Security and privacy

 
 
Picture of Dimitris Chatzipanagiotidis
Re: Disable password Unmask option
 

Yes, it is true that no passwords are stored using the ldap authentication.

However I use the smtp server of MS Exchange, so administrator credentials for that system need to be stored in moodle.

If someone goes to that settings and unmask the password, will be able to see administrative credentials of the other system.

Is it possible to remove that Unmask option, somehow?

Thank you

 
Average of ratings: -
Tim at Lone Pine Koala Sanctuary
Re: Disable password Unmask option
Group DevelopersGroup Documentation writersGroup Particularly helpful Moodlers

Well, for someone with Moodle adminsitrator access, it is quite hard to stop the accessing things. (For example if you had https://moodle.org/plugins/view.php?plugin=report_customsql installed, admins could read the data directly from the database.)

However, there are some things you could do:

  1. In your theme, add a style rule div.unmask {display: none;} That will hide the option, but it is not very secure.
  2. Tweak the Moode code, to change calls like $mform->addElement('passwordunmask', ...) to $mform->addElement('text', ...), and admin_setting_configpasswordunmask -> admin_setting_configtext.

Also, you could set up your SMTP server so that the username and password that Moodle uses only has the minimum number of permissions necessary. Moodle does not need the SMTP server administrator password. It only needs to be able to send emails through the SMTP server.

 
Average of ratings:Useful (1)
Picture of Dimitris Chatzipanagiotidis
Re: Disable password Unmask option
 

Thank you for your reply.

I will try your suggestions or check for another workaround.

 
Average of ratings: -