  1. Moodle
  2. MDL-53044

Manual account auth users able to log in with expired password


    • MOODLE_30_STABLE
    • MOODLE_31_STABLE, MOODLE_32_STABLE

      By changing auth_forcepasswordchange to 1 we can force a user to change his password.
      https://github.com/moodle/moodle/compare/master...ak4t0sh:MDL-53044
      Drawback: if you log out and log in again, you are redirected directly to /login/change_password.php without seeing the message which explains that your password is expired.

      1. Log in as an admin.
      2. Visit 'Site administration' > 'Plugins' > 'Authentication'.
      3. Edit the settings for 'Manual accounts'.
      4. Change 'Enable password expiry' to 'Yes'.
      5. Set the 'Password duration' to '30 days'.
      6. Edit the database table 'user' for a student and set the timecreated value to '1'.
      7. Log in as the student you changed.
      8. Ensure you are told that your password has expired and you need to change your password.
      9. Click 'Cancel'.
      10. Confirm you are taken to the change password screen.
      11. Try to visit a course you are enrolled in, confirm you are taken to the change password screen.
      12. Log out.
      13. Log in.
      14. Confirm you are taken to the change password screen.
      15. Change your password.
      16. Confirm you can browse around Moodle as per normal.
      17. Log out.
      18. Log in.
      19. Confirm you are not taken to the change password screen.

      As reported by József Somogyi in https://moodle.org/mod/forum/discuss.php?d=327760 users with manual account authentication can select 'Cancel' when prompted to change their expired password, then continue to log in again and again with their expired password.

      Expected behaviour would be that users are no longer able to log in when their password has expired.
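
The reported behaviour and the effect of setting auth_forcepasswordchange, as an added PHP example that is not Moodle's code or the linked patch. It models the login check and a per-request gate with hypothetical functions and a constructed user; only the preference name comes from the issue.

```php
<?php
// Simplified model, not Moodle code. Every name is hypothetical except the
// preference name auth_forcepasswordchange, which comes from the issue.
const DAY = 86400;

function password_expired(array $user, int $days, int $now): bool {
    return ($now - $user['lastchanged']) > $days * DAY;
}

// Reported behaviour: expiry only produces a notice at login. Nothing is
// stored, so choosing 'Cancel' leaves an ordinary session.
function login_before(array $user, int $days, int $now): string {
    return password_expired($user, $days, $now) ? 'expired-notice' : 'home';
}

// Patched behaviour: the first expired login stores the flag; later logins
// go straight to the change form (the drawback noted in the issue).
function login_after(array &$user, int $days, int $now): string {
    if (!empty($user['prefs']['auth_forcepasswordchange'])) {
        return 'change_password';
    }
    if (password_expired($user, $days, $now)) {
        $user['prefs']['auth_forcepasswordchange'] = 1;
        return 'expired-notice';
    }
    return 'home';
}

// Gate applied to every page request, independent of what was clicked.
function request_page(array $user, string $page): string {
    return empty($user['prefs']['auth_forcepasswordchange']) ? $page : 'change_password';
}

// Only a successful password change clears the flag.
function change_password(array &$user, int $now): void {
    $user['lastchanged'] = $now;
    unset($user['prefs']['auth_forcepasswordchange']);
}

$now = 1700000000;                              // constructed clock value
$student = ['lastchanged' => 1, 'prefs' => []]; // constructed user, timestamp 1 as in test step 6

$u = $student; // without the flag: log in, cancel the notice, open a course
echo login_before($u, 30, $now), ' -> ', request_page($u, 'course'), "\n";
$u = $student; // with the flag: test steps 7 to 19
echo login_after($u, 30, $now), ' -> ', request_page($u, 'course'), "\n";
echo login_after($u, 30, $now), "\n";
change_password($u, $now);
echo request_page($u, 'course'), ' / ', login_after($u, 30, $now), "\n";
```
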

            ak4t0sh Arnaud Trouvé
            tsala Helen Foster
            Mark Nelson Mark Nelson
            Dan Poltawski Dan Poltawski
            Adrian Greeve Adrian Greeve