Details
- Type: Improvement
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 2.7
- Fix Version/s: 2.8
- Component/s: Authentication
- Testing Instructions:
- Affected Branches: MOODLE_27_STABLE
- Fixed Branches: MOODLE_28_STABLE
- Pull from Repository:
- Pull Master Branch: wip-MDL-46247-master
- Pull Master Diff URL:
Description
We have a Moodle instance with CAS SSO enabled but have turned off automatic user creation ("Prevent account creation"). We manually provision accounts. Right now, when users who don't yet have rights attempt to log in, they get the default error message "Invalid login, please try again" and get dumped to the standard login form.
With external authentication methods we rely on the method to do the authentication but on Moodle to do the authorisation. Right now it's not clear to the user why their logon attempt has failed, and in the case of some login forms (CAS, Shibboleth) being dropped to the standard login form is confusing at best.
I think this can be improved in two ways. The first is a revision of MDL-34101 so that an external authentication attempt is still processed regardless of whether new account creation is allowed. If you're using CAS or Shibboleth you've already gone through authentication before that code block is reached. That way if you're authenticated but not authorised Moodle can display a more helpful message such as 'The user account "foo" is not available on this site'. Contra MDL-35835 I don't see this as a security risk to Moodle because the user has already authenticated elsewhere.
The second, which may be specific to CAS, would be better detection of the correct login page when the user encounters an error. Once you're dumped to the manual login form there's no way to auth to CAS.
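
The decision the description asks for, as an added sketch that is neither Moodle's code nor part of the ticket: the specific "not available" message is returned only after an external provider has already authenticated the user, while manual logins keep one generic failure. The function, constants, URLs and the account table are hypothetical.

```php
<?php
// Added illustration, not Moodle code. Every name and URL below is hypothetical.
const LOGIN_OK = 'ok';
const LOGIN_INVALID = 'invalidlogin';             // generic failure
const LOGIN_NOT_PROVISIONED = 'notprovisioned';   // authenticated, not authorised

/**
 * @param string $username        Name asserted by the IdP or typed into the form.
 * @param bool   $externallyauthd True only after CAS/Shibboleth validated the user.
 * @param bool   $passwordok      Local password check result (manual logins only).
 * @param array  $localaccounts   Constructed stand-in for the user table.
 * @param bool   $preventcreation The "Prevent account creation" setting.
 * @return array status, message and the page to send the user to.
 */
function decide_login(string $username, bool $externallyauthd, bool $passwordok,
                      array $localaccounts, bool $preventcreation): array {
    $exists = isset($localaccounts[$username]);

    if ($externallyauthd) {
        if ($exists || !$preventcreation) {
            // Existing account, or creation on first login is allowed.
            return ['status' => LOGIN_OK, 'message' => '', 'next' => '/'];
        }
        // The IdP has vouched for this identity, so naming the account tells
        // the user nothing they have not already proven. Stay off the manual
        // form, which cannot start a CAS login. Escape the message on output.
        return [
            'status'  => LOGIN_NOT_PROVISIONED,
            'message' => sprintf('The user account "%s" is not available on this site', $username),
            'next'    => '/sso-error',
        ];
    }

    // Manual login: the same answer for "no such account" and "wrong
    // password", so the form cannot be used to probe which usernames exist.
    if ($exists && $passwordok) {
        return ['status' => LOGIN_OK, 'message' => '', 'next' => '/'];
    }
    return ['status' => LOGIN_INVALID, 'message' => 'Invalid login, please try again',
            'next' => '/login'];
}

$accounts = ['alice' => true];   // constructed sample data
var_dump(decide_login('foo', true, false, $accounts, true)['status']);    // SSO, unprovisioned
var_dump(decide_login('foo', false, false, $accounts, true)['status']);   // manual, unknown user
var_dump(decide_login('alice', false, false, $accounts, true)['status']); // manual, bad password
```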