Moodle - MDL-64474

MDL-61767 regression: usernames in user table are being changed

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.7
    • Fix Version/s: 3.7
    • Component/s: User management
    • Labels:
    • Testing Instructions:
      Setup
      1. Set up a Google OAuth 2 service
        1. Untick "Require email verification"
      2. Go to Site administration / Plugins / Authentication / Manage authentication.
      3. Enable the OAuth 2 authentication method
      Editing an existing user
      1. Still as an admin, navigate to Site administration -> Users -> Browse
      2. Edit an existing user, s1, and set the Gmail account's email address as the user's email address
      3. In another browser session/incognito window, log in via the Google login using s1's Google account.
      4. Confirm that your name has not been changed to your Google account's name
      5. Log out and log in again using s1's username and password.
      6. Confirm that you can log in.
      7. Log out.
      8. Back in the admin's browser window, edit s1's profile.
      9. Change s1's authentication method to OAuth 2
      10. Save the changes.
      11. Log in again as s1 using the Google authentication.
      12. Confirm that s1's name has now been changed to the Google account's name.
      13. Log out.
      New user creation
      1. Log in via OAuth 2 again using a different Gmail account which is not yet registered in your Moodle instance. Let's call this user s2
      2. Confirm that the account was created
      3. Confirm that the details of that account were also pulled in
      Linked login
      1. Log in as user s3
      2. Go to your user preferences and go to Linked logins.
      3. Link a different Google account that is not yet registered in your Moodle instance to your account.
      4. Confirm that you can link the account successfully.
      5. Log out.
      6. Log in as s3 using your linked Google account.
      7. Confirm that you can log in.
      8. Confirm that your details have not been changed.
      9. Log out and log in again using s3's username and password.
      10. Confirm that you can still log in.
      Locked profile fields
      1. Back in the admin's browser, go to Site administration / Plugins / Authentication / OAuth 2
      2. Set the First name lock value to Locked.
      3. Save the changes.
      4. Manually edit s2's first and last names.
      5. Save the changes.
      6. In s2's browser window, log in again as s2 using Google authentication
      7. Confirm that s2's first name has not been changed, but s2's last name has been synced with the Google account's last name.
    • Affected Branches:
      MOODLE_37_STABLE
    • Fixed Branches:
      MOODLE_37_STABLE
    • Pull Master Branch:
      MDL-64474-master-2

      Description

      MDL-61767 changes the username of an existing user (one who has logged in via LDAP, and possibly other authentication methods) when that user logs in via OAuth 2.

      To reproduce this, set up a site with OAuth 2 enabled and create a user whose authentication method is not OAuth 2, with a username that is not their email address but with an email address that matches an account at an OAuth 2 provider.

      1. Log in with the username, then log out.
      2. Check the user table for the username.
      3. Log in as the same user, but using OAuth 2 as the login method.
      4. Check the user table again and note that the username has changed to the email address.

      This is especially dangerous for users who are synchronized via LDAP: the sync process no longer recognises the modified accounts as LDAP users and deletes them.
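      The regression described above, the LDAP-sync cascade it triggers, and the behaviour the testing instructions check (no sync for a non-OAuth 2 account matched by email, sync once the auth method is OAuth 2, new account creation, linked logins left untouched, locked fields respected) modelled in Python as an added example. This is not Moodle's code: the function names, the linked-login mapping, the rule that a new OAuth 2 account's username is its email address, the directory-sync removal rule and the sample user records are all assumptions made for the illustration.

```python
"""Model of the MDL-64474 regression and the fixed behaviour described in the
testing instructions.  Written for this page as an illustration, not Moodle's
code: function names, the linked-login mapping, the username rule for new
accounts and the sample records are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass
class User:
    username: str
    email: str
    auth: str          # 'manual', 'ldap', 'oauth2', ...
    firstname: str
    lastname: str


@dataclass(frozen=True)
class IdpClaims:
    """What the OAuth 2 provider returns after a login (constructed sample)."""
    email: str
    firstname: str
    lastname: str


def sample_users() -> Dict[str, User]:
    """Constructed user table, keyed by username."""
    return {
        "s1": User("s1", "s1@example.com", "ldap", "Sam", "One"),
        "s3": User("s3", "s3@example.com", "manual", "Sal", "Three"),
    }


def find_by_email(users: Dict[str, User], email: str) -> Optional[User]:
    return next((u for u in users.values() if u.email.lower() == email.lower()), None)


def new_oauth2_user(users: Dict[str, User], c: IdpClaims) -> User:
    # Assumed: a brand-new OAuth 2 account takes the email address as username.
    u = User(c.email, c.email, "oauth2", c.firstname, c.lastname)
    users[u.username] = u
    return u


def complete_login_buggy(users: Dict[str, User], c: IdpClaims) -> User:
    """Regressed behaviour: any email match is treated as an OAuth 2 user and
    the whole profile, username included, is rewritten from the provider."""
    u = find_by_email(users, c.email)
    if u is None:
        return new_oauth2_user(users, c)
    del users[u.username]
    u.username, u.firstname, u.lastname = c.email, c.firstname, c.lastname
    users[u.username] = u
    return u


def complete_login_fixed(users: Dict[str, User], c: IdpClaims,
                         linked: Dict[str, str],
                         locked: FrozenSet[str] = frozenset()) -> User:
    """Fixed behaviour as the testing instructions describe it:
    - a linked login (IdP email -> local username) resolves to that account;
    - an email match on a user whose auth is not 'oauth2' just logs them in;
    - an 'oauth2' user gets unlocked profile fields synced, never the username;
    - no match at all creates a new 'oauth2' account."""
    u = users.get(linked.get(c.email, "")) or find_by_email(users, c.email)
    if u is None:
        return new_oauth2_user(users, c)
    if u.auth == "oauth2":
        for f in ("firstname", "lastname"):
            if f not in locked:
                setattr(u, f, getattr(c, f))
    return u


def ldap_removals(users: Dict[str, User], directory: FrozenSet[str]) -> List[str]:
    """Assumed directory-sync rule: local 'ldap' accounts whose username is no
    longer in the directory are removed.  After the buggy login s1's username
    is its email address, unknown to the directory, so s1 is flagged."""
    return sorted(u.username for u in users.values()
                  if u.auth == "ldap" and u.username not in directory)


def demo() -> dict:
    claims_s1 = IdpClaims("s1@example.com", "Samuel", "Google")
    directory = frozenset({"s1"})

    buggy = sample_users()
    complete_login_buggy(buggy, claims_s1)          # username becomes the email

    fixed = sample_users()
    complete_login_fixed(fixed, claims_s1, linked={})   # LDAP user: untouched
    fixed["s1"].auth = "oauth2"                          # admin switches auth
    complete_login_fixed(fixed, claims_s1, linked={})   # now the name is synced

    claims_s2 = IdpClaims("s2@gmail.com", "Sue", "Two")
    s2 = complete_login_fixed(fixed, claims_s2, linked={})  # new account
    s2.firstname, s2.lastname = "Edited", "ByAdmin"        # admin edits by hand
    complete_login_fixed(fixed, claims_s2, linked={}, locked=frozenset({"firstname"}))

    claims_s3 = IdpClaims("s3.other@gmail.com", "Google", "Name")
    complete_login_fixed(fixed, claims_s3, linked={"s3.other@gmail.com": "s3"})

    return {
        "buggy_usernames": sorted(buggy),
        "buggy_ldap_removals": ldap_removals(buggy, directory),
        "fixed_usernames": sorted(fixed),
        "s1_name": (fixed["s1"].firstname, fixed["s1"].lastname),
        "s2_name": (fixed["s2@gmail.com"].firstname, fixed["s2@gmail.com"].lastname),
        "s3_name": (fixed["s3"].firstname, fixed["s3"].lastname),
    }
```

      The security-relevant point is the guard on `u.auth == "oauth2"`: an email match alone must never be taken as proof that the provider owns the local account, otherwise an IdP-controlled identity can rewrite records belonging to another authentication source, and downstream processes keyed on username (the LDAP sync here) act on the corrupted data.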

        Attachments

        1. 1.PNG (101 kB)
        2. 2.PNG (45 kB)
        3. 3.PNG (64 kB)

              People

              Assignee:
              jpataleta Jun Pataleta
              Reporter:
              prg3 Mark Paget [nee Paul]
              Peer reviewer:
              Sara Arjona (@sarjona)
              Integrator:
              Eloy Lafuente (stronk7)
              Tester:
              Janelle Barcega
              Participants:
              Component watchers:
              Amaia Anabitarte, Carlos Escobedo, Ferran Recio, Sara Arjona (@sarjona), Víctor Déniz Falcón
               Votes:
               0
               Watchers:
               7

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                20/May/19

                  Time Tracking

                  Estimated: 0m
                  Remaining: 0m
                  Logged: 2h