This Monday November 12th is the scheduled release date for Moodle 3.5.3 (and 3.4.6, 3.3.9 and 3.1.15).
Just a reminder that the GDPR plugins are integrated to the stable releases. There are again some improvements to the privacy functionality - these will be listed as part of the release notes. So please ensure to read these as soon as they become available.
From Moodle 3.6 onwards we will no longer backport privacy features to the stable releases.
Do not lock yourself out of your own Moodle!
MDL-63183 introduces some changes to the login template. As a result the 3.5.3 release needs to be installed with care on sites where this login template is customized. If not, every user will generate a "Invalid login token" error, and nobody will be able to access the site.
Would love to read about the issue ... need to really as am facing several site updates/upgrades.
Unfortunately I get:
You can't view this issue
It may have been deleted or you don't have permission to view it.Even if I login to tracker.
'spirit of sharing', Ken
Thanks, Matteo. Will have to make note of that ... may as well enter that line commented out in config.php of sites prior to upgrade attempts.
What am most interested in is external authentication systems ... such as SAML2 and Oauth2 (in particular Google). In looking through the changes to code provided by Renaat didn't see anything that affected those, but then again, am not a programmer either.
Guess I'll see .... nice to know there is a config file 'fix'.
'spirit of sharing', Ken
I updated to Moodle 3.5.3 yesterday, my sites use CAS, with multiauth enabled (for manual accounts), and Essential or More theme
We had the explained problem on both sites, and connexion was impossible.
Adding the command in config.php fixed the problem on both sites.
But reading the documentation, i think that something in the CAS authentication should be fixed.
Adding an information in release notes and updating documentation would also be a (very) good idea, to avoid lots of problems!
Thank you Guido and Séverin for raising this. It will help to get confirmed that you are experiencing troubles with CAS authentication even when using a standard Moodle theme in 3.5.3 (and that it is not caused by a custom theme). If so, please feel encouraged to report a new regression issue, ideally with steps to reproduce it.
I'm using CAS only and I can't connect if I don't use $CFG->disablelogintoken = true; in config.php
I tried with Adaptable, Boost and Clean , theme seems to have no effect on it.
Edit : link to tracker : https://tracker.moodle.org/browse/MDL-63994
Well, the issue is that there was a change in Moodle core, which means that if the designer of a third-party theme has done something that third-party theme designers quite often do, then people are locked out of their Moodle site.
That is quite a bad bit of non-backwards-compatibility, particularly on a 'stable' branch.
Hopefully there can be a fairly quick fix.
Yes, there was a new security related feature implemented. More details are now available at https://docs.moodle.org/dev/Login_token including instructions on how to update the custom themes that render the login forms themselves. Please note that disabling the login token validation should be considered as a really temporary solution for the following days only.
It was difficult in this case to inform the community about the required changes in advance, given the responsible disclosure policy that Moodle development has adopted. Thank you for understanding.