"My Tickets" report doesn't work if the owner and $USER differ only by case

[pLu]

Login names are usually not case sensitive so users can login with silly capsed names and break the report functionality.

"owner LIKE '$USER'" instead of "owner = '$USER'"? Bad performance though. Maybe Trac always should lower case owner and $USER?

[Christopher Lenz]

Just a note: if users log in with "silly capsed names", they will also not get the permissions they might have when using the proper case.

[nil4]

It becomes a real problem when using NTLM (domain) authentication, because different browsers can report the name of the domain with different capitalizations. Suddenly, depending on what browser you use, you're either reported as DOMAIN\username or domain\UserName and so on. There's little users can do to fix this problem.

So I think an option to lowercase user names would be great.

[Matthew Good]

You can make a simple change to the "My Tickets" report to fix this if you want the report to ignore case checking.

Replace

owner = '$USER'
}}

With
{{{
lower(owner) = lower('$USER')
}}}

[Matthew Good]

Hmm, part of that comment seems to be missing

Replace

owner = '$USER'

With

lower(owner) = lower('$USER')

[___ian.leader___@…]

Thanks for this work around for the reports, but I'm reopening this because:

1. It won't fix the problem mentioned above regarding permissions, and
2. There seems to be a similar problem with custom queries using owner or reporter, which it will also not fix

Does anyone know of other places where there may be problems? We run trac (currently 0.7 stable with various patches) on W2K server and Apache, using mod_auth_sspi to authenticate against our W2K domain controllers. I can see two approaches to resolving this:

1. Modifying mod_auth_sspi to always pass lower case user names to Apache, or
2. Modifying trac so that user name comparisons are case insensitive (based on a configuration parameter)

Issues with doing (1) are:

• It won't help if we switch to using LDAP against active directory, which we may do later this year because…
• We're concerns about mod_auth_sspi not really having an 'owner', and as my company doesn't have C on Windows expertise we don't really want to have to maintain it ourselves

Therefore (2) would be our preferred approach.

[anonymous]

After irc discussion with cmlenz, I am proceeding with this along the lines of approach 2 as follows:

1. Modifying the ini file to include a parameter 'ignore_auth_case' in the [trac] section, which will be set to 'false' by default
2. Modifying auth.py so that the this parameter can be passed to the constructor of the Authenticator class, and if set to 'true', all the remote_user will be converted to lower case for storage in the session table in the database, and the cookie

This effectively ignore the case of the authentication data passed from the web server. However, it will not make the owner field in tickets and reports case insensitive - for example if you assign a ticket to a mixed or upper case owner, then try to run the 'My Tickets' report, it won't find the tickets where the owner isn't all in lower case.

[Ian Leader <__ian.leader__@…>]

Patch for this ticket against 1667 added.

Tested on Windows XP SP2, Apached 2.0.54, Python 2.3, CGI.

[anonymous]

Re-tested against 1718. Includes new unit tests in trac.web.tests.auth and doesn't break any existing ones. Not sure what the procedure is for nominating something for inclusion in a particular release, so as it's a failry low impact I am just updating the milestone field to 0.9.

[Christopher Lenz]

Patch applied in [1942]. Thanks, Ian!