  1. Moodle
  2. MDL-69910

A way to infer if a username exists even if $CFG->protectusernames is set


    • MOODLE_310_STABLE
    • MOODLE_38_STABLE, MOODLE_39_STABLE
    • MDL-69910-calendar-protectusername

      1) Locate any valid user, e.g. the admin user, and grab its id, e.g. 2

      2) Construct 2 URLs, one with another existing and unrelated username, and one with a non-existent username:

      /calendar/export_execute.php?authtoken=x&userid=2&username=brendan
      /calendar/export_execute.php?authtoken=x&userid=2&username=brendancrap

      3) Confirm both should result in the exact same output:

      Invalid authentication

       


      Since MDL-68845 in 3.10 you can now determine if an account exists even if $CFG->protectusernames is set.

      All you need is the valid user id of any unrelated account; it doesn't matter which, and almost all sites have an admin account with id = 2, which is enough. Then compare a valid account and an invalid account:

       

      http://moodle.local/calendar/export_execute.php?authtoken=x&userid=2&username=brendan

      Invalid authentication

       

      http://moodle.local/calendar/export_execute.php?authtoken=x&userid=2&username=brendancrap

      Exception - Argument 1 passed to calendar_get_export_token() must be an instance of stdClass, boolean given, called in [dirroot]/calendar/export_execute.php on line 29

       

       

            brendanheywood Brendan Heywood
            brendanheywood Brendan Heywood
            Juan Leyva Juan Leyva
            Jake Dallimore Jake Dallimore
            Anna Carissa Sadia Anna Carissa Sadia
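The two responses in the report differ because a failed user lookup (a boolean) reaches a function that only accepts a user object, while a known username gets as far as the token check. The sketch below is an added example showing that leaky shape next to a uniform one; it is not Moodle's code or the fix for this issue, and `find_user`, `export_token`, both handlers, the secret and the sample accounts are hypothetical and constructed.

```php
<?php
declare(strict_types=1);

// Constructed sample accounts keyed by username (stand-in for the user table).
const SAMPLE_USERS = [
    'admin'   => ['id' => 2, 'username' => 'admin'],
    'brendan' => ['id' => 5, 'username' => 'brendan'],
];
const SAMPLE_SECRET = 'constructed-secret'; // placeholder, not a real site secret

// Hypothetical lookup: returns the record, or false when the username is unknown.
function find_user(string $username)
{
    return array_key_exists($username, SAMPLE_USERS) ? (object) SAMPLE_USERS[$username] : false;
}

// Hypothetical token routine; like the function named in the exception, it only accepts stdClass.
function export_token(stdClass $user): string
{
    return hash_hmac('sha256', $user->id . ':' . $user->username, SAMPLE_SECRET);
}

// Leaky shape: an unknown username reaches export_token() as false and raises a
// TypeError, so its output differs from the "Invalid authentication" of a known one.
function handle_leaky(string $username, string $authtoken): string
{
    $user = find_user($username);
    try {
        return hash_equals(export_token($user), $authtoken) ? 'export' : 'Invalid authentication';
    } catch (TypeError $e) {
        return 'Exception - ' . $e->getMessage(); // what an error page would expose
    }
}

// Uniform shape: unknown user and wrong token take the same exit; a placeholder
// record keeps the HMAC work on both paths.
function handle_uniform(string $username, string $authtoken): string
{
    $user = find_user($username);
    $expected = export_token($user ?: (object) ['id' => 0, 'username' => '']);
    $ok = hash_equals($expected, $authtoken) && $user !== false;
    return $ok ? 'export' : 'Invalid authentication';
}

foreach (['brendan', 'brendancrap'] as $name) {
    printf("%-12s leaky: %s\n", $name, handle_leaky($name, 'x'));
    printf("%-12s uniform: %s\n", $name, handle_uniform($name, 'x'));
}
```

A regression test for this class of bug can assert that the handler's output for a known and an unknown username is byte-for-byte identical when the token is wrong, which is what step 3 of the testing instructions checks by hand.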