Browse files

MDL-20933 fixed a regression, we should not force changing of passwor…

…d for admins that can not actually change the password
  • Loading branch information...
1 parent 306e851 commit 89d1fd91909cf14d1e8ae01d6e97da623f0e804c @skodak skodak committed Nov 22, 2009
Showing with 40 additions and 2 deletions.
  1. +40 −2 lib/db/upgrade.php
View
42 lib/db/upgrade.php
@@ -781,6 +781,10 @@ function xmldb_main_upgrade($oldversion=0) {
}
if ($result && $oldversion < 2007021599.11) {
+
+ //NOTE: this is a wrong location for forcing of admin password change,
+ // it should have been done from each auth plugin separately
+
$messagesubject = get_string('upgrade1811noticesubject', 'admin');
$message = addslashes(get_string('upgrade1811notice', 'admin'));
if (empty($CFG->passwordmainsalt)) {
@@ -789,10 +793,10 @@ function xmldb_main_upgrade($oldversion=0) {
}
notify($message, 'notifysuccess');
-
+
$systemcontext = get_context_instance(CONTEXT_SYSTEM);
// Force administrators to change password on next login
- $sql = "SELECT DISTINCT u.id, u.firstname, u.lastname, u.picture, u.imagealt, u.email, u.password
+ $sql = "SELECT DISTINCT u.id, u.firstname, u.lastname, u.picture, u.imagealt, u.email, u.password, u.auth
FROM {$CFG->prefix}role_capabilities rc
JOIN {$CFG->prefix}role_assignments ra ON (ra.contextid = rc.contextid AND ra.roleid = rc.roleid)
JOIN {$CFG->prefix}user u ON u.id = ra.userid
@@ -807,6 +811,15 @@ function xmldb_main_upgrade($oldversion=0) {
// no need to change password if stored only outside of moodle - most probably ldap auth
continue;
}
+ if (!$auth = get_auth_plugin($adminuser->auth)) { // very ugly hack, we are not supposed to use any plugins from main upgrade!!
+ continue;
+ }
+ // let's hope no auth plugin is going to end with fatal error here
+ if (!@$auth->can_change_password()) { // very ugly hack, we are not supposed to use any plugins from main upgrade!!
+ // do not force admin to change password if there is no way to actually change it
+ continue;
+ }
+
if ($preference = get_record('user_preferences', 'userid', $adminuser->id, 'name', 'auth_forcepasswordchange')) {
if ($preference->value == '1') {
continue;
@@ -830,6 +843,31 @@ function xmldb_main_upgrade($oldversion=0) {
unset($messagesubject);
}
+ if ($result && $oldversion < 2007021599.14) {
+ // this block tries to undo incorrect forcing of new passwords for admins that have no
+ // way to change passwords MDL-20933
+ $sql = "SELECT DISTINCT u.id, u.firstname, u.lastname, u.picture, u.imagealt, u.email, u.password, u.auth
+ FROM {$CFG->prefix}role_capabilities rc
+ JOIN {$CFG->prefix}role_assignments ra ON (ra.contextid = rc.contextid AND ra.roleid = rc.roleid)
+ JOIN {$CFG->prefix}user u ON u.id = ra.userid
+ WHERE rc.capability = 'moodle/site:doanything'
+ AND rc.permission = ".CAP_ALLOW."
+ AND u.deleted = 0
+ AND rc.contextid = ".SYSCONTEXTID."";
+
+ $adminusers = get_records_sql($sql);
+ foreach ($adminusers as $adminuser) {
+ if ($adminuser->password === 'not cached') {
+ // no need to change password if stored only outside of moodle - most probably ldap auth
+ continue;
+ }
+ if ($auth = get_auth_plugin($adminuser->auth) and @$auth->can_change_password()) { // very ugly hack, we are not supposed to use any plugins from main upgrade!!
+ continue;
+ }
+ delete_records('user_preferences', 'userid', $adminuser->id, 'name', 'auth_forcepasswordchange');
+ }
+ }
+
return $result;
}

0 comments on commit 89d1fd9

Please sign in to comment.