I Can Haz Data?
Monday, June 23rd, 2008I am currently in the process of getting grade data to be shared between Moodle and Adobe Flex with Flare in a secure and elegent way.
Flare has some nice built in functions for loading data from a url that is either in a tab or json format, witch would normally work great except the data in question consists of students grades and statistics relating to them witch can not be publicly shown and is protected by Moodle’s capability system. This means that Flare can not simply load a page that outputs the data in tab or JSON format as it would not have the session or cookie that the browser does to let Moodle know that you have the capability to access the data so it just gets the HTML for an error page.
Passing a user name and password (or hash there of) between the Flash Player and the web server are out of the question for security reasons and embedding all the data needed to generate the visualizations in the Flash variables or JavaScript becomes ugly fast and could break down in the cases of very large sets of data (there is a limit to the length of a Flash variable passed from HTML). There also is no way i know of to share a browsers cookies with Flash and then the sites it calls on (and if there is it would mean recoding how the Flare DataSource class works).
The solution? Well the method i am country working on is passing the session name and id from Moodle to Adobe Flex/Flash (threw the Flash variables embedded in the HTML generated by PHP) and then using the Flare DataSource class to load the URI of the JSON formated data with the course id, session name, session id and graph/visualization type appended to it. Hopefully this method will work like how cookieless sessions do in Moodle where the session information is appended to the URI and Moodle will see the request as if it came from the user them self, with the correct capabilities.
My only concern with this method is if a teacher or student where to save the HTML of the page and send it to some one it would contain there session information. In theory this information could be used to access the account that is tied to the session and the attacker could then change the password for the account to take it over. However this would only be possible for the period of time when the session is valid and would be just as insure as Cookieless sessions all ready are in Moodle (in terms of a user copy and pasting there URI with the session id in it) and a user would have to willingly give a copy of the HTML to the attacker.
If all goes well i will have a simple demo of this before the end of the week that can show a simple graph of grades using Flare.