Description

When logged in as superuser, it is possible to go to UserPreferences and select another user account. But as you save the changed settings, this will lead to a situation where the superuser account is overwritten by a duplicate account that matches the said account. Ultimately, superuser privileges are revoked similar to MoinMoinBugs/AdminSelfDemotion.

Steps to reproduce

  1. Log in as superuser

  2. Go to UserPreferences

  3. Select another user (say, JohnDoe) from the drop-down list, and press "Select User"

  4. A help text will appear saying "Use UserPreferences to change settings of the selected user account".

  5. Go to UserPreferences again

  6. Type in a new email address for the user (MoinMoin will complain about a duplicate email address otherwise)

  7. Press "Save"
  8. Log out
  9. Log in with the superuser credentials

  10. The "superuser" account is now named JohnDoe, but has no superuser privileges.

Example

Component selection

Details

MoinMoin Version

1.6.0

OS and Version

Linux

Python Version

Python 2.4.1

Server Setup

Apache 1.3

Server Details

Language you are using the wiki in (set in the browser/UserPreferences)

English

Workaround

Discussion

As a sidenote, it is possible to gain superuser privileges by following these steps:

  1. Contact the Wiki administrator and ask him to change your password or email etc.
  2. Wiki administrator will log in, make the changes to your account and log out
  3. Create a new dummy account

  4. MoinMoin will recalculate the cache file name2id 1

  5. Create a new account with the same name as the superuser account
  6. Congratulations!

-- HenriOssi 2008-02-05 14:00:51

Plan

CategoryMoinMoinBugFixed

  1. According to HelpOnUserHandling, MoinMoin might need to be restarted for this to work. (1)

MoinMoin: MoinMoinBugs/1.6.0ChangingSelectedUserAccountOverwritesSuperuserAccount (last edited 2008-04-20 21:37:29 by ThomasWaldmann)