MDL-65075 tool_mobile: Check UserAgent only in WS requests

nilo72 · Apr 8, 2019 · cc62967 · cc62967
1 parent 102e082
commit cc62967
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 5 deletions.
diff --git a/admin/tool/mobile/classes/api.php b/admin/tool/mobile/classes/api.php
@@ -297,11 +297,6 @@ public static function check_autologin_prerequisites($userid) {
             throw new moodle_exception('enablewsdescription', 'webservice');
         }
 
-        // Only requests from the Moodle mobile or desktop app. This enhances security to avoid any type of XSS attack.
-        if (!\core_useragent::is_moodle_app()) {
-            throw new moodle_exception('apprequired', 'tool_mobile');
-        }
-
         if (!is_https()) {
             throw new moodle_exception('httpsrequired', 'tool_mobile');
         }

diff --git a/admin/tool/mobile/classes/external.php b/admin/tool/mobile/classes/external.php
@@ -286,6 +286,13 @@ public static function get_autologin_key($privatetoken) {
             }
         }
 
+
+        // Only requests from the Moodle mobile or desktop app. This enhances security to avoid any type of XSS attack.
+        // This code goes intentionally here and not inside the check_autologin_prerequisites() function because it
+        // is used by other PHP scripts that can be opened in any browser.
+        if (!\core_useragent::is_moodle_app()) {
+            throw new moodle_exception('apprequired', 'tool_mobile');
+        }
         api::check_autologin_prerequisites($USER->id);
 
         if (isset($_GET['privatetoken']) or empty($privatetoken)) {