user with no password can make themself a password #2653

Open
Alex-Jordan opened this issue Jan 8, 2025 · 4 comments

Comments

@Alex-Jordan
Contributor

Maybe this is expected behavior, not an issue...

We have the permission to change password set to "student" so they can change their own passwords. There was a student who should be entering their course via LTI. Initially they had no password. They went to Account Settings and accidentally saved a password for themselves.

I'm just wondering if that should not have been permitted. Changing a password is one thing, but creating one is different. The instructor has not set the LTI option to require users to enter from the LMS (for convenience, so the instructor herself can enter with a password). So now this student can also enter using the password they made up. Maybe that is a good thing? My first reaction is that it causes confusion. I would find it simpler to just know with certainty that none of the students have a password.

What do others think?

@somiaj
Contributor

somiaj commented Jan 8, 2025

In my use case, I set the $permissionLevels{change_password} to professor to not allow students to change their password. I don't know if treating blank passwords differently is needed, because it could be that some other setup wants what you describe, to allow users access after setting their own password, even if it starts out blank by accessing through LTI. Note I also use LDAP, so my students can access directly using their university password vs having to create their own.

@somiaj
Contributor

somiaj commented Jan 8, 2025

In this particular use case you describe, where students can change their password, are there some students who should be able to change their password and others that cannot? Or is this just a system setting, and some courses should update their configuration to not allow students in that course to change their password, forcing them to enter via LTI?

@drgrice1
Member

drgrice1 commented Jan 8, 2025

I see no reason that no password should be treated any differently than having a password. If you don't want students to change their password, regardless of whether they have one or not, then set the $permissionLevels{change_password} to a higher permission level than student.

@dlglin
Member

dlglin commented Jan 9, 2025

I see valid use cases for both allowing or not allowing password changes in this scenario.
If an instructor wants to force students to access WW only via LTI, then they should set a higher permission level for $permissionLevels{change_password}.
If an instructor wants to create student accounts via LTI, but then let students log in with a password, they can leave the default.
There is already a comment in authen_LTI.conf.dist about changing this setting if external authentication is disabled.
