There is at least one LDAP server (Sun Directory Server) that doesn't
support Paged Results extension, even if it supports LDAP version 3. So
checking just for LDAP version is not enough.
If possible, we check the supportedControl attribute of the LDAP rootDSE
and see if the paged results control is available. This needs an LDAP
connection, which might not be possible to establish before we configure
some essential LDAP settings (server, bind user, password, etc.). Thus
we try to establish the connection and check the supportedControl
attribute. But if we fail, we perform only basic checks that are less
accurate and err on the side of cautiousness.
A bug introduced with MDL-45893 meant that the failure count was being
reset, causing the footer code to be skipped. This patch fixes that
bug and adds behat tests covering the displayloginfailures feature.
This patch modifies can_change_password() and adds change_password_url() to allow Shibboleth users to change their password
in case there is an (external) password change URL defined in Moodle. If no such URL is defined, the behaviour is the same
as without the proposed change.
Thanks FH-HWZ.ch for the contribution.
No longer set the return url to $SESSION->wantsurl, it doens't make
sense in this context, as the user is probably on the page they want.
Also add a note about this functionality to auth/ugrade.txt
If there is a required custom field that the user can fill by editing
their profile, and that field is missing, the user should be considered
as not fully set up. Instead, we want to redirect them to edit their
profile first.
There are some exceptions when we want to fall back to the previous
behaviour and check just the name and email fields. These exceptional
cases include checking remote user data in incoming MNet request (no
user id, no custom fields supported) and calls to require_login() with
redirecting disabled (typically ajax filepicker requests on profile
editing page itself).
Additional plugins that call the function user_not_fully_set_up()
themselves, should perform the strict check in most/typical cases. So
the strict mode is enabled by default even if it changes the behaviour
slightly. In improbable case of additional plugins relying on the
previous behaviour of the function, they can use the $strict parameter
and keep performing the lax check. However, I am sure the correct fix in
that case will likely be to stop abusing this function.
Note that custom fields are not currently transferred during the MNet
roaming. So having custom fields configured as required on MNet service
provider site (where users can't edit their profiles) is expected to
display an error (as the site is considered as misconfigured).
dirname() is a slow function compared with __DIR__ and using
'/../'. Moodle has a large number of legacy files that are included
each time a page loads and is not able to use an autoloader as it is
functional code. This allows those required includes to perform as
best as possible in this situation.
Add a hook for auth plugins to be able to modify or check a user, before
raising any authentication errors.
The auth plugin needs to add a public function like this:
/**
* Pre user_login hook.
* This method is called from authenticate_user_login() right after the user
* object is generated. This gives the auth plugins an option to make adjustments
* before the verification process starts.
*
* @param object $user user object, later used for $USER
*/
public function pre_user_login_hook(&$user) {
// Override if needed.
}
