** Changed in: mahara/17.10
       Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1692749

Title:
  User passwords being saved in database event_log as plain text

Status in Mahara:
  Fix Released
Status in Mahara 15.04 series:
  Fix Released
Status in Mahara 16.04 series:
  Fix Released
Status in Mahara 16.10 series:
  Fix Released
Status in Mahara 17.04 series:
  Fix Released
Status in Mahara 17.10 series:
  Fix Released

Bug description:
  If you turn on full logging for your site via:

  Admin -> Configure site -> Logging settings -> Log events

  Then whenever a user is created via:

  Admin -> Users -> Add user
  Admin -> Users -> Add users by CSV

  Or in fact any place where we create a user with the create_user()
  function, we end up calling

  handle_event('createuser', $user);

  And if the $user object has password set, then that is saved to the
  event_log table.

  We need to:

  1) stop that from happening - in fact save to event_log only the bits
  of objects that make sense rather than everything, e.g. I notice that
  there are a lot of "dirty":true and things whose value is null (we can
  assume if a key doesn't exist then it would be null rather than
  explicitly record that)

  2) clean up existing data and at the very least remove the saved
  passwords
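
An added example, not part of the bug report and not Mahara's actual fix: one way to apply both remediation points in PHP, filtering event data through a per-event allowlist before it is logged and re-filtering values that were already stored. It assumes the logged data is a JSON object (as the "dirty":true fragment suggests); the function names, constants and field lists are hypothetical.

```php
<?php
// Added example, not Mahara's code. The allowlist, the field names and both
// function names are hypothetical.

// Per-event allowlist: only these keys are ever written to the log (assumed fields).
const EVENT_LOG_FIELDS = [
    'createuser' => ['id', 'username', 'email'],
];
// Keys dropped from every event, including events that have no allowlist.
const NEVER_LOG = ['password', 'dirty'];

/** Reduce event data to the fields that are safe and useful to log. */
function sanitize_event_data(string $event, $data): array {
    $fields = is_object($data) ? get_object_vars($data) : (array) $data;
    if (array_key_exists($event, EVENT_LOG_FIELDS)) {
        $fields = array_intersect_key($fields, array_flip(EVENT_LOG_FIELDS[$event]));
    }
    $fields = array_diff_key($fields, array_flip(NEVER_LOG));
    // A missing key already implies null, so nulls are not recorded.
    return array_filter($fields, function ($v) { return $v !== null; });
}

/** Clean one stored JSON log value; returns null when the row needs no update. */
function scrub_logged_event(string $event, string $json): ?string {
    $decoded = json_decode($json, true);
    if (!is_array($decoded)) {
        return null; // not a JSON object: leave the row untouched
    }
    $clean = json_encode(sanitize_event_data($event, $decoded));
    return $clean === json_encode($decoded) ? null : $clean;
}

// Constructed sample: the object passed to handle_event('createuser', $user).
$user = (object) [
    'id' => 42, 'username' => 'jdoe', 'email' => 'jdoe@example.org',
    'password' => 'Tr0ub4dor&3', 'dirty' => true, 'lastlogin' => null,
];
echo json_encode(sanitize_event_data('createuser', $user)), "\n";

// Constructed sample: a value as it might already sit in event_log.
$old = '{"id":7,"username":"asmith","password":"hunter2","dirty":true,"quota":null}';
echo scrub_logged_event('createuser', $old), "\n";
```

Because a plaintext password that reached the table may also exist in database backups and replicas, scrubbing the live rows does not by itself remove every copy.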