roperto
commented
7 years ago A few notes:
-
Changing the
$CFGin bootstrap does not help much as it may be overwritten bylib/setup.phplater, unless they are defined in theconfig.phpinstead of database. -
This will allow the user to bypass the external auth only if it uses the
$CFG->alternateloginurlto redirect to the authentication service. SAML2 for example uses a internal redirect, which would occur even with that fix. -
We expect the users to test during the outage ipblock time using local accounts only. Ideally we should allow them to login using external tools so they can test with the users they usually use instead of Moodle local accounts.
I am opening a new issue (opened #109) to allow certain URLs to bypass the the IP Blocking system, which could potentially allow webservices to be tested during the outage and auth callbacks to be processed.
This needs more investigation. I may be barking up the wrong tree, but I think perhaps the issue could be resolved by having a set of config that we optionally set in the outage bootstrap if the outage page is shown.
So we could say in the outage config: "During an outage, the $CFG->auth_saml2->duallogin = true;" so the pre_loginhook would never fire. In theory we may need to do this for any plugin which trys to attach callbacks early in the page render / setup phase.
So I'd probably just want something really simple like an array of key value pairs in a textarea eg
which would translate into this being dynamically set by the bootstrap:
OR possibly we could just have an eval around a chunk of php but I don't like that much. It would also potentially clobber, or be clobbered by other forced plugin settings inside the config.php
Potentially this whole thing is overkill, and we just need to hardcode $CFG->forcelogin=false and that's all we actually need here.