Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-63734

If passwordunmask field is hardcoded in config.php, do not show the value

    XMLWordPrintable

Details

    • MOODLE_35_STABLE, MOODLE_39_STABLE
    • MOODLE_39_STABLE
    • MDL-63734-master_hidepassword
    • Hide

      Test for regressions when passwords are not forced

      1. Navigate to Site administration -> Messaging -> Jabber
      2. For the "Jabber password" field, check that you can:
        1. edit the field
        2. view its value
        3. mask/unmask it
        4. save it
        5. view the saved value and that it is correct
      3. Navigate to Site administration -> Plugins -> Activity modules -> URL
      4. For the "Password" field, check that you can:
        1. edit the field
        2. view its value
        3. mask/unmask it
        4. save it
        5. view the saved value and that it is correct

      Forcing passwords

      1. Edit your config.php and add the following line just before the require_once('setup.php'); line: 

        $CFG->jabberpassword = 'cfgpassword';

      2. Navigate to Site administration -> Messaging -> Jabber
      3. For the "Jabber password" field, check that:
        1. the field is now a disabled text field
        2. the password unmask features are missing (edit icon, eye icon)
      4. Inspect the element
        1. Confirm that you cannot see cfgpassword anywhere in the source
      5. Test that the password is not visible and cannot be seen in source etc
      6. Edit your config.php again and add the following line just before the require_once('setup.php'); line: 

         $CFG->forced_plugin_settings['url']['secretphrase'] = 'cfgpassword';

      7. Navigate to Site administration -> Plugins -> Activity modules -> URL
      8. For the "Jabber password" field, check that:
        1. the field is now a disabled text field
        2. the password unmask features are missing (edit icon, eye icon)
      9. Inspect the element
        1. Confirm that you cannot see cfgpassword anywhere in the source
      10. Test that the password is not visible and cannot be seen in source etc
      Show
      Test for regressions when passwords are not forced Navigate to Site administration -> Messaging -> Jabber For the "Jabber password" field, check that you can: edit the field view its value mask/unmask it save it view the saved value and that it is correct Navigate to Site administration -> Plugins -> Activity modules -> URL For the "Password" field, check that you can: edit the field view its value mask/unmask it save it view the saved value and that it is correct Forcing passwords Edit your config.php and add the following line just before the require_once('setup.php'); line: $CFG->jabberpassword = 'cfgpassword'; Navigate to Site administration -> Messaging -> Jabber For the "Jabber password" field, check that: the field is now a disabled text field the password unmask features are missing (edit icon, eye icon) Inspect the element Confirm that you cannot see cfgpassword anywhere in the source Test that the password is not visible and cannot be seen in source etc Edit your config.php again and add the following line just before the require_once('setup.php'); line:  $CFG->forced_plugin_settings['url']['secretphrase'] = 'cfgpassword'; Navigate to Site administration -> Plugins -> Activity modules -> URL For the "Jabber password" field, check that: the field is now a disabled text field the password unmask features are missing (edit icon, eye icon) Inspect the element Confirm that you cannot see cfgpassword anywhere in the source Test that the password is not visible and cannot be seen in source etc

    Description

      GA number of passwordunmask fields should (in some situations) be hidden from admins, e.g. if you don't want Moodle admins to know the passwords for, e.g.:

      • auth_cas | bind_pw
      • enrol_database | dbpass
      • logstore_database | dbpass

      There's cases where admins do set these values via the Moodle UI, and in those cases it should be visible.

      One flexible way to do this is to prevent the value of passwordunmask fields from being populated if the value is hard-coded in config.php

      pseuocode

      		 
      class admin_setting_configpasswordunmask extends admin_setting_configtext {
      		 
      ...
      		 
          public function output_html($data, $query='') {
      		 
              global $OUTPUT;
      		 
              $context = (object) [
      		 
                  'id' => $this->get_id(),
      		 
                  'name' => $this->get_full_name(),
      		 
                  'size' => $this->size,
      		 
                  'value' => (isset($CFG->...):'':$data),
      		 
                  'forceltr' => $this->get_force_ltr(),
      		 
              ];
      		 
              $element = $OUTPUT->render_from_template('core_admin/setting_configpasswordunmask', $context);
      		 
              return format_admin_setting($this, $this->visiblename, $element, $this->description, true, '', null, $query);
      		 
          }

      Attachments

        Issue Links

          has been marked as being related by

          Improvement - An enhancement to an existing Moodle feature. MDL-59326 Don't use password field for shared secrets

          • Minor - Minor loss of function where workaround is possible
          • Closed
          is duplicated by

          Improvement - An enhancement to an existing Moodle feature. MDL-66445 All admin_setting_configpassword should not show forced config items

          • Minor - Minor loss of function where workaround is possible
          • Closed

          Activity

            People

              danmarsden Dan Marsden
              mwebster Mark van Hoek
              Brendan Heywood Brendan Heywood
              Andrew Lyons Andrew Lyons
              Anna Carissa Sadia Anna Carissa Sadia
              David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo, David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo
              Votes:
              2 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                15/Jun/20

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 50 minutes
                  50m