Edgewall Software
Modify

Opened 16 years ago

Closed 15 years ago

Last modified 14 years ago

#1121 closed defect (fixed)

"My Tickets" report doesn't work if the owner and $USER differ only by case

Reported by: pLu Owned by: Christopher Lenz
Priority: normal Milestone: 0.9
Component: general Version: 0.8
Severity: major Keywords:
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:

Description

Login names are usually not case sensitive so users can login with silly capsed names and break the report functionality.

"owner LIKE '$USER'" instead of "owner = '$USER'"? Bad performance though. Maybe Trac always should lower case owner and $USER?

Attachments (1)

ignore_auth_case.diff (5.5 KB ) - added by Ian Leader <__ian.leader__@…> 15 years ago.

Download all attachments as: .zip

Change History (13)

comment:1 by Christopher Lenz, 16 years ago

Just a note: if users log in with "silly capsed names", they will also not get the permissions they might have when using the proper case.

comment:2 by nil4, 15 years ago

Severity: normalmajor

It becomes a real problem when using NTLM (domain) authentication, because different browsers can report the name of the domain with different capitalizations. Suddenly, depending on what browser you use, you're either reported as DOMAIN\username or domain\UserName and so on. There's little users can do to fix this problem.

So I think an option to lowercase user names would be great.

comment:3 by Matthew Good, 15 years ago

Resolution: worksforme
Status: newclosed

You can make a simple change to the "My Tickets" report to fix this if you want the report to ignore case checking.

Replace

owner = '$USER'
}}

With
{{{
lower(owner) = lower('$USER')
}}}

comment:4 by Matthew Good, 15 years ago

Hmm, part of that comment seems to be missing

Replace

owner = '$USER'

With

lower(owner) = lower('$USER')

comment:5 by ___ian.leader___@…, 15 years ago

Component: report systemgeneral
Resolution: worksforme
Status: closedreopened

Thanks for this work around for the reports, but I'm reopening this because:

  1. It won't fix the problem mentioned above regarding permissions, and
  2. There seems to be a similar problem with custom queries using owner or reporter, which it will also not fix

Does anyone know of other places where there may be problems? We run trac (currently 0.7 stable with various patches) on W2K server and Apache, using mod_auth_sspi to authenticate against our W2K domain controllers. I can see two approaches to resolving this:

  1. Modifying mod_auth_sspi to always pass lower case user names to Apache, or
  2. Modifying trac so that user name comparisons are case insensitive (based on a configuration parameter)

Issues with doing (1) are:

  • It won't help if we switch to using LDAP against active directory, which we may do later this year because…
  • We're concerns about mod_auth_sspi not really having an 'owner', and as my company doesn't have C on Windows expertise we don't really want to have to maintain it ourselves

Therefore (2) would be our preferred approach.

comment:6 by anonymous, 15 years ago

After irc discussion with cmlenz, I am proceeding with this along the lines of approach 2 as follows:

  1. Modifying the ini file to include a parameter 'ignore_auth_case' in the [trac] section, which will be set to 'false' by default
  2. Modifying auth.py so that the this parameter can be passed to the constructor of the Authenticator class, and if set to 'true', all the remote_user will be converted to lower case for storage in the session table in the database, and the cookie

This effectively ignore the case of the authentication data passed from the web server. However, it will not make the owner field in tickets and reports case insensitive - for example if you assign a ticket to a mixed or upper case owner, then try to run the 'My Tickets' report, it won't find the tickets where the owner isn't all in lower case.

comment:7 by Ian Leader <__ian.leader__@…>, 15 years ago

Owner: changed from daniel to Ian Leader <__ian.leader__@…>
Status: reopenednew

by Ian Leader <__ian.leader__@…>, 15 years ago

Attachment: ignore_auth_case.diff added

comment:8 by Ian Leader <__ian.leader__@…>, 15 years ago

Patch for this ticket against 1667 added.

Tested on Windows XP SP2, Apached 2.0.54, Python 2.3, CGI.

comment:9 by anonymous, 15 years ago

Milestone: 0.9

Re-tested against 1718. Includes new unit tests in trac.web.tests.auth and doesn't break any existing ones. Not sure what the procedure is for nominating something for inclusion in a particular release, so as it's a failry low impact I am just updating the milestone field to 0.9.

comment:10 by anonymous, 15 years ago

Owner: changed from Ian Leader <__ian.leader__@…> to anonymous

comment:11 by Christopher Lenz, 15 years ago

Owner: changed from anonymous to Christopher Lenz
Status: newassigned

comment:12 by Christopher Lenz, 15 years ago

Resolution: fixed
Status: assignedclosed

Patch applied in [1942]. Thanks, Ian!

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Christopher Lenz.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Christopher Lenz to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.