users page. The list of
capabilities is rendered in a collapsible area and does not occupy too
much space by default.
Additionally on the later page, the patch improves the display of the
list of existing authorised users so that it respects the configured
identity fields.
The previous implementation falsely reported all implicit capabilities
inherited from the authenticated user archetype. That caused a lot of
capabilities reported as missing, even if they were correctly granted.
This new implementation uses a different logic. Instead of seeking for
explicitly assigned capabilities, it searches for capabilities that are
not assigned to any of the user's role across the system.
Please refer to the inline documentation. This should be still used for
informative reports only, not for actual permissions evaluation. The
context has been ignored here, as well as all the overrides etc. This
patch just makes it a lesser evil.
I suppose the original reasoning was that the web services protocols are
pluggable and that plugins can provide external function. But those are
not good reasons to put the whole Web services section under plugins.
Web services are not a plugin type and they always felt very
counter-intuitive there.
From the server administrtaion perspective, web services are similar to
scheduled tasks and therefore, they should live in the same section.
I've gone over a few of the mofified files (those
which were showing warnings and errors to CiBoT. Some of them
have been fixed completely, while others only have fixed
for the lines belonging to this issue (lib/tests/moodlelib_test.php)
for example.
The current ->setMethods() has been silently (won't emit any
warning) in PHPUnit 9. And will stop working (current plans)
in PHPUnit 10.
Basically the now deprecated method has been split into:
- onlyMethods(): To point to existing methods in the mocked artifact.
- addMethods(): To point to non existing (yet) methods in the mocked
artifact.
In practice that means that all our current setMethods() calls can be
converted to onlyMethods() (existing) and done. The addMethods() is
mostly useful on development phases, not final testing.
Finally note that <null> isn't accepted anymore as parameter to
double all the methods. Instead empty array [] must be used.
Link: https://github.com/sebastianbergmann/phpunit/issues/3770
In all cases changes have been kept to a minimum while not making
the code completely horrible. For example, there are many instances
where it would probably be better to rewrite a query entirely, but
I have not done that (in order to reduce the risk of changes).
All the setup/teardown/pre/post/conditions template methods
now are required to return void. This was warned with phpunit 7
and now is enforced.
At the same time, fix a few wrong function names,
provider data and param types, return statements...
version = 2021052500 release version
requires= 2021052500 same than version
Why 20210525? (25th May 2021) ?
Because master is going to be Moodle 4.0, to be released
on November 2021. And, until then, we are going to have
a couple of "intermediate" releases:
- Moodle 3.10 to be released 9th November 2020. (2020110900)
This version will be using versions from today to 2020110900
(once it's released the YYYYMMDD part stops advancing).
- Moodle 3.11 to be released 10th May 2021. (2021051000)
This version will be using versions from 3.10 release to 2021051000
(once it's released the YYYYMMDD part stops advancing).
That means that all versions from today to 2021051000 are going
to be used by those 2 "intermediate" releases (3.10 and 3.11).
And we cannot use them in master, because it's forbidden to have
any overlapping of versions between branches (or different upgrade
paths will fail).
So, get that 2021051000, let's add it a couple of weeks to cover
the on-sync period (or a 2 weeks delay max!) and, the first version
that master can "own" in exclusive (without any overlap) is, exactly,
25th May 2021, hence our 20210525.
This allows for better caching capabilities on servers. If a
cache key is passed and the web service call does not require
the user to be logged in we will attempt to use GET for the
request. This allows for things like proxy caching on URLs.
The cache key must be changed if we do not want to retrieve
what has been cached and want to perform the request again.
Allow web service clients (like the Moodle App) to benefit from a
formatted (filtered) site name. Select the filtered (localized etc.)
string on server side, before it is sent to the web service client.
For example, this translates a site name which uses language tags in
curly braces when using the filter_multilang2 plugin.
Thanks-To: Juan Leyva <juan@moodle.com>
Thanks-To: Kathrin Osswald <kathrin.osswald@uni-ulm.de>
