Updating libraries (automatically)

otacke:

I noticed that you can upload h5p files to Moodle that may contain libraries with a newer version than the Moodle system. It seems that the Moodle plugin then automatically updates the corresponding libraries on the Moodle system. Did I observe this correctly?

If yes, isn't that a security issue? Wouldn't that allow me to screw up other systems if someone uploads a rigged h5p file to his/her system ingenuously? I think it's a great idea that the h5p files contain everything that's necessary for using them, and maybe I just misconfigured something, but wouldn't it be wise to at least offer some options to choose from (beforehand) for handling that situation, e.g.

  • update libraries automatically,
  • ask if the libraries should be updated,
  • temporarily use the newer library version from the h5p file for using this file only,
  • or rigorously ignore libraries that are not installed on the system.

thomasmars:

Yes, Moodle will automatically upload new libraries that come with an h5p file.

Before updating the libraries the plugin checks if you have the hvp:updatelibraries capability, which is the same one that is necessary in order to upload a library through the library admin page. The libraries will only be updated if you have this capability. The check is done inside savePackage. If you do not have this capability it will only update/insert content.

There is probably some merit to giving a prompt when a package will update your libraries, though. You could add your suggestion as a feature request in the forum or an issue in the GitHub repo so it can be discussed further; maybe someone will pick it up :)
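One way such a gate can look, as an added example that is not the mod_hvp plugin's own savePackage code: it assumes Moodle's has_capability() API, the Moodle capability name mod/hvp:updatelibraries, and the version fields H5P uses in library.json (machineName, majorVersion, minorVersion, patchVersion); the function name and the plain tuple comparison are this example's own simplifications.

```php
<?php
// Added example, not the mod_hvp plugin's own code. Assumes Moodle's
// has_capability() and H5P's library.json version fields; the function
// name is hypothetical.

defined('MOODLE_INTERNAL') || die();

/**
 * Decide which libraries in an uploaded .h5p package may be written to the
 * system library store. Only a user holding mod/hvp:updatelibraries may
 * install or upgrade libraries; anyone else only gets the content saved,
 * which is the behaviour described in the reply above.
 *
 * @param array    $packagelibs library.json records found in the package
 * @param array    $installed   machineName => [major, minor, patch] already installed
 * @param context  $context     Moodle context the upload happens in
 * @param int|null $userid      uploading user (null = current $USER)
 * @return array ['install' => library records to write, 'skipped' => "name version" strings]
 */
function hvp_example_plan_library_updates(array $packagelibs, array $installed,
                                           context $context, $userid = null) {
    $plan = ['install' => [], 'skipped' => []];
    // Single authorisation decision for the whole package.
    $mayupdate = has_capability('mod/hvp:updatelibraries', $context, $userid);

    foreach ($packagelibs as $lib) {
        $name = $lib['machineName'];
        $incoming = [(int)$lib['majorVersion'], (int)$lib['minorVersion'], (int)$lib['patchVersion']];
        $current = $installed[$name] ?? null;

        // Same or older than what is installed: nothing to write, the content
        // simply references the library that is already on the system.
        if ($current !== null &&
                version_compare(implode('.', $incoming), implode('.', $current), '<=')) {
            continue;
        }
        // New or newer library: only a user with the capability may bring it in.
        if (!$mayupdate) {
            $plan['skipped'][] = $name . ' ' . implode('.', $incoming);
            continue;
        }
        $plan['install'][] = $lib;
    }
    return $plan;
}
```

The caller can surface $plan['skipped'] to the uploader so it is visible which libraries the package carried but the system refused to touch.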

otacke:

Thanks for your reply! My own coding capabilities are pretty limited, but I'll forward your answer to our IT crew. I'm sure they will come up with a solution that's worth a pull request.

thomasmars:

We would love to hear about what you figure out :)

otacke:

I was just told that we're already able to handle that "risk" via moodle roles. Dummy me.