mahara-contributors team mailing list archive

Thread
Date

[Bug 1947528] A change has been merged

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Mahara Bot <1947528@xxxxxxxxxxxxxxxxxx>
Date: Wed, 27 Jul 2022 21:10:07 -0000
Reply-to: Bug 1947528 <1947528@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Reviewed:  https://reviews.mahara.org/c/mahara/+/12366
Committed: https://git.mahara.org/mahara/mahara/commit/cd5f7451e8fc38f482ac0a1f8e979294ec21f3f7
Submitter: "Robert Lyon <robertl@xxxxxxxxxxxxxxx>"
Branch:    main

commit cd5f7451e8fc38f482ac0a1f8e979294ec21f3f7
Author: Dianne Tennent <dianne.tennent@xxxxxxxxxxxxxxx>
Date:   Thu Jan 20 17:46:05 2022 +1300

Bug 1947528: Prevent deleting external apps when in use

Enter unique value in instancename field in auth_instance table that
matches the application_title in oauth_server_registry table so
that institutions can differentiate between different external
webservice apps that are being used for authentication.
This allows us to prevent deleting an external webservices app if
it is still being used by someone as their authentication method.

Update Behat test steps for adding auth method to institution
settings.

Change-Id: Id91fd8e0b5c97bd1abc28b3e425fcf5dadb7032a

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1947528

Title:
  You can delete external apps even when some people are using it as
  auth method

Status in Mahara:
  Fix Committed

Bug description:
  When you set up an external app, e.g. LTI or LTI Advantage, you can
  delete it from Admin menu -> Web services -> External apps even when
  some people are still associated with it as authentication method,
  essentially rendering their accounts unusable. Normally, when an
  authentication method is still in use, you cannot remove it for an
  institution.

  There are a few things that would require clean-up and improvement:

  1. Bug #1947533 should be fixed first.

  2. If a person still uses that authentication method then the external
  app should not display a 'Delete' button for that external app so that
  it can't be deleted accidentally.

  3. Actually tie an external app to a particular 'webservice'
  authentication. Right now, when you select 'webservice' as
  authentication method in an institution, you can't configure it, and
  it checks whether web services are available in the institution and
  then allow those in. It does not check though if, for example, it
  should be LTI or LTI Advantage with which an account is set up.

  Therefore, what should happen is the following:

  a) Site admin sets up an LTI external app for institution A and calls it 'LMS' and sets up a second one for LTI advantage called 'University'.
  b) Site admin selects 'webservices' (rename to 'External app) as auth method in the institution settings for institution A and sees a drop-down menu with all available external apps, in this case 'LMS' and 'University' and selects one of them. The display in the settings page reads 'External app: LMS' (or 'External app: University').
  c) When a student logs in via the LMS external app, their account is associated with that external authentication method.
  d) On the 'External apps' page, 'LMS' doesn't have a 'Delete' icon because an account is associated with it and uses that app to log in.

  We will need to think about how to deal with that in an upgrade
  because at the moment, an institution could have two LTI external apps
  configured and in the auth instance table there would be only one
  'webservices' option, not differentiating between the different apps.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1947528/+subscriptions

References

[Bug 1947528] [NEW] You can delete external apps even when some people are using it as auth method
From: Kristina Hoeppner, 2021-10-17