Details
-
Type:
Bug
-
Status:
Closed
-
Priority:
Major
-
Resolution: Won't Fix
-
Affects Version/s: 1.9.5
-
Fix Version/s: None
-
Component/s: Authentication, Enrolments
-
Labels:None
-
Affected Branches:MOODLE_19_STABLE
Description
When uploading users in a CSV file, you can select an authentication plugin for newly-created accounts. The list of plugins includes all enabled auth plugins on the site. However, even if you select an auth type other than "manual" or "email", a password is sent to the user, and 'auth_forcepasswordchange' is set to 1 in mdl_user_preferences. This means the user cannot log in, because the password is incorrect, and they cannot change it.
Steps to reproduce:
1. Create a CSV file containing the username, firstname, lastname and email of a user who should be authenticated against an external system
2. Browse to /admin/uploaduser.php and upload the file
3. Select "Add new only, skip existing users" from "Upload type"
4. From "Choose an authentication method", choose an external plugin, e.g. "LDAP"
5. Attempt to upload the users.
You will receive an error: "Password is a required field". To work around this, you might (quite reasonably) choose "Create password if needed" from "New user password", thinking that it will not be used as you have chosen an external authentication plugin.
Expected behaviour:
The user account should be created, the "auth" field should be set as expected, and no email should be sent
Actual behaviour:
The user account is created, the "auth" field is set as expected, but a randomly-generated password is sent by email, and 'auth_forcepasswordchange' is set to 1 in mdl_user_preferences. The user cannot log in.
FIX:
function uu_allowed_auths() in /admin/uploaduser.php should return a list of supported authentication plugins that are enabled on the server. However, the array of plugins returned by get_enabled_auth_plugins() is not compared against $whitelist:
function uu_allowed_auths() {
global $CFG;
// only following plugins are guaranteed to work properly
// TODO: add support for more plguins in 2.0
$whitelist = array('manual', 'nologin', 'none', 'email');
$plugins = get_enabled_auth_plugins();
$choices = array();
foreach ($plugins as $plugin) { // No comparison is made between $whitelist and $plugins, so all plugins are returned.
$choices[$plugin] = auth_get_plugin_title ($plugin);
}
return $choices;
}
So, either this function needs fixing to prevent external plugins from being selected, or the rest of the script needs fixing to prevent passwords from being generated when an external plugin is selected.
I think it should be possible to upload users and choose an external auth plugin. Consider a teacher who does not want students to enrol themselves on a course. The teacher has a list of the students she wants to enrol, but not all of the students have logged in to Moodle, so she cannot use "Assign roles" to enrol them all. The solution would be to upload a CSV containing user profile and enrolment information.
I attach a patch that prevents passwords from being required or generated when the auth plugin is not "manual" or "email".
Thanks for reporting this issue.
We have detected that this issue has been inactive for over a year has been recorded as affecting versions that are no longer supported.
If you believe that this issue is still relevant to current versions (2.1 and beyond), please comment on the issue. Issues left inactive for a further month will be closed.
Michael d;
lqjjLKA0p6