General developer forum

HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th

 
Picture of Sander Bangma
HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th
Moodle HQ, Particularly helpful Moodlers, Plugin developers

Hello All,

This Monday November 12th is the scheduled release date for Moodle 3.5.3 (and 3.4.6, 3.3.9 and 3.1.15).

Just a reminder that the GDPR plugins are integrated to the stable releases. There are again some improvements to the privacy functionality - these will be listed as part of the release notes. So please ensure to read these as soon as they become available.

From Moodle 3.6 onwards we will no longer backport privacy features to the stable releases.


 
Average of ratings: -
Renaat
Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th
Core developers, Particularly helpful Moodlers, Plugin developers

Do not lock yourself out of your own Moodle!

MDL-63183 introduces some changes to the login template. As a result the 3.5.3 release needs to be installed with care on sites where this login template is customized. If not, every user will generate an "Invalid login token" error, and nobody will be able to access the site.



 
Average of ratings: Useful (3)
Picture of Ken Task
Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th
Particularly helpful Moodlers

Would love to read about the issue ... need to really as am facing several site updates/upgrades.

Unfortunately I get:

You can't view this issue

It may have been deleted or you don't have permission to view it.

Even if I login to tracker.

'spirit of sharing', Ken


 
Average of ratings: -
Renaat
Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th
Core developers, Particularly helpful Moodlers, Plugin developers

The changes can be found in https://github.com/moodle/moodle/commit/6dfe4283635c1a80c0f288934d20745abcfc5ebc

Old template overrides do not have the login token so it is impossible to log in.

 
Average of ratings: Useful (2)
Picture of Matteo Scaramuccia
Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th
Core developers, Particularly helpful Moodlers, Plugin developers

Hi Ken,
$CFG->disablelogintoken = true would be of help in your case.

HTH,
Matteo

 
Average of ratings: Useful (1)
Picture of Ken Task
Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th
Particularly helpful Moodlers

Thanks, Matteo.  Will have to make note of that ... may as well enter that line commented out in config.php of sites prior to upgrade attempts.

What am most interested in is external authentication systems ... such as SAML2 and Oauth2 (in particular Google).  In looking through the changes to code provided by Renaat didn't see anything that affected those, but then again, am not a programmer either.

Guess I'll see .... nice to know there is a config file 'fix'. :)

'spirit of sharing', Ken


 
Average of ratings: -
Picture of Guido Roessling
Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th
Plugin developers

We had the same issue - updated, did not read this message, nobody could log in.

$CFG->disablelogintoken in the config.php fixed the problem, but does not seem like a perfect solution... Our site uses CAS/SSO.

 
Average of ratings: -
C'est moi :-)
Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th
Documentation writers, Particularly helpful Moodlers, Testers, Translators

Hi,

I updated to Moodle 3.5.3 yesterday, my sites use CAS, with multiauth enabled (for manual accounts), and the Essential or More theme.

We had the explained problem on both sites, and connection was impossible.

Adding the command in config.php fixed the problem on both sites.

But reading the documentation, I think that something in the CAS authentication should be fixed.

Adding information to the release notes and updating the documentation would also be a (very) good idea, to avoid lots of problems!

Séverin

 
Average of ratings: -
Picture of David Mudrák
Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th
Core developers, Documentation writers, Moodle HQ, Particularly helpful Moodlers, Plugin developers, Plugins guardians, Testers, Translators

Thank you Guido and Séverin for raising this. It will help to get confirmed that you are experiencing troubles with CAS authentication even when using a standard Moodle theme in 3.5.3 (and that it is not caused by a custom theme). If so, please feel encouraged to report a new regression issue, ideally with steps to reproduce it.

 
Average of ratings: -
Picture of Mathieu Domingo
Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th
 

Hello,

I'm using CAS only and I can't connect if I don't use $CFG->disablelogintoken = true; in config.php

I tried with Adaptable, Boost and Clean; the theme seems to have no effect on it.


Edit: link to tracker: https://tracker.moodle.org/browse/MDL-63994

 
Average of ratings: Useful (1)
C'est moi :-)
Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th
Documentation writers, Particularly helpful Moodlers, Testers, Translators

Thanks Mathieu for creating MDL-63994.

I've voted for it.

 
Average of ratings: -
C'est moi :-)
Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th
Documentation writers, Particularly helpful Moodlers, Testers, Translators

For people reading French, you can read this French discussion.

 
Average of ratings: Useful (1)
poseypic
Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th
Core developers, Testers

Also cannot view that issue. I presume it's been marked as a security issue, thus hidden (as this change is not documented in the release notes, either...!?!)

(Though I am sure I could see these before)

 
Average of ratings: -
Picture of Derek Chaplin
Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th
Particularly helpful Moodlers
Found out the hard way - went into a bit of a panic! Perhaps this should be noted on the download page in bold red font until it gets fixed.

Just my 2 cents.
 
Average of ratings: -
Renaat
Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th
Core developers, Particularly helpful Moodlers, Plugin developers

"Until it gets fixed" is probably the wrong term, the situation happens only for people who override the login template in their theme. So you have to fix it yourself.

But I do agree about the warning!


 
Average of ratings: -
Picture of Derek Chaplin
Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th
Particularly helpful Moodlers
I’m guessing it’s a theme issue then, not a Moodle core issue.
 
Average of ratings: -
Tim at Lone Pine Koala Sanctuary
Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th
Core developers, Documentation writers, Particularly helpful Moodlers, Plugin developers

Well, the issue is that there was a change in Moodle core, which means that if the designer of a third-party theme has done something that third-party theme designers quite often do, then people are locked out of their Moodle site.

That is quite a bad bit of non-backwards-compatibility, particularly on a 'stable' branch.

Hopefully there can be a fairly quick fix.

 
Average of ratings: Useful (3)
Picture of David Mudrák
Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th
Core developers, Documentation writers, Moodle HQ, Particularly helpful Moodlers, Plugin developers, Plugins guardians, Testers, Translators

Yes, there was a new security related feature implemented. More details are now available at https://docs.moodle.org/dev/Login_token including instructions on how to update the custom themes that render the login forms themselves. Please note that disabling the login token validation should be considered as a really temporary solution for the following days only.

It was difficult in this case to inform the community about the required changes in advance, given the responsible disclosure policy that Moodle development has adopted. Thank you for understanding.

 
Average of ratings: Useful (3)
Picture of Richard Oelmann
Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th
Core developers, Particularly helpful Moodlers, Plugin developers, Testers

What is the impact on common auth plugins such as SAML?

 
Average of ratings: -
Picture of David Mudrák
Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th
Core developers, Documentation writers, Moodle HQ, Particularly helpful Moodlers, Plugin developers, Plugins guardians, Testers, Translators

They are not affected, as far as I know. The only affected area was the login forms generated by Moodle that submit username and password to login/index.php script.

 
Average of ratings: Useful (1)
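
A pre-upgrade check for the lockout discussed in this thread, as an added example that is not part of any post here and is not Moodle's own code: it flags literal login forms in a theme that carry a password input but no login token field. The hidden field name `logintoken` and the scanned file extensions are assumptions, not stated in the thread.

```python
"""Pre-upgrade check: find theme login forms that lack the login token field.

Assumptions (not from the thread): the hidden field is named "logintoken",
and overrides live in *.mustache / *.php files under the theme directory.
"""
import re
import sys
from pathlib import Path

FORM_RE = re.compile(r"<form\b.*?</form>", re.I | re.S)
PASSWORD_RE = re.compile(r"""<input\b[^>]*\btype\s*=\s*["']?password""", re.I)
TOKEN_RE = re.compile(r"""<input\b[^>]*\bname\s*=\s*["']?logintoken\b""", re.I)


def forms_missing_token(text):
    """Return 1-based line numbers of password forms without a logintoken input."""
    missing = []
    for m in FORM_RE.finditer(text):
        form = m.group(0)
        if PASSWORD_RE.search(form) and not TOKEN_RE.search(form):
            missing.append(text.count("\n", 0, m.start()) + 1)
    return missing


def scan_theme(theme_dir):
    """Map each template/renderer file under theme_dir to its offending form lines."""
    findings = {}
    for path in sorted(Path(theme_dir).rglob("*")):
        if path.suffix in {".mustache", ".php"} and path.is_file():
            lines = forms_missing_token(path.read_text(errors="replace"))
            if lines:
                findings[str(path)] = lines
    return findings


# Constructed samples: an old-style override and an updated one.
OLD_OVERRIDE = """<div class="loginpanel">
<form action="{{loginurl}}" method="post" id="login">
  <input type="text" name="username" value="{{username}}">
  <input type="password" name="password">
</form>
</div>"""
UPDATED_OVERRIDE = OLD_OVERRIDE.replace(
    '<input type="text"',
    '<input type="hidden" name="logintoken" value="{{logintoken}}">\n  <input type="text"')

if __name__ == "__main__":
    for name, lines in scan_theme(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{name}: login form at line(s) {lines} has no logintoken field")
```

Only literal markup is matched; a login form assembled programmatically in a renderer will not be reported and needs a manual look.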
Picture of Derek Chaplin
Re: HEADS UP: Moodle 3.5.3 release (and other minor versions) - November 12th
Particularly helpful Moodlers

Note that this issue also affects the latest release of Moodle 3.6dev+ (Build: 20181113). The fix is the same.

 
Average of ratings: -