#1121 closed defect (fixed)
"My Tickets" report doesn't work if the owner and $USER differ only by case
Reported by: | pLu | Owned by: | Christopher Lenz |
---|---|---|---|
Priority: | normal | Milestone: | 0.9 |
Component: | general | Version: | 0.8 |
Severity: | major | Keywords: | |
Cc: | Branch: | ||
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description
Login names are usually not case sensitive so users can login with silly capsed names and break the report functionality.
"owner LIKE '$USER'" instead of "owner = '$USER'"? Bad performance though. Maybe Trac always should lower case owner and $USER?
Attachments (1)
Change History (13)
comment:1 by , 20 years ago
comment:2 by , 20 years ago
Severity: | normal → major |
---|
It becomes a real problem when using NTLM (domain) authentication, because different browsers can report the name of the domain with different capitalizations. Suddenly, depending on what browser you use, you're either reported as DOMAIN\username or domain\UserName and so on. There's little users can do to fix this problem.
So I think an option to lowercase user names would be great.
comment:3 by , 20 years ago
Resolution: | → worksforme |
---|---|
Status: | new → closed |
You can make a simple change to the "My Tickets" report to fix this if you want the report to ignore case checking.
Replace
owner = '$USER' }} With {{{ lower(owner) = lower('$USER') }}}
comment:4 by , 20 years ago
Hmm, part of that comment seems to be missing
Replace
owner = '$USER'
With
lower(owner) = lower('$USER')
comment:5 by , 20 years ago
Component: | report system → general |
---|---|
Resolution: | worksforme |
Status: | closed → reopened |
Thanks for this work around for the reports, but I'm reopening this because:
- It won't fix the problem mentioned above regarding permissions, and
- There seems to be a similar problem with custom queries using owner or reporter, which it will also not fix
Does anyone know of other places where there may be problems? We run trac (currently 0.7 stable with various patches) on W2K server and Apache, using mod_auth_sspi to authenticate against our W2K domain controllers. I can see two approaches to resolving this:
- Modifying mod_auth_sspi to always pass lower case user names to Apache, or
- Modifying trac so that user name comparisons are case insensitive (based on a configuration parameter)
Issues with doing (1) are:
- It won't help if we switch to using LDAP against active directory, which we may do later this year because…
- We're concerns about mod_auth_sspi not really having an 'owner', and as my company doesn't have C on Windows expertise we don't really want to have to maintain it ourselves
Therefore (2) would be our preferred approach.
comment:6 by , 20 years ago
After irc discussion with cmlenz, I am proceeding with this along the lines of approach 2 as follows:
- Modifying the ini file to include a parameter 'ignore_auth_case' in the [trac] section, which will be set to 'false' by default
- Modifying auth.py so that the this parameter can be passed to the constructor of the Authenticator class, and if set to 'true', all the remote_user will be converted to lower case for storage in the session table in the database, and the cookie
This effectively ignore the case of the authentication data passed from the web server. However, it will not make the owner field in tickets and reports case insensitive - for example if you assign a ticket to a mixed or upper case owner, then try to run the 'My Tickets' report, it won't find the tickets where the owner isn't all in lower case.
comment:7 by , 20 years ago
Owner: | changed from | to
---|---|
Status: | reopened → new |
by , 20 years ago
Attachment: | ignore_auth_case.diff added |
---|
comment:8 by , 20 years ago
Patch for this ticket against 1667 added.
Tested on Windows XP SP2, Apached 2.0.54, Python 2.3, CGI.
comment:9 by , 20 years ago
Milestone: | → 0.9 |
---|
Re-tested against 1718. Includes new unit tests in trac.web.tests.auth and doesn't break any existing ones. Not sure what the procedure is for nominating something for inclusion in a particular release, so as it's a failry low impact I am just updating the milestone field to 0.9.
comment:10 by , 20 years ago
Owner: | changed from | to
---|
comment:11 by , 19 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:12 by , 19 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Patch applied in [1942]. Thanks, Ian!
Just a note: if users log in with "silly capsed names", they will also not get the permissions they might have when using the proper case.