Moodle / MDL-65459

Logging: Missed two points relying on non-JSON log format


    • Bug
    • Resolution: Fixed
    • Minor
    • 3.7
    • 3.7
    • Logging
    • MOODLE_37_STABLE
    • MOODLE_37_STABLE
    • MDL-65459-master

      You must have a server where email works, or use a mailcatcher solution.

      1. In admin, turn on the 'notifyloginfailures' option, setting it to send email to yourself.
      2. Using another browser, or after logging out, attempt to log in 10 times in a row using an incorrect username (one that does not match a Moodle user, for example 'frogfrog')
      3. Wait for the 'Send failed login notifications' scheduled task to run, or run it from the web (@ admin/tool/task/scheduledtasks.php) or cli (with php admin/tool/task/cli/schedule_task.php --execute='\core\task\send_failed_login_notifications_task') - if you run it, be aware it has an annoying limit so it won't check more than once per hour.
        • It should show a message like 'Emailing admins about 12 failed login attempts'.
        • The email should correctly list the fake username you used for each request, like this: 'Wednesday, 1 May 2019, 12:08 PM, IP: x.x.x.x, User: frogfrog, User full name: Unknown user'

      If this fix failed, there might be a fatal error running the task, or it would not include the username.


      I happened to do a different type of code search (searched for regex 'unser.*->other') and found two places which were still relying on the log 'other' field being PHP-serialised. These are:

      1. Somewhere in privacy helper (I am not sure what this one does!)
      2. When sending out email about failed logins

      Note: I didn't work out a way to test the privacy helper one, it seems only to occur in an unexpected case. I wrote a test script for the other one though, and the fix is straightforward and identical in both places...
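
An added example, not code from the Moodle patch or from this tracker entry: one way a reader of the log 'other' field can accept both the JSON format and legacy PHP-serialised rows, so the failed-login email keeps the username instead of dropping it or ending in a fatal error. The function name decode_log_other() and the sample rows are assumptions made for illustration.

```php
<?php
// Added illustration, not Moodle's own code. decode_log_other() is a hypothetical helper.

/**
 * Decode the 'other' column of a log row that may hold JSON or legacy serialize() output.
 * Returns null when the value is empty, malformed, or not an array.
 */
function decode_log_other(?string $other): ?array {
    if ($other === null || $other === '') {
        return null;
    }
    // serialize() output is 'N;' or starts with a type letter followed by ':'.
    // No JSON document starts that way, so the prefix tells the two formats apart.
    if ($other === 'N;' || preg_match('~^[abdisOC]:~', $other)) {
        // allowed_classes => false: stored log data must never instantiate objects.
        $value = @unserialize($other, ['allowed_classes' => false]);
    } else {
        $value = json_decode($other, true);
    }
    return is_array($value) ? $value : null;
}

// Constructed sample rows for a failed-login event, one per case.
$rows = [
    'json'   => '{"username":"frogfrog","reason":1}',
    'legacy' => serialize(['username' => 'frogfrog', 'reason' => 1]),
    'null'   => 'N;',
    'broken' => '{"username":',
];

foreach ($rows as $label => $raw) {
    $other = decode_log_other($raw);
    // An undecodable row must not abort the notification run; report a marker instead.
    $username = $other['username'] ?? '(unknown)';
    printf("%-6s User: %s\n", $label, $username);
}
```

Running the same decoder over rows written before and after the format change is a quick check that failed-login alerting still works on a site whose log table holds both.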

            quen Sam Marshall
            quen Sam Marshall
            Tim Hunt Tim Hunt
            Eloy Lafuente (stronk7) Eloy Lafuente (stronk7)
            Janelle Barcega Janelle Barcega