MDL-20948

Port security upgrades from 1.9.7 to HEAD

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.0
    • Fix Version/s: 2.0
    • Component/s: Authentication
    • Labels:
      None
    • Affected Branches:
      MOODLE_20_STABLE
    • Fixed Branches:
      MOODLE_20_STABLE
    • Rank:
      31849

      Description

      All of MDL-18807, and the upgrade.php parts of MDL-18006 and MDL-20853 need to be ported to HEAD, for people who upgrade to 2.0 from versions < 1.9.7

          Activity

          Martin Dougiamas added a comment -

          Petr, can you confirm this still needs doing? Did you leave out the upgrades on purpose?

          Petr Škoda added a comment -

          latest upgrades in HEAD are not needed IMO, it supports upgrades only from 1.9.x and everybody responsible should go through 1.9.7, there is a potential problem that the upgrade code with things like password reset would be executed twice

          hmmm, the only important upgrade seems to be the 'not cached' password change for all auth plugins, going to add it now

          Martin Dougiamas added a comment -

          I don't think double upgrades are a problem if the dates are set properly... Do we really want to take the risk that someone upgrading from 1.9.6 will miss out on some of these important settings? I don't feel so.

          Petr Škoda added a comment -

          done:
          1/ password hashes are now automatically replaced with 'not set' in plugins that do not need the hashes
          2/ admin notified again if main salt not set

          later:
          a/ force admin password change if salt not set, noted in upgrade.php - depends on planned admin role changes

          Petr Škoda added a comment -

          should be done, please reopen if needed

          Anthony Borrow added a comment -

          Petr - Not sure if the emails (or messages) should be part of the upgrade if a site goes from 1.9.6 to 2.0 but figured I would link this issue with MDL-20978 so that you can see what was done. Peace - Anthony

