MDL-56159 webservice: Improve not fully setup and missing pwd checks

Removing the check in login/token.php is secure since the auth_forcepasswordchange is checked in require_login that is called via validate_context. The user must be able to get a token even if that setting is on. With that token we’ll redirect the user to the site or we’ll change the password when a new WS for that is available.
2025-01-19 06:18:28 +01:00 · 2016-09-28 11:06:20 +01:00 · 2016-09-28 11:06:20 +01:00 · 80e0f0b85b
commit 80e0f0b85b
parent b7676ef92c
3 changed files with 5 additions and 11 deletions
--- a/lang/en/error.php
+++ b/lang/en/error.php
@ -562,6 +562,7 @@ $string['usernotdeletedadmin'] = 'User not deleted - can not delete administrato
 $string['usernotdeletederror'] = 'User not deleted - error';
 $string['usernotdeletedmissing'] = 'User not deleted - could not find the username';
 $string['usernotdeletedoff'] = 'User not deleted - deleting not allowed';
+$string['usernotfullysetup'] = 'User not fully set-up';
 $string['usernotincourse'] = 'This user is not in this course!';
 $string['usernotrenamedadmin'] = 'Cannot rename admin accounts';
 $string['usernotrenamedexists'] = 'User not renamed - the new username is already in use';
--- a/lib/moodlelib.php
+++ b/lib/moodlelib.php
@ -2639,8 +2639,10 @@ function require_login($courseorid = null, $autologinguest = true, $cm = null, $
                    redirect($wwwroot .'/login/change_password.php');
                }
            }
+        } else if ($userauth->can_change_password()) {
+            throw new moodle_exception('forcepasswordchangenotice');
        } else {
-            print_error('nopasswordchangeforced', 'auth');
+            throw new moodle_exception('nopasswordchangeforced', 'auth');
        }
    }

@ -2656,7 +2658,7 @@ function require_login($courseorid = null, $autologinguest = true, $cm = null, $

    if ($usernotfullysetup) {
        if ($preventredirect) {
-            throw new require_login_exception('User not fully set-up');
+            throw new moodle_exception('usernotfullysetup');
        }
        if ($setwantsurltome) {
            $SESSION->wantsurl = qualified_me();
--- a/login/token.php
+++ b/login/token.php
@ -71,15 +71,6 @@ if (!empty($user)) {
        }
    }

-    // Check whether the user should be changing password.
-    if (get_user_preferences('auth_forcepasswordchange', false, $user)) {
-        if ($userauth->can_change_password()) {
-            throw new moodle_exception('forcepasswordchangenotice');
-        } else {
-            throw new moodle_exception('nopasswordchangeforced', 'auth');
-        }
-    }
-
    // let enrol plugins deal with new enrolments if necessary
    enrol_check_plugins($user);