While testing you might want to run a query on the database to look at the format of the password field:
> SELECT id, username, password FROM mdl_user;
 id | username | password
----+----------+----------------------------------
  3 | testuser | b0c1805f9b6435abbf6c2d3fe81ecb36
If the password is of the form:
b0c1805f9b6435abbf6c2d3fe81ecb36
then it is the old-style md5 hash. If it looks more like:
$2y$10$DzO4FuCYRFnx1wyiYiOI8udJA8yrALCYFnMyFOfX.ZbNLo6.VtV/y
then it is in the new (bcrypt) format.
Test functionality with a PHP version that supports bcrypt (typically PHP 5.3.7 or above)
Hashes updated on first login following upgrade
1. Install a site without the patch applied
2. Create some users with known passwords
3. Upgrade the site to include the patch
4. Log in as some of the users (they should still be able to log in)
5. Log out and log back in again (they should still be able to log in)
6. Try to log in as a user with the wrong password (should not be able to log in)
DB checks:
After step 2 - old style hash
After step 3 - same as step 2
After step 4 - new style hash
After step 5 - same as step 4
i.e. the hash changes exactly once, when the user first successfully logs in after the upgrade
New users created by admin
1. Install a new site with the patch installed
2. Create some users with known passwords
3. Log in as some of the users (they should be able to log in)
DB checks: password should always be the new format
Self registration
1. Create a site with the patch applied
2. As admin, enable self-registration via Site Admin > Plugins > Authentication > Manage Authentication > Self registration
3. Log out
4. Create a user account (note: mail must be working on your site to test this)
5. Test that you can log in with the password you provided
DB checks: password should always be the new format
Password change
1. Create a site with the patch applied
2. Log in as any user
3. Click My Profile Settings > Change password and enter a new password
4. Log out
5. Check that you can log in again with the new password
DB checks: password should always be the new format
Note: You will get a PHP Notice when changing passwords due to MDL-37515.
Bulk upload with passwords specified
1. Create a text file containing the following:
   firstname,lastname,username,email,password
   Test,User,testuser,test@example.com,abc123
2. As an admin, visit Site Admin > Users > Accounts > Upload Users
3. Choose the file you created in step 1 and click upload users
4. Under 'New user password' choose 'Field required in file'
5. Click upload users
6. Test user should be created
7. Log out
8. Log in with testuser and password abc123
9. You should be able to log in
10. Log out and log back in again
DB checks:
After step 5 - new hash starting '$2y$04$'
After step 8 - new style hash starting '$2y$10$'
After step 10 - same as step 8
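The DB checks above and the hash-format description near the top of this page amount to one question: given the string in `mdl_user.password`, is it a legacy md5 hash, a bcrypt hash (and at what cost), or a placeholder such as 'not cached' or 'to be generated', and should the next successful login rewrite it? The following is an added example written for this page, not Moodle's own code; it uses only the Python standard library (so it classifies hashes and verifies legacy md5 values but does not verify bcrypt), and the `audit()` helper, the `bulkuser`/`ldapuser`/`newuser` rows and the cost-4 sample value are constructed for illustration.

```python
import hashlib
import hmac
import re

# Placeholder strings the DB checks on this page report for rows that hold no hash
SENTINELS = {"not cached", "to be generated"}
# Cost the page shows after an interactive login ('$2y$10$'); bulk upload writes '$2y$04$'
TARGET_COST = 10
_MD5_RE = re.compile(r"^[0-9a-f]{32}$")
_BCRYPT_RE = re.compile(r"^\$2y\$(\d{2})\$[./A-Za-z0-9]{53}$")

def classify(stored):
    """Return ('md5', None), ('bcrypt', cost), ('sentinel', value) or ('unknown', None)."""
    if stored in SENTINELS:
        return ("sentinel", stored)
    if _MD5_RE.match(stored):
        return ("md5", None)
    m = _BCRYPT_RE.match(stored)
    if m:
        return ("bcrypt", int(m.group(1)))
    return ("unknown", None)

def needs_rehash(stored, target_cost=TARGET_COST):
    """True when the next successful login should rewrite the row: legacy md5, or bcrypt below target cost."""
    kind, detail = classify(stored)
    return kind == "md5" or (kind == "bcrypt" and detail < target_cost)

def verify_legacy_md5(password, stored):
    """Check a password against an old-style unsalted md5 hash using a constant-time compare."""
    digest = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored)

def audit(rows):
    """Group (username, password) rows from mdl_user the way the DB checks on this page do."""
    groups = {"md5": [], "bcrypt_low_cost": [], "bcrypt_ok": [], "sentinel": [], "unknown": []}
    for username, stored in rows:
        kind, detail = classify(stored)
        if kind == "bcrypt":
            kind = "bcrypt_ok" if detail >= TARGET_COST else "bcrypt_low_cost"
        groups[kind].append(username)
    return groups

# Constructed sample rows: the two hashes quoted on the page plus a cost-4 variant made by
# swapping the cost prefix (hypothetical; it is not a real bcrypt hash of any password).
BCRYPT_COST10 = "$2y$10$DzO4FuCYRFnx1wyiYiOI8udJA8yrALCYFnMyFOfX.ZbNLo6.VtV/y"
BCRYPT_COST4 = "$2y$04$" + BCRYPT_COST10[7:]
SAMPLE_MD5 = hashlib.md5(b"abc123").hexdigest()
SAMPLE_ROWS = [("testuser", "b0c1805f9b6435abbf6c2d3fe81ecb36"), ("bulkuser", BCRYPT_COST4),
               ("admin", BCRYPT_COST10), ("ldapuser", "not cached"), ("newuser", "to be generated")]
```

Running `audit(SAMPLE_ROWS)` against real rows after each step of the plan gives the same answer as reading the column by eye, and `needs_rehash()` is the decision the "hash changes once on first login" checks are exercising.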
Bulk upload with passwords not specified
1. Create a text file containing the following:
   firstname,lastname,username,email
   Test,User2,testuser2,test2@example.com
2. As an admin, visit Site Admin > Users > Accounts > Upload Users
3. Choose the file you created in step 1 and click upload users
4. Under 'New user password' choose 'Create password if needed'
5. Click upload users
6. Test user should be created
7. Run the cron
8. Check email; you should have received an email with a temporary password (note: mail must be working on your site to test this)
9. Log out
10. Log in with testuser and the password from the email
11. You should be able to log in. You will be prompted to change the password
12. Change the password
13. Log out and log back in again with the new password
14. You should be able to log in
DB checks:
After step 5 - 'to be generated'
After step 7 - new style hash starting '$2y$04$'
After step 9 - new style hash starting '$2y$10$'
After step 11 - same as step 9
Test forgotten password functionality
1. Create a new site with the patch applied
2. Visit the login page (not logged in)
3. Click "Forgotten your username or password?"
4. Enter an existing username (or the account's email address) for an account whose mailbox you can access
5. Click the confirmation link in your email
6. Check your email again to get the new password
7. Check that you can log in with the new password
DB checks:
After step 1 - new style hash
After step 5 - new style hash, but different to before
After step 7 - same as step 5
Account access via non-caching auth plugin
1. Create a new site with the patch applied
2. Add the attached test auth plugin to auth/test/
3. Visit the notifications page to install it
4. Go to Site admin > Plugins > Authentication > Manage Authentication Plugins
5. Enable the plugin
6. Create a new user, assigning them the 'test auth' authentication type
7. Log out
8. Log in as the test user (any password will work)
9. The password should not be stored in the user table
10. Log out and log back in as admin
11. Change the user's auth method to manual and set a password
12. Log out and log in as that user, checking that the password works
13. Log back in as admin and switch the user back to the test auth plugin
14. Log back in as the user with the same password
15. Log out and back in as the user with a different password
DB checks:
After step 6 - 'not cached'
After step 8 - same as step 6
After step 11 - new style hash
After step 14 - same as step 11
After step 15 - 'not cached'
Test functionality with a PHP version that doesn't support bcrypt (typically 5.3.6 or below)
Repeat the tests above, making sure everything works: the site should continue to function as before but using only the old algorithm (md5).
Note: Some distributions have backported bcrypt support to releases prior to 5.3.7.