MDL-46247: Improved message for unauthorised external users


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.7
    • Fix Version/s: 2.8
    • Component/s: Authentication
    • Labels:
    • Testing Instructions:

      CAS

      To test this you will need a working CAS environment and a working Moodle instance with CAS authentication configured and in a known working state. You will need two CAS-capable user accounts, User A and User B.

      1. Make sure that $CFG->authpreventaccountcreation is set to false (new accounts are permitted).
      2. Log in to the instance with User A. Verify that the account is provisioned correctly.
      3. Set $CFG->authpreventaccountcreation to "true" (new accounts are not permitted).
      4. Log in to the instance with User B. Verify that your account is authenticated by CAS but that you cannot log in and the message you receive is 'The user account "foo" is not available on this site'.

      LDAP

      To test this you will need a working LDAP environment and a working Moodle instance with LDAP authentication configured and in a known working state. You will need two LDAP-capable user accounts, User A and User B.

      1. Make sure that $CFG->authpreventaccountcreation is set to false (new accounts are permitted).
      2. Log in to the instance with User A. Verify that the account is provisioned correctly.
      3. Set $CFG->authpreventaccountcreation to "true" (new accounts are not permitted).
      4. Log in to the instance with User B. Verify that your account is authenticated by LDAP but that you cannot log in and the message you receive is 'The user account "foo" is not available on this site'.
      5. Attempt to log in with a username which you know does not exist. Verify that you fail with the message "Invalid login, please try again".
      6. Attempt to log in with User B but with a malformed password. Verify that you fail with the message "Invalid login, please try again".
    • Affected Branches:
      MOODLE_27_STABLE
    • Fixed Branches:
      MOODLE_28_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      wip-MDL-46247-master

      Description

      We have a Moodle instance with CAS SSO enabled but have turned off automatic user creation ("Prevent account creation"). We manually provision accounts. Right now, when users who don't yet have rights attempt to log in, they get the default error message "Invalid login, please try again" and get dumped to the standard login form.

      With external authentication methods we rely on the method to do the authentication but on Moodle to do the authorisation. Right now it's not clear to the user why their logon attempt has failed, and in the case of some login forms (CAS, Shibboleth) being dropped to the standard login form is confusing at best.

      I think this can be improved in two ways. The first is a revision of MDL-34101 so that an external authentication attempt is still processed regardless of whether new account creation is allowed. If you're using CAS or Shibboleth you've already gone through authentication before that code block is reached. That way if you're authenticated but not authorised Moodle can display a more helpful message such as 'The user account "foo" is not available on this site'. Contra MDL-35835 I don't see this as a security risk to Moodle because the user has already authenticated elsewhere.

      The second, which may be specific to CAS, would be better detection of the correct login page when the user encounters an error. Once you're dumped to the manual login form there's no way to auth to CAS.
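The login ordering the description argues for (external authentication first, then Moodle's authorisation decision), together with the outcomes the testing instructions check, as an added example that is not Moodle's own code: the external IdP (CAS/LDAP) and Moodle's account table are simulated with constructed data, and the `audit` list is an assumed hook standing in for whatever a site logs.

```python
"""Model of the proposed login flow (added example, not Moodle code).
Authentication is done by the external provider; authorisation (does a
Moodle account exist, may one be created?) is done by Moodle."""

MSG_INVALID = "Invalid login, please try again"
MSG_NOT_AVAILABLE = 'The user account "{}" is not available on this site'

# Constructed sample data: credentials the external IdP accepts, and the
# accounts already provisioned in Moodle (User A only).
EXTERNAL_IDP = {"usera": "secretA", "userb": "secretB"}
MOODLE_ACCOUNTS = {"usera"}


def external_authenticate(username, password):
    """Simulated CAS/LDAP check: authentication only, no site authorisation."""
    return EXTERNAL_IDP.get(username) == password


def login(username, password, accounts, prevent_account_creation, audit):
    """Return the message shown to the user, or None on a successful login.

    `accounts` is the site's account set (mutated on auto-provisioning);
    `audit` collects (event, username) tuples a defender would want logged,
    so an authenticated-but-unauthorised attempt is distinguishable from a
    bad password.
    """
    if not external_authenticate(username, password):
        # Unknown user or wrong password: keep the generic message so the
        # login form does not confirm which usernames the IdP knows.
        audit.append(("auth_failed", username))
        return MSG_INVALID
    if username in accounts:
        audit.append(("login_ok", username))
        return None
    if prevent_account_creation:
        # Authenticated by the IdP but not authorised here: the proposed
        # specific message instead of the generic one (the MDL-34101 order
        # would have returned MSG_INVALID before reaching the IdP at all).
        audit.append(("authenticated_unauthorised", username))
        return MSG_NOT_AVAILABLE.format(username)
    accounts.add(username)  # auto-provisioning allowed: create, then admit
    audit.append(("account_created", username))
    return None
```

With `prevent_account_creation=True`, User B's correct credentials produce the account-not-available message and no account is created; flipping it to False provisions the account and logs the user in.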

            People

            Assignee:
            cfulton Charles Fulton
            Reporter:
            cfulton Charles Fulton
            Peer reviewer:
            Dan Poltawski
            Integrator:
            Sam Hemelryk
            Tester:
            Adrian Greeve
            Participants:
            Component watchers:
            Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
            Votes:
            1
            Watchers:
            3

              Dates

              Fix Release Date:
              10/Nov/14