Web services, user tokens and user rights

by Björn Fisseler

Hi,

I successfully set up a web service and use functions like "mod_forum_get_forum_discussions". But now I wonder if (and how) the Moodle roles and rights fit into this. Let me explain:

  • I set up a demo course, with two (separate) groups (A and B) with two members each (A1, A2, B1, B2).
  • The course contains a forum, which is in separate group mode. That means group A cannot see what group B discusses and vice versa. When I log in to the frontend as user A1, this works pretty much as intended.
  • To retrieve the forum via the web service, I do the following:
    • Get the user token for user A1: token.php?username=A1&password=abcd&service=testservice
    • Then I call mod_forum_get_forum_discussions:
      mymoodleserver.com/webservice/rest/server.php?wstoken=tokenA1&wsfunction=mod_forum_get_forum_discussions&forumids[0]=65
  • I then get a list that contains info on all discussions, including those of group B.

Is this a security flaw, did I misconfigure anything, or is it a misunderstanding? I would expect the webservice to send only the discussions the user has access to, e.g. excluding the discussions of group B. Any hints?

Regards

In reply to Björn Fisseler

Re: Web services, user tokens and user rights

by Vijay N

Hi Bjorn,


I was wondering if you can explain how you set up the web service and how the code looks. This will give us an idea of how it is functioning.


Thanks

Vijay

In reply to Vijay N

Re: Web services, user tokens and user rights

by Björn Fisseler

Hi Vijay,

actually I'm in the testing phase and use "Postman" (a Chrome app) for testing the webservice via REST. So there isn't much code.

For the webservice, I set up a new user, a new role, a new webservice, and I added several functions, and yes, all the rights are set appropriately.

Then I do the following (via Postman):

  • retrieve the user token for user A1
  • mod_forum_get_forum_discussions:
    mymoodleserver.com/webservice/rest/server.php?wstoken=tokenA1&wsfunction=mod_forum_get_forum_discussions&forumids[0]=65

The problem is, as I tried to explain in my first post, that this call of the webservice sends back a list with all discussions in the forum with id=65. When user A1 logs in via the regular web front-end, he only sees the postings of his group.

The webservice function "mod_forum_get_forum_discussions" seems to ignore the group settings when called with a user token. Or do you have any other ideas?
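A way to verify the behaviour described in this thread, as an added example that is not code from the original posts: build the two requests from the post, parse the JSON response, and flag any discussion whose group the token's user is not a member of. Assumed here: the /login/token.php path, the moodlewsrestformat=json parameter, a groupid field on each returned discussion (with -1 meaning "all participants"), and constructed sample data in place of a live server.

```python
import json
import urllib.parse
import urllib.request

# Host is a placeholder taken from the thread; paths and function name as used in the posts.
BASE_URL = "https://mymoodleserver.com"
TOKEN_PATH = "/login/token.php"            # assumed location of the "token.php" endpoint
REST_PATH = "/webservice/rest/server.php"
WS_FUNCTION = "mod_forum_get_forum_discussions"


def token_url(base, username, password, service):
    """Token request with the same three parameters the post uses."""
    query = urllib.parse.urlencode({"username": username, "password": password, "service": service})
    return f"{base}{TOKEN_PATH}?{query}"


def discussions_url(base, token, forumid):
    """REST call from the post; moodlewsrestformat=json (assumed) makes the reply parseable."""
    query = urllib.parse.urlencode({
        "wstoken": token,
        "wsfunction": WS_FUNCTION,
        "moodlewsrestformat": "json",
        "forumids[0]": forumid,
    })
    return f"{base}{REST_PATH}?{query}"


def leaked_discussions(response, allowed_groupids):
    """Discussions the caller should not see: groupid not in the user's groups and not -1.
    A non-empty result means separate-groups mode was not enforced for this token."""
    if "exception" in response:  # Moodle returns an error object instead of data
        raise RuntimeError(response.get("message", response["exception"]))
    allowed = set(allowed_groupids) | {-1}  # -1 assumed to mean "all participants"
    return [d for d in response.get("discussions", []) if d.get("groupid") not in allowed]


def check_user(base, token, forumid, allowed_groupids):
    """Live version of the check: call the service as one user and return leaked discussions."""
    with urllib.request.urlopen(discussions_url(base, token, forumid), timeout=30) as resp:
        return leaked_discussions(json.load(resp), allowed_groupids)


# Constructed sample of what the post describes: A1's token also returns group B's discussion.
SAMPLE_RESPONSE_A1 = {
    "discussions": [
        {"id": 101, "name": "Group A kickoff", "groupid": 11},
        {"id": 102, "name": "Group B kickoff", "groupid": 12},
        {"id": 103, "name": "Announcement for everyone", "groupid": -1},
    ]
}
```

Run `check_user` once per test user (A1 with its group id, B1 with its group id) against forum 65; the test below shows the offline check on the constructed sample.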