Both classes using cURL features now access it via the core curl wrapper
class. Credit goes to Dan Poltawski for spotting the previous discrepancy
during the integration review.
Previously, the testable validator's get_plugintype_location() used to
return path to a directory that itself did not need to be writable. This
was causing false failures. This patch reimplements the testable
validator's get_plugintype_location() method so that it returns a path
inside $CFG->tempdir which is always writable.
Also, to make all test methods consistent, all of them now use the
testable_tool_installaddon_validator class. Before this patch, some test
methods used the testable class and some used the parent class.
There is a new hook in the index.php file. If valid HTTP parameter
installaddonrequest is detected, the installer asks the administrator to
confirm the request.
If confirmed, the installer calls download.moodle.org/api/1.2/pluginfo.php
service to get information about the given plugin version. The essential
data are the URL of the ZIP to download and the MD5 hash of the ZIP.
These data must be fetched via HTTPS to protect against MiM attack.
If the ZIP is downloaded and the MD5 content hash is correct, the user
is redirected to the previously implemented ZIP validation page, as if
the ZIP was uploaded manually.
The valid format of the installaddonrequest is documented via the
test_decode_remote_request() unit test method.
The script validate.php expects a ZIP file stored in a temporary
location. It extracts the ZIP (optionally renaming the root directory)
and executes the validator. Then it renders the validator log messages
and continue buttons.
The validator code contains (modified) fragments of the
local_plugins_archive_validator class copyrighted by Marina Glancy that
is part of the local_plugins plugin. It operates over an extracted
copy of the ZIP file.