Reviewed:  https://reviews.mahara.org/6696
Committed: https://git.mahara.org/mahara/mahara/commit/792fb47bdc4dbbb058a2b5e6ac7dc9483cb4be34
Submitter: Robert Lyon ([email protected])
Branch:    15.10_STABLE

commit 792fb47bdc4dbbb058a2b5e6ac7dc9483cb4be34
Author: Robert Lyon <[email protected]>
Date:   Fri Jul 8 09:05:53 2016 +1200

Bug 1580399: Stop users logging in to suspended/expired institutions

Moving the code from LiveUser->login() to
ensure_user_account_is_active() so that internal and external logins
can use the same code. This means the check now will fall after
LiveUser->authenticate(), so a user's lastlogin values will be updated,
but that should be ok as the login was successful; it's just that they
can't go any further as their institution is not active.

behatnotneeded

Change-Id: Ie78a60978d5936f78af5a962ca3efdcdee148b93
Signed-off-by: Robert Lyon <[email protected]>

https://bugs.launchpad.net/bugs/1580399

Title:
  Users can login to suspended institutions via external auth under some
  circumstances

Status in Mahara:
  Fix Committed
Status in Mahara 15.04 series:
  Fix Committed
Status in Mahara 15.10 series:
  Fix Committed
Status in Mahara 16.04 series:
  Fix Committed

Bug description:
  The problem is this:

  The code that checks if the user's authinstance is from a suspended
  institution is in LiveUser->login(). This is the method used by the
  username/password login box.

  But if you log in with an auth method that doesn't use the login box,
  say SAML, XMLRPC, Shibboleth, you don't hit that check.

  We need to move the check into the "ensure_user_account_is_active()" method
  in auth/lib.php which is already called at the start of
  LiveUser->authenticate() so we should update that to make sure it checks that
  their auth institution isn't suspended and (maybe) remove the redundant code
  from LiveUser->login().

  See also https://bugs.launchpad.net/mahara/+bug/903534 for some more
  information about this issue.
  That bug report is public but I'll mark this as private as it mentions the
  attack vector.
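The design point in the report above, that a check placed in one entry point (the password login box) is skipped by every other entry point (SAML, XML-RPC, Shibboleth) until it is moved into the step all of them share, modelled as an added example. This is not Mahara's code: AuthService, Institution, User, LoginDenied and compare_layouts are hypothetical stand-ins named after the report, the method names mirror the ones the report mentions, and the suspended/expired institutions and users are constructed test data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional


@dataclass
class Institution:
    name: str
    suspended: bool = False
    expiry: Optional[date] = None  # None means the institution never expires

    def is_active(self, today: date) -> bool:
        return not self.suspended and (self.expiry is None or self.expiry >= today)


@dataclass
class User:
    username: str
    institution: str  # institution that owns the user's auth instance
    active: bool = True


class LoginDenied(Exception):
    pass


class AuthService:
    """Hypothetical stand-in for LiveUser (not Mahara's real class).

    legacy=True models the vulnerable layout, where only login() checks the
    institution; legacy=False models the fix, where the check lives in the
    shared ensure_user_account_is_active() step.
    """

    def __init__(self, institutions: Dict[str, Institution], today: date, legacy: bool):
        self.institutions = institutions
        self.today = today
        self.legacy = legacy

    def _check_institution(self, user: User) -> None:
        inst = self.institutions[user.institution]
        if not inst.is_active(self.today):
            raise LoginDenied(f"institution '{inst.name}' is suspended or expired")

    def ensure_user_account_is_active(self, user: User) -> None:
        # Shared by every auth method, so a check placed here cannot be
        # bypassed by choosing a different entry point.
        if not user.active:
            raise LoginDenied("user account is suspended")
        if not self.legacy:
            self._check_institution(user)

    def authenticate(self, user: User) -> bool:
        self.ensure_user_account_is_active(user)
        return True

    def login(self, user: User, password_ok: bool) -> bool:
        # Username/password login box path.
        if not password_ok:
            raise LoginDenied("bad credentials")
        if self.legacy:
            self._check_institution(user)  # pre-fix: only this path checks
        return self.authenticate(user)

    def external_login(self, user: User) -> bool:
        # SAML / XML-RPC / Shibboleth: the identity provider vouched for the
        # user, so the login box (and any check living only there) is skipped.
        return self.authenticate(user)


def outcome(service: AuthService, method: str, user: User) -> str:
    """Run one login attempt and report 'allowed' or 'denied: <reason>'."""
    try:
        if method == "password":
            service.login(user, password_ok=True)
        elif method == "external":
            service.external_login(user)
        else:
            raise ValueError(method)
        return "allowed"
    except LoginDenied as exc:
        return f"denied: {exc}"


def compare_layouts(today: date = date(2016, 7, 8)) -> Dict[str, str]:
    # Constructed scenario: a suspended, an expired and an open institution,
    # each tried through both entry points under both layouts.
    institutions = {
        "suspended-uni": Institution("suspended-uni", suspended=True),
        "expired-uni": Institution("expired-uni", expiry=date(2016, 1, 1)),
        "open-uni": Institution("open-uni"),
    }
    results: Dict[str, str] = {}
    for layout in ("legacy", "fixed"):
        service = AuthService(institutions, today, legacy=(layout == "legacy"))
        for inst in institutions:
            user = User(f"alice@{inst}", inst)
            for method in ("password", "external"):
                results[f"{layout}/{inst}/{method}"] = outcome(service, method, user)
    return results


if __name__ == "__main__":
    for key, value in compare_layouts().items():
        print(f"{key:35} {value}")
```

Running it prints one line per layout/institution/method combination: under the legacy layout the suspended and expired institutions are refused through the password box but accepted through the external path, while under the fixed layout every path refuses them and only the open institution is allowed. The general lesson is the one the report states: an authorization check belongs in the code path every authentication method funnels through, not in one front end.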

Mailing list: https://launchpad.net/~mahara-contributors