Implement and honor a password expiry #58

Open
brendanheywood opened this issue Aug 20, 2020 · 4 comments
@brendanheywood
Contributor

Mostly cut and paste or inherit from auth_manual

@Apollon1977

Apollon1977 commented Sep 16, 2021

+1
This is a severe security issue as anyone with an expired key can (although not enrolled in the course) create an account for the site!

@brendanheywood
Contributor Author

This is an expiration for the user's password, not the enrollment key. The enrollment key logic is managed by core moodle and to my knowledge doesn't have a concept of an expiry?

@Apollon1977

OK. Let me describe the issue I noticed a bit more in detail:

  1. I have configured auth_enrolkey as authentication method.
  2. In a course I configured self enrolment and entered a key and an enrolment period.
  3. If a new user wants to register, he enters the key at the signup page. Then a new account in moodle is created and the user is enrolled in my course. That's how it's supposed to be - works perfectly.
  4. When the enrolment period has ended, it's no longer possible to enrol into the course - also as supposed.
  5. BUT: it is still possible to register a new user with that key. This user therefore gets an account (which I think is not supposed to happen). I have to deactivate self enrolment in the course to prevent registering a new user.

@brendanheywood
Contributor Author

Right yes that does make sense. I'll add this to our internal queue but I'm not sure when we will get to it. Pull requests welcome.
