It looks like there is security issue in the plugin. The thumbnails of uploaded films are available without token.
Steps to reproduce:
Go to Medial dialog. For example as student go to assignment with video submission and click Add media.
Upload the video and then go to Search
Click right mouse button on the thumbnail and choose Inspect element
There is the link in img tag. Copy this link, remove the token value and paste in another browser where you are not logged in to Moodle site. You can see the preview of the uploaded film
We used trial account for the tests and there are examples of such links:
This has been fixed by changing MEDIAL code to not allow a refresh or copy of URL of the play page in LTI. Only one impression of the play page is allowed.
PermissionToPlay flag
60052
60052IB8
Hello,
It looks like there is security issue in the plugin. The thumbnails of uploaded films are available without token. Steps to reproduce:
We used trial account for the tests and there are examples of such links:
Could you please have a look on this and fix it?