Merge branch 'w40_MDL-41999_m26_userpw' of https://github.com/skodak/…

…moodle

calendar/export.php

@@ -125,7 +125,7 @@
             $weekend = intval($CFG->calendar_weekend);
         }
 
-        $authtoken = sha1($USER->id . $USER->password . $CFG->calendar_exportsalt);
+        $authtoken = sha1($USER->id . $DB->get_field('user', 'password', array('id'=>$USER->id)). $CFG->calendar_exportsalt);
         // Let's populate some vars to let "common tasks" be somewhat smart...
         // If today it's weekend, give the "next week" option
         $allownextweek  = $weekend & (1 << $now['wday']);

calendar/view.php

@@ -153,7 +153,7 @@
         echo $OUTPUT->single_button(new moodle_url('/calendar/managesubscriptions.php', array('course'=>$courseid)), get_string('managesubscriptions', 'calendar'));
     }
     if (isloggedin()) {
-        $authtoken = sha1($USER->id . $USER->password . $CFG->calendar_exportsalt);
+        $authtoken = sha1($USER->id . $DB->get_field('user', 'password', array('id'=>$USER->id)) . $CFG->calendar_exportsalt);
         $link = new moodle_url('/calendar/export_execute.php', array('preset_what'=>'all', 'preset_time'=>'recentupcoming', 'userid' => $USER->id, 'authtoken'=>$authtoken));
         $icon = html_writer::empty_tag('img', array('src'=>$OUTPUT->pix_url('i/ical'), 'height'=>'14', 'width'=>'36', 'alt'=>get_string('ical', 'calendar'), 'title'=>get_string('quickdownloadcalendar', 'calendar')));
         echo html_writer::tag('a', $icon, array('href'=>$link));

lib/upgrade.txt

@@ -40,6 +40,7 @@ information provided here is intended especially for developers.
 * Implement new method get_enabled_plugins() method in subplugin info classes.
 * Each plugin should include version information in version.php.
 * Module and block tables do not contain version column any more, use get_config('xx_yy', 'version') instead.
+* $USER->password field is intentionally unset so that session data does not contain password hashes.
 
 DEPRECATIONS:
 Various previously deprecated functions have now been altered to throw DEBUG_DEVELOPER debugging notices

mod/chat/gui_header_js/jsupdate.php

@@ -29,10 +29,10 @@
 }
 
 //Get the user theme and enough info to be used in chat_format_message() which passes it along to
-if (!$USER = $DB->get_record('user', array('id'=>$chatuser->userid))) { // no optimisation here, it would break again in future!
+if (!$user = $DB->get_record('user', array('id'=>$chatuser->userid, 'deleted'=>0, 'suspended'=>0))) { // no optimisation here, it would break again in future!
     print_error('invaliduser');
 }
-$USER->description = '';
+\core\session\manager::set_user($user);
 
 //Setup course, lang and theme
 $PAGE->set_course($course);

mod/chat/gui_header_js/jsupdated.php

@@ -55,10 +55,10 @@
 
 //Get the user theme and enough info to be used in chat_format_message() which passes it along to
 // chat_format_message_manually() -- and only id and timezone are used.
-if (!$USER = $DB->get_record('user', array('id'=>$chatuser->userid))) { // no optimisation here, it would break again in future!
+if (!$user = $DB->get_record('user', array('id'=>$chatuser->userid, 'deleted'=>0, 'suspended'=>0))) { // no optimisation here, it would break again in future!
     print_error('invaliduser');
 }
-$USER->description = '';
+\core\session\manager::set_user($user);
 
 //Setup course, lang and theme
 $PAGE->set_course($course);

mod/chat/gui_header_js/users.php

@@ -21,14 +21,13 @@
 }
 
 //Get the user theme and enough info to be used in chat_format_message() which passes it along to
-if (!$USER = $DB->get_record('user', array('id'=>$chatuser->userid))) { // no optimisation here, it would break again in future!
+if (!$user = $DB->get_record('user', array('id'=>$chatuser->userid, 'deleted'=>0, 'suspended'=>0))) { // no optimisation here, it would break again in future!
     print_error('invaliduser');
 }
+\core\session\manager::set_user($user);
 
 $PAGE->set_pagelayout('embedded');
 
-$USER->description = '';
-
 //Setup course, lang and theme
 $PAGE->set_course($course);