Description
I've upgraded my 1.8 install to 1.9. My user account, the superuser, can no longer see the 'switch user' link from its preferences, nor manually craft a ?action=userprefs&sub=suid link to get there.
I am using GivenAuth (Apache mod_sspi)
I can however see the SystemInfo & SystemAdmin pages, so I assume I am a superuser...
Steps to reproduce
superuser = [u"Jpc", ]
from MoinMoin.auth import GivenAuth
auth = [GivenAuth(autocreate=True, titlecase=True, )]
Example
Component selection
MoinMoin\userprefs\suid.py
def allowed(self):
    return (self.request.user.auth_method in self.request.cfg.auth_can_logout
            and UserPrefBase.allowed(self)
            and self.request.user.isSuperUser())
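To make the effect of that gate concrete, here is an added example (not MoinMoin's own code) that models the `allowed()` check on constructed stand-in objects. The `Cfg`, `User` and `Request` classes are assumptions built for the example; it also assumes that `UserPrefBase.allowed()` only requires a logged-in user, that GivenAuth reports `auth_method == "given"`, and that the default `auth_can_logout` contains only `"moin"`. It evaluates both the 1.9 gate and the reverted 1.8-style gate from the Workaround section for the same superuser:

```python
# Added example, not MoinMoin's code: model of the suid.py allowed() gate.
# Cfg/User/Request are constructed stand-ins for the real request objects.

class Cfg:
    def __init__(self, auth_can_logout, superuser):
        self.auth_can_logout = auth_can_logout   # auth methods with an explicit logout
        self.superuser = superuser               # names allowed to switch user

class User:
    def __init__(self, name, auth_method, valid=True):
        self.name = name
        self.auth_method = auth_method           # assumption: GivenAuth reports "given"
        self.valid = valid

class Request:
    def __init__(self, cfg, user):
        self.cfg = cfg
        self.user = user

def is_superuser(request):
    # stand-in for user.isSuperUser(): a valid user listed in cfg.superuser
    return request.user.valid and request.user.name in request.cfg.superuser

def base_allowed(request):
    # assumption: UserPrefBase.allowed() only requires a logged-in user
    return request.user.valid

def suid_allowed_19(request):
    # the 1.9 gate quoted above: the auth method must be one the user can
    # explicitly log out of, so an impersonation session can always be ended
    return (request.user.auth_method in request.cfg.auth_can_logout
            and base_allowed(request)
            and is_superuser(request))

def suid_allowed_18(request):
    # the reverted gate from the Workaround section: no logout requirement
    return base_allowed(request) and is_superuser(request)

def evaluate(auth_method, name=u"Jpc", auth_can_logout=("moin",)):
    # assumption: the default auth_can_logout holds only "moin"
    cfg = Cfg(list(auth_can_logout), [u"Jpc"])
    req = Request(cfg, User(name, auth_method))
    return {"1.9": suid_allowed_19(req), "1.8": suid_allowed_18(req)}

if __name__ == "__main__":
    for method in ("moin", "given"):
        print(method, evaluate(method))
    # listing the GivenAuth method in auth_can_logout re-opens the 1.9 gate
    print("given, listed", evaluate("given", auth_can_logout=("moin", "given")))
```

The point the model makes is that the 1.9 gate is keyed on `auth_can_logout`, not on superuser status: the reporter is still a superuser, but the GivenAuth method is not one the wiki can log out of, so the switch-user page is withheld. The reverted gate removes that condition for every auth method, which is what the later discussion objects to.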
The changes were made here...
Details
MoinMoin Version: 1.9.*
OS and Version: Windows Server 2003/XP Pro
Python Version: 2.6
Server Setup: Apache
Server Details:
Language you are using the wiki in (set in the browser/UserPreferences): English
Workaround
I've changed
MoinMoin\userprefs\suid.py
def allowed(self):
    return (self.request.user.auth_method in self.request.cfg.auth_can_logout
            and UserPrefBase.allowed(self)
            and self.request.user.isSuperUser())
back to
def allowed(self):
    return UserPrefBase.allowed(self) and self.request.user.isSuperUser()
while testing... and everything works perfectly again. I guess I'd suggest testing this first before implementing it live... in case you can't log out for whatever reason. Oh, and not doing this unless it's broken in the first place...?
Discussion
When installed for 1.8, I used show_login = 0 following recommendations from a guide here. That option doesn't seem to be necessary anymore. Neither does changing it allow me to 'logout', or switch user.
I assume that using GivenAuth does the above for me so I'm not going to use that option from now on.
You can only log out from a GivenAuth session by closing your browser. I need to investigate it a bit more. You can log out in the current version from the suid session.
- This was just my ramblings while I was figuring out what configuration settings were breaking it for me. Yes you can still log out from the suid session, but you can't enter the suid session in the first place because of the check in the code I pasted above.
setuidfix.diff: please try this patch
This patch restores correct behaviour for me. 'Logout' appears (only) when suid'd. I have only tested this while using GivenAuth. Thank you very much for looking into the issue. -- JosephPrice 2010-03-22 11:12:56
Your problem is still not solved. Because for GivenAuth you log out by closing your browser. This does not invalidate the suid session if you haven't closed it yourself. So I think current behaviour is safer until we have the real solution. -- ReimarBauer 2010-03-22 13:22:11
Ah yep sorry... when I close down and log back in I am still suid'd. I'm not sure that this is 'unsafe' though? I still had to authenticate? I guess it could be considered 'unexpected' behaviour by some though.. -- JosephPrice 2010-03-22 16:57:24
It depends on the scope of view. If you share your computer with a user then the user can easily get your session and your identity. This must be avoided. Also I guess no one would expect such a behaviour for an http_auth session. If the browser is closed every session cookie must be invalidated - somehow. Let's look for the better solution. -- ReimarBauer 2010-03-22 17:14:54
My mistake. I didn't realise that it would be possible to hijack the entire session without re-authenticating. I'll be quiet now. -- JosephPrice 2010-03-23 09:05:26
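The exchange above turns on one fact: a GivenAuth "logout" happens entirely in the browser, so the server never learns about it and an impersonation marker stored in the server-side session outlives it. The following added example (not MoinMoin's code, and not the patch discussed in the thread) is a toy session store that reproduces that behaviour and then shows two server-side checks that end the impersonation anyway: the outer identity presented by the web server must still match the one that started the suid session, and the suid session expires after a constructed time limit. `SessionStore`, `login_given`, `start_suid`, `resolve_user_naive`, `resolve_user_guarded` and `SUID_TTL` are all hypothetical names invented for this example:

```python
# Added example, not MoinMoin's code: why a stored suid marker survives a
# browser-side GivenAuth logout, and two server-side checks that end it.
# All names and values here are constructed for illustration.

SUID_TTL = 600  # constructed limit: impersonation ends after 10 minutes

class SessionStore:
    """Server-side sessions keyed by the session cookie value."""
    def __init__(self):
        self.sessions = {}

    def get(self, cookie):
        return self.sessions.setdefault(cookie, {})

def login_given(store, cookie, remote_user):
    # GivenAuth trusts the identity the web server supplies (REMOTE_USER);
    # remember which outer identity this session was created for
    session = store.get(cookie)
    session["outer_user"] = remote_user
    return session

def start_suid(store, cookie, target, now):
    # superuser switches to another account; record who and when
    session = store.get(cookie)
    session["suid_user"] = target
    session["suid_since"] = now

def resolve_user_naive(store, cookie, remote_user):
    # the behaviour the thread describes: any later request that presents
    # the same cookie still acts as the impersonated user, because closing
    # the browser never told the server anything
    session = store.get(cookie)
    return session.get("suid_user") or remote_user

def resolve_user_guarded(store, cookie, remote_user, now):
    session = store.get(cookie)
    if "suid_user" in session:
        outer_changed = session.get("outer_user") != remote_user
        expired = (now - session.get("suid_since", now)) > SUID_TTL
        if outer_changed or expired:
            # drop the marker server-side: the browser cannot be relied on
            # to end the impersonation for us
            session.pop("suid_user", None)
            session.pop("suid_since", None)
    return session.get("suid_user") or remote_user

def scenario():
    """Constructed walk-through; returns the identity each request resolves to."""
    results = {}

    # 1. same person reopens the browser an hour later with the old cookie
    store = SessionStore()
    login_given(store, "cookie-A", "Jpc")
    start_suid(store, "cookie-A", "Target", now=1000)
    results["naive_same_user_later"] = resolve_user_naive(store, "cookie-A", "Jpc")
    results["guarded_same_user_later"] = resolve_user_guarded(store, "cookie-A", "Jpc", now=1000 + 3600)

    # 2. a different account on a shared machine presents the same cookie
    store = SessionStore()
    login_given(store, "cookie-B", "Jpc")
    start_suid(store, "cookie-B", "Target", now=1000)
    results["naive_other_user"] = resolve_user_naive(store, "cookie-B", "Other")
    results["guarded_other_user"] = resolve_user_guarded(store, "cookie-B", "Other", now=1000 + 5)

    # 3. within the limit and with the same outer identity, suid still works
    store = SessionStore()
    login_given(store, "cookie-C", "Jpc")
    start_suid(store, "cookie-C", "Target", now=1000)
    results["guarded_same_user_soon"] = resolve_user_guarded(store, "cookie-C", "Jpc", now=1000 + 5)
    return results

if __name__ == "__main__":
    for name, who in sorted(scenario().items()):
        print(name, "->", who)
```

In the naive resolver both later requests still act as `Target`, which is the hijack ReimarBauer describes. The guarded resolver falls back to the identity the web server actually presented as soon as that identity changes or the time limit passes, so a leftover cookie on a shared machine no longer carries the impersonated identity with it. A time limit alone does not cover the shared-machine case within the limit; the outer-identity comparison is what catches that.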
Just pointing it out, I'm affected by this bug too and would love a resolution -- 209.132.186.34 2010-04-06 14:32:49
- Any updates?
Plan
- Priority:
- Assigned to:
- Status: