This document explains how we describe and where we store the web service functions in Moodle 2.0.

We store function descriptions in the component/db/services.php file. Web services functions will be located in externallib.php files - this file name is not mandatory, but is strongly recommended.

Descriptions will be parsed by a service discovery function that will fill the database (extend the current discovery functionalities looking parsing the DB folders).

Administration pages

Moodle administrators will be able to manage services. By default all services will be disabled.

List of administration functionalities:

  • enable a service (all the functions into this service will be available)
  • associate a web service user (the user has web service capability) to some services => a user can only call a service that he is associated with
  • create a custom service (add and remove functions from this service)
  • search easily function by component in order to create a custom service

Administrators will also be able to create a custom service, selecting any existing functions.

external_functions table

List of web service functions. This table maps the web service name to the actual implementation of that function.

Field Type Default Description
id int(10) auto-incrementing
name varchar(200) unique name of the external function used in web service protocols - a unique identifier for each function; ex.: core_get_users, mod_assignment_submit
classname varchar(100) name of the class that contains method implementation; ex.: core_user_external, mod_assignment_external
methodname varchar(100) static method; ex.: get_users, submit
classpath varchar(255) NULL optional path to file with class definition - recommended for core classes only, null means use component/externallib.php; this path is relative to dirroot; ex.: user/externallib.php
component varchar(100) Component where function defined, needed for automatic updates. Service description file is found in the db folder of this component.

Detailed function description is stored as a complex PHP array in db/services.php file.

external_services table

Service is defined as a group of web service functions. The main purpose of these services is to allow defining of granular access control for multiple external systems.

Field Type Default Description
id int(10) auto-incrementing
name varchar(150) Name of service (gradeexport_xml_export, mod_chat_export) - appears on the admin page
enabled int(1) 0 service enabled, for security reasons some services may be disabled- administrators may disable any service via the admin UI
requiredcapability varchar(255) NULL if capability name specified, user needs to have this permission in security context or in system context if context restriction not specified
restrictedusers int(1) 1 1 means on users explicitly listed in external_services_users may access this service, 0 means any user may use this service
component varchar(100) NULL Component where service defined - null means custom service defined in admin UI.

external_services_functions table

Lists all functions that are available in each service.

Field Type Default Description
id int(10) auto-incrementing
externalserviceid int(10) foreign key, reference
functionname varchar(200) name of external service, references; the string value here simplifies service discovery and maintenance

external_services_users table

Specifies services used by users.

Field Type Default Description
id int(10) auto-incrementing
externalserviceid int(10) foreign key, reference
userid int(10) foreign key, reference

PHP array description

We need to describe the services in detail, including input and output, so that we can:

  • help programmers quickly understand what they have to send and what to expect
  • validate all incoming data as automatically as possible for security/correctness
  • generate WSDL files for SOAP
  • generate documentation for other protocols

There are three main parts working together to do this:


In the db/services.php of each component, is a structure something like this to describe the web service functions, and optionally, any larger services built up of several functions.

$functions = array(

   'moodle_user_create_users' => array(
       'classname'   => 'moodle_user_external',
       'methodname'  => 'create_users',
       'classpath'   => 'user/externallib.php',


$services = array(

   'servicename' => array(
       'functions' => array ('functionname', 'secondfunctionname'),
       'requiredcapability' => 'some/capability:specified',
       'restrictedusers' = >1,
       'enabled'=>0, //used only when installing the services


The function name is arbitrary, but it must be globally unique so we highly recommend using the component name as prefix (and "moodle" for core functions).

The actual param description and description of returned values can be obtained from the same class by adding '_parameters' and '_returns' to the methodname value. We can not use object property default values for this because function and new instances of objects are not allowed there.

1. externallib.php

In the file referenced as the location for the web service function, there are also complete descriptions of the parameters required.

class moodle_user_external extends external_api {

   public static function create_users_parameters() {
       $userpreference = new object();
       $userpreference->name =  array(PARAM_ALPHANUMEXT, 'The name of the preference to set');
       $userpreference->value =  array(PARAM_RAW, 'The value of the preference');
       $usercustomfields = new object();
       $usercustomfields->name =  array(PARAM_ALPHANUMEXT, 'The name of the custom field (must exist)');
       $usercustomfields->value =  array(PARAM_RAW, 'The value of the custom field');
       $usertocreate = new object();
       $usertocreate->username    = array(PARAM_USERNAME, 'Username policy is defined in Moodle security config', REQUIRED);
       $usertocreate->password    = array(PARAM_RAW, 'Moodle passwords can consist of any character', REQUIRED);
       $usertocreate->firstname   = array(PARAM_NOTAGS, 'The first name(s) of the user', REQUIRED);
       $usertocreate->lastname    = array(PARAM_NOTAGS, 'The family name of the user', REQUIRED);
       $usertocreate->email       = array(PARAM_EMAIL, 'A valid and unique email address', REQUIRED);
       $usertocreate->auth        = array(PARAM_AUTH, 'Auth plugins include manual, ldap, imap, etc');
       $usertocreate->confirmed   = array(PARAM_NUMBER, 'Active user: 1 if confirmed, 0 otherwise');
       $usertocreate->idnumber    = array(PARAM_RAW, 'An arbitrary ID code number perhaps from the institution');
       $usertocreate->emailstop   = array(PARAM_NUMBER, 'Email is blocked: 1 is blocked and 0 otherwise');
       $usertocreate->lang        = array(PARAM_LANG, 'Language code such as "en_utf8", must exist on server');
       $usertocreate->theme       = array(PARAM_THEME, 'Theme name such as "standard", must exist on server');
       $usertocreate->timezone    = array(PARAM_ALPHANUMEXT, 'Timezone code such as Australia/Perth, or 99 for default');
       $usertocreate->mailformat  = array(PARAM_INTEGER, 'Mail format code is 0 for plain text, 1 for HTML etc');
       $usertocreate->description = array(PARAM_TEXT, 'User profile description, as HTML');
       $usertocreate->city        = array(PARAM_NOTAGS, 'Home city of the user');
       $usertocreate->country     = array(PARAM_ALPHA, 'Home country code of the user, such as AU or CZ');
       $usertocreate->preferences = array('multiple' => $userpreference);
       $usertocreate->custom      = array('multiple' -> $usercustomfields);
       $createusersparams = new object();
       $createusersparams->users  = array('multiple' => $usertocreate);
       return $createusersparams;
   public static function create_users_return() {
       $createusersreturn = new object();
       $createusersreturn->userids = array('multiple' => PARAM_NUMBER);
       return $createusersreturn;

   public static function create_users($params) {
       self::validate_params(self::create_users_parameters(), $params);
       foreach ($params->users as $user) {

Usage from PHP: // add one user to group $data = new object(); $data->userid = 1; $data->groupid = 2; moodle_group_external::add_member($data);

// add more group members $data = new object(); $data->membership = array(array('groupi'=>1,'userid'=>2), array('groupid'=>1,'userid'=>4), array('groupid'=>1,'userid'=>5)); moodle_group_external::add_members($data);

$data = new object(); $data->groupids = array(array('id'=>1), array('id'=>2), array('id'=>3)); $groups = moodle_group_external::get_groups($data);

$data = new object(); $oneuser = array('username'=>'test', 'firstname'=>'Test', 'lastname'=>'Tes', 'email'=>'', 'password'=>'lala'); $data->users = array($oneuser); $users = moodle_user_external::create_user($data);

Note the use of Moodle-oriented PARAM_XXXX constants to define the format of each field. These are used by the validation function to clean the data and throw an exception and abort the operation completely if the data changed during cleaning (ie it was unclean).

Potential problems: Petr Škoda (škoďák)

  • the structure of parameters submitted to PHP functions is a mixture of arrays and objects - I suppose this means arrays are used for bulk params only, objects and scalars for everything else, right?
  • parameter description relies on order (type, desc, required) - devs might switch the order accidentally, no potion can be skipped
  • 'multiple' marker may collide with value from PARAM_XXXX

2. externallib.php alternative

I was getting problems understanding the current function params description syntax, here is a different proposal. Petr Škoda (škoďák)

Expected use from PHP: moodle_group_external::add_member(1,2);

moodle_group_external::add_members(array(array('groupid'=>1,'userid'=>2), array('groupid'=>1,'userid'=>4), array('userid'=>5,'groupid'=>1)));

$groups = moodle_group_external::get_groups(array(10,20,30));

$oneuser = array('username'=>'test', 'firstname'=>'Test', 'lastname'=>'Tes', 'email'=>'', 'password'=>'lala', 'preferences'=>array(), 'custom'=>array()); $users = moodle_user_external::create_user(array($oneuser));

Description examples:

class moodle_group_external extends external_api {

   public static function add_member_parameters() {
       return array(
           'groupid' => (object)array('type'=>PARAM_INT, 'desc'=>'some group id'),
           'userid'  => (object)array('type'=>PARAM_INT, 'desc'=>'some user id'),
   public static function add_member($groupid, $userid) {
       $params = self::validate_prameters(self::add_member_parameters(), array('groupid'=>$groupid, 'userid'=>$userid));
       // actual implementation goes here
   public static function add_member_returns() {
       return null;

   public static function add_members_parameters() {
       return array(
           'membership' => array(array(
               'groupid' => (object)array('type'=>PARAM_INT, 'desc'=>'some group id'),
               'userid'  => (object)array('type'=>PARAM_INT, 'desc'=>'some user id'),
   public static function add_members(array $membership) {
       $params = self::validate_prameters(self::add_members_parameters(), array('membership'=>$membership));
       // actual implementation goes here
   public static function add_members_returns() {
       return null;

   public static function get_groups_parameters() {
       return array(
           'groupids' =>array((object)array('type'=>PARAM_INT, 'desc'=>'some group id')),
   public static function get_groups(array $groupids) {
       $params = self::validate_prameters(self::get_groups_parameters(), array('groupids'=>$groupids));
       // actual implementation goes here
   public static function get_groups_returns() {
       return array(
           'id'           => (object)array('type'=>PARAM_INT, 'desc'=>'some group id'),
           'name'         => (object)array('type'=>PARAM_TEXT, 'desc'=>'multilang compatible name, course unique'),
           'description'  => (object)array('type'=>PARAM_RAW, 'desc'=>'just some text'),
           'enrolmentkey' => (object)array('type'=>PARAM_RAW, 'desc'=>'group enrol secret phrase'),


class moodle_user_external extends external_api {

   public static function create_users_parameters() {
       // NOTE: I simplified these ones a bit to make them easier to read.  - Martin
       return array(
           'users' => array(array(
               'username'    => array(PARAM_USERNAME, 'Username policy is defined in Moodle security config', REQUIRED),
               'password'    => array(PARAM_RAW,'Moodle passwords can consist of any character', REQUIRED),
               'firstname'   => array(PARAM_NOTAGS, 'The first name(s) of the user', REQUIRED),
               'lastname'    => array(PARAM_NOTAGS, 'The family name of the user', REQUIRED),
               'email'       => array(PARAM_EMAIL, 'A valid and unique email address', REQUIRED),
               'auth'        => array(PARAM_AUTH, 'Auth plugins include manual, ldap, imap, etc', OPTIONAL, 'manual'),
               'confirmed'   => array(PARAM_NUMBER, 'Active user: 1 if confirmed, 0 otherwise', OPTIONAL, 1),
               'idnumber'    => array(PARAM_RAW, 'An arbitrary ID code number perhaps from the institution', OPTIONAL, ),
               'emailstop'   => array(PARAM_NUMBER, 'Email is blocked: 1 is blocked and 0 otherwise', OPTIONAL, 0),
               'lang'        => array(PARAM_LANG, 'Language code such as "en_utf8", must exist on server', OPTIONAL, 'en_utf8'),
               'theme'       => array(PARAM_THEME, 'Theme name such as "standard", must exist on server', OPTIONAL, 'standard'),
               'timezone'    => array(PARAM_ALPHANUMEXT, 'Timezone code such as Australia/Perth, or 99 for server setting', OPTIONAL, 99),
               'mailformat'  => array(PARAM_INTEGER, 'Mail format code is 0 for plain text, 1 for HTML etc', OPTIONAL, 1),
               'description' => array(PARAM_TEXT, 'User profile description, as HTML', OPTIONAL, ),
               'city'        => array(PARAM_NOTAGS, 'Home city of the user', OPTIONAL, ),
               'country'     => array(PARAM_ALPHA, 'Home country code of the user, such as AU or CZ', OPTIONAL, ),
               'preferences' => array(array('name'  => array(PARAM_ALPHANUMEXT, 'The name of the preference to set', REQUIRED),
                                            'value' => array(PARAM_RAW, 'The value of the preference', REQUIRED)),
                                     'User preference settings', OPTIONAL),
               'custom'      => array(array('name'  => array(PARAM_ALPHANUMEXT, 'The name of the custom field (must exist)', REQUIRED),
                                            'value' => array(PARAM_RAW, 'The value of the custom field', REQUIRED)),
                                     'If the server has custom fields, you can set them here', OPTIONAL),
   public static function create_users(array $users) {
       $params = self::validate_prameters(self::create_users_parameters(), array('user'=>$users));
       foreach ($params['users'] as $user) {
   public static function create_user_returns() {
       return array((object)array('type' => PARAM_INTEGER, 'desc' => 'id of the created user'));


WS description parsing:

  • top level array of params is a list of parameters of the PHP function - names are used in WS, order is used when sending params to PHP function
  • objects define scalar values
  • arrays with one element with 0 as key mean bulk parameters (array of elements of the same type - either scalar, associative array or bulk)

We would support only scalar values, bulk arrays, arrays with named keys - this means we would never return or accept objects - external systems might not be able to handle them anyway.

Potential problems:

  • the bulk array param can not be optional
  • this description may seem a bit weird

3. externallib.php yet another OOP alternative

Both descriptions above feel a bit weird, there must be a better way ;-) Petr Škoda (škoďák)

Parameter description classes: abstract class external_description {

   public $desc;
   public $requied;
   public function __contruct($desc, $required) {
       $this->desc = $desc;
       $this->required = $required;


class external_param extends external_description {

   public $type;
   public $default;
   public $allownull;
   public function __contruct($type, $desc=, $required=true, $default=null, $allownull=true) {
       parent::_construct($desc, $required);
       $this->type      = $type;
       $this->default   = $default;
       $this->allownull = $allownull;


class external_assoc_array extends external_description {

   public $keys;
   public function __construct(array $keys, $desc=, $required=true) {
       parent::_construct($desc, $required);
       $this->keys = $keys; // array(key=>external_description, ...)


class external_bulk_array extends external_description {

   public $content;
   public function __construct(external_description $content, $desc=, $required=true) {
       parent::_construct($desc, $required);
       $this->content = $content;


Description examples: class moodle_group_external extends external_api {

   public static function add_member_parameters() {
       return new external_assoc_array(
           array('groupid' => new exernal_param(PARAM_INT, 'some group id'),
                 'userid'  => new exernal_param(PARAM_INT, 'some user id'))
   public static function add_member($groupid, $userid) {
       $params = self::validate_prameters(self::add_member_parameters(), array('groupid'=>$groupid, 'userid'=>$userid));
       // actual implementation goes here
   public static function add_member_returns() {
       return null;
   public static function add_members_parameters() {
       return new external_assoc_array(
           array('membership' => new external_bulk_array(
               new external_assoc_array(
                   array('groupid' => new exernal_param(PARAM_INT, 'some group id'),
                         'userid'  => new exernal_param(PARAM_INT, 'some user id'))
   public static function add_members(array $membership) {
       $params = self::validate_prameters(self::add_members_parameters(), array('membership'=>$membership));
       // actual implementation goes here
   public static function add_members_returns() {
       return null;
   public static function get_groups_parameters() {
       return new external_assoc_array(
           array('groupids' => new external_bulk_array(new exernal_param(PARAM_INT, 'some group id')))
   public static function get_groups(array $groupids) {
       $params = self::validate_prameters(self::get_groups_parameters(), array('groupids'=>$groupids));
       // actual implementation goes here
   public static function get_groups_returns() {
       return new external_bulk_array(
           new external_assoc_array(
               array('id'           => new exernal_param(PARAM_INT, 'some group id'),
                     'name'         => new exernal_param(PARAM_TEXT, 'multilang compatible name, course unique'),
                     'description'  => new exernal_param(PARAM_RAW, 'just some text'),
                     'enrolmentkey' => new exernal_param(PARAM_RAW, 'group enrol secret phrase'))


class moodle_user_external extends external_api {

   public static function create_users_parameters() {
       return new external_assoc_array(
           array('users' => new external_bulk_array(
               new external_assoc_array(array(
                   'username'    => new exernal_param(PARAM_USERNAME, 'Username policy is defined in Moodle security config'),
                   'password'    => new exernal_param(PARAM_RAW, 'Moodle passwords can consist of any character'),
                   'firstname'   => new exernal_param(PARAM_NOTAGS, 'The first name(s) of the user'),
                   'lastname'    => new exernal_param(PARAM_NOTAGS, 'The family name of the user'),
                   'email'       => new exernal_param(PARAM_EMAIL, 'A valid and unique email address'),
                   'auth'        => new exernal_param(PARAM_AUTH, 'Auth plugins include manual, ldap, imap, etc', false),
                   'confirmed'   => new exernal_param(PARAM_NUMBER, 'Active user: 1 if confirmed, 0 otherwise', false),
                   'idnumber'    => new exernal_param(PARAM_RAW, 'An arbitrary ID code number perhaps from the institution', false),
                   'emailstop'   => new exernal_param(PARAM_NUMBER, 'Email is blocked: 1 is blocked and 0 otherwise', false),
                   'lang'        => new exernal_param(PARAM_LANG, 'Language code such as "en_utf8", must exist on server', false),
                   'theme'       => new exernal_param(PARAM_THEME, 'Theme name such as "standard", must exist on server', false),
                   'timezone'    => new exernal_param(PARAM_ALPHANUMEXT, 'Timezone code such as Australia/Perth, or 99 for default', false),
                   'mailformat'  => new exernal_param(PARAM_INTEGER, 'Mail format code is 0 for plain text, 1 for HTML etc', false),
                   'description' => new exernal_param(PARAM_TEXT, 'User profile description, as HTML', false),
                   'city'        => new exernal_param(PARAM_NOTAGS, 'Home city of the user', false),
                   'country'     => new exernal_param(PARAM_ALPHA, 'Home country code of the user, such as AU or CZ', false),
                   'preferences' => new external_bulk_array(new external_assoc_array(array(
                       'type'  => new exernal_param(PARAM_ALPHANUMEXT, 'The name of the preference'),
                       'value' => new exernal_param(PARAM_RAW, 'The value of the preference'))), 'User preferences', false),
                   'custom' => new external_bulk_array(new external_assoc_array(array(
                       'type'  => new exernal_param(PARAM_ALPHANUMEXT, 'The name of the custom field'),
                       'value' => new exernal_param(PARAM_RAW, 'The value of the custom field'))), 'User custom fields', false),
   public static function create_users(array $users) {
       $params = self::validate_prameters(self::create_users_parameters(), array('user'=>$users));
       foreach ($params['users'] as $user) {
   public static function create_users_returns() {
       return new external_bulk_array(new exernal_param(PARAM_INT, 'id of the created user'));


The PHP usage would be exactly the same as in previous design.


We use the clean_param function to check data. We have added some new checks for common Moodle data so that we get better cleaning. eg


       case PARAM_AUTH:
           $param = clean_param($param, PARAM_SAFEDIR);
           if (exists_auth_plugin($param)) {
               return $param;
           } else {
               return ;
       case PARAM_LANG:
           $param = clean_param($param, PARAM_SAFEDIR);
           $langs = get_list_of_languages(false, true);
           if (in_array($param, $langs)) {
               return $param;
           } else {
               return ;  // Specified language is not installed
       case PARAM_THEME:
           $param = clean_param($param, PARAM_SAFEDIR);
           if (file_exists($CFG->dirroot.'/theme/'.$param)) {
               return $param;
           } else {
               return ;  // Specified theme is not installed

Function implementation

The function are generally stored in externallib.php files, as methods in a class that extends 'external_api'. The actual file location is referenced by 'classpath' in the services.php description.

class moodle_user_external extends external_api {

   public static function create_users($params)
    /// ...


Way to fill the database tables

The Moodle upgrade will take care of the updates. We will need to add a function into lib/upgradelib.php/upgrade_plugins() that will check all web service description.

Return values are filtered by the servers

Web service function should be able to return whatever they want. Each server should be looking at the web services description and returns the expected values.

Petr's Proposal

