I successfully set up a web service and use functions like "mod_forum_get_forum_discussions". But now I wonder if (and how) the Moodle roles and rights fit into this. But let me explain:
- I set up a demo course, with two (separate) groups (A and B) with two members each (A1, A2, B1, B2).
- The course contains a forum, which is in separate group mode. That means group A cannot see what group B discusses and vice versa. When I log in to the frontend as user A1, this works pretty much as intended.
- To retrieve the forum via the web service, I do the following:
  - Get the user token for user A1: token.php?username=A1&password=abcd&service=testservice
  - Then I call mod_forum_get_forum_discussions:
- I then get a list that contains information on all discussions, also those of group B.
Is this a security flaw, did I misconfigure anything or is it a misunderstanding? I would expect the web service to send only the discussions the user has access to, e.g. excluding the discussions of group B. Any hints?
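An added example, not part of the original post: a check that takes the JSON returned by mod_forum_get_forum_discussions for one user and lists every discussion that a separate-groups forum should have hidden from that user. The sample response, the group ids and the function name are constructed for illustration; it assumes each returned discussion carries a "groupid" field, that -1 means "all participants", and that users holding moodle/site:accessallgroups are exempt.

```python
import json

ALL_PARTICIPANTS = -1  # assumption: groupid -1 marks a discussion visible to every group

# Constructed sample response for user A1 (ids, names and group ids are made up).
SAMPLE_RESPONSE = json.dumps([
    {"id": 11, "name": "Group A planning", "groupid": 101},
    {"id": 12, "name": "Group B planning", "groupid": 102},
    {"id": 13, "name": "Course announcements", "groupid": -1},
    {"id": 14, "name": "Entry without group data"},
])


def out_of_group_discussions(response_text, user_group_ids, can_access_all_groups=False):
    """Return (discussion id, reason) pairs the user should not have received."""
    data = json.loads(response_text)
    # Moodle reports web service failures as a JSON object with an "exception" key.
    if isinstance(data, dict) and "exception" in data:
        raise RuntimeError("web service error: %s" % data.get("message", data["exception"]))
    if can_access_all_groups:
        return []  # such users legitimately see every group
    allowed = set(user_group_ids) | {ALL_PARTICIPANTS}
    findings = []
    for discussion in data:
        group_id = discussion.get("groupid")
        if group_id is None:
            # Without a group id the entry cannot be verified, so report it.
            findings.append((discussion.get("id"), "no groupid, cannot verify"))
        elif int(group_id) not in allowed:
            findings.append((discussion.get("id"), "belongs to group %s" % group_id))
    return findings


if __name__ == "__main__":
    # A1 is a member of group A only (constructed id 101).
    for discussion_id, reason in out_of_group_discussions(SAMPLE_RESPONSE, {101}):
        print("discussion %s: %s" % (discussion_id, reason))
```

An empty result for a student account in a separate-groups forum is the expected outcome; any entry in the list is worth checking against the account's role and capabilities.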