Managing tokens with multiple site administrators

by Charles Fulton -
Number of replies: 1

We have an environment with multiple Moodle instances, each of which has multiple site administrators. We use web services to provide some limited data sharing between them. One use case is a block in Moodle instance A which displays a user's courses from Moodle instance B. This capability is provided via an external service with a dedicated user and token.

This is all working fine. What we've noticed, however, is that in Site Administration > Plugins > Web services > Manage tokens you only see the tokens you've created. Given an instance with two or more site administrators there's a possibility of overlapping tokens which you're not even aware of unless you dump the contents of {external_tokens}.

Is there some way to work around this, or perhaps this is an area for an enhancement? It seems to me that a site administrator ought to be able to see all the active tokens on the instance.

In reply to Charles Fulton

Re: Managing tokens with multiple site administrators

by Ray Hernandez -

I totally agree with this. I don't understand why an admin can only see the tokens they've created. In lib/adminlib.php there is a DB query to pull the tokens for this page:

$sql = "SELECT t.id, t.token, u.id AS userid, u.firstname, u.lastname, s.name, t.iprestriction, t.validuntil, s.id AS serviceid
FROM {external_tokens} t, {user} u, {external_services} s
WHERE t.creatorid=? AND t.tokentype = ? AND s.id = t.externalserviceid AND t.userid = u.id";
$tokens = $DB->get_records_sql($sql, array($USER->id, EXTERNAL_TOKEN_PERMANENT));

You can change it:

$sql = "SELECT t.id, t.token, u.id AS userid, u.firstname, u.lastname, s.name, t.iprestriction, t.validuntil, s.id AS serviceid
FROM {external_tokens} t, {user} u, {external_services} s
WHERE t.tokentype = ? AND s.id = t.externalserviceid AND t.userid = u.id";
$tokens = $DB->get_records_sql($sql, array(EXTERNAL_TOKEN_PERMANENT));

This will allow an admin to see all the web tokens. Not sure why it isn't like this by default.
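
The audit discussed in this thread, as an added example that is not part of either post and not Moodle's own code: the same join without the creatorid filter, run read-only, with each token masked and any user/service pair holding more than one permanent token flagged together with the administrators who created them. Assumptions: the default `mdl_` table prefix, the value 0 for EXTERNAL_TOKEN_PERMANENT, an in-memory SQLite database with constructed rows standing in for the Moodle database, and the hypothetical function names `build_sample_db` and `audit_tokens`.

```python
import sqlite3

EXTERNAL_TOKEN_PERMANENT = 0  # assumed value of Moodle's constant

# Same join as the Manage tokens page, minus the creatorid filter.
AUDIT_SQL = """
SELECT t.id, t.token, t.userid, u.firstname, u.lastname, t.creatorid,
       c.firstname AS creator, s.name AS service, t.iprestriction, t.validuntil
FROM mdl_external_tokens t
JOIN mdl_user u ON u.id = t.userid
JOIN mdl_user c ON c.id = t.creatorid
JOIN mdl_external_services s ON s.id = t.externalserviceid
WHERE t.tokentype = ?
ORDER BY t.externalserviceid, t.userid, t.id
"""

def build_sample_db():
    """Constructed rows standing in for a Moodle database (not real data)."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript("""
    CREATE TABLE mdl_user (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT);
    CREATE TABLE mdl_external_services (id INTEGER PRIMARY KEY, name TEXT);
    CREATE TABLE mdl_external_tokens (id INTEGER PRIMARY KEY, token TEXT,
        tokentype INTEGER, userid INTEGER, externalserviceid INTEGER,
        creatorid INTEGER, iprestriction TEXT, validuntil INTEGER);
    INSERT INTO mdl_user VALUES (2,'Alice','Admin'),(3,'Bob','Admin'),(10,'WS','User');
    INSERT INTO mdl_external_services VALUES (1,'Course sharing');
    INSERT INTO mdl_external_tokens VALUES
      (1,'aaaa1111bbbb2222',0,10,1,2,NULL,0),
      (2,'cccc3333dddd4444',0,10,1,3,NULL,0),
      (3,'eeee5555ffff6666',1,10,1,2,NULL,0);
    """)
    return db

def audit_tokens(db):
    """Return (rows, overlaps); overlaps maps (service, userid) -> creator ids."""
    rows, seen = [], {}
    for r in db.execute(AUDIT_SQL, (EXTERNAL_TOKEN_PERMANENT,)):
        row = dict(r)
        row["token"] = row["token"][:4] + "..."  # keep the full secret out of reports
        rows.append(row)
        seen.setdefault((row["service"], row["userid"]), []).append(row["creatorid"])
    overlaps = {k: v for k, v in seen.items() if len(v) > 1}
    return rows, overlaps

if __name__ == "__main__":
    print(audit_tokens(build_sample_db()))
```
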