Description

If the superuser on an http_auth configuration switches to a different user, he seems to be able to set the password for that user. But what he actually changes is the password for moin's own auth.

Steps to reproduce

from MoinMoin.auth.http import GivenAuth
auth = [GivenAuth(autocreate=True)]

Example

Component selection

Details

MoinMoin Version

OS and Version

Python Version

Server Setup

Server Details

Language you are using the wiki in (set in the browser/UserPreferences)

Workaround

Discussion

I think we should check the env var 'REMOTE_USER' and if it is set we have an external auth. For that case we should disable the password change form.

   1 diff -r 83483f4e26cb MoinMoin/userprefs/changepass.py
   2 --- a/MoinMoin/userprefs/changepass.py  Sat Mar 07 22:38:00 2009 +0100
   3 +++ b/MoinMoin/userprefs/changepass.py  Sun Mar 08 10:22:43 2009 +0100
   4 @@ -26,7 +26,8 @@
   5 
   6 
   7      def allowed(self):
   8 -        return (not 'password' in self.cfg.user_form_remove and
   9 +        return (not self.request.environ.get('REMOTE_USER', '') and
  10 +                not 'password' in self.cfg.user_form_remove and
  11                  not 'password' in self.cfg.user_form_disable and
  12                  UserPrefBase.allowed(self) and
  13                  not 'password' in self.request.user.auth_attribs)
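Review bot: the new REMOTE_USER check in allowed() hides the password form for every user whenever the web server exports REMOTE_USER, even on a wiki that runs several auth methods side by side and where the current user was authenticated by moin's own login rather than by the external one. The hunk's last condition, `not 'password' in self.request.user.auth_attribs`, already gives a per-user way to say that the authenticating method owns the password, so having the external auth method declare 'password' in auth_attribs would disable the form only where it is actually meaningless, without the blanket environ test. Style: `'password' not in ...` reads better than `not 'password' in ...` in the three membership tests.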

(!) I don't think it should behave that way. Moin can support multiple auth methods at the same time. The user profiles can store a password for some of these methods, while other methods rely on external password checking (like when letting apache check your password against htpasswd files). What we maybe could do to avoid user confusion is to put a hint on the password change page, that using that will just change the password stored in the profile and that some auth methods do not use this at all. OTOH, if this only happens for the superuser changing other people's passwords, it is a bit pointless because the superuser should definitely know how the authentication works in his wiki installation. -- ThomasWaldmann 2009-03-08 22:24:44
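The two positions above (hide the form whenever REMOTE_USER is set, versus rely on the per-user auth_attribs check that allowed() already contains) can be compared on constructed requests. This is an added, simplified model and not MoinMoin's own code; the Request and User classes, the sample users and the auth_attribs values assumed for the external method are all constructed for the illustration.

```python
# Added example (not MoinMoin's own code): a simplified model of the
# changepass allowed() decision, comparing the patch's environ check
# with the existing per-user auth_attribs check. Request, User and
# the sample requests below are constructed for this illustration.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    auth_method: str          # which configured auth method logged this user in
    auth_attribs: tuple = ()  # profile attributes owned by that method


@dataclass
class Request:
    user: User
    environ: dict = field(default_factory=dict)


def allowed_by_environ(request):
    """Patch proposed above: hide the form whenever REMOTE_USER is present."""
    return not request.environ.get('REMOTE_USER', '')


def allowed_by_auth_attribs(request):
    """Existing mechanism: hide the form only if the method that
    authenticated *this* user declares it owns the password."""
    return 'password' not in request.user.auth_attribs


# Constructed sample requests for a wiki that mixes external (web
# server) auth with moin's own profile-password login.
REQUESTS = {
    # The web server set REMOTE_USER and the external method created the
    # session; the profile password is never consulted for this user
    # (auth_attribs for the external method is an assumption here).
    'external': Request(User('alice', 'given', ('name', 'password')),
                        {'REMOTE_USER': 'alice'}),
    # Same wiki, but bob logged in through the moin login form while the
    # web server still exports REMOTE_USER for some other identity.
    'profile_login': Request(User('bob', 'moin_login', ()),
                             {'REMOTE_USER': 'svc-account'}),
    # Plain profile login with no external auth at all.
    'plain': Request(User('carol', 'moin_login', ())),
}


def compare():
    """Return {case: (environ_check_allows, auth_attribs_check_allows)}."""
    return {k: (allowed_by_environ(r), allowed_by_auth_attribs(r))
            for k, r in REQUESTS.items()}
```

The 'profile_login' case is where the two checks disagree: the environ test hides the form from a user whose profile password is exactly what moin verifies, while the auth_attribs test leaves it available.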

Related to MoinMoinBugs/1.9SuperUserUnableToSuid; because the superuser is not able to su in this setup, this is indirectly solved.

Plan


CategoryMoinMoinBug

MoinMoin: MoinMoinBugs/1.9_remote_auth_should_never_allow_password_change (last edited 2011-01-18 07:09:45 by ReimarBauer)