The previews images of uploaded videos are available without token - looks like security issue.

[OlenaTatarintseva]

Hello,

It looks like there is security issue in the plugin. The thumbnails of uploaded films are available without token. Steps to reproduce:

• Go to Medial dialog. For example as student go to assignment with video submission and click Add media.
• Upload the video and then go to Search
• Click right mouse button on the thumbnail and choose Inspect element
• There is the link in img tag. Copy this link, remove the token value and paste in another browser where you are not logged in to Moodle site. You can see the preview of the uploaded film

We used trial account for the tests and there are examples of such links:

• In the page source code: https://na1.medialibrary.com/thumbnails/4D45Dfj4.jpg?token=3d5JEeJI&v=1 ** Available without token: https://na1.medialibrary.com/thumbnails/4D45Dfj4.jpg?token=&v=1
• In the page source code: https://na1.medialibrary.com/thumbnails/JDBAfE90.jpg?token=0EAj9J69&v=1 ** Available without token: https://na1.medialibrary.com/thumbnails/JDBAfE90.jpg?token=&v=1

Could you please have a look on this and fix it?

[leepylee]

This has been fixed by changing MEDIAL code to not allow a refresh or copy of URL of the play page in LTI. Only one impression of the play page is allowed. PermissionToPlay flag 60052 60052IB8