Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-43639

If auth plugin prevents local passwords, then user is updated and event is triggered on every login

    XMLWordPrintable

Details

    Description

      If you take a look at update_internal_user_password() and the auth plugin of the user prevents local passwords and we are not using the legacy hash system, then the code attempts to verify the password against $user->password which isn't a hash at all.

      Then the code thinks that the password has changed and updates the user record and then also fires the user_updated event on every user login.

      Attachments

        Activity

          People

            bushido Mark Nielsen
            bushido Mark Nielsen
            Damyon Wiese Damyon Wiese
            Eloy Lafuente (stronk7) Eloy Lafuente (stronk7)
            Michael de Raadt Michael de Raadt
            David Woloszyn, Huong Nguyen, Jake Dallimore, Michael Hawkins, Stevani Andolo
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:
              8/Sep/14