Non-core contributed modules

A new block "Password checker" gives a user a notice about the security of the actually used password in case of LDAP capture authentication

Details

  • Type: New Feature
  • Status: Resolved
  • Priority: Minor
  • Resolution: Fixed
  • Affects Version/s: 1.9.4
  • Fix Version/s: None
  • Component/s: Block: Check password
  • Labels:
    None
  • Affected Branches:
    MOODLE_19_STABLE

Description

This block can give you a benefit in the following scenario:

Moodle is configured to use the LDAP Capture authentication method.
In this case the password is saved within the LDAP server and the Moodle administrator has no control over it.

But this block informs the users in detail about the security shortcomings of their passwords without forcing them to change it, but you can add an additional link to a self-made page, which describes your security requirements and probably the methods to change the password in more detail.

All password requirements and all warnings and messages are configurable in Modules->Blocks.

Activity

Anthony Borrow added a comment -

Karsten - Thank you for creating this issue and for sharing your password checking block with the Moodle community. I will be reviewing it later today. I have installed it but am getting ready to leave the house but I did find the following PHP notice:

Missing argument 1 for p(), called in /home/arborrow/Moodle/code/19stable/blocks/checkpwd/config_global.html on line 61 and defined in /home/arborrow/Moodle/code/19stable/lib/weblib.php on line 144

I'll look into it later and make sure to give the language file a quick look to make sure the English makes sense. I'm happy to suggest improvements.

Peace - Anthony

Anthony Borrow added a comment - - edited

Notice: Undefined variable: dpassword in /home/arborrow/Moodle/code/19stable/blocks/checkpwd/block_checkpwd.php on line 92

found after adding block to a course page.

Anthony Borrow added a comment -

Karsten - It is preferred that we use mdl_config_plugins instead of mdl_config. That keeps $CFG from creating an unnecessarily large footprint all over the place. I noticed that you had the line:

$key=md5($USER->sesskey.$cfg->mcryptkey);

should that be $CFG->mcryptkey?

In some code I have used the lowercase $cfg to implement using a local cfg variable for the block so something like:

$cfg_chkpassword=get_config('block/chkpassword');

Of course you would need to change your settings file to provide the plugin variable 'block/chkpassword' when using set_config.

Let me know if I need to explain further or if you run into trouble.

Peace - Anthony

Anthony Borrow added a comment -

Make sure to test the code with debugging set to show All reasonable PHP notices and errors (not developer mode). The error on line 92 is caused by the variable dpassword not being defined. I see the checks for $USER->epassword; however, I am not sure where or when that gets defined. Also, I noticed that you have the line:

similar_text($username,$password,$percent);

however I did not see where $percent gets defined. Perhaps that would be $cfg_chkpasswd->simtxtperc

Also, in config_global.html, I noticed:

p('Username and password have to much common letters.');

which should really use the language string rather than being hardcoded.

I do not see anything that prevents me from committing this to CVS but I would like you to work on fixing up the things that I have found before making it available to the public via the Modules and Plugins database. Once you get the code cleaned up, please review http://docs.moodle.org/en/Development:Guidelines_for_contributed_code one more time to ensure that you follow the steps for the M&P entry and also creating a documentation page. If you need help with English let me know. Give it a shot and then let me know and I'll come in and try to make any improvements I can.

Peace - Anthony
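
An added example (not code from the checkpwd block or from Moodle) of the kind of check discussed in this comment: every setting gets a default so no undefined-variable notice can occur, and the function returns language-string identifiers instead of hardcoded English. PHP's `similar_text()` writes the similarity percentage into its third argument by reference. The setting name `simtxtperc` is taken from the comment; the function name, the other setting names and the string identifiers are hypothetical.

```php
<?php
// Added example: hypothetical helper, not taken from the checkpwd block.

/**
 * Returns language-string identifiers for every rule the password fails.
 * $cfg stands in for a plugin config object; its field names are assumed.
 */
function checkpwd_find_weaknesses($username, $password, $cfg) {
    $problems = array();

    // Fall back to defaults so a missing setting never raises a PHP notice.
    $minlength  = isset($cfg->minlength)  ? (int)$cfg->minlength    : 8;
    $maxsimilar = isset($cfg->simtxtperc) ? (float)$cfg->simtxtperc : 50.0;

    if (strlen($password) < $minlength) {
        $problems[] = 'tooshort';
    }
    if (!preg_match('/[0-9]/', $password)) {
        $problems[] = 'nodigit';
    }
    if (!preg_match('/[a-z]/', $password) || !preg_match('/[A-Z]/', $password)) {
        $problems[] = 'nomixedcase';
    }

    // similar_text() fills $percent by reference with the similarity as a
    // percentage; it is initialised here only to make that explicit.
    $percent = 0.0;
    similar_text(strtolower($username), strtolower($password), $percent);
    if ($percent > $maxsimilar) {
        $problems[] = 'toosimilar';
    }
    return $problems;
}

// Constructed sample data: two username/password pairs and one policy.
$cfg = new stdClass();
$cfg->minlength  = 8;
$cfg->simtxtperc = 60;

$samples = array(array('kmeier', 'Kmeier1'), array('kmeier', 'c0rrect-Horse-staple'));
foreach ($samples as $pair) {
    list($user, $pass) = $pair;
    $found = checkpwd_find_weaknesses($user, $pass, $cfg);
    // Only the username and the failed rules are printed, never the password.
    echo $user, ': ', $found ? implode(', ', $found) : 'ok', "\n";
}
```

In a Moodle block each returned identifier would be passed to the language-string lookup rather than printed directly.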

Anthony Borrow added a comment -

I am attaching a slightly modified English language file for your consideration. I think it keeps things consistent and makes it clearer. I will let you determine whether you want to implement these changes in CVS or not. I'm going to add the code to CVS, create a component in the tracker for Block: Check password and bump your privileges in the tracker so that you can manage issues related to the check password block. Then I will approve your CVS write request at http://moodle.org/cvs/ and resolve this issue as fixed. Please feel free to comment on this issue if you have questions about the items I have made. Peace - Anthony

Anthony Borrow added a comment -

Karsten - Another thing that you want to be careful of is to ensure that you are using and not duplicating data set in Site Administration -> Security -> Site policies (see attached password_policies screenshot). For example, the password length is one such setting. It is OK to have it in your block but changing it in the block should also change it for the site and you should probably ensure that the user has administrative privileges before doing so. Peace - Anthony

Anthony Borrow added a comment -

moving to Block: Check password component

Anthony Borrow added a comment -

code added to CVS, tracker component created and privileges bumped, CVS write access granted to contrib/plugins/blocks/checkpwd - resolving as fixed

Anthony Borrow added a comment -

here is the password_policies screenshot I mentioned - I almost forgot to attach it

Anthony Borrow added a comment -

One last question, is there a reason why the Check password block is not available on the front page? I cannot think of one but perhaps you have your reasons. I could only add it inside a course but not the frontpage. Peace - Anthony
