Commit d4bd398a authored by Paul Holden's avatar Paul Holden

MDL-73295 webservice: only pass around sesskey for tokens as needed.

parent f8eb3637
...@@ -164,6 +164,7 @@ $string['required'] = 'Required'; ...@@ -164,6 +164,7 @@ $string['required'] = 'Required';
$string['requiredcapability'] = 'Required capability'; $string['requiredcapability'] = 'Required capability';
$string['requiredcapability_help'] = 'If set, only users with the required capability can access the service.'; $string['requiredcapability_help'] = 'If set, only users with the required capability can access the service.';
$string['requiredcaps'] = 'Required capabilities'; $string['requiredcaps'] = 'Required capabilities';
$string['resettokencomplete'] = 'The selected token was reset';
$string['resettokenconfirm'] = 'Do you really want to reset this web service key for <strong>{$a->user}</strong> on the service <strong>{$a->service}</strong>?'; $string['resettokenconfirm'] = 'Do you really want to reset this web service key for <strong>{$a->user}</strong> on the service <strong>{$a->service}</strong>?';
$string['resettokenconfirmsimple'] = 'Do you really want to reset this key? Any saved links containing the old key will not work anymore.'; $string['resettokenconfirmsimple'] = 'Do you really want to reset this key? Any saved links containing the old key will not work anymore.';
$string['response'] = 'Response'; $string['response'] = 'Response';
......
...@@ -10198,7 +10198,7 @@ class admin_setting_webservicesoverview extends admin_setting { ...@@ -10198,7 +10198,7 @@ class admin_setting_webservicesoverview extends admin_setting {
/// 8. Create token for the specific user /// 8. Create token for the specific user
$row = array(); $row = array();
$url = new moodle_url("/admin/webservice/tokens.php?sesskey=" . sesskey() . "&action=create"); $url = new moodle_url('/admin/webservice/tokens.php', ['action' => 'create']);
$row[0] = "8. " . html_writer::tag('a', get_string('createtokenforuser', 'webservice'), $row[0] = "8. " . html_writer::tag('a', get_string('createtokenforuser', 'webservice'),
array('href' => $url)); array('href' => $url));
$row[1] = ""; $row[1] = "";
......
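Review bot: The rewritten `new moodle_url('/admin/webservice/tokens.php', ['action' => 'create'])` removes the sesskey from a plain navigation link, which is only correct if the `create` action on tokens.php performs no state change until a sesskey-checked form submission; that page is not in this view, so it is worth confirming. The action name suggests a form entry point rather than a mutation, in which case a bare link is the right shape. As a point of style, the rewritten line uses short array syntax while the continuation on the next line keeps `array('href' => $url)`; the statement reads more consistently as `['href' => $url]`. The enclosing method of `admin_setting_webservicesoverview` starts and ends outside the hunk.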
...@@ -5204,7 +5204,7 @@ class settings_navigation extends navigation_node { ...@@ -5204,7 +5204,7 @@ class settings_navigation extends navigation_node {
} }
// Security keys. // Security keys.
if ($currentuser && $enablemanagetokens) { if ($currentuser && $enablemanagetokens) {
$url = new moodle_url('/user/managetoken.php', array('sesskey'=>sesskey())); $url = new moodle_url('/user/managetoken.php');
$useraccount->add(get_string('securitykeys', 'webservice'), $url, self::TYPE_SETTING); $useraccount->add(get_string('securitykeys', 'webservice'), $url, self::TYPE_SETTING);
} }
......
...@@ -35,12 +35,10 @@ class core_rss_renderer extends plugin_renderer_base { ...@@ -35,12 +35,10 @@ class core_rss_renderer extends plugin_renderer_base {
* @return string html * @return string html
*/ */
public function user_reset_rss_token_confirmation() { public function user_reset_rss_token_confirmation() {
global $CFG; $managetokenurl = '/user/managetoken.php';
$managetokenurl = $CFG->wwwroot."/user/managetoken.php?sesskey=" . sesskey(); $optionsyes = ['action' => 'resetrsstoken', 'confirm' => 1];
$optionsyes = array('action' => 'resetrsstoken', 'confirm' => 1, 'sesskey' => sesskey());
$optionsno = array('section' => 'webservicetokens', 'sesskey' => sesskey());
$formcontinue = new single_button(new moodle_url($managetokenurl, $optionsyes), get_string('reset')); $formcontinue = new single_button(new moodle_url($managetokenurl, $optionsyes), get_string('reset'));
$formcancel = new single_button(new moodle_url($managetokenurl, $optionsno), get_string('cancel'), 'get'); $formcancel = new single_button(new moodle_url($managetokenurl), get_string('cancel'), 'get');
$html = $this->output->confirm(get_string('resettokenconfirmsimple', 'webservice'), $formcontinue, $formcancel); $html = $this->output->confirm(get_string('resettokenconfirmsimple', 'webservice'), $formcontinue, $formcancel);
return $html; return $html;
} }
...@@ -69,8 +67,9 @@ class core_rss_renderer extends plugin_renderer_base { ...@@ -69,8 +67,9 @@ class core_rss_renderer extends plugin_renderer_base {
$table->data = array(); $table->data = array();
if (!empty($token)) { if (!empty($token)) {
$reset = "<a href=\"".$CFG->wwwroot."/user/managetoken.php?sesskey=".sesskey(). $reset = html_writer::link(new moodle_url('/user/managetoken.php', [
"&amp;action=resetrsstoken\">".get_string('reset')."</a>"; 'action' => 'resetrsstoken',
]), get_string('reset'));
$table->data[] = array($token, $reset); $table->data[] = array($token, $reset);
......
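Review bot: In `user_reset_rss_token_confirmation` the cancel button loses `'section' => 'webservicetokens'` as well as the sesskey, so `$formcancel` now targets the bare `/user/managetoken.php`; if managetoken.php reads `section`, that is a behaviour change beyond the commit's intent and the parameter should be restored as `new moodle_url($managetokenurl, ['section' => 'webservicetokens'])`. The continue button no longer carries a sesskey in its URL and does not pass a method, so the confirmed reset relies on `single_button`'s default form submission supplying the sesskey; that cannot be verified from this hunk and is the condition under which the `require_sesskey()` moved into managetoken.php will pass. The same two observations apply to `user_reset_token_confirmation` in the `core_webservice_renderer` section further down, which drops the same `section` parameter. In the second hunk here, `$CFG` is no longer referenced on the rewritten lines; if the enclosing method, which starts outside the hunk, declared `global $CFG` only for this link, the declaration is now dead.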
...@@ -26,7 +26,6 @@ ...@@ -26,7 +26,6 @@
require('../config.php'); require('../config.php');
require_login(); require_login();
require_sesskey();
$usercontext = context_user::instance($USER->id); $usercontext = context_user::instance($USER->id);
...@@ -57,7 +56,9 @@ if ( !is_siteadmin($USER->id) ...@@ -57,7 +56,9 @@ if ( !is_siteadmin($USER->id)
$resetconfirmation = $wsrenderer->user_reset_token_confirmation($token); $resetconfirmation = $wsrenderer->user_reset_token_confirmation($token);
} else { } else {
// Delete the token that need to be regenerated. // Delete the token that need to be regenerated.
require_sesskey();
$webservice->delete_user_ws_token($tokenid); $webservice->delete_user_ws_token($tokenid);
redirect($PAGE->url, get_string('resettokencomplete', 'core_webservice'));
} }
} }
...@@ -92,7 +93,9 @@ if (!empty($CFG->enablerssfeeds)) { ...@@ -92,7 +93,9 @@ if (!empty($CFG->enablerssfeeds)) {
if (!$confirm) { if (!$confirm) {
$resetconfirmation = $rssrenderer->user_reset_rss_token_confirmation(); $resetconfirmation = $rssrenderer->user_reset_rss_token_confirmation();
} else { } else {
require_sesskey();
rss_delete_token($USER->id); rss_delete_token($USER->id);
redirect($PAGE->url, get_string('resettokencomplete', 'core_webservice'));
} }
} }
if (empty($resetconfirmation)) { if (empty($resetconfirmation)) {
......
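Review bot: `require_sesskey()` is now called only in the confirmed branches, immediately before `delete_user_ws_token` and `rss_delete_token`, which is the right place for it: the sesskey accompanies the state-changing request instead of every visit to the page. The new `redirect($PAGE->url, ...)` after each deletion is safe only if `$PAGE->url` was set without the `action`/`tokenid`/`confirm` parameters; otherwise the post-redirect GET re-enters the same branch and, lacking a sesskey, fails with an exception instead of showing the completion message. The `set_url` call is outside these hunks, so this is worth confirming. A short comment above each check would record the intent for later readers: `// State change: the sesskey must accompany the confirmed request, not the page visit.`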
...@@ -117,7 +117,6 @@ class token_table extends \table_sql { ...@@ -117,7 +117,6 @@ class token_table extends \table_sql {
$tokenpageurl = new \moodle_url( $tokenpageurl = new \moodle_url(
"/admin/webservice/tokens.php", "/admin/webservice/tokens.php",
[ [
"sesskey" => sesskey(),
"action" => "delete", "action" => "delete",
"tokenid" => $data->id "tokenid" => $data->id
] ]
......
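Review bot: Removing `"sesskey" => sesskey()` from the delete link built in `token_table` means the `delete` action on tokens.php must perform the deletion only after a sesskey-carrying confirmation submission, not on the GET this link produces; tokens.php is not part of this view, so that should be confirmed before merge. If it already renders a confirmation through `single_button`, the link is fine as written. The enclosing method starts and ends outside the hunk.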
...@@ -263,15 +263,10 @@ class core_webservice_renderer extends plugin_renderer_base { ...@@ -263,15 +263,10 @@ class core_webservice_renderer extends plugin_renderer_base {
* @return string html * @return string html
*/ */
public function user_reset_token_confirmation($token) { public function user_reset_token_confirmation($token) {
global $CFG; $managetokenurl = '/user/managetoken.php';
$managetokenurl = $CFG->wwwroot . "/user/managetoken.php?sesskey=" . sesskey(); $optionsyes = ['tokenid' => $token->id, 'action' => 'resetwstoken', 'confirm' => 1];
$optionsyes = array('tokenid' => $token->id, 'action' => 'resetwstoken', 'confirm' => 1, $formcontinue = new single_button(new moodle_url($managetokenurl, $optionsyes), get_string('reset'));
'sesskey' => sesskey()); $formcancel = new single_button(new moodle_url($managetokenurl), get_string('cancel'), 'get');
$optionsno = array('section' => 'webservicetokens', 'sesskey' => sesskey());
$formcontinue = new single_button(new moodle_url($managetokenurl, $optionsyes),
get_string('reset'));
$formcancel = new single_button(new moodle_url($managetokenurl, $optionsno),
get_string('cancel'), 'get');
$html = $this->output->confirm(get_string('resettokenconfirm', 'webservice', $html = $this->output->confirm(get_string('resettokenconfirm', 'webservice',
(object) array('user' => $token->firstname . " " . (object) array('user' => $token->firstname . " " .
$token->lastname, 'service' => $token->name)), $token->lastname, 'service' => $token->name)),
...@@ -318,9 +313,10 @@ class core_webservice_renderer extends plugin_renderer_base { ...@@ -318,9 +313,10 @@ class core_webservice_renderer extends plugin_renderer_base {
foreach ($tokens as $token) { foreach ($tokens as $token) {
if ($token->creatorid == $userid) { if ($token->creatorid == $userid) {
$reset = "<a href=\"" . $CFG->wwwroot . "/user/managetoken.php?sesskey=" $reset = html_writer::link(new moodle_url('/user/managetoken.php', [
. sesskey() . "&amp;action=resetwstoken&amp;tokenid=" . $token->id . "\">"; 'action' => 'resetwstoken',
$reset .= get_string('reset') . "</a>"; 'tokenid' => $token->id,
]), get_string('reset'));
$creator = $token->firstname . " " . $token->lastname; $creator = $token->firstname . " " . $token->lastname;
} else { } else {
//retrieve administrator name //retrieve administrator name
...@@ -347,7 +343,7 @@ class core_webservice_renderer extends plugin_renderer_base { ...@@ -347,7 +343,7 @@ class core_webservice_renderer extends plugin_renderer_base {
if ($documentation) { if ($documentation) {
$doclink = new moodle_url('/webservice/wsdoc.php', $doclink = new moodle_url('/webservice/wsdoc.php',
array('id' => $token->id, 'sesskey' => sesskey())); array('id' => $token->id));
$row[] = html_writer::tag('a', get_string('doc', 'webservice'), $row[] = html_writer::tag('a', get_string('doc', 'webservice'),
array('href' => $doclink)); array('href' => $doclink));
} }
......
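Review bot: The rewritten wsdoc link in the third hunk keeps long-form `array('id' => $token->id)` while every other rewritten line in this commit switches to short array syntax; `['id' => $token->id]` keeps the method consistent with the two hunks above it, which already use `[...]`. In the first hunk the cancel button also drops `'section' => 'webservicetokens'` alongside the sesskey, which goes beyond the stated scope if managetoken.php reads that parameter. The enclosing methods start and end outside their hunks.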
...@@ -27,7 +27,6 @@ require_once('../config.php'); ...@@ -27,7 +27,6 @@ require_once('../config.php');
require($CFG->dirroot . '/webservice/lib.php'); require($CFG->dirroot . '/webservice/lib.php');
require_login(); require_login();
require_sesskey();
$usercontext = context_user::instance($USER->id); $usercontext = context_user::instance($USER->id);
$tokenid = required_param('id', PARAM_INT); $tokenid = required_param('id', PARAM_INT);
...@@ -43,9 +42,7 @@ $PAGE->set_pagelayout('standard'); ...@@ -43,9 +42,7 @@ $PAGE->set_pagelayout('standard');
$PAGE->navbar->ignore_active(true); $PAGE->navbar->ignore_active(true);
$PAGE->navbar->add(get_string('preferences'), new moodle_url('/user/preferences.php')); $PAGE->navbar->add(get_string('preferences'), new moodle_url('/user/preferences.php'));
$PAGE->navbar->add(get_string('useraccount')); $PAGE->navbar->add(get_string('useraccount'));
$PAGE->navbar->add(get_string('securitykeys', 'webservice'), $PAGE->navbar->add(get_string('securitykeys', 'webservice'), new moodle_url('/user/managetoken.php'));
new moodle_url('/user/managetoken.php',
array('id' => $tokenid, 'sesskey' => sesskey())));
$PAGE->navbar->add(get_string('wsdocumentation', 'webservice')); $PAGE->navbar->add(get_string('wsdocumentation', 'webservice'));
// check web service are enabled // check web service are enabled
......
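Review bot: With `require_sesskey()` gone from wsdoc.php the page is reachable from a plain link, which is appropriate for a read-only documentation view, but `$tokenid = required_param('id', PARAM_INT)` is then the only gate visible here; the check that the token belongs to `$USER` (or that the viewer is otherwise entitled to see it) must live further down the file, outside the hunk, and should be confirmed rather than assumed. The navbar change to a bare `/user/managetoken.php` is consistent with the other sections, since the list page no longer takes `id` or a sesskey.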