HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th

by Sander Bangma -
Number of replies: 20

Hello All,

This Monday November 12th is the scheduled release date for Moodle 3.5.3 (and 3.4.6, 3.3.9 and 3.1.15).

Just a reminder that the GDPR plugins are integrated into the stable releases. There are again some improvements to the privacy functionality - these will be listed as part of the release notes. So please be sure to read these as soon as they become available.

From Moodle 3.6 onwards we will no longer backport privacy features to the stable releases.

Average of ratings: -
In reply to Sander Bangma

Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th

by Renaat Debleu -

Do not lock yourself out of your own Moodle!

MDL-63183 introduces some changes to the login template. As a result the 3.5.3 release needs to be installed with care on sites where this login template is customized. If not, every user will generate an "Invalid login token" error, and nobody will be able to access the site.



Average of ratings: Useful (4)
In reply to Renaat Debleu

Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th

by Ken Task -

Would love to read about the issue ... need to really as am facing several site updates/upgrades.

Unfortunately I get:

You can't view this issue

It may have been deleted or you don't have permission to view it.

Even if I login to tracker.

'spirit of sharing', Ken


In reply to Ken Task

Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th

by Renaat Debleu -

The changes can be found in https://github.com/moodle/moodle/commit/6dfe4283635c1a80c0f288934d20745abcfc5ebc

Old template overrides do not have the login token so it is impossible to log in.

Average of ratings: Useful (2)
In reply to Renaat Debleu

Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th

by Matteo Scaramuccia -

Hi Ken,
$CFG->disablelogintoken = true would be of help in your case.

HTH,
Matteo

Average of ratings: Useful (1)
In reply to Matteo Scaramuccia

Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th

by Ken Task -

Thanks, Matteo. Will have to make note of that ... may as well enter that line commented out in config.php of sites prior to upgrade attempts.

What am most interested in is external authentication systems ... such as SAML2 and OAuth2 (in particular Google). In looking through the changes to code provided by Renaat didn't see anything that affected those, but then again, am not a programmer either.

Guess I'll see .... nice to know there is a config file 'fix'. :-)

'spirit of sharing', Ken


In reply to Ken Task

Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th

by Guido Roessling -

We had the same issue - updated, did not read this message, nobody could log in.

$CFG->disablelogintoken in the config.php fixed the problem, but does not seem like a perfect solution... Our site uses CAS/SSO.

In reply to Guido Roessling

Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th

by Séverin Terrier -

Hi,

I updated to Moodle 3.5.3 yesterday, my sites use CAS, with multiauth enabled (for manual accounts), and Essential or More theme.

We had the explained problem on both sites, and connection was impossible.

Adding the command in config.php fixed the problem on both sites.

But reading the documentation, I think that something in the CAS authentication should be fixed.

Adding information in the release notes and updating documentation would also be a (very) good idea, to avoid lots of problems!

Séverin

In reply to Séverin Terrier

Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th

by David Mudrák -

Thank you Guido and Séverin for raising this. It will help to get confirmed that you are experiencing troubles with CAS authentication even when using a standard Moodle theme in 3.5.3 (and that it is not caused by a custom theme). If so, please feel encouraged to report a new regression issue, ideally with steps to reproduce it.

In reply to David Mudrák

Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th

by Mathieu Domingo -

Hello,

I'm using CAS only and I can't connect if I don't use $CFG->disablelogintoken = true; in config.php

I tried with Adaptable, Boost and Clean, theme seems to have no effect on it.


Edit: link to tracker: https://tracker.moodle.org/browse/MDL-63994

Average of ratings: Useful (1)
In reply to Mathieu Domingo

Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th

by Séverin Terrier -

Thanks Mathieu for creating MDL-63994.

I've voted for it.

In reply to Ken Task

Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th

by Dan Bennett -

Also cannot view that issue. I presume it's been marked as a security issue, thus hidden (as this change is not documented in the release notes, either...!?!)

(Though I am sure I could see these before)

In reply to Renaat Debleu

Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th

by Derek Chaplin -
Found out the hard way - went into a bit of a panic! Perhaps this should be noted on the download page in bold red font until it gets fixed.

Just my 2 cents.
In reply to Derek Chaplin

Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th

by Renaat Debleu -

"Until it gets fixed" is probably the wrong term, the situation happens only for people who override the login template in their theme. So you have to fix it yourself.

But I do agree about the warning!


In reply to Renaat Debleu

Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th

by Derek Chaplin -
I’m guessing it’s a theme issue then, not a Moodle core issue.
In reply to Derek Chaplin

Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th

by Tim Hunt -

Well, the issue is that there was a change in Moodle core, which means that if the designer of a third-party theme has done something that third-party theme designers quite often do, then people are locked out of their Moodle site.

That is quite a bad bit of non-backwards-compatibility, particularly on a 'stable' branch.

Hopefully there can be a fairly quick fix.

Average of ratings: Useful (3)
In reply to Sander Bangma

Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th

by David Mudrák -

Yes, there was a new security related feature implemented. More details are now available at https://docs.moodle.org/dev/Login_token including instructions on how to update the custom themes that render the login forms themselves. Please note that disabling the login token validation should be considered as a really temporary solution for the following days only.

It was difficult in this case to inform the community about the required changes in advance, given the responsible disclosure policy that Moodle development has adopted. Thank you for understanding.

Average of ratings: Useful (3)
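
An added example, not part of any post in this thread and not Moodle's own code: a pre-upgrade check for the lockout discussed above, which also flags when the temporary `$CFG->disablelogintoken` workaround is still active. It assumes the hidden field is named `logintoken` and treats any theme Mustache template containing a password field as a login form; the function names are hypothetical and the sample site tree is constructed.

```shell
#!/bin/sh
# Added example: pre-upgrade audit for the login-token lockout (not Moodle code).

# List theme templates that render a password field but never mention the
# login token. Heuristic; the field name "logintoken" is an assumption.
find_stale_login_templates() {
    find "$1/theme" -type f -name '*.mustache' 2>/dev/null | sort |
    while IFS= read -r tpl; do
        grep -q 'name="password"' "$tpl" || continue
        grep -q 'logintoken' "$tpl" || printf '%s\n' "$tpl"
    done
}

# Succeed only if config.php has an active $CFG->disablelogintoken = true;
# a commented-out line (kept ready for emergencies) does not count.
workaround_enabled() {
    grep -Eiq '^[[:space:]]*\$CFG->disablelogintoken[[:space:]]*=[[:space:]]*(true|1)[[:space:]]*;' "$1"
}

# Constructed fixture, not a real site: one stale login override, one updated
# override, one unrelated template, and the workaround present but commented out.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/theme/old/templates/core" "$root/theme/new/templates/core"
    printf '%s\n' '<form method="post">' \
        '<input type="password" name="password">' '</form>' \
        > "$root/theme/old/templates/core/loginform.mustache"
    printf '%s\n' '<form method="post">' \
        '<input type="hidden" name="logintoken" value="{{logintoken}}">' \
        '<input type="password" name="password">' '</form>' \
        > "$root/theme/new/templates/core/loginform.mustache"
    printf '%s\n' '<footer>{{sitename}}</footer>' \
        > "$root/theme/new/templates/core/footer.mustache"
    printf '%s\n' '<?php' '// $CFG->disablelogintoken = true;' > "$root/config.php"
    printf '%s\n' "$root"
}

fixture=$(make_fixture)
echo "Login templates missing the token:"
find_stale_login_templates "$fixture"
if workaround_enabled "$fixture/config.php"; then
    echo "WARNING: login token validation is disabled in config.php"
fi
rm -rf "$fixture"
```

Point the two functions at the real Moodle root before upgrading; themes that build the login form in PHP rather than Mustache fall outside this heuristic and need a manual look.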
In reply to David Mudrák

Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th

by Richard Oelmann -

What is the impact on common auth plugins such as SAML?

In reply to Richard Oelmann

Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th

by David Mudrák -

They are not affected, as far as I know. The only affected area was the login forms generated by Moodle that submit username and password to login/index.php script.

Average of ratings: Useful (1)