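--- a/conf/webwork2.mojolicious.dist.yml
+++ b/conf/webwork2.mojolicious.dist.yml
@@ -241,8 +241,21 @@ hardcopy:
 preserve_temp_files: 0
 
 # Set this to 1 to allow the html2xml and render_rpc endpoints to disable
-# cookies and thus skip two factor authentication. This should never be enabled
-# for a typical webwork server. This should only be enabled if you want to
-# allow serving content via these endpoints to links in external websites with
-# usernames and passwords embedded in them such as for PreTeXt textbooks.
+# cookies and thus skip two factor authentication for all courses. To disable
+# cookies for a single course, set this to a hash whose keys are the course
+# IDs with a value of 1. Further to only disable cookies for specific users
+# in a course, set the course ID to a hash whose keys are user IDs with a
+# value of 1. For example:
+# allow_unsecured_rpc:
+# # Disable cookies for full PreTeXt course.
+# PreTeXt: 1
+# # Disable cookies for specific users in a course.
+# courseID:
+# user1ID: 1
+# user2ID: 1
+#
+# This should never be enabled for a typical webwork server. This should only be
+# enabled if you want to allow serving content via these endpoints to links in
+# external websites with usernames and passwords embedded in them such as for
+# PreTeXt textbooks.
 allow_unsecured_rpc: 0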
24 changes: 22 additions & 2 deletions lib/WeBWorK/ContentGenerator/RenderViaRPC.pm
Expand Up @@ -21,14 +21,34 @@ use WebworkWebservice;

sub initializeRoute ($c, $routeCaptures) {
$c->{rpc} = 1;
my $allow_unsecured_rpc = $c->config('allow_unsecured_rpc');
my $disable_cookies = 0;

if ($allow_unsecured_rpc) {
if (ref($allow_unsecured_rpc) eq 'HASH') {
my $courseID = $c->param('courseID');
if ($courseID && $allow_unsecured_rpc->{$courseID}) {
if (ref($allow_unsecured_rpc->{$courseID}) eq 'HASH') {
my $userID = $c->param('user');
if ($userID && $allow_unsecured_rpc->{$courseID}{$userID}) {
$disable_cookies = 1;
}
} else {
$disable_cookies = 1;
}
}
} else {
$disable_cookies = 1;
}
}

$c->stash(disable_cookies => 1)
if $c->current_route eq 'render_rpc' && $c->param('disableCookies') && $c->config('allow_unsecured_rpc');
if $c->current_route eq 'render_rpc' && $c->param('disableCookies') && $disable_cookies;

# This provides compatibility for legacy html2xml parameters.
# This should be deleted when the html2xml endpoint is removed.
if ($c->current_route eq 'html2xml') {
$c->stash(disable_cookies => 1) if $c->config('allow_unsecured_rpc');
$c->stash(disable_cookies => 1) if $disable_cookies;
for ([ 'userID', 'user' ], [ 'course_password', 'passwd' ], [ 'session_key', 'key' ]) {
$c->param($_->[1], $c->param($_->[0])) if defined $c->param($_->[0]) && !defined $c->param($_->[1]);
}