Reviewed:  https://reviews.mahara.org/8040
Committed: https://git.mahara.org/mahara/mahara/commit/a1da6ea10b5f7eb33883b58bcc801922fc1ab8be
Submitter: Robert Lyon (robe...@catalyst.net.nz)
Branch:    17.04_STABLE

commit a1da6ea10b5f7eb33883b58bcc801922fc1ab8be
Author: Robert Lyon <robe...@catalyst.net.nz>
Date:   Mon Sep 18 13:46:55 2017 +1200

    Bug 1546769: Stop 'none' auth being allowed to work on production site

    behatnotneeded

    Change-Id: I80432042b06f00f0e84d0bdf2d7327233c4f2ba9
    Signed-off-by: Robert Lyon <robe...@catalyst.net.nz>
    (cherry picked from commit 3cc09ae5a9e8f9356946d2bc15164db148572692)

https://bugs.launchpad.net/bugs/1546769

Title:
  The 'None' auth needs to be locked down or removed to avoid troubles with multi institutions

Status in Mahara: Fix Committed
Status in Mahara 16.04 series: Fix Committed
Status in Mahara 16.10 series: Fix Committed
Status in Mahara 17.04 series: Fix Committed
Status in Mahara 17.10 series: Fix Committed

Bug description:
  When there are multiple institutions/tenants on a mahara and one of the tenants decides to add the 'None' auth method to their institution it causes havoc for users on all institutions as if they accidentally enter their login details wrong they get logged in to institution with 'None' set as a new user rather than their normal institution/account.

  Things that need to be changed to avoid this problem:

  1) When an institution tries to add the 'None' auth option it needs to check to see if there are any other institutions present and only allow it if institution count = 1

  2) Conversely if the only institution uses 'None' auth then you shouldn't be allowed to add a new institution until that auth is removed

  3) And when you are able to add "None" you should probably get some prominent message with "Do you really want to do this? You know, it means that anybody will be able to log in without any authorization"

  Also as part of this change it would be very good to add a ctime (and maybe userid) field to the auth_instance table to record when one adds/edits auth details to see when things changed as this human error can cause big problems for users.