Refactoring and improvements of the accesslib.php library including prevention of access for not-logged-in users when forcelogin enabled, improved context caching, OOP refactoring of contexts, fixed context loading, deduplication of role definitions in user sessions, installation improvements, decoupling of enrolment checking from capability loading, added detection of deleted and non-existent users in has_capability(), new function accesslib test, auth and enrol upgrade notes.
More details are available in tracker subtasks.
It looks like array_change_key_case() does not work recursively, so we
were not actually lowercasing the expiration attribute key. As the
configuration setting is always lowercase they didn't match.
The 'confirmed' field can't be optional. If the identity provider did
not export it, the new remote user would be created with 'confirmed' set
to default zero and as such could be a subject of scheduled deletion.
From 2.0 on we lowercase all the settings related to LDAP attributes
to cope with differences in LDAP servers when returning attribute
names as array indices (some lowercase them, some leave them as
specified in the query, some normalize them, etc.).
But we only lowercase them when saving the settings page. So on sites
that have been migrated from 1.x, it may happen that we still have
mixed-case attribute names. And this is fatal for the user_attribute
setting, as we might not detect it in the returned array from LDAP and
it will be empty (and the db layer throws an exception).
So we just make sure the attribute name is lowercased (and trimmed,
in case it's got some white space around it).
Signed-off-by: Iñaki Arenaza <iarenaza@mondragon.edu>
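Added example (not Moodle's auth_ldap code) covering both of the normalisation problems described above: a recursive key lowercasing helper, since array_change_key_case() only touches the top level, and a lowercased-and-trimmed lookup of the configured attribute name so a mixed-case setting migrated from 1.x still finds the attribute. The ldap_get_entries()-shaped sample entry and the setting value are constructed; the function names are assumptions.

```php
<?php
// Lowercase array keys at every nesting level. PHP's array_change_key_case()
// only rewrites the top-level keys, which is why the nested attribute key in
// the LDAP result was never lowercased.
function lowercase_keys_recursive(array $data): array {
    $out = [];
    foreach ($data as $key => $value) {
        $newkey = is_string($key) ? strtolower($key) : $key;
        $out[$newkey] = is_array($value) ? lowercase_keys_recursive($value) : $value;
    }
    return $out;
}

// Normalise a configured attribute name the same way the settings page does
// (lowercase and trimmed), so values stored before 2.0 still match.
function normalise_attribute_name(string $name): string {
    return strtolower(trim($name));
}

// Fetch the first value of one attribute from an LDAP entry. Returns null when
// the attribute is absent instead of an empty string, so the caller can stop
// before handing an empty user name to the DB layer.
function ldap_attribute(array $entry, string $configuredname): ?string {
    $entry = lowercase_keys_recursive($entry);
    $key = normalise_attribute_name($configuredname);
    if (!isset($entry[$key]) || !is_array($entry[$key]) || !isset($entry[$key][0])) {
        return null;
    }
    return (string) $entry[$key][0];
}

// Constructed sample in the shape ldap_get_entries() returns for one entry:
// this server hands back attribute names in the case they were queried in.
$entry = [
    'count'          => 3,
    'sAMAccountName' => ['count' => 1, 0 => 'jdoe'],
    'mail'           => ['count' => 1, 0 => 'jdoe@example.org'],
    'accountExpires' => ['count' => 1, 0 => '0'],
];

// Constructed setting value as a 1.x-migrated site might still hold it:
// mixed case with surrounding whitespace.
$useridattribute   = ' sAMAccountName ';
$expireattribute   = 'accountexpires';

$username = ldap_attribute($entry, $useridattribute);
if ($username === null) {
    // Refuse to go on rather than let the DB layer fail on an empty user name.
    throw new RuntimeException('user_attribute not present in LDAP entry');
}
echo "username: $username\n";
echo "expiration: " . ldap_attribute($entry, $expireattribute) . "\n";
echo "displayname: " . var_export(ldap_attribute($entry, 'displayName'), true) . "\n";
```

Normalising both the entry keys and the configured name means the comparison no longer depends on which convention the directory server happens to use, and the null return makes a missing attribute a visible failure at the auth layer rather than a database exception later.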
This patch fixes incorrect password creation, updating and resetting and the updating of user fields; unsupported auth plugins are correctly identified, modification of mnethostid is prevented, a problem with email duplicates is fixed, a new password is generated for users without email, etc. It also includes coding style improvements, more inline docs, future TODOs and license information.
The CAS protocol security model requires that you verify the cas server
certificate before you trust the answer (valid authentication and username
etc.).
Credit goes to Joachim Fritschi for reporting it and providing a patch.
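Added example, not Moodle's or phpCAS's own code, of what "verify the CAS server certificate before you trust the answer" looks like with PHP's curl extension: peer and host-name verification on, a pinned CA bundle, HTTPS only, and the user name taken only from an authenticationSuccess element of a serviceValidate response that arrived over that verified connection. The base URL, CA file path and the two sample responses parsed at the end are constructed; the function names are assumptions.

```php
<?php
// Build a curl handle that refuses to talk to a CAS server whose certificate
// does not validate. The insecure variant this guards against is
// CURLOPT_SSL_VERIFYPEER => false (or VERIFYHOST => 0): any host able to
// intercept the connection could then answer "authenticationSuccess" for
// whatever user name it likes.
function cas_curl_handle(string $url, string $cafile) {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate must match the host name
        CURLOPT_CAINFO         => $cafile,         // CA bundle that signed the CAS server cert
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never fall back to plain HTTP
        CURLOPT_TIMEOUT        => 10,
    ]);
    return $ch;
}

// Validate a service ticket. Returns the CAS user name, or throws when either
// the TLS handshake or the protocol answer did not check out.
function cas_validate_ticket(string $casbaseurl, string $cafile, string $service, string $ticket): string {
    $url = rtrim($casbaseurl, '/') . '/serviceValidate?' . http_build_query([
        'service' => $service,
        'ticket'  => $ticket,
    ]);
    $ch = cas_curl_handle($url, $cafile);
    $body = curl_exec($ch);
    if ($body === false) {
        // Certificate problems surface here as curl errors (peer verification failed, etc.).
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("CAS validation request failed: $err");
    }
    curl_close($ch);
    return cas_parse_service_response($body);
}

// Parse a CAS 2.0 serviceValidate response. Only an authenticationSuccess
// element with a non-empty user yields a user name; anything else throws.
function cas_parse_service_response(string $xml): string {
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET: never fetch external resources referenced by the document.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        throw new RuntimeException('CAS response is not well-formed XML');
    }
    $cas = $doc->children('http://www.yale.edu/tp/cas');
    if (isset($cas->authenticationSuccess->user)) {
        $user = trim((string) $cas->authenticationSuccess->user);
        if ($user !== '') {
            return $user;
        }
    }
    $code = isset($cas->authenticationFailure)
        ? (string) $cas->authenticationFailure['code']
        : 'UNKNOWN';
    throw new RuntimeException("CAS authentication failed: $code");
}

// Constructed sample responses in the CAS 2.0 format, parsed offline.
$ok = "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    . "<cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>"
    . "</cas:serviceResponse>";
$bad = "<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
    . "<cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-1 not recognized"
    . "</cas:authenticationFailure></cas:serviceResponse>";

echo "user: " . cas_parse_service_response($ok) . "\n";
try {
    cas_parse_service_response($bad);
} catch (RuntimeException $e) {
    echo $e->getMessage() . "\n";
}
```

The point of keeping the parser separate from the transport is that the parser alone proves nothing: a well-formed authenticationSuccess is only worth acting on when cas_curl_handle() has already established that it came from the real CAS server.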
Internal means "uses password hash for user authentication"; there is a new is_synchronised_with_external() method that indicates if Moodle should automatically sync user info with the external system after login. I have also improved the default for prevent_local_passwords(), which now defaults to !is_internal().
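Added example, not Moodle's auth_plugin_base, sketching how the three methods described above interact at login time: an internal plugin verifies the locally stored hash, an external one asks its backend and, through the !is_internal() default of prevent_local_passwords(), never leaves a usable hash in the local database, while is_synchronised_with_external() tells the caller whether to refresh the profile. Everything except those three method names is an assumption, including the login() driver and the in-memory directory standing in for an external system.

```php
<?php
abstract class example_auth_plugin {
    // True when this plugin authenticates against the locally stored password hash.
    abstract public function is_internal(): bool;

    // Check the credentials; internal plugins use the stored hash, external
    // ones consult their backend and ignore the local hash entirely.
    abstract public function user_login(string $username, string $password, ?string $storedhash): bool;

    // Default: no profile sync unless the plugin opts in.
    public function is_synchronised_with_external(): bool {
        return false;
    }

    // Default derived from is_internal(): external plugins must not keep a
    // local password hash that could be used to log in if the backend is bypassed.
    public function prevent_local_passwords(): bool {
        return !$this->is_internal();
    }

    // Hash to write to the local user record after a successful login, or null
    // when the plugin forbids caching local passwords.
    public function hash_to_store(string $password): ?string {
        if ($this->prevent_local_passwords()) {
            return null;
        }
        return password_hash($password, PASSWORD_DEFAULT);
    }
}

class example_manual_auth extends example_auth_plugin {
    public function is_internal(): bool {
        return true;
    }
    public function user_login(string $username, string $password, ?string $storedhash): bool {
        return $storedhash !== null && password_verify($password, $storedhash);
    }
}

class example_directory_auth extends example_auth_plugin {
    // Constructed stand-in for an external directory, keyed by user name.
    private array $directory = ['jdoe' => 'external-secret'];

    public function is_internal(): bool {
        return false;
    }
    public function is_synchronised_with_external(): bool {
        return true;
    }
    public function user_login(string $username, string $password, ?string $storedhash): bool {
        // $storedhash is deliberately ignored: only the external system decides.
        return isset($this->directory[$username])
            && hash_equals($this->directory[$username], $password);
    }
}

// Drive one login and report what the caller should do afterwards.
function login(example_auth_plugin $auth, string $username, string $password, ?string $storedhash): array {
    if (!$auth->user_login($username, $password, $storedhash)) {
        return ['ok' => false];
    }
    return [
        'ok'           => true,
        'sync_profile' => $auth->is_synchronised_with_external(),
        'store_hash'   => $auth->hash_to_store($password),
    ];
}

$manualhash = password_hash('local-secret', PASSWORD_DEFAULT);
print_r(login(new example_manual_auth(), 'jdoe', 'local-secret', $manualhash));
// A stale local hash must not let an external user in once the backend says no.
print_r(login(new example_directory_auth(), 'jdoe', 'local-secret', $manualhash));
print_r(login(new example_directory_auth(), 'jdoe', 'external-secret', $manualhash));
```

The second call is the case the default protects against: the user has a valid-looking local hash left over from before, but the directory plugin does not consult it, and because prevent_local_passwords() is true for a non-internal plugin, the third call stores no new hash either.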