
mahara-contributors team mailing list archive

[Bug 1930469] A patch has been submitted for review

 

Patch for "20.10_STABLE" branch: https://reviews.mahara.org/12188

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1930469

Title:
  Need to kill web service authentication session at end of process

Status in Mahara:
  Fix Released
Status in Mahara 20.04 series:
  Fix Released
Status in Mahara 20.10 series:
  Fix Released
Status in Mahara 21.04 series:
  Fix Released

Bug description:
  Currently when a token-based webservice is called it authenticates
  the owner of the token on the Mahara end so that any functions called
  by the service can only be executed if the authenticated token owner
  can run those functions.

  One of the problems with the current setup is we don't then kill the
  session of this token owner when the webservice call is completed.

  This means if one hits a site with a crafted URL containing a valid
  token but no webservice function they will get an error message page,
  but if they then go to the home page of the site they will find they
  are logged in as the token owner.

  In the webservice_base_server class there is the run() method that
  goes through the steps to do a webservice call and the last part is
  calling $this->session_cleanup();

  And in that method is nothing to actually handle the logging out of
  that session.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1930469/+subscriptions
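
The session lifecycle problem described in the bug report, as an added example that is not Mahara's code and is not taken from the submitted patch. It is a simplified model in which the class names, the request keys wstoken and wsfunction, and the token value are all hypothetical; only run() and session_cleanup() echo names from the report.

```php
<?php
// Added illustration: a simplified model, not Mahara's code. All names are hypothetical.

final class Session {                 // stands in for the caller's cookie-bound session
    public ?string $user = null;
}

final class TokenServer {
    /** @param array<string,string> $tokens constructed sample data: token => owner */
    public function __construct(
        private Session $session,
        private array $tokens,
        private bool $logoutOnCleanup
    ) {}

    public function run(array $request): string {
        try {
            $owner = $this->tokens[$request['wstoken'] ?? ''] ?? null;
            if ($owner === null) {
                return 'error: invalid token';
            }
            // Authentication binds the token owner to the caller's session.
            $this->session->user = $owner;
            if (empty($request['wsfunction'])) {
                // The path from the bug report: valid token, no function named.
                return 'error: missing function';
            }
            return "ok: {$request['wsfunction']} ran as {$owner}";
        } finally {
            // Runs on success, on an error return and on an exception alike.
            $this->session_cleanup();
        }
    }

    private function session_cleanup(): void {
        if ($this->logoutOnCleanup) {
            // The identity must not outlive the web service call.
            $this->session->user = null;
        }
    }
}

$tokens = ['constructed-token' => 'token_owner'];   // constructed sample value
foreach ([false, true] as $fixed) {
    $session = new Session();
    $server  = new TokenServer($session, $tokens, $fixed);
    $result  = $server->run(['wstoken' => 'constructed-token']);   // no wsfunction
    printf("cleanup logs out: %-5s | %s | session user afterwards: %s\n",
        var_export($fixed, true), $result, $session->user ?? '(none)');
}
```

With cleanup that does not log out, the session still carries the token owner after the error response; with the logout in session_cleanup() it is empty on every exit path. A real application would also destroy the server-side session record rather than only clearing the user.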