[#MDL-9429] Support for external forgot password url - Moodle Tracker

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Won't Fix
Affects Version/s: 1.8
Fix Version/s: None
Component/s: Authentication
Labels:
None

Affected Branches:
MOODLE_18_STABLE

Description

I posted this in the authentication forum but didn't get an answer http://moodle.org/mod/forum/discuss.php?d=69353#p311274 . I think its a bug, so submitting here for confirmation.

My custom auth plugin has fields in it for a custom url to direct people to if they'd forgotten their password, and some help text to display at the same time. Up until recently, If the user called login/forgot_password.php they were redirected appropriately.

I think with the quickforms upgrade in 1.8 this might have been lost. It no longer appears to check my auth plug-in to see if there's anything different it should do, so instead my users get a "you can't change your password" email message.

I think, looking back in my cvs history, the relevant code might be something like this, it goes in the display section...

if (!empty($userauth->config->changepasswordhelp)) {
$strextmessage = $userauth->config->changepasswordhelp .'<br /><br />';
}
// if url defined then add that to the message (with a standard message)
if (method_exists($userauth, 'change_password_url') and $userauth->change_password_url($user)) {
$strextmessage .= '<br /><br /><a href="' . $userauth->change_password_url($user) . '">' . $userauth->change_password_url($user) . '</a>';
}

print_header($strforgotten, $strforgotten,
"<a href=\"{$CFG->wwwroot}/login/index.php\">{$strlogin}</a>->{$strforgotten}", 'id_email');
print_box($strextmessage, 'generalbox boxwidthnormal boxaligncenter');
print_footer();

To get this in the current form will need a bit of jigging about though, which I why I'm not offering a complete patch! Am I mad? Is there a different way I should be doing this redirect now?

Jenny

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Petr Škoda (skodak) added a comment - 19/Apr/07 9:17 PM

Forgot password and change password are different in that the first works for not-logged-in user, the other for logged-in users. External url for changing of password works as expected.

The problem is that we can not select the correct login before knowing the username or email if not logged in. Also we should not reveal the existence of user with given username or password.

Maybe we could add some hook into forgot password page and allow plugins to add custom instructions.
Workaround is to supply custom instructions into the right login pane.

Show

Petr Škoda (skodak) added a comment - 19/Apr/07 9:17 PM Forgot password and change password are different in that the first works for not-logged-in user, the other for logged-in users. External url for changing of password works as expected. The problem is that we can not select the correct login before knowing the username or email if not logged in. Also we should not reveal the existence of user with given username or password. Maybe we could add some hook into forgot password page and allow plugins to add custom instructions. Workaround is to supply custom instructions into the right login pane.

Hide

Permalink

Petr Škoda (skodak) added a comment - 19/Apr/07 9:19 PM

..correct plugin... sorry

Show

Petr Škoda (skodak) added a comment - 19/Apr/07 9:19 PM ..correct plugin... sorry

Hide

Permalink

Jenny Gray added a comment - 19/Apr/07 9:48 PM

If the user has forgotten their password then the change password functionality is triggered to give them a new one.

However, your suggestion is, I think, that's pretty much what it did before. If you look back in CVS around version 1.37, you can see where I made a fix to some changes that Martin Langhoff had put in. The area that my change is in is exactly the area that seems to have gone missing recently.

Show

Jenny Gray added a comment - 19/Apr/07 9:48 PM If the user has forgotten their password then the change password functionality is triggered to give them a new one. However, your suggestion is, I think, that's pretty much what it did before. If you look back in CVS around version 1.37, you can see where I made a fix to some changes that Martin Langhoff had put in. The area that my change is in is exactly the area that seems to have gone missing recently.

Hide

Permalink

Petr Škoda (skodak) added a comment - 20/Apr/07 2:33 AM

Method change_password_url() should be IMO used only when user is logged in. You never know how is the auth plugin going to construct the url, it might contain data from user table, session, $_SERVER array or something else. I am going to update the inline docs to make the clear. I really want to keep changing and resetting of passwords separate.

The recommended way should be to allow resetting of passwords through Moodle interface and updating of the password in external source.

Show

Petr Škoda (skodak) added a comment - 20/Apr/07 2:33 AM Method change_password_url() should be IMO used only when user is logged in. You never know how is the auth plugin going to construct the url, it might contain data from user table, session, $_SERVER array or something else. I am going to update the inline docs to make the clear. I really want to keep changing and resetting of passwords separate. The recommended way should be to allow resetting of passwords through Moodle interface and updating of the password in external source.

Hide

Permalink

Jenny Gray added a comment - 20/Apr/07 4:03 PM

But that functionality has been in core since 1.6 stable, nealy 2 years ago. I can't be the only person that will be surprised that its disappeared.

I do understand what you're saying about change password should be separated from forgot password functionality, but in that case we need this stuff back in with new auth properties for external forgot password url and external forgot password help at the very least.

Show

Jenny Gray added a comment - 20/Apr/07 4:03 PM But that functionality has been in core since 1.6 stable, nealy 2 years ago. I can't be the only person that will be surprised that its disappeared. I do understand what you're saying about change password should be separated from forgot password functionality, but in that case we need this stuff back in with new auth properties for external forgot password url and external forgot password help at the very least.

Hide

Permalink

Petr Škoda (skodak) added a comment - 20/Apr/07 5:59 PM

I am sorry, the multi auth brought several other changes too. There were many hacks throughout the codebase for various auth plugins and all of them were removed (with the exception of mnet which is a special case). Since 1.8 individual plugins are defined only in /auth/xx/ directories - there is no code outside. I had to change the API and add new methods to allow this.

The reset password is a different problem, for security reasons it treturns always the same result so that ppl can not guess username or password - with your proposed patch it tells the attackers which emails/usernames exist - that is not acceptable for default installs.

Originally the change password was working without login which was often confusing ppl and was non-standard. The mixing of change password and reset password is really not a good idea.

Another solution could be emails with custom instructions for each plugin. Student would recieve email with link to change his/her password.

Show

Petr Škoda (skodak) added a comment - 20/Apr/07 5:59 PM I am sorry, the multi auth brought several other changes too. There were many hacks throughout the codebase for various auth plugins and all of them were removed (with the exception of mnet which is a special case). Since 1.8 individual plugins are defined only in /auth/xx/ directories - there is no code outside. I had to change the API and add new methods to allow this. The reset password is a different problem, for security reasons it treturns always the same result so that ppl can not guess username or password - with your proposed patch it tells the attackers which emails/usernames exist - that is not acceptable for default installs. Originally the change password was working without login which was often confusing ppl and was non-standard. The mixing of change password and reset password is really not a good idea. Another solution could be emails with custom instructions for each plugin. Student would recieve email with link to change his/her password.

Hide

Permalink

Jenny Gray added a comment - 20/Apr/07 11:22 PM

Sorry, I think I've confused you. Reset password is working fine. Its just what happens with forgot password that I'm worried about.

I agree with your proposal that each plugin could offer custom instructions for forgotten password separate to the custom change password stuff. If you feel it is safer to email those instructions rather than display them directly on the screen, then I guess that's fine by me.

Show

Jenny Gray added a comment - 20/Apr/07 11:22 PM Sorry, I think I've confused you. Reset password is working fine. Its just what happens with forgot password that I'm worried about. I agree with your proposal that each plugin could offer custom instructions for forgotten password separate to the custom change password stuff. If you feel it is safer to email those instructions rather than display them directly on the screen, then I guess that's fine by me.

Hide

Permalink

Petr Škoda (skodak) added a comment - 20/Apr/07 11:40 PM

The mailing of password resetting instructions is IMO the only secure solution - I am going to prepare a patch for review with 1.9 as target (because it will require a minor API change).

Thanks

Show

Petr Škoda (skodak) added a comment - 20/Apr/07 11:40 PM The mailing of password resetting instructions is IMO the only secure solution - I am going to prepare a patch for review with 1.9 as target (because it will require a minor API change). Thanks

Hide

Permalink

Duarte Silvestre added a comment - 08/Jun/07 7:03 AM

Hello Petr,

This feature was working in 1.6 and 1.7 versions. Not working in the actual stable version (1.8). And you only correct for the next version (1.9)? A version most of the people don't use because is under development...

You (the Moodle team) are doing a very fine job! But seems that you are essentially focused in the development of new versions.
Remember me Microsoft strategy: every time we close and open the eyes they put in the market a new version of their products...

If is always like that, Moodle never will have a full corrected or full stable version...

It seems to me that the right strategy should be: Bugs and very useful improvements must be fixed for the current stable version and for the next version; other improvements only for the next version.

I also need this lost feature for 1.8...

Show

Duarte Silvestre added a comment - 08/Jun/07 7:03 AM Hello Petr, This feature was working in 1.6 and 1.7 versions. Not working in the actual stable version (1.8). And you only correct for the next version (1.9)? A version most of the people don't use because is under development... You (the Moodle team) are doing a very fine job! But seems that you are essentially focused in the development of new versions. Remember me Microsoft strategy: every time we close and open the eyes they put in the market a new version of their products... If is always like that, Moodle never will have a full corrected or full stable version... It seems to me that the right strategy should be: Bugs and very useful improvements must be fixed for the current stable version and for the next version; other improvements only for the next version. I also need this lost feature for 1.8...

Hide

Permalink

Michael de Raadt added a comment - 05/Jan/12 1:51 PM

Thanks for reporting this issue.

We have detected that this issue has been inactive for over a year has been recorded as affecting versions that are no longer supported.

If you believe that this issue is still relevant to current versions (2.1 and beyond), please comment on the issue. Issues left inactive for a further month will be closed.

Michael d;

lqjjLKA0p6

Show

Michael de Raadt added a comment - 05/Jan/12 1:51 PM Thanks for reporting this issue. We have detected that this issue has been inactive for over a year has been recorded as affecting versions that are no longer supported. If you believe that this issue is still relevant to current versions (2.1 and beyond), please comment on the issue. Issues left inactive for a further month will be closed. Michael d; lqjjLKA0p6

Hide

Permalink

Michael de Raadt added a comment - 06/Feb/12 4:26 PM

I'm closing this issue as it has become inactive and does not appear to affect a current supported version. If you are encountering this problem or one similar, please launch a new issue.

Show

Michael de Raadt added a comment - 06/Feb/12 4:26 PM I'm closing this issue as it has become inactive and does not appear to affect a current supported version. If you are encountering this problem or one similar, please launch a new issue.

People

Assignee:

moodle.com

Reporter:

Jenny Gray

Participants:

Duarte Silvestre, Jenny Gray, Michael de Raadt, moodle.com, Petr Škoda (skodak)

Vote (3)

Watch (2)

Dates

Created:

18/Apr/07 8:42 PM

Updated:

06/Feb/12 4:26 PM

Resolved:

06/Feb/12 4:26 PM