  1. Moodle
  2. MDL-65459

Logging: Missed two points relying on non-JSON log format


Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 3.7
    • 3.7
    • Logging
    • MOODLE_37_STABLE
    • MOODLE_37_STABLE
    • MDL-65459-master

      You must have a server where email works. Or use mailcatcher solution.

      1. In admin, turn on the 'notifyloginfailures' option, setting it to send email to yourself.
      2. Using another browser, or after logging out, attempt to log in 10 times in a row using an incorrect username (one that does not match a Moodle user, for example 'frogfrog')
      3. Wait for the 'Send failed login notifications' scheduled task to run, or run it from the web (@ admin/tool/task/scheduledtasks.php) or cli (with php admin/tool/task/cli/schedule_task.php --execute='\core\task\send_failed_login_notifications_task') - if you run it, be aware it has an annoying limit so it won't check more than once per hour.
        • It should show a message like 'Emailing admins about 12 failed login attempts'.
        • The email should correctly list the fake username you used for each request, like this: 'Wednesday, 1 May 2019, 12:08 PM, IP: x.x.x.x, User: frogfrog, User full name: Unknown user'

      If this fix failed, there might be a fatal error running the task, or it would not include the username.


    Description

      I happened to do a different type of code search (searched for regex 'unser.*->other') and found two places which were still relying on the log 'other' field being PHP-serialised. These are:

      1. Somewhere in privacy helper (I am not sure what this one does!)
      2. When sending out email about failed logins

      Note: I didn't work out a way to test the privacy helper one, it seems only to occur in an unexpected case. I wrote a test script for the other one though, and the fix is straightforward and identical in both places...
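
      A format-tolerant decode of the log 'other' field, as an added example that is not part of the original issue and is not Moodle's own code. The function name example_decode_log_other, the 'reason' key and the sample rows are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helper, not taken from the Moodle code base.

/**
 * Decode a log row's 'other' value whether it was stored as JSON
 * or in the older PHP-serialised format.
 *
 * @param string|null $other Raw column value.
 * @return mixed Decoded value (usually an array), or null if empty or undecodable.
 */
function example_decode_log_other(?string $other) {
    // Empty values, and 'N;' (PHP's serialised null), carry no data.
    if ($other === null || $other === '' || $other === 'N;') {
        return null;
    }
    // PHP-serialised values start with a type tag and a colon (a:, s:, i:, ...).
    // No valid JSON document starts that way, so this separates the two formats.
    if (preg_match('/^[abdisOC]:/', $other)) {
        // allowed_classes => false prevents log data from instantiating objects.
        $decoded = @unserialize($other, ['allowed_classes' => false]);
        // unserialize() returns false on failure; 'b:0;' is a genuine false.
        return ($decoded === false && $other !== 'b:0;') ? null : $decoded;
    }
    $decoded = json_decode($other, true);
    return (json_last_error() === JSON_ERROR_NONE) ? $decoded : null;
}

// Constructed sample rows: the same failed-login data stored both ways.
$rows = [
    'json'       => '{"username":"frogfrog","reason":1}',
    'serialised' => 'a:2:{s:8:"username";s:8:"frogfrog";s:6:"reason";i:1;}',
    'corrupt'    => '{"username":"frogfrog"',
];
foreach ($rows as $format => $raw) {
    $other = example_decode_log_other($raw);
    $username = (is_array($other) && isset($other['username']))
        ? $other['username']
        : '(unknown)';
    echo "{$format}: User: {$username}\n";
}
```

      Code that calls unserialize() directly on a JSON-encoded row gets false back, which is how a report like the failed-login email can lose the username.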

            People

              quen Sam Marshall
              quen Sam Marshall
              Tim Hunt Tim Hunt
              Eloy Lafuente (stronk7) Eloy Lafuente (stronk7)
              Janelle Barcega Janelle Barcega
              Andrew Lyons, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Stevani Andolo

              Dates

                Created:
                Updated:
                Resolved:
                20/May/19

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 35 minutes
                  35m