Moodle / MDL-67977

Logical inconsistency between check_password_policy vs generate_password

    • MOODLE_38_STABLE

      If you have a password policy, and you have extra plugins that implement the check_password_policy callback to add more constraints on the password, then it can be easy to generate a password which doesn't actually meet the password policy.

      Proposing:

      1) Add a new callback 'generate_password' to round out check_password_policy and print_password_policy which can mutate / append to the newly generated password. I think if there is a clash between the $maxlen=10 function param and $CFG->minpasswordlength then the latter should take precedence as we'll almost always be making it longer and more complicated.

      2) I can imagine some curve balls that make this non-deterministic, and so core should actually test the new password against the policy after it's been generated. If it doesn't pass then retry a couple of times and then either a debug message or maybe a moodle_exception.

            Unassigned Unassigned
            brendanheywood Brendan Heywood
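
The generate, mutate, verify and retry flow proposed in this issue, as an added stand-alone PHP sketch that is not part of the original issue and not Moodle core code. Every `example_*` function, the `EXAMPLE_MIN_LENGTH` constant and the sample plugin closures are hypothetical stand-ins for `generate_password`, `check_password_policy`, `$CFG->minpasswordlength` and the plugin callbacks.

```php
<?php
// Added sketch, not Moodle core code; every example_* name and constant is hypothetical.
const EXAMPLE_MIN_LENGTH = 12; // Stands in for $CFG->minpasswordlength.

// Stand-in for the core policy plus plugin check_password_policy callbacks.
// Returns a list of error strings; an empty list means the password passes.
function example_check_policy(string $password, array $checks): array {
    $errors = strlen($password) < EXAMPLE_MIN_LENGTH ? ['too short'] : [];
    foreach ($checks as $check) {
        $error = $check($password);
        if ($error !== '') {
            $errors[] = $error;
        }
    }
    return $errors;
}

// Draws each character from the CSPRNG.
function example_random_string(int $length): string {
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Generate, let plugins mutate, then verify against the policy; retry before failing.
function example_generate_password(int $maxlen, array $mutators, array $checks, int $maxtries = 3): string {
    // On a clash the policy minimum takes precedence over the caller's $maxlen.
    $length = max($maxlen, EXAMPLE_MIN_LENGTH);
    for ($try = 1; $try <= $maxtries; $try++) {
        $password = example_random_string($length);
        foreach ($mutators as $mutate) { // The proposed generate_password callbacks.
            $password = $mutate($password);
        }
        if (example_check_policy($password, $checks) === []) {
            return $password;
        }
    }
    throw new RuntimeException("No policy-compliant password after {$maxtries} attempts");
}

// Constructed plugin pair: one check demands a '!', its matching mutator appends one.
$checks = [function (string $p): string { return strpos($p, '!') === false ? 'needs a "!"' : ''; }];
$mutators = [function (string $p): string { return $p . '!'; }];
$password = example_generate_password(10, $mutators, $checks);
echo strlen($password), ' chars, policy errors: ', count(example_check_policy($password, $checks)), PHP_EOL;
```

Passing an empty `$mutators` list with the same `$checks` reproduces the inconsistency the issue describes: every attempt fails the plugin check and the function throws after the last retry.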