MDL-66984: Allow change_password_url to use $USER global

    Details

    • Testing Instructions:
      Requirements:

      • Mail configured.

      1) Create a test user, with manual auth_type.

      2) Temporarily hack the code for auth_manual to set a custom change password URL which uses the $USER global, and trick Moodle into thinking it is an external auth type. Open the /auth/manual/auth.php file and change the following methods to make them look like this:

      function change_password_url() {
          global $USER;
          return 'https://example.com/'.$USER->id;
      }
      function is_internal() {
          return false;
      }
      function can_reset_password() {
          return false;
      }
      

      3) Logout

      4) Visit the password forgot page: /login/forgot_password.php

      5) Enter the test username or email.

      6) Check it sends an email with this url. Check the user id appears at the end of this URL (in the example below, 123)

      To change your password, please go to the following web address:
      https://example.com/123
      

    • Affected Branches:
      MOODLE_36_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE
    • Fixed Branches:
      MOODLE_36_STABLE, MOODLE_37_STABLE
    • Pull 3.7 Branch:
      MDL-66984-change_password_url-with-user-MOODLE_37_STABLE
    • Pull Master Branch:
      MDL-66984-change_password_url-with-user

      Description

      The auth API explicitly says that change_password_url() can use the $USER global:

      https://github.com/moodle/moodle/blob/master/lib/authlib.php#L155

      But this contract is broken when it is used in the forgot password process, where the user is not currently logged in:

      https://github.com/moodle/moodle/blob/master/lib/moodlelib.php#L6526

      We have some custom auth plugins where you can get a nicer user experience by deep linking to the user's profile page or password change URL for that user; it's not a generic URL (or the generic URL requires an extra couple of clicks to get where you want to go).
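
      An added example, not part of the original issue and not the patch merged for it: a stand-alone PHP simulation of why a $USER-based change_password_url() breaks in the logged-out forgot password flow, and one way a caller could supply the target account while always restoring the visitor afterwards. The class, the helper and the sample ids are hypothetical, and no Moodle code is loaded.

```php
<?php
// Stand-alone simulation. Only change_password_url() and $USER come from the
// issue; every other name here is hypothetical.

// Constructed sample: the unauthenticated visitor on /login/forgot_password.php.
$USER = (object)['id' => 0];

class auth_plugin_example {
    // Same shape as the hack in the testing instructions: a deep link from $USER.
    public function change_password_url() {
        global $USER;
        return 'https://example.com/' . $USER->id;
    }
}

// Hypothetical helper: call the plugin with $USER pointing at the account the
// reset email is for. The finally block restores the visitor even if the
// plugin throws, so the logged-out request never keeps the target's identity.
function url_for_target_user($auth, stdClass $target) {
    global $USER;
    $visitor = $USER;
    $USER = $target;
    try {
        return $auth->change_password_url();
    } finally {
        $USER = $visitor;
    }
}

$auth   = new auth_plugin_example();
$target = (object)['id' => 123];   // constructed sample account

// Called the way the logged-out flow does: $USER is the visitor, not the target.
$broken = $auth->change_password_url();

// Called with the target account supplied for the duration of the call.
$fixed = url_for_target_user($auth, $target);

echo "visitor in \$USER: $broken\n";
echo "target in \$USER:  $fixed\n";
echo 'visitor restored: ' . var_export($USER->id === 0, true) . "\n";
```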

              People

              Assignee:
              brendanheywood Brendan Heywood
              Reporter:
              brendanheywood Brendan Heywood
              Peer reviewer:
              Peter Burnett
              Integrator:
              Sara Arjona (@sarjona)
              Tester:
              Gladys Basiana
              Component watchers:
              Adrian Greeve, Jake Dallimore, Mathew May, Mihail Geshoski, Peter Dias
                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                11/Nov/19

                  Time Tracking

                  Estimated:
                  0m
                  Remaining:
                  0m
                  Logged:
                  1h