[Sakai Jira] (SAKIII-5440) Executing 'basiclti' operation on existing basiclti widget (e.g., edit settings) persists all request parameters onto the node

Bert Pareyn (JIRA) sakai-ui-dev-tracking at collab.sakaiproject.org
Fri Apr 13 03:43:26 PDT 2012


    [ https://jira.sakaiproject.org/browse/SAKIII-5440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=156651#comment-156651 ] 

Bert Pareyn commented on SAKIII-5440:
-------------------------------------

Per conversation on IRC I'll try the following:

[11:40am] mrvisser1: PhysX: I think so. If you batch a delete operation to the 'basiclti' node before you POST the basiclti operation onto it, it will be picked up by the SparsePostServlet — that seems the easiest to me.
[11:41am] mrvisser1: PhysX: The other (perhaps more "correct") solution is to post the actual widget properties to the widget rather than assembling a new basiclti operation — the basiclti operation is only needed to create a *new* basiclti widget.
                
> Executing 'basiclti' operation on existing basiclti widget (e.g., edit settings) persists all request parameters onto the node
> ------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SAKIII-5440
>                 URL: https://jira.sakaiproject.org/browse/SAKIII-5440
>             Project: Sakai OAE UI Dev
>          Issue Type: Bug
>          Components: Widgets - Core/System
>    Affects Versions: 1.2.0
>            Reporter: Branden Visser
>            Priority: Blocker
>             Fix For: 1.2.0
>
>         Attachments: lti-secret-exposed.txt
>
>
> When you edit the settings of a basiclti widget, the basiclti POST operation seems to be putting all request parameters (including the ltisecret!) directly onto the node. I'll attach a sample of what the output is after editing settings.
> To reproduce:
> 1. Edit an empty page
> 2. Add a basic-lti widget: http://www.google.ca; key; secret
> 3. Save the page
> 4. Edit the page
> 5. Configure the basic LTI widget
> 6. Save settings without changing anything
> 7. Look at the JSON feed of the temp page (e.g., http://localhost:8080/p/lsFoKDmnie/tmp_id2052700.tidy.infinity.json)
> Expected result: the basic lti settings are updated, and the ltisecret is hidden
> Actual result: The request parameters of the POST operation are stored onto the basiclti widget node, and the ltisecret is visible to users

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://jira.sakaiproject.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
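
A regression check for the expected result in the report above (the ltisecret must not appear in the page's JSON feed). It is an example added here, not code from Sakai OAE or from the ticket's attachment. The sample feeds are constructed, and every property name except `ltisecret` (for instance `ltiurl` and `ltikey`) is an assumption.

```javascript
// Property names that must never appear in a feed that page viewers can read.
// 'ltisecret' is the name given in the report; extend the set as needed.
const SENSITIVE_KEYS = new Set(['ltisecret']);

// Walk a parsed JSON feed (objects and arrays, any depth) and return the
// path of every sensitive property found.
function findLeakedSecrets(node, path = '$', hits = []) {
  if (Array.isArray(node)) {
    node.forEach((child, i) => findLeakedSecrets(child, `${path}[${i}]`, hits));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      const childPath = `${path}.${key}`;
      // Compare case-insensitively: request parameters are stored as sent.
      if (SENSITIVE_KEYS.has(key.toLowerCase())) {
        hits.push(childPath);
      }
      findLeakedSecrets(value, childPath, hits);
    }
  }
  return hits;
}

// Constructed sample: a widget node after settings were saved and the
// request parameters were persisted onto it (names other than ltisecret
// are assumed, values follow step 2 of the reproduction).
const LEAKY_FEED = {
  id2052700: {
    basiclti: {
      ltiurl: 'http://www.google.ca',
      ltikey: 'key',
      ltisecret: 'secret'
    }
  }
};

// Constructed sample: the same node with the secret kept off the feed.
const CLEAN_FEED = {
  id2052700: { basiclti: { ltiurl: 'http://www.google.ca' } }
};

console.log('leaky feed:', findLeakedSecrets(LEAKY_FEED));
console.log('clean feed:', findLeakedSecrets(CLEAN_FEED));
```

Run it on the feed from step 7 after repeating steps 1 to 6; an empty result is the pass condition.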

       

