Web services

+1 for making it as RESTful as possible.

You might be able to get around the problem you mention with judicious use of mod_rewrite, although that would pose problems for those using IIS and those who can't easily use .htaccess for whatever reason.

I'm looking forward to seeing this!

I've been doing a lot of thinking/reading and I'm coming around to the conclusion that I didn't think I would - SOAP.

Why?
* REST cannot really be implemented properly in PHP without getting involved in mod-rewrite which is not an option.
* XML-RPC is simple but perhaps too simple.
* SOAP understands character encoding properly - I'm not sure if this is a big issue, but it might be.
* SOAP understands WSDL
* The php libraries (eg, NuSOAP) are not really any harder to use for SOAP or XML-RPC for a client writer. I think *either* are probably easier to use/document than REST.

My other investigation is that of effective security for web services. The choice seems to be to use HTTP authentication or to pass the username/password with the request. Neither are amazingly elegant, the latter is probably easier to code and support and both would allow the use of SSL if required. However, any thoughts or better ways to do this most appreciated. We probably need to look at 'trusted' connections with key pairs too as an addition or alternative to username/password authentication.

Sorry for not engaging here earlier, I missed the discussion being started.

This is an important issue, one I want to see implemented really well from the outset.

Shouldn't it be possible to abstract the protocol entirely and support everything?

I am imagining a core script that simply accepts and publishes data via a set of class-based plugins that implement each protocol (SOAP, XML-RPC etc). The core script also handles authentication and security.

One bit of data accepted would be a variable called "module" (eg "mod/forum" or "moodle" for core services) that directs where this core script can find a web service function (in lib.php for example) to accept the entire dataset and deal with it according the data present, returning a response to the core script and thus to the calling party.

1. Request comes to core scripts from caller
   
2. Core script analyses input, detects protocol
   
3. Core script passes input to appropriate protocol plugin to extract data
   
4. Core script performs appropriate authentications/security
   
5. Core script passes data to appropriate Moodle module to process
   
6. Moodle module passes back output
   
7. Core script uses protocol plugin to format data and then sends it back to the caller.
   

I think this model would eventually allow WSRP and things like that should people want them, without too much reimplementation.

Okay. We're joining the fray.

We are adding some web services interfaces to Moodle so that an external SIS can access Moodle data.

Specifically,
1) Manage user data - send and retrieve the information,
2) Manage course enrolments - add/remove teachers and students,
3) Course management - create new courses based on templates,
4) Gradebook info - extract grades information from Moodle.

I haven't made a firm decision as to SOAP or XML-RPC. It seems to me that the consensus has been to use XML-RPC rather than SOAP. I don't think XML-RPC is needed for its real purpose (to run remote applications - we won't be), but if it makes sense to use from a complexity standpoint, then maybe we should. What do you think?

mike

IMHO opinion REST is the way to go. It's simple and works with existing Web infrastructure.

Based on your email to me privately you've seen my post last year: http://moodle.org/mod/forum/discuss.php?d=33521

It is nice to have a pretty URL but it's certainly not a requirement of a REST based service. It's just important that every resource have a unique URL and to use the proper HTTP verbs.

I'd be happy to start working on the REST-based services again if anyone is interested. I'm certainly willing to work within any common services infrastructure that is developed based on Martin's comments in this thread. Other clients are easy enough to develop as well to make integration/mashup work go quicker.

Regards,
Mark

Hi guys,

I'm working with Mike on the project he mentioned already.  I've been working out an authentication scheme for starting up a web services session and soliciting some feedback on the matter seems like a good idea now.

I'm basing my code around using the NuSOAP library included with 1.5.3+ but it should be easily extended to the new web services interfaces in the latest versions.

So I have a DB table that stores a client's IP address, session key, session times (start and end) and a flag for client validation purposes.

All communication back-and-forth between the client and server is based around a communications object that stores an action code, the client's session key, time, and a data parameter that holds the payload (which can be anything).  The only method exposed to the client is a dispatch function which calls other functions based on what the action code of the comm object is.  The dispatch also verifies authentication before calling another function.

For a client to connect, and be authenticated the protocol as follows:

1. Client creates a new comm object, with an INIT action, time, and empty key and data params.

2. Server verifies that the client's IP does not exist as a validated, current session in the database.  If this is a new session, it will generate a session key (it's an md5sum) for the client, store that with the client IP and current time in the DB, and flag the client as unvalidated.  An INIT comm object is sent back to the client with their session key as the data payload.

3. The client sends a comm object with a LOGIN action, their session key, and an array containing their Moodle username and password to the server.  The server verifies their session key against the database and passes the username and password to the standard Moodle authenticate_user_login() function.  If it's good a response object is sent back to the client, otherwise an object is sent back with a ERROR action code specifying that the username and/or password was wrong.  If the login succeeds, the database is updated so the client is flagged as authenticated and their Moodle user ID is attached to the DB record.

4.  Sessions have a timeout value (defined to something like 30 minutes).  If a client is in the middle of a session and sends a request past the timeout value, they will have to re-enter their username / password to continue their session.  This prevents old sessions from hanging around.

5. Data goes back and forth.

6. The client sends a LOGOUT comm object which sets their DB object back to a non-verified state and a further CLOSE comm object ends the session altogether.

Issues:
 - I don't really like the idea of sending the username / password in the clear like that but I guess if a site wasn't forcing the usage of SSL then that's how it would be through the HTML form on the login page anyway.

 - Associating the client IP with a particular session means that anyone behind any kind of NAT router could potentially hijack another user's session.  I think I've got that problem solved because the initial client connect and INIT won't start a new session if there is a current session attached to the IP, it will just return an error message to the client attempting to connect.  And to 'hijack' someone's session you'd have to be eavesdropping on the traffic from the other system to get their session key and hope they haven't logged out yet.

So that's what I've got so far.  Any comments?  Criticisms?

Again, I'm doing this in a generalised way so it could work on multiple protocols and providing access to areas of Moodle would mean just adding a new action code and providing the proper methods to the dispatch caller.

i'd like to share with you our experience in developing a webservice interface for moodle. our code concentrates on functionality for the quiz module, but it's of course not limited to that.

we're using xml-rpc, because it's simpler, and because we knew it better than soap when we started to develop this interface. we're using pear xml-rpc for the server. on the client side, currently, flash is used to create a cross-browser comaptible user interface for the published functionality.

you can take a look at the (slightly outdated) documentation for our interface.

behind the scenes, in the code that really interacts with moodle, there's quite a bit of custom code. this is because

• the standard moodle code often outputs html when an error is encountered, which interferes with the xml-rpc response
• we are doing some custom things for which there was no existing moodle code

ideally, the standard moodle code could be refactored to prevent it spitting out html at non-opportune locations.

as far as character encoding goes, it works well with out setup. everything is transmitted in utf8. the data is re-encoded as necessary at the entry/exit points.


my experiences with soap vs. xml-rpc in php:
they are both easy to create clients for. hooking up the server code to underlying functions is also easy enough in both of them. what's difficult in soap is the wsdl, which is used to let the client know what methods are available, what parameters of what type the methods accept, and what the methods return. it's not easy to generate wsdl from php code, because php code is not strongly typed. it's also not easy to write a wsdl document by hand. there are some tools that help in generating wsdl from php, such as this one, which work more often than not - but i haven't found anything yet that works without a hitch. in fact, wsdl is not required - but when it exists, it makes the client side code much easier (see here for example code with/without wsdl). i've found xml-rpc easier to use and to debug, and would personally only choose to use soap if there was a real need for it.

Hi!

Just wanted to state I really appreciate the idea of moodle webservices to be exposed to other systems! That would rather be the solution to my actual problems
Making as much of moodles functionality reachable via a webservice as possible, will significantly increase the overall value! I just think of the benefits of an automated user management and course enrolment via WS out of SAP!

Keep up the work and let us know of your efforts!

greetz, Andreas

Ok ... here is some more concrete stuff.

The idea is to have a single (sort of) dispatcher, so all calls to the web service would go to a single URL, for example:

http://moodle.org/ws/xmlrpc.php

My thinking here is that if we wanted to implement SOAP, only the basic dispatcher needs to change and thus the URL would become (say):

http://moodle.org/ws/soap.php

Of course, for economy, the dispatchers will descend from a common class that will provide all the common functionality.

The single point dispatcher will, I feel, make ongoing changes much easier. For example if we decide to add some sort of key-pair trust relationships it would be localised to the dispatcher(s)

The dispatcher will take a number of parameters for authentication, identification of the operation to perform and the actual data. Viz...

• Username
• Password
• Path to resource - e.g., blocks/online_users
• Operation - e.g., 'list'
• data required by function

The path to resource would be the actual path to the place that will deal with the data (general admin functions could be 'admin' or 'moodle' perhaps). This would expect to find a suitable method within the lib.php file. If this does not exist, an error is returned.The Operation describes the particular function for that moodle block/module. So the above example returns a list of online users (it wouldn't need any data).

Some more random thoughts:

• Could have a 'help' operation that returns the instructions for the specified service
• It would be nice to have some simple/elegant way to 'register' web service functions so that a complete list can be returned. Can't quite see how to do this at the moment though...
• I would have an administration setting to (as a default) force all web services to be read-only unless the admin decides otherwise.

Thoughts?

Hi All,

Does anyone have any detail on the current status of the ws development?
I notice there is now a wiki page with an outline of the intended functionality.

I need access to moodle from .NET (to create MS SharePoint Portal Server WebParts for moodle administration)

So far i have used either the .NET MySql DataAdapter, for simple read-only db queries; or copying chunks of existing moodle code into custom PHP scripts which accept relevant GET/POST data from the calling .NET WebPart.

Main features I need so far are:
    Get user's courses
    Get user's assignments
    Create course with enroled students

Is there any CVS/preview/alpha code that would be suitable for these tasks yet, or would i be better off waiting and carrying on using my hacked scripts in the mean time?

Any advice gratefully accepted