Oomaxpro / moodle-auth_cognito

OOMAX Pro Authentication for Moodle LMS
https://oomaxpro.com/
0 stars 0 forks source link

once a token is available, the end user can enrol in any course they want. #12

Closed danmarsden closed 1 month ago

danmarsden commented 3 months ago

https://github.com/Oomaxpro/moodle-auth_cognito/blob/oomaxpro/index.php#L40

it looks like when a user obtains a token - they can then pass a courses array to the script and triggeer a manual enrolment into any course they want - I haven't had a good look at the workflow here, but if this happens within the browser session it looks like it presents a security risk.

danmarsden commented 3 months ago

same thing with groups and cohorts.

SwayzeD commented 1 month ago

This has now been resolved