Reviewed: https://reviews.mahara.org/8170 Committed: https://git.mahara.org/mahara/mahara/commit/2d601f6610e412868d2bcfe948ee5f9c69e11864 Submitter: Robert Lyon (robe...@catalyst.net.nz) Branch: 17.10_STABLE
commit 2d601f6610e412868d2bcfe948ee5f9c69e11864 Author: Robert Lyon <robe...@catalyst.net.nz> Date: Tue Oct 24 07:56:15 2017 +1300 Bug 1546769: Adjusting string for the auth selection for 'none' behatnotneeded Change-Id: Ibea0816e9823c0a790564a39fd5b12455aa28339 Signed-off-by: Robert Lyon <robe...@catalyst.net.nz> (cherry picked from commit 836e37d98c5ee1b89594279fcc10056b411b1acb) -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1546769 Title: The 'None' auth needs to be locked down or removed to avoid troubles with multi institutions Status in Mahara: Fix Committed Status in Mahara 16.04 series: Fix Committed Status in Mahara 16.10 series: Fix Committed Status in Mahara 17.04 series: Fix Committed Status in Mahara 17.10 series: Fix Committed Bug description: When there are multiple institutions/tenants on a mahara and one of the tenants decides to add the 'None' auth method to their institution it causes havoc for users on all institutions as if they accidentally enter their login details wrong they get logged in to institution with 'None' set as a new user rather than their normal institution/account. Things that need to be changed to avoid this problem: 1) When an institution tries to add the 'None' auth option it needs to check to see if there are any other institutions present and only allow it if institution count = 1 2) Conversely if the only institution uses 'None' auth then you shouldn't be allowed to add a new institution until that auth is removed 3) And when you are able to add "None" you should probably get some prominent message with "Do you really want to do this? You know, it means that anybody will be able to log in without any authorization" Also as part of this change it would be very good to add a ctime (and maybe userid) field to the auth_instance table to record when one adds/edits auth details to see when things changed as this human error can cause big problems for users. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1546769/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp