Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-66984

Allow change_password_url to use $USER global

    XMLWordPrintable

Details

    • MOODLE_36_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE
    • MOODLE_36_STABLE, MOODLE_37_STABLE
    • MDL-66984-change_password_url-with-user
    • Hide

      Requirements:

      • Mail configured.

      1) Create a test user, with manual auth_type

      2) Temp hack the code for auth_manual to set a custom change password url which uses the $USER global, and trick Moodle into thinking it is an external auth type. Open the /auth/manual/auth.php file and change the following methods to make them look like this:

      function change_password_url() {
          global $USER;
          return 'https://example.com/'.$USER->id;
      }
      function is_internal() {
          return false;
      }
      function can_reset_password() {
          return false;
      }
      

      3) Logout

      4) Visit the password forgot page: /login/forgot_password.php

      5) Enter the test username or email.

      6) Check it sends an email with this url. Check the user id appears at the end of this URL (in the example below, 123)

      To change your password, please go to the following web address:
      https://example.com/123
      

      Show
      Requirements: Mail configured. 1) Create a test user, with manual auth_type 2) Temp hack the code for auth_manual to set a custom change password url which uses the $USER global, and trick Moodle into thinking it is an external auth type. Open the /auth/manual/auth.php file and change the following methods to make them look like this: function change_password_url() {     global $USER ;     return 'https://example.com/' . $USER ->id; } function  is_internal() { return  false; } function  can_reset_password() { return  false; } 3) Logout 4) Visit the password forgot page: /login/forgot_password.php 5) Enter the test username or email. 6) Check it sends an email with this url. Check the user id appears at the end of this URL (in the example below, 123) To change your password, please go to the following web address: https: //example.com/123

    Description

      The auth api explicitly says that change_password_url() can use the $USER global:

      https://github.com/moodle/moodle/blob/master/lib/authlib.php#L155

      But this contract is broken when it uses this in the forgot password process when they are not currently logged in:

      https://github.com/moodle/moodle/blob/master/lib/moodlelib.php#L6526

       

      We have some custom auth plugins where you can get a nicer user experience by deep linking to the users profile page or password change url for that user, it's not a generic url (or the generic url requires an extra couple clicks to get where you want to go)

      Attachments

        Issue Links

          Activity

            People

              brendanheywood Brendan Heywood
              brendanheywood Brendan Heywood
              Peter Burnett Peter Burnett
              Sara Arjona (@sarjona) Sara Arjona (@sarjona)
              Gladys Basiana Gladys Basiana
              David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                11/Nov/19

                Time Tracking

                  Estimated:
                  Original Estimate - 0 minutes
                  0m
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 hour
                  1h