Add password recovery with CLI

Bug #1396564 reported by Dominique-Alain JAN
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Mahara | Fix Released | Wishlist | Unassigned |
15.10 | Fix Released | Undecided | Unassigned |

Bug Description

Moodle offers many services accessible by CLI in the admin/cli folder and also in individual modulename/cli folders.

One of the CLI services provides a way for an admin to change a user's password, which makes it very convenient to do quickly for one user or for many users, with some unix programming.

I would like to suggest adding such a CLI service to the admin/cli folder for Mahara.

Tags: admin cli
Changed in mahara:
milestone: none → 15.04.0
importance: Undecided → Wishlist
description: updated
Kristina Hoeppner (kris-hoeppner) wrote :

Hi dajan,

Why do you want a cli script? You can already do that easily via the Add users via CSV option.

Cheers
Kristina

Changed in mahara:
milestone: 15.04.0 → none
status: New → Triaged
status: Triaged → Opinion
Dominique-Alain JAN (dajan) wrote :

Why I suggest this:

1/ Creating a CSV is longer
2/ Moreover what do you do when the admin has lost the admin password?

On Moodle you just launch the changepassword.php CLI, enter the username, enter the new password when prompted. Done. Quick, clean and works with any type of users.

Aaron Wells (u-aaronw) wrote :

A CLI script is actually our current recommended way of resetting the admin password. There's a sample one laid out here: https://wiki.mahara.org/index.php/System_Administrator%27s_Guide/Installing_Mahara/Troubleshooting#Q:_If_I.27ve_locked_myself_out.2C_how_can_I_reset_the_password_for_my_user.3F

And I've also written up a slightly smoother one for my own use, which I'll attach to this bug.

I've not included it with the standard Mahara distribution because I was concerned that it might not be secure. I'll run the idea by Hugh and see what he thinks though.

Aaron Wells (u-aaronw) wrote :

Hi Hugh,

I added you to this bug to see whether you think we could securely add a CLI script for resetting the admin password, into the standard Mahara distro.

Cheers,
Aaron

Hugh Davenport (hugh-davenport) wrote :

Hi,

Yeah, CLI scripts are safe enough. I mean, while the command is running, any user on the system it is running on can see the arguments (and a user could automatically scrape these), so the new password could be leaked to users on the host system. Security on the web side shouldn't be an issue, as it is done directly with the Mahara codebase.

So yeah, safe enough.

Cheers,

Hugh

Aaron Wells (u-aaronw) wrote :

Very well, I'll upstream my password reset CLI script. Unfortunately since we're about two weeks after the 15.04 feature freeze now, it'll need to wait for 15.10 to be included with the core distro.

Cheers,
Aaron

Changed in mahara:
milestone: none → 15.10.0
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/4347

Aaron Wells (u-aaronw)
Changed in mahara:
status: Opinion → Confirmed
tags: added: admin cli
Changed in mahara:
status: Confirmed → In Progress
Aaron Wells (u-aaronw) wrote :

Testing instructions:

1. Install Mahara
2. Set up an institution with the "Persona" (aka BrowserID) authentication method.
3. Create a user "user1" who is using the Persona auth method.
4. At the command-line, execute the script. As with any Mahara CLI script, depending on your filesystem permissions you will probably need to run it as the same user as Apache in order to avoid permission warnings:

cd /path/to/mahara
sudo -u www-data htdocs/admin/cli/pwreset.php

5. Running the script without any arguments should simply display a help message.

6. Running the script for "user1" should prompt you for a password, then give you a message about how the user's password could not be changed because they're not on the internal auth:

sudo -u www-data htdocs/admin/cli/pwreset.php -u=user1

7. Run it again with the -i flag, to force their auth method to be changed:

sudo -u www-data htdocs/admin/cli/pwreset.php -u=user1 -i

8. You should now be able to log in to your Mahara install as user1, using the password you entered at the command line.

9. Run it again, providing the password on the command-line:

sudo -u www-data htdocs/admin/cli/pwreset.php -u=user1 -p=password

10. Log in again as user1, with password "password". You should be forced to reset your password after you log in.

11. Run it again, with the "-f=false" flag.

sudo -u www-data htdocs/admin/cli/pwreset.php -u=user1 -p=password -f=false

12. Log in again as user1, with password "password". You should not be forced to reset your password after you log in.
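
An added example, not part of the thread or of Mahara's code: the `-p=password` form used in steps 9 and 11 puts the password in the process arguments, which is the exposure Hugh describes above, and this sketch flags such invocations in a `ps` snapshot with the value redacted. The function names and the sample snapshot are constructed for illustration; the script names and the `-u=`/`-p=` options are the ones used in this thread.

```sh
#!/bin/sh
# Added example: find password-reset runs that carry the password in argv.

# Constructed `ps -eo user,pid,args` snapshot (sample data, not from a real host).
sample_ps() {
cat <<'EOF'
USER       PID COMMAND
root         1 /sbin/init
root      2209 sudo -u www-data htdocs/admin/cli/pwreset.php -u=user1 -p=password
www-data  2210 php htdocs/admin/cli/pwreset.php -u=user1 -p=password
www-data  2214 php htdocs/admin/cli/pwreset.php -u=user2 -i
alice     2302 grep -p=foo notes.txt
www-data  2350 php htdocs/admin/cli/reset_password.php -u=admin -p=Tr0ub4dor
EOF
}

# Read a ps snapshot on stdin; print one redacted line per exposed invocation.
exposed_resets() {
    awk '
    NR == 1 { next }    # skip the ps header line
    {
        seen = 0; target = "?"; leaked = 0
        for (i = 3; i <= NF; i++) {
            if ($i ~ /pwreset\.php$/ || $i ~ /reset_password\.php$/) { seen = 1; continue }
            if (!seen) continue    # options before the script belong to sudo, php, ...
            if ($i ~ /^-u=/) target = substr($i, 4)
            if ($i ~ /^-p=./) leaked = 1
        }
        if (leaked) printf "%s pid=%s target=%s -p=[REDACTED]\n", $1, $2, target
    }'
}

sample_ps | exposed_resets
```

On a live host, feed it `ps -eo user,pid,args` instead of the sample; runs that let the script prompt for the password, as in step 6, produce no output.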

Dominique-Alain JAN (dajan) wrote :

Thank you for this Aaron.

Could we rename it "reset_password.php" for coherence with the same feature on Moodle, so webmasters have fewer things to remember when they manage Moodle and Mahara on their servers?

Thanks again.

Aaron Wells (u-aaronw) wrote :

Sure, "reset_password.php" makes more sense anyway.

Mahara Bot (dev-mahara) wrote :

Patch for "master" branch: https://reviews.mahara.org/4916

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/4347
Committed: https://git.nzoss.org.nz/mahara/mahara/commit/432c892ffcef3f8d65d1a3aa473195e3790da1f0
Submitter: Aaron Wells (<email address hidden>)
Branch: master

commit 432c892ffcef3f8d65d1a3aa473195e3790da1f0
Author: Aaron Wells <email address hidden>
Date: Wed Mar 4 11:00:55 2015 +1300

Command-line utility for resetting user passwords

Bug 1396564

Change-Id: Iac269d93d37add7053c7993dfcbb412c01ddf6d3

Aaron Wells (u-aaronw) wrote :

I'm spinning off the session-ending stuff to a separate Bug 1471103.

Changed in mahara:
status: In Progress → Fix Committed
Aaron Wells (u-aaronw) wrote :

Okay, with that spun off, we can mark this one "committed".

Unfortunately, since I made some changes to other parts of the code in order to accommodate this script, it can't be easily backported to earlier versions of Mahara.

So if you want a Mahara password-reset script that will work in 15.04 or earlier, I suggest using the one I attached to this bug: https://bugs.launchpad.net/mahara/+bug/1396564/+attachment/4277368/+files/pwreset.php

Robert Lyon (robertl-9)
Changed in mahara:
status: Fix Committed → Fix Released