mahara-contributors team mailing list archive

Thread
Date

[Bug 1546769] A change has been merged

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Mahara Bot <1546769@xxxxxxxxxxxxxxxxxx>
Date: Mon, 23 Oct 2017 21:56:06 -0000
Reply-to: Bug 1546769 <1546769@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://reviews.mahara.org/8171
Committed: https://git.mahara.org/mahara/mahara/commit/54f05eae282ee481adb8745dd45d4b89fb2b6b2e
Submitter: Robert Lyon (robertl@xxxxxxxxxxxxxxx)
Branch:    17.04_STABLE

commit 54f05eae282ee481adb8745dd45d4b89fb2b6b2e
Author: Robert Lyon <robertl@xxxxxxxxxxxxxxx>
Date:   Tue Oct 24 07:56:15 2017 +1300

Bug 1546769: Adjusting string for the auth selection for 'none'

behatnotneeded

Change-Id: Ibea0816e9823c0a790564a39fd5b12455aa28339
Signed-off-by: Robert Lyon <robertl@xxxxxxxxxxxxxxx>
(cherry picked from commit 836e37d98c5ee1b89594279fcc10056b411b1acb)
(cherry picked from commit 2d601f6610e412868d2bcfe948ee5f9c69e11864)

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1546769

Title:
  The 'None' auth needs to be locked down or removed to avoid troubles
  with multi institutions

Status in Mahara:
  Fix Committed
Status in Mahara 16.04 series:
  Fix Committed
Status in Mahara 16.10 series:
  Fix Committed
Status in Mahara 17.04 series:
  Fix Committed
Status in Mahara 17.10 series:
  Fix Committed

Bug description:
  When there are multiple institutions/tenants on a mahara and one of
  the tenants decides to add the 'None' auth method to their institution
  it causes havoc for users on all institutions as if they accidentally
  enter their login details wrong they get logged in to institution with
  'None' set as a new user rather than their normal institution/account.

  Things that need to be changed to avoid this problem:

  1) When an institution tries to add the 'None' auth option it needs to
  check to see if there are any other institutions present and only
  allow it if institution count = 1

  2) Conversely if the only institution uses 'None' auth then you
  shouldn't be allowed to add a new institution until that auth is
  removed

  3) And when you are able to add "None" you should probably get some
  prominent message with "Do you really want to do this? You know, it
  means that anybody will be able to log in without any authorization"

  Also as part of this change it would be very good to add a ctime (and
  maybe userid) field to the auth_instance table to record when one
  adds/edits auth details to see when things changed as this human error
  can cause big problems for users.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1546769/+subscriptions

References

[Bug 1546769] [NEW] The 'None' auth needs to be locked down more to avoid troubles with multi institutions
From: Robert Lyon, 2016-02-17