Disabling Guest User

by Robert Allerstorfer -
Number of replies: 9
Since I have disabled the 'guestloginbutton' I don't see a reason why the Guest User account still has to exist. Even if I delete that account, Moodle every time re-creates it, enabling everybody to login with the username and password "guest". Maybe I'm a bit paranoid but I see a potential security hole here. The only way I was able to get rid of the Guest User account was to comment out the section "/// Check if the guest user exists. If not, create one." hardcoded in both 'admin/index.php' and 'login/index.php'. So, my suggestion is, why not allow making the Guest User account optional, too?
In reply to Robert Allerstorfer

Re: Disabling Guest User

by Just H -
Hi Robert

What version of Moodle are you using?

Out of curiosity, just tried logging in with username and password as "guest" on a 1.5.3+, 1.5.4 and 1.6 Beta 5 install and none of them allowed me in.

Regards
Harry

In reply to Just H

Re: Disabling Guest User

by Robert Allerstorfer -
Hi Harry,

I am using the latest official Moodle version [1.5.4 + (2005060240)]. Look into 'admin/index.php' and 'login/index.php' - you will find the following code:

/// Check if the guest user exists.  If not, create one.
    if (! record_exists("user", "username", "guest")) {
        $guest->auth        = "manual";
        $guest->username    = "guest";
        $guest->password    = md5("guest");
        $guest->firstname   = addslashes(get_string("guestuser"));
        $guest->lastname    = " ";
        $guest->email       = "root@localhost";
        $guest->description = addslashes(get_string("guestuserinfo"));
        $guest->confirmed   = 1;
        $guest->lang        = $CFG->lang;
        $guest->timemodified= time();

        if (! $guest->id = insert_record("user", $guest)) {
            notify("Could not create guest user record !!!");
        }
    }


I would also suggest manually checking the mdl_user table of Moodle's DB:
mysql> SELECT firstname, lastname, username, password FROM mdl_user ORDER BY firstname;
In my original Moodle installation the result of the above query included the following:
+------------+--------------+---------------------------+----------------------------------+
| firstname  | lastname     | username                  | password                         |
+------------+--------------+---------------------------+----------------------------------+
|            |              | changeme                  |                                  |
| Guest User |              | guest                     | 084e0343a0486ff05530df6c705c8bb4 |
| Guest User |              | root@localhost.1148758697 | 084e0343a0486ff05530df6c705c8bb4 |
I deleted those 3 "suspect" accounts, but one Guest User account has been automatically re-created unless I have commented out the code mentioned above in both mentioned files.

So far, Moodle runs smoothly without those accounts.

best,
rob.
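
An added example, not part of the original post or of Moodle's code: the manual mdl_user check described above, automated to flag accounts whose stored hash is the unsalted MD5 of the username or of a known default such as "guest". The table is an in-memory SQLite stand-in with constructed rows modelled on the quoted query output; `audit_users` and the `known_defaults` list are assumptions for illustration.

```python
import hashlib
import sqlite3

# Constructed sample rows modelled on the query output quoted in the post above;
# the "teacher1" row is invented for contrast.
GUEST_MD5 = "084e0343a0486ff05530df6c705c8bb4"  # hash shown in the post
SAMPLE_USERS = [
    ("", "", "changeme", ""),
    ("Guest User", "", "guest", GUEST_MD5),
    ("Guest User", "", "root@localhost.1148758697", GUEST_MD5),
    ("Tina", "Teacher", "teacher1",
     hashlib.md5(b"constructed-long-passphrase").hexdigest()),
]

def build_sample_db():
    """In-memory stand-in for the mdl_user table (only the queried columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mdl_user "
                 "(firstname TEXT, lastname TEXT, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO mdl_user VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn

def md5_hex(text):
    """Unsalted MD5, matching the md5("guest") call in the quoted code."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def audit_users(conn, known_defaults=("guest", "changeme")):
    """Return (username, finding) pairs for accounts that need review."""
    findings = []
    rows = conn.execute("SELECT username, password FROM mdl_user ORDER BY username")
    for username, stored in rows:
        if not stored:
            findings.append((username, "empty password field"))
            continue
        # Try the account's own username first, then the known defaults.
        for guess in (username, *known_defaults):
            if stored == md5_hex(guess):
                findings.append((username, "password is md5(%r)" % guess))
                break
    return findings

if __name__ == "__main__":
    for username, finding in audit_users(build_sample_db()):
        print(f"{username:30} {finding}")
```
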




In reply to Robert Allerstorfer

Re: Disabling Guest User

by Just H -
Hi Rob

It was the:

Even if I delete that account, Moodle every time re-creates it, enabling everybody to login with the username and password "guest".

part of your original post that got me curious enough to try logging in using "guest" as username and password on my three installs mentioned.

On my installs you cannot log in that way as, as mentioned by Samuli Karevaara below, I have disabled the guest login button. As far as I was aware, if you disable it you shouldn't be able to access your site using "guest" either.

As for the "guest" account itself, have never thought of deleting it as there is no need to.

Regards
H
In reply to Robert Allerstorfer

Re: Disabling Guest User

by Petar Atanasov -
Generally Guest account is used to map user specific accounts to low-priority, low-security database account with strong restrictions over database operations, so you wouldn't have to create a particular one for the same role when tomorrow (or the day after tomorrow) you'll be facing the requirement to allow guest users to your site (and db). If you're paranoid about viewing your site at all, obviously you'll have to choose another strategy when handling users.
So deleting completely the guest account is not a good solution and in this stream of thought optional Guest account could lead to lack of functionalities (or at least this is my modest opinion). The Guest account must be built in, while fixing the UI must be optional.

Regards
Petar

In reply to Petar Atanasov

Re: Disabling Guest User

by Robert Allerstorfer -
Hello Petar,

could you please explain why deleting the Guest User could lead to lack of functionalities in Moodle? What exactly will probably not work anymore? And why have there been even two "guest accounts" created by moodle itself?

Thanks,
rob.
In reply to Robert Allerstorfer

Re: Disabling Guest User

by Petar Atanasov -
Yes,
Of course - with pleasure (read once more my previous post, carefully) -
I have even tried to lead you to some of the possible uses of the Guest account (again in my previous post), but if you found it insufficient, there is no other thing that I can do except recommending you some books of general db, administration and etc.

Moodle developers have decided to give you functionality which you don't want to use - it's ok - but if someone other than you wants and appreciates the ground work - how is he/she supposed to use it if it's removed according to your proposition?

Bug free software doesn't exist, and if you expect something,
maybe a nice approach would be to minimize your expectations.

2 guest accounts, could be result of testing, future plan of migration of the  existing to the new one, or something else - which I do not pretend to know or predict.
2 guest accounts could be a bug, while NONE guest accounts is lack of functionality.

Why - you'll have to see it for yourself.

And definitely - will have to create one Guest Account soon ;-)

Regards
Petar


In reply to Petar Atanasov

Re: Disabling Guest User

by Robert Allerstorfer -
Your explanation why Moodle needs the Guest User, in order for having full functionality, was

...to map user specific accounts to low-priority, low-security database account...

Since that sounds very general to me, I asked for at least one concrete example what exactly would not work without that account which would otherwise.

I think you can imagine of which degree of use your recent answer, recommending me to read books of general db and administration, is.

regards,
rob.
In reply to Robert Allerstorfer

Re: Disabling Guest User

by Samuli Karevaara -
Have you tried logging in as "guest" if the guestloginbutton is disabled? I seem to remember that logging in as guest is disabled in this case altogether.
In reply to Samuli Karevaara

Re: Disabling Guest User

by Robert Allerstorfer -
Thanks for the info. I cannot try to log in directly into Moodle, since we have set the authentication method to use an external database and attempts to log in directly into Moodle will be redirected to our portal's login page.

Sorry that I originally assumed disabling the guestloginbutton will still allow logging in using the username and password "guest". I have now reverted back to the default login/index.php, making sure that the guest account will be created if it does not exist, following the advice here.

regards
rob.