Loading...

XML

Word

Printable

Type: Improvement
Resolution: Fixed
Priority: Minor
Fix Version/s: 3.9
Affects Version/s: 3.5.2, 3.9
Component/s: Authentication, Enrolments
Labels:
- CatalystIT
- ci
- partner
- patch
- release_notes
- triaged

Affected Branches:
MOODLE_35_STABLE, MOODLE_39_STABLE
Fixed Branches:
MOODLE_39_STABLE
Pull from Repository:
https://github.com/ledship/moodle
Pull Main Branch:
~~MDL-63734~~-master_hidepassword
Pull Main Diff URL:
https://github.com/moodle/moodle/compare/master...ledship:MDL-63734-master_hidepassword
Testing Instructions:
Hide

Test for regressions when passwords are not forced

Navigate to Site administration -> Messaging -> Jabber

For the "Jabber password" field, check that you can:

edit the field

view its value

mask/unmask it

save it

view the saved value and that it is correct

Navigate to Site administration -> Plugins -> Activity modules -> URL

For the "Password" field, check that you can:

edit the field

view its value

mask/unmask it

save it

view the saved value and that it is correct

Forcing passwords

Edit your config.php and add the following line just before the require_once('setup.php'); line:

$CFG->jabberpassword = 'cfgpassword';

Navigate to Site administration -> Messaging -> Jabber

For the "Jabber password" field, check that:

the field is now a disabled text field

the password unmask features are missing (edit icon, eye icon)

Inspect the element

Confirm that you cannot see cfgpassword anywhere in the source

Test that the password is not visible and cannot be seen in source etc

Edit your config.php again and add the following line just before the require_once('setup.php'); line:

$CFG->forced_plugin_settings['url']['secretphrase'] = 'cfgpassword';

Navigate to Site administration -> Plugins -> Activity modules -> URL

For the "Jabber password" field, check that:

the field is now a disabled text field

the password unmask features are missing (edit icon, eye icon)

Inspect the element

Confirm that you cannot see cfgpassword anywhere in the source

Test that the password is not visible and cannot be seen in source etc
Show
Test for regressions when passwords are not forced Navigate to Site administration -> Messaging -> Jabber For the "Jabber password" field, check that you can: edit the field view its value mask/unmask it save it view the saved value and that it is correct Navigate to Site administration -> Plugins -> Activity modules -> URL For the "Password" field, check that you can: edit the field view its value mask/unmask it save it view the saved value and that it is correct Forcing passwords Edit your config.php and add the following line just before the require_once('setup.php'); line: $CFG->jabberpassword = 'cfgpassword'; Navigate to Site administration -> Messaging -> Jabber For the "Jabber password" field, check that: the field is now a disabled text field the password unmask features are missing (edit icon, eye icon) Inspect the element Confirm that you cannot see cfgpassword anywhere in the source Test that the password is not visible and cannot be seen in source etc Edit your config.php again and add the following line just before the require_once('setup.php'); line: $CFG->forced_plugin_settings['url']['secretphrase'] = 'cfgpassword'; Navigate to Site administration -> Plugins -> Activity modules -> URL For the "Jabber password" field, check that: the field is now a disabled text field the password unmask features are missing (edit icon, eye icon) Inspect the element Confirm that you cannot see cfgpassword anywhere in the source Test that the password is not visible and cannot be seen in source etc

GA number of passwordunmask fields should (in some situations) be hidden from admins, e.g. if you don't want Moodle admins to know the passwords for, e.g.:

auth_cas | bind_pw
enrol_database | dbpass
logstore_database | dbpass

There's cases where admins do set these values via the Moodle UI, and in those cases it should be visible.

One flexible way to do this is to prevent the value of passwordunmask fields from being populated if the value is hard-coded in config.php

pseuocode
class admin_setting_configpasswordunmask extends admin_setting_configtext {
...
public function output_html($data, $query='') {
global $OUTPUT;
$context = (object) [
'id' => $this->get_id(),
'name' => $this->get_full_name(),
'size' => $this->size,
'value' => (isset($CFG->...):'':$data),
'forceltr' => $this->get_force_ltr(),
];
$element = $OUTPUT->render_from_template('core_admin/setting_configpasswordunmask', $context);
return format_admin_setting($this, $this->visiblename, $element, $this->description, true, '', null, $query);
}

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

image-2019-12-30-18-08-53-866.png
11 kB
30/Dec/19 3:08 PM
image-2019-12-30-18-09-31-106.png
19 kB
30/Dec/19 3:09 PM
MDL-63734.jpg.PNG
60 kB
08/Jan/20 2:28 PM
MDL-63734 (2).jpg.PNG
61 kB
08/Jan/20 2:28 PM

has been marked as being related by

MDL-59326 Don't use password field for shared secrets

Closed

is duplicated by

MDL-66445 All admin_setting_configpassword should not show forced config items

Closed

Assignee:: Dan Marsden

Reporter:: Mark van Hoek

Peer reviewer:: Brendan Heywood

Integrator:: Andrew Lyons

Tester:: Anna Carissa Sadia

Participants:: Alexander Morris, Andrew Lyons, Anna Carissa Sadia, Brendan Heywood, CiBoT, Dan Marsden, Mark van Hoek, Sara Arjona (@sarjona)

Votes:: 2 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: 23/Oct/18 6:57 AM

Updated:: 16/Feb/20 5:54 PM

Resolved:: 09/Jan/20 11:32 PM

Estimated:

Not Specified

Remaining:

Logged:

50m

Details

Test for regressions when passwords are not forced

Forcing passwords

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Time Tracking

Clockify