Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-67802

Allow disabling email verification for all OAuth clients

XMLWordPrintable

    • MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_37_STABLE, MOODLE_38_STABLE, MOODLE_39_STABLE
    • MOODLE_311_STABLE
    • master_MDL-67802_2
    • Hide

      To test creating a service:

      1. Log in as an admin
      2. Navigate to Site Administration > Server > OAuth 2 services
      3. Click the "Custom" button option for "Create new service"
      4. Enter in details for: Name, Client ID and Client Secret (fake details are fine)
      5. Confirm that the "require email verification" checkbox is checked by default
      6. Uncheck the "require email verification" checkbox
      7. Confirm that a new checkbox appears below the email checkbox warning about the potential security risk.
      8. Click the "Save changes" button on the form.
      9. Confirm a required form validation messages appears highlighting that you need to confirm that you accept the risk
      10. Check the "I understand that disabling email verification can be a security issue " checkbox.
      11. Click the "Save changes" button on the form.
      12. Confirm that the service has been created.

      To test editing a service:

      1. Edit the service you created in the first test.
      2. Confirm the unchecked "require email verification" checkbox
      3. Check the "require email verification" checkbox
      4. Click the "Save changes" button on the form.
      5. Confirm that the service has been saved.
      Show
      To test creating a service: Log in as an admin Navigate to Site Administration > Server > OAuth 2 services Click the "Custom" button option for "Create new service" Enter in details for: Name, Client ID and Client Secret (fake details are fine) Confirm that the "require email verification" checkbox is checked by default Uncheck the "require email verification" checkbox Confirm that a new checkbox appears below the email checkbox warning about the potential security risk. Click the "Save changes" button on the form. Confirm a required form validation messages appears highlighting that you need to confirm that you accept the risk Check the "I understand that disabling email verification can be a security issue " checkbox. Click the "Save changes" button on the form. Confirm that the service has been created. To test editing a service: Edit the service you created in the first test. Confirm the unchecked "require email verification" checkbox Check the "require email verification" checkbox Click the "Save changes" button on the form. Confirm that the service has been saved.
    • 1

      Commit df6092d65c21dbb54dc76703af98652ccef0c37c (MDL-66598?) reads

      Only Facebook, Google, and Microsoft issuers can optionally offer to
      		 
      require account confirmation via email. We will require email
      		 
      confirmation for the rest of the issuers.

      Seriously? Are these three the only trustworthy OAuth providers in the world? Have sysadmins really become this dumb that you need to hard-code the words "Google", "Facebook" and "Microsoft" for security reasons? This commit effectively makes it impossible for my organization to use the module to login with an internal provider.

        1. email confirm notification.png
          email confirm notification.png
          49 kB
        2. form confirmation modal V2.png
          form confirmation modal V2.png
          32 kB
        3. form confirm modal.png
          form confirm modal.png
          34 kB
        4. MDL-67802_master.webm
          983 kB
        5. MDL-67802_v311_retest.webm
          1.16 MB
        6. MDL-67802_v311.webm
          690 kB
        7. Require email verification.png
          Require email verification.png
          25 kB

            Votes:
            26 Vote for this issue
            Watchers:
            33 Start watching this issue

              Created:
              Updated:
              Resolved:

                Estimated:
                Original Estimate - 0 minutes
                0m
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 1 day, 2 hours, 16 minutes
                1d 2h 16m

                  Error rendering 'clockify-timesheets-time-tracking-reports:timer-sidebar'. Please contact your Jira administrators.