** Changed in: mahara/21.04
       Status: In Progress => Fix Committed

https://bugs.launchpad.net/bugs/1930469

Title:
  Need to kill web service authentication session at end of process

Status in Mahara:
  Fix Released
Status in Mahara 20.04 series:
  Fix Committed
Status in Mahara 20.10 series:
  In Progress
Status in Mahara 21.04 series:
  Fix Committed

Bug description:
  Currently when a token-based webservice is called it authenticates
  the owner of the token on the Mahara end so that any functions called
  by the service can only be executed if the authenticated token owner
  can run those functions.

  One of the problems with the current setup is we don't then kill the
  session of this token owner when the webservice call is completed.

  This means if one hits a site with a crafted URL containing a valid
  token but no webservice function they will get an error message page,
  but if they then go to the home page of the site they will find they
  are logged in as the token owner.

  In the webservice_base_server class there is the run() method that
  goes through the steps to do a webservice call and the last part is
  calling $this->session_cleanup();

  And in that method is nothing to actually handle the logging out of
  that session.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1930469/+subscriptions
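
A minimal model of the behaviour the report asks for, added here as an illustration and not Mahara's code or its actual fix: the token owner's session is torn down in a `finally` step, so the "valid token, no function" error path also ends logged out. The class name, token table and request keys are hypothetical; only `run()` and `session_cleanup()` take their names from the report.

```php
<?php
// Added illustration, not Mahara code. Token table and request keys are hypothetical.
const TOKENS = ['constructed-token-abc' => 42];   // token => owner user id (constructed)

final class TokenWebserviceServer
{
    public function run(array $request): string
    {
        session_start();
        try {
            $owner = TOKENS[$request['wstoken'] ?? ''] ?? null;
            if ($owner === null) {
                return 'error: invalid token';
            }
            // The token owner is authenticated for the duration of this call only.
            $_SESSION['user_id'] = $owner;
            $function = $request['wsfunction'] ?? '';
            if ($function === '') {
                // The path from the report: valid token, no webservice function.
                return 'error: no webservice function given';
            }
            return "ok: ran {$function} as user {$owner}";
        } finally {
            // Runs on success, on an error return and on an exception alike.
            $this->session_cleanup();
        }
    }

    private function session_cleanup(): void
    {
        $_SESSION = [];                            // drop the authenticated identity
        if (session_status() === PHP_SESSION_ACTIVE) {
            if (!headers_sent()) {                 // expire the client's session cookie
                $p = session_get_cookie_params();
                setcookie(session_name(), '', time() - 3600,
                    $p['path'], $p['domain'], $p['secure'], $p['httponly']);
            }
            session_destroy();                     // delete the server-side session data
        }
    }
}

$server = new TokenWebserviceServer();
$reply  = $server->run(['wstoken' => 'constructed-token-abc']);   // no wsfunction supplied
$after  = isset($_SESSION['user_id']) ? 'still logged in' : 'no session identity';
echo $reply, PHP_EOL, $after, PHP_EOL;
```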

