Sakai / SAK-25843

Sites entity provider doesn't distinguish between authenticated and unauthenticated users


Details

    • Resolved
      Test plan; this should be applicable to most direct endpoints.

      If you append the parameter ?_validateSession=true to the end, it should give you an error if you're not logged in.

      Before logging in, try this URL:
      http://nightly2.sakaiproject.org:8082/direct/site.html?_validateSession=true

      (You should get a 401 error.)

      Log in (http://nightly2.sakaiproject.org:8082/portal) and try the URL again (in a separate tab). You should get a result.

      Without the parameter, or with the value false, it should return an empty collection but no error.

      Additionally you want to test non-cookie-based sessions. The way to do this is to get a session id with curl:

      curl -v -X POST --data "_username=instructor&_password=sakai" http://nightly2.sakaiproject.org:8082/direct/session

      (At the bottom will be the session id.)

      • Use the session id as the value at the end of the URL for the sakai.session parameter:

      http://nightly2.sakaiproject.org:8082/direct/site.html?_validateSession=true&sakai.session=fd09b3ea-c9f2-47af-b05b-d28ba2aa5674

    Description

      The sites provider does not distinguish between authenticated and unauthenticated users.

      The issue we see with sessions is when the user session times out. When the session key is no longer valid, we receive a valid response, but the JSON returned contains an empty array for the "site_collection" key. There is no way to distinguish between:
      1) the user has a valid session and is not enrolled in any sites;
      2) the user has an invalid session.

      Suggest adding an optional parameter validateSession=true/false which will trigger an exception if the user is not logged in, instead of returning an empty collection.

      This is consistent with the other providers, which throw an appropriate exception if the user is not logged in, which translates to an HTTP response code.
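      The test plan above, together with the ambiguity this description calls out, as an added shell script that is not part of the Sakai project or of this issue: it runs the three requests from the test plan with curl and classifies each /direct/site.json answer, so that an empty collection without _validateSession=true is reported as "ambiguous" (invalid session or no sites), while with the parameter the 401 and the empty-but-authenticated case are told apart. Its assumptions, not stated on the page, are labelled in the comments: POST /direct/session returns the new session id as the last UUID-shaped token at the bottom of the curl -v output; the collection key is "site_collection" as the description says; the host is the nightly server from the test plan unless SAKAI_BASE overrides it. It requests site.json rather than site.html so the body can be inspected, and the network calls run only when SAKAI_LIVE=1.

```shell
#!/usr/bin/env bash
# Added example (not Sakai project code): automates the SAK-25843 test plan.
# Assumptions: BASE defaults to the nightly host named in the issue; POST
# /direct/session prints the new session id at the bottom of `curl -v` output
# as a UUID-shaped token; site.json carries a "site_collection" array.
BASE="${SAKAI_BASE:-http://nightly2.sakaiproject.org:8082}"
BODY_FILE="${TMPDIR:-/tmp}/sak25843.$$"

# Classify a /direct/site.json response from its HTTP status, raw body and
# whether _validateSession=true was sent:
#   401                          -> unauthenticated
#   200, non-empty collection    -> authenticated
#   200, empty, validated        -> authenticated-no-sites
#   200, empty, not validated    -> ambiguous (the SAK-25843 problem)
classify_site_response() {
  local status="$1" body="$2" validated="$3"
  if [ "$status" = 401 ]; then
    echo unauthenticated
  elif [ "$status" != 200 ]; then
    echo "unexpected-$status"
  elif printf '%s' "$body" | grep -Eq '"site_collection"[[:space:]]*:[[:space:]]*\[[[:space:]]*\]'; then
    if [ "$validated" = true ]; then echo authenticated-no-sites; else echo ambiguous; fi
  else
    echo authenticated
  fi
}

# Read captured `curl -v` output on stdin and print the session id, taken as
# the last UUID-shaped token (the test plan says it is at the bottom).
extract_session_id() {
  grep -oE '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}' | tail -n 1
}

# GET a URL (extra curl args allowed), print the status, keep the body on disk.
get_status() { curl -s -o "$BODY_FILE" -w '%{http_code}' "$@"; }

run_plan() {
  local site="$BASE/direct/site.json" s sid
  # 1. No session, validation requested: the test plan expects 401.
  s=$(get_status "$site?_validateSession=true")
  echo "no session, _validateSession=true: $(classify_site_response "$s" "$(cat "$BODY_FILE")" true)"
  # 2. No session, no parameter: expected 200 with an empty collection, which
  #    is exactly the case the issue cannot tell apart from "no sites".
  s=$(get_status "$site")
  echo "no session, no parameter: $(classify_site_response "$s" "$(cat "$BODY_FILE")" false)"
  # 3. Non-cookie session: log in with the test plan's curl call, pull the id
  #    from the verbose output, pass it as sakai.session (no cookie jar is
  #    used, so the cookie set by the login is deliberately not sent).
  sid=$(curl -s -v -X POST --data "_username=${SAKAI_USER:-instructor}&_password=${SAKAI_PASS:-sakai}" \
        "$BASE/direct/session" 2>&1 | extract_session_id)
  [ -n "$sid" ] || { echo "could not obtain a session id from /direct/session" >&2; return 1; }
  s=$(get_status "$site?_validateSession=true&sakai.session=$sid")
  echo "sakai.session=$sid, _validateSession=true: $(classify_site_response "$s" "$(cat "$BODY_FILE")" true)"
  rm -f "$BODY_FILE"
}

# Network calls only when explicitly requested:  SAKAI_LIVE=1 ./sak25843.sh
if [ "${SAKAI_LIVE:-0}" = 1 ]; then run_plan; fi
```

      Run it once before and once after the fix: before, case 1 comes back "ambiguous" or "authenticated-no-sites" instead of "unauthenticated", because the provider answers 200 with an empty collection regardless of session validity.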

              People

                steve.swinsburg Steve Swinsburg