Moodle
  1. Moodle
  2. MDL-4627

password change not disabled for restricted users in block_admin.php

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: 1.5.3
    • Fix Version/s: None
    • Component/s: Blocks
    • Labels:
      None
    • Environment:
      All
    • Affected Branches:
      MOODLE_15_STABLE
    • Rank:
      11181

      Description

      Suppose I have an account for a student called student and I want to make it impossible for him to change his password.

      1. In config.php, add the line $CFG->restrictusers = 'student';

      2. In \moodle\user\view.php, there is a condition which will prevent the display of the Change Password button on the View/Profile page, and this is just what I want:

      if ($currentuser and !isguest() and !is_restricted_user($USER->username)) {

      3. Unfortunately, a similar condition is absent from \moodle\blocks\admin\block_admin.php. So, if that block is displayed in my course, then the student user will see a link to Change Password page and will be able to change their password.angry

      Hack to prevent this: in \moodle\blocks\admin\block_admin.php, around line 185, change:

      $this->content->items[]='<a href='.$CFG->wwwroot.'/login/change_password.php?id='.$this->instance->pageid.'>'.get_string('changepassword').'</a>';

      to

      if (!is_restricted_user($USER->username))

      { $this->content->items[]='<a href='.$CFG->wwwroot.'/login/change_password.php?id='.$this->instance->pageid.'>'.get_string('changepassword').'</a>'; }

      Joseph

        Activity

        Hide
        Martin Dougiamas added a comment -

        From Joseph R?zeau (joseph.rezeau at uhb.fr) Thursday, 26 January 2006, 01:28 AM:

        Actually, a more radical solution would consist in not displaying the Administration block at all for restricted users!

        Hack to achieve this: in \moodle\blocks\admin\block_admin.php, around line 160, change:

        } else if (!isguest() )

        { // Students menu to }

        else if (!isguest() and !is_restricted_user($USER->username)) { // Students menu

        From Jon Papaioannou (pj at moodle.org) Sunday, 29 January 2006, 03:32 AM:

        This is mainly cosmetic and not a serious issue, as hiding the link is of course no security at all. The change password page does not allow you to change your password if you 're restricted (try submitting the form).

        Of course it's good to be consistent across Moodle, so I 've just implemented your suggestion for hiding the change password link. Thanks!

        From Joseph R?zeau (joseph.rezeau at uhb.fr) Sunday, 29 January 2006, 05:54 AM:

        Thanks!

        Joseph

        Show
        Martin Dougiamas added a comment - From Joseph R?zeau (joseph.rezeau at uhb.fr) Thursday, 26 January 2006, 01:28 AM: Actually, a more radical solution would consist in not displaying the Administration block at all for restricted users! Hack to achieve this: in \moodle\blocks\admin\block_admin.php, around line 160, change: } else if (!isguest() ) { // Students menu to } else if (!isguest() and !is_restricted_user($USER->username)) { // Students menu From Jon Papaioannou (pj at moodle.org) Sunday, 29 January 2006, 03:32 AM: This is mainly cosmetic and not a serious issue, as hiding the link is of course no security at all. The change password page does not allow you to change your password if you 're restricted (try submitting the form). Of course it's good to be consistent across Moodle, so I 've just implemented your suggestion for hiding the change password link. Thanks! From Joseph R?zeau (joseph.rezeau at uhb.fr) Sunday, 29 January 2006, 05:54 AM: Thanks! Joseph
        Hide
        Michael Blake added a comment -

        Temporary transition to reassign bug to "pj".

        Show
        Michael Blake added a comment - Temporary transition to reassign bug to "pj".
        Hide
        Michael Blake added a comment -

        Re-closing bugs after re-assigning to "pj".

        Show
        Michael Blake added a comment - Re-closing bugs after re-assigning to "pj".

          People

          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: