Wunderbyte-GmbH / moodle-local_wunderbyte_table

Wunderbyte Table

cached data in web services implementation bypasses security checks #37

Closed danmarsden closed 8 months ago

danmarsden commented 9 months ago

The webservices implemented within the plugin appear to have no login or capability checks when loading content from the cache - this isn't really ideal, but if it's an intentional design decision it should be documented clearly within the readme. If someone knows the md5 (or can guess the md5) - they can access the cache without authenticating to the site.

I also find it strange that the "Execute action" webservice can be performed anonymously - by any user that has a valid md5 - surely this could be tidied up a bit more to require a login and then verify the user has a capability that allows the action to be performed?

danmarsden commented 9 months ago

In fact - what also concerns me is that the md5() values seem to be pretty easy to guess and don't force any form of unique identification, making it easy for someone to work out the md5 value for a particular report type, and that same md5 hash will work on "any" site that has this report.

So if a 3rd party plugin uses this and generates a hash of: `md5("tab1_name")` or even: `md5("tab1_name". $CM->id);`

anyone can work that out and then just ask your webservice for the cached data without needing to authenticate to the LMS.

danmarsden commented 8 months ago

yeah that's looking a lot safer - nice work :-)
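
The concern raised in this thread (a cache key derived only from guessable values, served without a login or capability check), as an added example that is not code from the plugin or from the commenters. It contrasts that key with one bound to a per-site secret and the requesting user, and puts the authentication and authorisation checks before the cache lookup; all function names, the `table:view` capability string and the sample data are hypothetical.

```php
<?php
// Added illustration; every function and variable name here is hypothetical.

// Weak: the key depends only on public values, so it is identical on every site.
function weak_cache_key(string $tablename, int $cmid): string {
    return md5($tablename . $cmid);
}

// Hardened: HMAC with a per-site secret, bound to the requesting user.
function bound_cache_key(string $sitesecret, string $tablename, int $cmid, int $userid): string {
    return hash_hmac('sha256', "$tablename|$cmid|$userid", $sitesecret);
}

// Service entry point: authenticate and authorise before touching the cache.
// $user is null for an anonymous request; $cache stands in for the cache store.
function load_table(array $cache, ?array $user, string $sitesecret,
        string $tablename, int $cmid, string $key): array {
    if ($user === null) {
        throw new RuntimeException('login required');
    }
    if (!in_array('table:view', $user['capabilities'], true)) {
        throw new RuntimeException('missing capability');
    }
    // Recompute the key server-side; a key minted for another user or site fails here.
    $expected = bound_cache_key($sitesecret, $tablename, $cmid, $user['id']);
    if (!hash_equals($expected, $key) || !isset($cache[$key])) {
        throw new RuntimeException('unknown table');
    }
    return $cache[$key];
}

// Constructed sample data: two sites with different secrets, one authorised user.
$secreta = random_bytes(32);
$secretb = random_bytes(32);
$teacher = ['id' => 7, 'capabilities' => ['table:view']];
$key = bound_cache_key($secreta, 'tab1_name', 42, $teacher['id']);
$cache = [$key => ['rows' => ['row 1', 'row 2']]];

var_dump(weak_cache_key('tab1_name', 42) === md5('tab1_name' . 42)); // weak key, any site
var_dump(bound_cache_key($secretb, 'tab1_name', 42, 7) === $key);    // other site's key
print_r(load_table($cache, $teacher, $secreta, 'tab1_name', 42, $key));
try {
    load_table($cache, null, $secreta, 'tab1_name', 42, $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n"; // anonymous caller is refused even with a valid key
}
```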