Moodle

Port security upgrades from 1.9.7 to HEAD

Details

  • Type: Bug
  • Status: Closed
  • Priority: Blocker
  • Resolution: Fixed
  • Affects Version/s: 2.0
  • Fix Version/s: 2.0
  • Component/s: Authentication
  • Labels: None
  • Affected Branches: MOODLE_20_STABLE
  • Fixed Branches: MOODLE_20_STABLE

Description

All of MDL-18807, and the upgrade.php parts of MDL-18006 and MDL-20853, need to be ported to HEAD for people who upgrade to 2.0 from versions < 1.9.7.

Activity

Martin Dougiamas added a comment -

Petr, can you confirm this still needs doing? Did you leave out the upgrades on purpose?

Petr Škoda (skodak) added a comment -

latest upgrades in HEAD are not needed IMO, it supports upgrades only from 1.9.x and everybody responsible should go through 1.9.7, there is a potential problem that the upgrade code with things like password reset would be executed twice

hmmm, the only important upgrade seems to be the 'not cached' password change for all auth plugins, going to add it now

Martin Dougiamas added a comment -

I don't think double upgrades are a problem if the dates are set properly... Do we really want to take the risk that someone upgrading from 1.9.6 will miss out on some of these important settings? I don't feel so.

Petr Škoda (skodak) added a comment -

done:
1/ password hashes are now automatically replaced with 'not set' in plugins that do not need the hashes
2/ admin notified again if main salt not set

later:
a/ force admin password change if salt not set, noted in upgrade.php - depends on planned admin role changes

Petr Škoda (skodak) added a comment -

should be done, please reopen if needed

Anthony Borrow added a comment -

Petr - Not sure if the emails (or messages) should be part of the upgrade if a site goes from 1.9.6 to 2.0 but figured I would link this issue with MDL-20978 so that you can see what was done. Peace - Anthony
