Note: You are currently viewing documentation for Moodle 3.4. Up-to-date documentation for the latest stable version of Moodle is likely available here: Community hub - technical specification.

Development:Community hub - technical specification

From MoodleDocs

Operations

The following diagrams show the communication operations expected between Moodle.org, hub servers and Moodle sites.

Moodle site and Hub server

[Diagram: Moodlesite2hubserver.png]

Moodle.org Hub directory and (Moodle.org) Hub server

[Diagram: Hubdirectory moodleorg2hubserver moodle.org.png]

Moodle site and Moodle.org Hub directory

[Diagram: Moodlesite2moodleorg.png]

Method

We are going to use web services. However, we create a new /hub/webservice.php entry point that will bypass $CFG->enablewebservice and consider a protocol as activated.

Site/Hub Registration operations

  1. The site/hub enables the web service, enables a protocol, and creates a specific ws user, a specific ws role, and a specific token.
  2. The site/hub sends the web service token by POST to the hub server/hub directory.
  3. The hub server/hub directory enables the web service, enables a protocol, and creates a specific ws user, a specific ws role, and a specific token.
  4. The hub server/hub directory calls the web service function: confirm_registration($thisisyourtokentocallme).
  5. Finally, the hub server/hub directory calls the web service function get_info for the first time.

Course search (hub or global search) + hub list operations

The hub/webservice.php entry point should bypass token authentication for this specific listed function.

Other operations

The site, hub server and hub directory should each have a specific token to talk to each other.

Security

Disable generated service and token

The security problems: somebody uses the hub access to execute other functions (either a bug in Moodle or an admin misconfiguration); somebody uses normal services to execute hub functions (site misconfiguration).
Solution: the generated service and token should not be usable through the normal /webservice/ entry points. Administration should not list the generated service and token. It should not be possible to create a service with a hub function.
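
A minimal model of the entry-point separation described above, as an added example and not Moodle's own code. The token store layout, the 'hub' flag and the function names hub_search_courses and some_core_function are assumptions made for illustration; confirm_registration and get_info are the names used on this page.

```php
<?php
// Added illustration, not Moodle code. hub_search_courses, some_core_function
// and the token layout are hypothetical; tokens are constructed sample values.
const HUB_FUNCTIONS = ['confirm_registration', 'get_info', 'hub_search_courses'];
const HUB_PUBLIC_FUNCTIONS = ['hub_search_courses']; // token bypass applies only here

// 'hub' marks a token generated during registration for hub traffic only.
$tokens = [
    ['value' => 'constructed-hub-token', 'hub' => true, 'functions' => ['confirm_registration', 'get_info']],
    // Misconfigured normal service that lists a hub function:
    ['value' => 'constructed-normal-token', 'hub' => false, 'functions' => ['some_core_function', 'get_info']],
];

function find_token(array $tokens, ?string $presented): ?array {
    foreach ($tokens as $t) {
        if (hash_equals($t['value'], $presented ?? '')) { // constant-time comparison
            return $t;
        }
    }
    return null;
}

// Returns [allowed, reason] for a call arriving at the 'hub' or 'normal' entry point.
function authorize(string $entry, ?string $presented, string $function, array $tokens): array {
    if (($entry === 'hub') !== in_array($function, HUB_FUNCTIONS, true)) {
        return [false, 'function is not served by this entry point'];
    }
    if ($entry === 'hub' && in_array($function, HUB_PUBLIC_FUNCTIONS, true)) {
        return [true, 'public hub function, no token required'];
    }
    $token = find_token($tokens, $presented);
    if ($token === null || $token['hub'] !== ($entry === 'hub')) {
        return [false, 'token missing, unknown, or not valid for this entry point'];
    }
    if (!in_array($function, $token['functions'], true)) {
        return [false, 'function is not in the service bound to this token'];
    }
    return [true, 'ok'];
}

// Constructed requests: entry point, presented token, requested function.
foreach ([
    ['hub', 'constructed-hub-token', 'get_info'],
    ['hub', null, 'hub_search_courses'],
    ['hub', 'constructed-hub-token', 'some_core_function'],
    ['normal', 'constructed-hub-token', 'some_core_function'],
    ['normal', 'constructed-normal-token', 'get_info'],
] as [$entry, $tok, $fn]) {
    [$ok, $why] = authorize($entry, $tok, $fn, $tokens);
    printf("%-6s %-18s %-5s %s\n", $entry, $fn, $ok ? 'ALLOW' : 'DENY', $why);
}
```

The last request is refused at the entry-point check even though the misconfigured normal service lists get_info, which is why the check runs before any token lookup.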

Hacking testing

1/ Somebody hacks client sites and updates the hub info with spam.
2/ Somebody hacks the hub and then tries to attack all client sites, probably with some exploit of an older version, or at least to get as many emails and as much personal data as possible from all sites.

Note

  • If the administrator deletes the token, user, service or roles: we need an option to rebuild the token (delete the previous user, service, token..., then rebuild it, then resend it to the hub server/hub directory). The site would just call a ws function confirm_registration($thisisyourtokentocallme) on the hub server/hub directory.
  • What if there is a security issue with web services (this solution implies that about every registered Moodle site enables web services)?
  • Which protocol to use? Very important question!!
  • Another method could be to not use web services, and only a simple entry script reserved for the community hub (probably using JSON + the secret key explained in the community hub doc). But it is still a bit of a web service with authentication per secret...