MDL-57021 passwords: only use unmask field with shared secrets
authorDan Poltawski <dan@moodle.com>
Thu, 15 Jun 2017 11:54:58 +0000 (12:54 +0100)
committerDan Poltawski <dan@moodle.com>
Thu, 15 Jun 2017 11:59:19 +0000 (12:59 +0100)
When a user is entering a password which isn't returned back to them
then it's not correct to use the unmask element - this element was
designed for places where we are storing shared secrets.

enrol/guest/locallib.php
enrol/self/locallib.php
login/signup_form.php

index b1757a7..934d47a 100644 (file)
@@ -38,7 +38,7 @@ class enrol_guest_enrol_form extends moodleform {
         $heading = $plugin->get_instance_name($instance);
         $mform->addElement('header', 'guestheader', $heading);
 
-        $mform->addElement('passwordunmask', 'guestpassword', get_string('password', 'enrol_guest'));
+        $mform->addElement('password', 'guestpassword', get_string('password', 'enrol_guest'));
 
         $this->add_action_buttons(false, get_string('submit'));
 
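Review bot: The reason for choosing the plain `password` element is recorded only in the commit message, so nothing at the `guestpassword` call site discourages a later change back to `passwordunmask`. A one-line comment above the `addElement` call would keep the rule visible, for example `// Plain 'password': typed by the user and never shown back; 'passwordunmask' is only for stored shared secrets (MDL-57021).` The same comment fits the `enrolpassword` element in enrol/self/locallib.php and the `password` element in login/signup_form.php. The enclosing method starts and ends outside this hunk.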
index a60224e..dc17af1 100644 (file)
@@ -78,7 +78,7 @@ class enrol_self_enrol_form extends moodleform {
 
         if ($instance->password) {
             // Change the id of self enrolment key input as there can be multiple self enrolment methods.
-            $mform->addElement('passwordunmask', 'enrolpassword', get_string('password', 'enrol_self'),
+            $mform->addElement('password', 'enrolpassword', get_string('password', 'enrol_self'),
                     array('id' => 'enrolpassword_'.$instance->id));
             $context = context_course::instance($this->instance->courseid);
             $keyholders = get_users_by_capability($context, 'enrol/self:holdkey', user_picture::fields('u'));
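Review bot: The attributes array passed for `enrolpassword` sets only `id`, so a browser will treat the enrolment key like any other password input and may autofill the user's saved account password into it or offer to store the key as the site login. An autocomplete hint on the element would reduce that, e.g. `array('id' => 'enrolpassword_'.$instance->id, 'autocomplete' => 'off'));`, although browsers do not always honour it on password inputs. This is presumably carried over from the previous element rather than introduced by the commit, but it matters more now that the user can no longer unmask the field to see what was filled in. The `if ($instance->password)` block continues past the end of the hunk.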
index 07980d8..f0a33a3 100644 (file)
@@ -46,7 +46,7 @@ class login_signup_form extends moodleform implements renderable, templatable {
         if (!empty($CFG->passwordpolicy)){
             $mform->addElement('static', 'passwordpolicyinfo', '', print_password_policy());
         }
-        $mform->addElement('passwordunmask', 'password', get_string('password'), 'maxlength="32" size="12"');
+        $mform->addElement('password', 'password', get_string('password'), 'maxlength="32" size="12"');
         $mform->setType('password', core_user::get_property_type('password'));
         $mform->addRule('password', get_string('missingpassword'), 'required', null, 'client');