Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-61694

Create an extension point for adding extra password validation functionality

    XMLWordPrintable

    Details

    • Testing Instructions:
      Hide
      1. Create a "local" plugin that implements the <pluginname>_check_password_policy() function.
      2. The plugin function should accept a single string argument; this should be the password that was entered.
      3. The plugin function should output a single string value, this should be an error message if the password is invalid, or a blank string if it is ok.
      4. Testing can be done by checking that the password is passed into the function correctly, that the return value is treated as an error message in the same way as existing password check errors.
      5. You should also check that the existing password check mechanism continues to work as expected, per its own configuration.
      6. The plugin should be called regardless of whether the primary password check is enabled or not, because plugins can be enabled separately.
      7. I have also created a plugin of my own that implements this callback. You can find it here: https://github.com/Spudley/moodle-local_hibp. This is a 'real' plugin that implements the "HaveIBeenPwned" API as I mentioned in the original ticket description. Please feel free to use this plugin to test the callback as well.
      Show
      Create a "local" plugin that implements the <pluginname>_check_password_policy() function. The plugin function should accept a single string argument; this should be the password that was entered. The plugin function should output a single string value, this should be an error message if the password is invalid, or a blank string if it is ok. Testing can be done by checking that the password is passed into the function correctly, that the return value is treated as an error message in the same way as existing password check errors. You should also check that the existing password check mechanism continues to work as expected, per its own configuration. The plugin should be called regardless of whether the primary password check is enabled or not, because plugins can be enabled separately. I have also created a plugin of my own that implements this callback. You can find it here: https://github.com/Spudley/moodle-local_hibp . This is a 'real' plugin that implements the "HaveIBeenPwned" API as I mentioned in the original ticket description. Please feel free to use this plugin to test the callback as well.
    • Affected Branches:
      MOODLE_34_STABLE, MOODLE_36_STABLE
    • Fixed Branches:
      MOODLE_36_STABLE
    • Pull from Repository:
    • Pull Master Branch:
      wip-MDL-61694_Check_Password_Callback
    • Pull Master Diff URL:

      Description

      Hi.

      I have a requirement to add some new password validation to a variety of systems that I maintain.

      Specifically, I need to integrate with the Have I Been Pwned API, which allows a system to check whether a newly entered password is known to be insecure because it has been previously found in a hacked database.

      I have already written plugins for Joomla and Drupal to do this, and I now need to do so for Moodle as well.

      Unfortunately, however, Moodle does not seem to provide the ability to easily do this; there is no extension point that hooks into the password validation. I tried working around it with an Auth plugin, using the user_update_password() method, but this method only gets called for the specific auth plugin that has been used to create the user account, which doesn't work for me; I need to continue using the existing auth types, and have my method get triggered for any of them that involve a password update.

      I would therefore like to please request that an extension capability is added that will enable me to do this.

      Many thanks.

       

      Forum reference: https://moodle.org/mod/forum/discuss.php?d=367393

        Attachments

          Issue Links

          has a non-specific relationship to

          New Feature - A new Moodle feature which has yet to be developed. MDL-67309 Have options to call check_password_policy on every login

          • Minor - Minor loss of function where workaround is possible
          • Closed
          has been marked as being related by

          Bug - A problem which impairs or prevents Moodle from functioning correctly. MDL-67950 Logical inconsistency between $CFG->passwordpolicy between check_password_policy vs print_password_policy

          • Minor - Minor loss of function where workaround is possible
          • Closed

            Activity

              People

              Assignee:
              sc-sfw Simon Champion
              Reporter:
              sc-sfw Simon Champion
              Peer reviewer:
              Mark Nelson
              Integrator:
              David Monllaó
              Tester:
              David Mudrák (@mudrd8mz)
              Participants:
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias, Sujith Haridasan
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                3/Dec/18