Skip to content

Commit

Permalink
Add a configuration option in webwork2.mojolicious.dist.yml for allow…
Browse files Browse the repository at this point in the history
…ing unsecured rpc usage.

The option allow_unsecured_rpc (which defaults to off) allows the
html2xml and render_rpc endpoints to be used without cookies, and thus
skipping two factor authentication.  This should never be enabled for a
typical webwork server.  This should only be enabled if you want to
allow serving content via these endpoints to links in external websites
with usernames and passwords embedded in them such as for PreTeXt
textbooks.
  • Loading branch information
drgrice1 committed Feb 24, 2024
1 parent 986e70c commit c7f2d42
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 2 deletions.
7 changes: 7 additions & 0 deletions conf/webwork2.mojolicious.dist.yml
Original file line number Diff line number Diff line change
Expand Up @@ -239,3 +239,10 @@ debug:
hardcopy:
# If 1, don't delete temporary files created when a hardcopy is generated.
preserve_temp_files: 0

# Set this to 1 to allow the html2xml and render_rpc endpoints to disable
# cookies and thus skip two factor authentication. This should never be enabled
# for a typical webwork server. This should only be enabled if you want to
# allow serving content via these endpoints to links in external websites with
# usernames and passwords embedded in them such as for PreTeXt textbooks.
allow_unsecured_rpc: 0
5 changes: 3 additions & 2 deletions lib/WeBWorK.pm
Original file line number Diff line number Diff line change
Expand Up @@ -91,12 +91,13 @@ async sub dispatch ($c) {
if ($c->current_route =~ /^(render_rpc|instructor_rpc|html2xml)$/) {
$c->{rpc} = 1;
$c->stash(disable_cookies => 1) if $c->current_route eq 'render_rpc' && $c->param('disableCookies');
$c->stash(disable_cookies => 1)
if $c->current_route eq 'render_rpc' && $c->param('disableCookies') && $c->config('allow_unsecured_rpc');
# This provides compatibility for legacy html2xml parameters.
# This should be deleted when the html2xml endpoint is removed.
if ($c->current_route eq 'html2xml') {
$c->stash(disable_cookies => 1);
$c->stash(disable_cookies => 1) if $c->config('allow_unsecured_rpc');
for ([ 'userID', 'user' ], [ 'course_password', 'passwd' ], [ 'session_key', 'key' ]) {
$c->param($_->[1], $c->param($_->[0])) if defined $c->param($_->[0]) && !defined $c->param($_->[1]);
}
Expand Down

0 comments on commit c7f2d42

Please sign in to comment.