[Sakai Jira] (SAKIII-5440) Executing 'basiclti' operation on existing basiclti widget (e.g., edit settings) persists all request parameters onto the node
Branden Visser (JIRA)
sakai-ui-dev-tracking at collab.sakaiproject.org
Fri Apr 13 07:05:26 PDT 2012
[ https://jira.sakaiproject.org/browse/SAKIII-5440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=156655#comment-156655 ]
Branden Visser commented on SAKIII-5440:
----------------------------------------
The delete option is not acceptable, because for the same reason, the delete operation is not picked up by the sparse post servlet either. I think a better solution for now is to unbind the LiteBasicLTIConsumerServlet from the POST operation so that the sparse post servlet may handle it.
> Executing 'basiclti' operation on existing basiclti widget (e.g., edit settings) persists all request parameters onto the node
> ------------------------------------------------------------------------------------------------------------------------------
>
> Key: SAKIII-5440
> URL: https://jira.sakaiproject.org/browse/SAKIII-5440
> Project: Sakai OAE UI Dev
> Issue Type: Bug
> Components: basiclti
> Affects Versions: 1.2.0
> Reporter: Branden Visser
> Assignee: Bert Pareyn
> Priority: Blocker
> Fix For: 1.2.0
>
> Attachments: lti-secret-exposed.txt
>
>
> When you edit the settings of a basiclti widget, the basiclti POST operation seems to be putting all request parameters (including the ltisecret!) directly onto the node. I'll attach a sample of what the output is after editing settings.
> To reproduce:
> 1. Edit an empty page
> 2. Add a basic-lti widget: http://www.google.ca; key; secret
> 3. Save the page
> 4. Edit the page
> 5. Configure the basic LTI widget
> 6. Save settings without changing anything
> 7. Look at the JSON feed of the temp page (e.g., http://localhost:8080/p/lsFoKDmnie/tmp_id2052700.tidy.infinity.json)
> Expected result: the basic lti settings are updated, and the ltisecret is hidden
> Actual result: The request parameters of the POST operation are stored onto the basiclti widget node, and the ltisecret is visible to users
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://jira.sakaiproject.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
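
A regression check for step 7 and the expected result in the report, as an added example that is not part of the original message or of Sakai OAE code: it walks a parsed JSON feed and reports where `ltisecret` is readable. The feed shapes and every property name other than `ltisecret` are constructed for illustration.

```javascript
// Only `ltisecret` comes from the report; pass a different set to cover more names.
const SENSITIVE_KEYS = new Set(['ltisecret']);

const isEmpty = (v) =>
  v === null || v === undefined || v === '' || (Array.isArray(v) && v.length === 0);

// Walk a parsed JSON feed and return the path of every sensitive property that
// carries a value. Only paths are returned, never values, so the result can be logged.
function findExposedSecrets(node, sensitive = SENSITIVE_KEYS, path = '') {
  const hits = [];
  if (node === null || typeof node !== 'object') return hits;
  for (const [key, value] of Object.entries(node)) {
    const here = Array.isArray(node) ? `${path}[${key}]` : `${path}/${key}`;
    if (sensitive.has(key.toLowerCase())) {
      // Flag scalars and multi-valued properties alike.
      if (!isEmpty(value)) hits.push(here);
    } else if (typeof value === 'object') {
      hits.push(...findExposedSecrets(value, sensitive, here));
    }
  }
  return hits;
}

// Constructed feed resembling the "actual result": the secret is stored on the node.
const leakyFeed = {
  id2052700: {
    basiclti: { ltiurl: 'http://www.google.ca', ltikey: 'key', ltisecret: 'secret' },
  },
  widgets: [{ type: 'basiclti', LtiSecret: ['secret'] }],
};

// Constructed feed resembling the "expected result": the secret is not readable.
const cleanFeed = {
  id2052700: { basiclti: { ltiurl: 'http://www.google.ca', ltisecret: '' } },
};

console.log('leaky:', findExposedSecrets(leakyFeed));
console.log('clean:', findExposedSecrets(cleanFeed));
```

Run against the parsed body of the page feed in a test suite, a non-empty result fails the build without writing the secret itself to the test log.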