Commit Graph

9 Commits

Author SHA1 Message Date
Russell Smith
1fcf0ca8a5 MDL-35628 performance: Remove dirname() where possible.
dirname() is a slow function compared with __DIR__ and using
'/../'.  Moodle has a large number of legacy files that are included
each time a page loads and is not able to use an autoloader as it is
functional code.  This allows those required includes to perform as
best as possible in this situation.
2016-06-10 08:06:49 +10:00
Frederic Massart
1d0140757a MDL-54034 ajax: Apply filters in ajax requests
This also clarified that developers can decide to force filters
to be ignored when using external_format_text, though they cannot
force filters to be turned on as the clients should be able to
opt-out from filtering should they want to.
2016-05-06 17:59:41 +08:00
Damyon Wiese
56fa860ead MDL-53772 externallib: Fix busted webservices context handling
Fix:
$PAGE->context must be reset when calling validate_context

Improve:
Provide wrapper for calling an external function

The wrapper correctly checks the function parameters and return type against
the description of the external function, and stores the PAGE and COURSE global
state variables, restoring them before the function returns.

Fix: buggy unit tests.

These tests are expecting debugging from a bug that was fixed, and calling web
service functions with no user or session.
2016-04-14 13:58:23 +08:00
Frederic Massart
4879477632 MDL-51700 ajax: Clean the external function return values
2015-12-02 10:30:01 +08:00
Damyon Wiese
ad348cbdf9 MDL-50783 ajax: Add specific check for NO_MOODLE_COOKIES
If loginrequired is set for a webservice - NO_MOODLE_COOKIES cannot
be true - or it is a coding error.
2015-09-14 15:10:39 +08:00
Damyon Wiese
ba224fb42c MDL-50783 Ajax: Configure how to call a webservice through db/service.php
Now the db/service.php array can contain these extra keys to provide information
on how a webservice may be called:

    'ajax' => true (Default is false)

Replaces the xx_is_allowed_from_ajax callback.

    'loginrequired' => false (Default is true)

Means that this webservice can be called through lib/ajax/service-nosession.php
which sets NO_MOODLE_COOKIES to true (faster). This is only safe for webservices returning
static public data (e.g. get_string).
2015-09-14 15:10:21 +08:00
Damyon Wiese
5d8c198711 MDL-50782 Ajax: No require_login for all ajax webservice calls
Some webservice functions need to be available without a login, e.g.
fetching strings and templates.

External functions must call validate_context if they require a valid login etc.

Added a new parameter to services.php: "loginrequired". Default is true.
2015-09-08 09:16:58 +08:00
Damyon Wiese
b0a583932a MDL-50784 ajax: Require a sesskey for all ajax requests.
This needs to be done before we can expose any webservices that
change state, or return private info to ajax (to prevent CSRF).

Currently there are no webservices exposed to ajax that meet these
criteria - so this issue is to prevent future security issues.
2015-07-13 16:49:06 +02:00
Damyon Wiese
72f8324ec5 MDL-49163 Webservices, AJAX: Add support for a new ajax webservice handler.
This is a new script that can call any function in the built-in AJAX webservice. This is
a new system service that is added at install time (like the mobile webservice). It has no
protocols added to it, but it is accessible by a new ajax script /lib/ajax/service.php.

Requests and responses to the script are required to be in json format, and multiple functions can
be called in a single request.
2015-03-12 15:07:08 +08:00