  1. Moodle
  2. MDL-42935

user_create_user and user_update_user functions do not validate auth, lang or theme


    Details

    • Type: Bug
    • Status: Reopened
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.4.7, 2.5, 2.6
    • Fix Version/s: BACKEND
    • Component/s: Authentication
    • Labels:
    • Testing Instructions:
      Test 1 - Creating a user.
      1. Create a user on your site.
      2. Visit <yoursite>/admin/tool/langimport/index.php and install a new language pack.
      3. Place the attached 'test_create_user.php' file into your Moodle directory.
      4. Use the attached script to create a user with the 'auth' setting to something that does not exist, e.g. "blahblah".
      5. An error should be returned stating this is not valid.
      6. Use the attached script to create a user with the 'auth' setting to 'mnet'.
      7. An error should be returned stating why this cannot be changed.
      8. Try again with a valid auth method (but different than the one they are currently using) and check that the user's 'auth' setting is correct in the DB (note the script will print the user's data from the DB if there are no exceptions).
      9. Use the function to create a user with the 'lang' setting to something that does not exist.
      10. An error should be returned stating this is not valid.
      11. Try again using a valid language and check that it worked.
      12. Use the function to create a user with the 'theme' setting to something that does not exist.
      13. An error should be returned stating this is not valid.
      14. Try again with a valid theme and check that it worked.
      Test 2 - Updating a user
      1. Create a user on your site.
      2. Visit <yoursite>/admin/tool/langimport/index.php and install a new language pack.
      3. Place the attached 'test_update_user.php' file into your Moodle directory.
      4. Use the attached script to update the 'auth' setting to something that does not exist, e.g. "blahblah".
      5. An error should be returned stating this is not valid.
      6. Use the attached script to update the 'auth' setting to 'mnet'.
      7. An error should be returned stating why this cannot be changed.
      8. Try again with a valid auth method (but different than the one they are currently using) and check that the user's 'auth' setting has been changed in the DB (note the script will print the user's data from the DB if there are no exceptions).
      9. Use the function to update the 'lang' setting for this user to something that does not exist.
      10. An error should be returned stating this is not valid.
      11. Try again using a valid language (but different than the one they are currently using) and check that it worked.
      12. Use the function to update the 'theme' setting to something that does not exist.
      13. An error should be returned stating this is not valid.
      14. Try again with a valid theme (but different than the one they are currently using) and check that the user's 'theme' setting has been changed.
      15. Now remove the change to the $user variable in the script.
      16. Check that it works and none of the values changed.
    • Affected Branches:
      MOODLE_24_STABLE, MOODLE_25_STABLE, MOODLE_26_STABLE
    • Pull Master Branch:
      MDL-42935_master
    • Story Points:
      13

      Description

      The function update_users_parameters contains -

      'auth' => new external_value(PARAM_PLUGIN, 'Auth plugins include manual, ldap, imap, etc', VALUE_OPTIONAL, '', NULL_NOT_ALLOWED),
      'lang' => new external_value(PARAM_SAFEDIR, 'Language code such as "en", must exist on server', VALUE_OPTIONAL, '', NULL_NOT_ALLOWED),
      'theme' => new external_value(PARAM_PLUGIN, 'Theme name such as "standard", must exist on server', VALUE_OPTIONAL),
      

      However, none of this is validated (like it is in the create_users function).
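
The gap described above, as an added example (standalone PHP, not Moodle code or the patch for this issue): a parameter type such as PARAM_SAFEDIR only restricts the characters of a value, so a well-formed but nonexistent name like "blahblah" passes cleaning and has to be rejected by a separate existence check. The helper names, error messages and installed lists are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not Moodle code. The installed sets below are constructed
// sample data standing in for what a real site would report.
const INSTALLED = [
    'auth'  => ['manual', 'email', 'ldap', 'mnet'],
    'lang'  => ['en', 'fr'],
    'theme' => ['standard', 'clean'],
];

// Syntactic cleaning only, in the spirit of PARAM_SAFEDIR: strips unexpected
// characters but says nothing about whether the value exists on the server.
function clean_safedir(string $value): string {
    return preg_replace('/[^a-zA-Z0-9_-]/', '', $value);
}

// Hypothetical helper: semantic checks for the optional fields of one user record.
// Returns a field => message map; an empty array means the record is acceptable.
function validate_user_fields(array $user, array $installed = INSTALLED): array {
    $errors = [];
    foreach (['auth', 'lang', 'theme'] as $field) {
        if (!array_key_exists($field, $user)) {
            continue; // Optional field not supplied: nothing to validate or change.
        }
        $value = $user[$field];
        if (!is_string($value) || $value === '' || $value !== clean_safedir($value)) {
            $errors[$field] = "invalid characters in $field";
        } else if (!in_array($value, $installed[$field], true)) {
            $errors[$field] = "$field '$value' does not exist on this server";
        } else if ($field === 'auth' && $value === 'mnet') {
            // Mirrors testing steps 6-7: mnet exists but must not be assigned here.
            $errors[$field] = "auth cannot be set to 'mnet' through this function";
        }
    }
    return $errors;
}

// Cleaning alone leaves "blahblah" untouched, which is why it is not a validator.
var_dump(clean_safedir('blahblah') === 'blahblah');
// Cases taken from the testing instructions: unknown auth, mnet, then valid values.
print_r(validate_user_fields(['id' => 5, 'auth' => 'blahblah']));
print_r(validate_user_fields(['id' => 5, 'auth' => 'mnet']));
print_r(validate_user_fields(['id' => 5, 'lang' => 'fr', 'theme' => 'clean']));
// A record that supplies none of the three fields produces no errors and no changes.
print_r(validate_user_fields(['id' => 5]));
```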
