Moodle tracker issue MDL-53044

Manual account auth users able to log in with expired password


    Details

    • Testing Instructions:
      1. Log in as an admin.
      2. Visit 'Site administration' > 'Plugins' > 'Authentication'.
      3. Edit the settings for 'Manual accounts'.
      4. Change 'Enable password expiry' to 'Yes'.
      5. Set the 'Password duration' to '30 days'.
      6. Edit the database table 'user' for a student and set the timecreated value to '1'.
      7. Log in as the student you changed.
      8. Ensure you are told that your password has expired and you need to change your password.
      9. Click 'Cancel'.
      10. Confirm you are taken to the change password screen.
      11. Try to visit a course you are enrolled in; confirm you are taken to the change password screen.
      12. Log out.
      13. Log in.
      14. Confirm you are taken to the change password screen.
      15. Change your password.
      16. Confirm you can browse around Moodle as normal.
      17. Log out.
      18. Log in.
      19. Confirm you are not taken to the change password screen.
    • Workaround:

      By changing auth_forcepasswordchange to 1 we can force a user to change their password.
      https://github.com/moodle/moodle/compare/master...ak4t0sh:MDL-53044
      Drawback: if you log out and log in again you are directly redirected to /login/change_password.php without seeing the message explaining that your password has expired.
    • Affected Branches:
      MOODLE_30_STABLE
    • Fixed Branches:
      MOODLE_31_STABLE, MOODLE_32_STABLE
      Description

      As reported by József Somogyi in https://moodle.org/mod/forum/discuss.php?d=327760, users with manual account authentication can select 'Cancel' when prompted to change their expired password, then continue to log in again and again with their expired password.

      Expected behaviour would be that users are no longer able to log in when their password has expired.
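The flow at issue, as an added standalone PHP model (not Moodle's own code and not the patch linked in the workaround): mdl53044_days_to_expire() follows the shape of the manual auth plugin's expiry calculation, measured from the last recorded password change and falling back to timecreated, which is why setting timecreated to 1 in the testing instructions expires the password; mdl53044_login_before_fix() reproduces the reported behaviour, where 'Cancel' on the expired-password dialog continues to the requested page and nothing is recorded; mdl53044_login_after_fix() applies the workaround's idea of setting auth_forcepasswordchange, so that 'Cancel', any other page and every later login are redirected until the password is actually changed. The mdl53044_* names, the $user and $config arrays and the sample timestamps are assumptions made for this script.

```php
<?php
// Added example for MDL-53044: a standalone model of the post-login password
// expiry decision for manual accounts. Not Moodle code; the mdl53044_* names,
// the $user/$config arrays and the sample values are assumptions for this script.

const DAYSECS = 86400;

/**
 * Days until the password expires; negative once it has expired, 0 when expiry
 * is disabled. Expiry is measured from the last recorded password change and
 * falls back to timecreated, so a user whose timecreated is 1 (as in the
 * testing instructions) is expired by many thousands of days.
 */
function mdl53044_days_to_expire(array $user, array $config, int $now): int {
    if (empty($config['expiration']) || empty($config['expirationtime'])) {
        return 0;
    }
    $last = $user['passwordupdatetime'] ?? $user['timecreated'];
    $expiretime = $last + $config['expirationtime'] * DAYSECS;
    $days = ($expiretime - $now) / DAYSECS;
    return (int) ($expiretime > $now ? ceil($days) : floor($days));
}

/**
 * Any page request after login: the forced-change flag wins over the
 * requested page (this is the check that keeps the user on change_password).
 */
function mdl53044_page_request(array $user, string $page): string {
    return !empty($user['forcepasswordchange']) ? 'change_password' : $page;
}

/**
 * Reported behaviour: an expired password only produces a confirm dialog.
 * 'Continue' goes to change_password, 'Cancel' goes to the requested page,
 * and nothing is recorded, so the next login repeats the same dialog.
 */
function mdl53044_login_before_fix(array &$user, array $config, int $now, bool $cancel, string $urltogo): string {
    $days = mdl53044_days_to_expire($user, $config, $now);
    if ($days < 0 || ($days > 0 && $days < $config['expiration_warning'])) {
        return $cancel ? mdl53044_page_request($user, $urltogo) : 'change_password';
    }
    return mdl53044_page_request($user, $urltogo);
}

/**
 * Forced-change behaviour: an expired password sets the forcepasswordchange
 * flag (a user preference in Moodle) before the dialog is shown, so 'Cancel',
 * any other page, and every later login all end on change_password.
 */
function mdl53044_login_after_fix(array &$user, array $config, int $now, bool $cancel, string $urltogo): string {
    $days = mdl53044_days_to_expire($user, $config, $now);
    if ($days < 0) {
        $user['forcepasswordchange'] = 1;
    }
    if ($days < 0 || ($days > 0 && $days < $config['expiration_warning'])) {
        return $cancel ? mdl53044_page_request($user, $urltogo) : 'change_password';
    }
    return mdl53044_page_request($user, $urltogo);
}

/** A successful password change records the time and clears the flag. */
function mdl53044_change_password(array &$user, int $now): void {
    $user['passwordupdatetime'] = $now;
    $user['forcepasswordchange'] = 0;
}

// Constructed sample: 30-day expiry with a 7-day warning, and the student from
// the testing instructions with timecreated forced to 1. $now is 9 Jan 2017 UTC.
$config = ['expiration' => 1, 'expirationtime' => 30, 'expiration_warning' => 7];
$user   = ['timecreated' => 1, 'passwordupdatetime' => null, 'forcepasswordchange' => 0];
$now    = 1483920000;

printf("days to expire: %d\n", mdl53044_days_to_expire($user, $config, $now));
printf("before fix, Cancel: %s\n", mdl53044_login_before_fix($user, $config, $now, true, 'course/view.php'));
printf("after fix, Cancel:  %s\n", mdl53044_login_after_fix($user, $config, $now, true, 'course/view.php'));
printf("after fix, course:  %s\n", mdl53044_page_request($user, 'course/view.php'));
mdl53044_change_password($user, $now);
printf("after change:       %s\n", mdl53044_login_after_fix($user, $config, $now, true, 'course/view.php'));
```

Run with `php mdl53044_model.php`. The first login call shows the reported problem: with the expired student, the pre-fix flow returns the requested course page when 'Cancel' is chosen, while the forced-change flow returns change_password for both the dialog and a later course request, and only after mdl53044_change_password() does the login land on the course page, matching steps 9 through 19 of the testing instructions.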


      Dates

      • Fix Release Date: 9/Jan/17