MDL-53044 (Moodle)

Manual account auth users able to log in with expired password


Details

    • MOODLE_30_STABLE
    • MOODLE_31_STABLE, MOODLE_32_STABLE
    • By changing auth_forcepasswordchange to 1 we can force a user to change his password.
      https://github.com/moodle/moodle/compare/master...ak4t0sh:MDL-53044
      Drawback: if you log out and log in again you are redirected directly to /login/change_password.php without seeing the message which explains that your password is expired.

      1. Log in as an admin.
      2. Visit 'Site administration' > 'Plugins' > 'Authentication'.
      3. Edit the settings for 'Manual accounts'.
      4. Change 'Enable password expiry' to 'Yes'.
      5. Set the 'Password duration' to '30 days'.
      6. Edit the database table 'user' for a student and set the timecreated value to '1'.
      7. Log in as the student you changed.
      8. Ensure you are told that your password has expired and you need to change your password.
      9. Click 'Cancel'.
      10. Confirm you are taken to the change password screen.
      11. Try to visit a course you are enrolled in, confirm you are taken to the change password screen.
      12. Log out.
      13. Log in.
      14. Confirm you are taken to the change password screen.
      15. Change your password.
      16. Confirm you can browse around Moodle as per normal.
      17. Log out.
      18. Log in.
      19. Confirm you are not taken to the change password screen.

    Description

      As reported by József Somogyi in https://moodle.org/mod/forum/discuss.php?d=327760 users with manual account authentication can select 'Cancel' when prompted to change their expired password, then continue to log in again and again with their expired password.

      Expected behaviour would be that users are no longer able to log in when their password has expired.
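
      As an added illustration (not Moodle's code and not taken from the linked branch), the following self-contained PHP model contrasts an expiry check that only produces a cancellable prompt at login with one that also records auth_forcepasswordchange and enforces it on every page request. The function names, the lastchanged field, the $prefs array standing in for the user preference store and all sample values are assumptions made for the example.

```php
<?php
// Added example: a self-contained model, not Moodle's code. Function names and the
// 'lastchanged' field are hypothetical; $prefs stands in for the user preference store.
const DAY = 86400;

function password_expired(array $user, int $days, int $now): bool {
    return $now - $user['lastchanged'] > $days * DAY;
}

// Login. With $persist = false the expiry is only shown on a prompt the user can
// cancel; with $persist = true it is also recorded as auth_forcepasswordchange = 1.
function login(array $user, array &$prefs, int $days, int $now, bool $persist): string {
    if (!password_expired($user, $days, $now)) {
        return 'home';
    }
    if ($persist) {
        $prefs[$user['id']]['auth_forcepasswordchange'] = 1;
    }
    return 'expired-prompt';
}

// Gate evaluated on every page request, independent of what was clicked at login.
function page_request(array $user, array $prefs, string $path): string {
    return empty($prefs[$user['id']]['auth_forcepasswordchange'])
        ? $path
        : '/login/change_password.php';
}

// A successful change resets the password age and clears the flag.
function change_password(array &$user, array &$prefs, int $now): void {
    $user['lastchanged'] = $now;
    unset($prefs[$user['id']]['auth_forcepasswordchange']);
}

$now = 1700000000;                              // constructed timestamp
foreach ([false, true] as $persist) {
    $user = ['id' => 7, 'lastchanged' => 1];    // constructed: long-expired password
    $prefs = [];
    echo $persist ? "flag persisted:\n" : "prompt only:\n";
    echo '  login        -> ', login($user, $prefs, 30, $now, $persist), "\n";
    // The user clicks Cancel on the prompt and requests a course page.
    echo '  course page  -> ', page_request($user, $prefs, '/course/view.php'), "\n";
    if ($persist) {
        change_password($user, $prefs, $now);
        echo '  after change -> ', page_request($user, $prefs, '/course/view.php'), "\n";
        echo '  next login   -> ', login($user, $prefs, 30, $now, $persist), "\n";
    }
}
```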

            People

              ak4t0sh Arnaud Trouvé
              tsala Helen Foster
              Mark Nelson Mark Nelson
              Dan Poltawski Dan Poltawski
              Adrian Greeve Adrian Greeve
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Sujith Haridasan

              Dates

                Created:
                Updated:
                Resolved:
                9/Jan/17