Open niallfleming opened 4 years ago
The user is forced to change password by the Moodle core function complete_user_login()
which, in my opinion, behaves in a wrong way.
```php
// Check whether the user should be changing password.
if (get_user_preferences('auth_forcepasswordchange', false)) {
    if ($userauth->can_change_password()) {
        if ($changeurl = $userauth->change_password_url()) {
            redirect($changeurl);
        } else {
            require_once($CFG->dirroot . '/login/lib.php');
            $SESSION->wantsurl = core_login_get_return_url();
            redirect($CFG->wwwroot.'/login/change_password.php');
        }
    } else {
        print_error('nopasswordchangeforced', 'auth');
    }
}
```
If the password is handled by an external system, the policy on passwords is up to the external system itself, not Moodle. I will open an issue on Moodle's bug tracker.
I opened the issue https://tracker.moodle.org/browse/MDL-70239
Describe the bug
If a user is signed in via SAML, but their account is set to manual auth in the system and force password change is ticked, they are still forced to change their password - which they cannot do/don't want to do [I'm not sure which] but it's not desirable anyway.
Is there a way to suppress the password change unless they actually log in with user/pass?
Cheers
Niall