Fixed issue #17654 : spurious error "Incorrect username …" in webserver Auth #2448
…plugin Dev: Add optional param \LimeSurvey\PluginManager\PluginEvent when potentially needed
Update API version … new feature in API : 5.4
Dev: check if user is allowed to connect in beforeLogin and newUserSession
Dev: throw 401 if webserver is default, allow DB auth else
Code structure looks OK. Haven't tested it
eead6f5 to ca65e4b
@Shnoulle Did you test your own PR? o0
I check again after last commit,
Really, a developer testing his/her own stuff is not a valid test...
prigaux test the previous one #2170
And check with removing TEST user with autocreate and without.
Hello, in case of an upgrade of a LimeSurvey instance using Authserver, I reproduce this bug: my users don't have the auth_webserver permission and get a loop during their authentication. My diagnosis was complicated because in the admin interface, when I try to edit their permissions, the corresponding permission is checked (even if I can't find it in the database). By saving the permissions of this user, without changing anything, the permission is effectively added in the database and the user is able to connect. Do you think it could also be fixed? Furthermore, in my case, I didn't find a proper solution to bulk add the missing permission to my users. When trying to fix it, I found this post suggesting to add the To finish, if you have any advice on how to add the missing permission after upgrading, it could be useful for me (and ideally documented in the upgrade process).
Can you test with this commit?
I just tested your commits by patching the two files and it seems to be working great: existing users without the auth_webserver permission could log in. I'm not sure I understand how it works because, in
Yes, it's the case. And if you set AuthWeb by default: throw a clean 401. Else: leave AuthDB doing its own task.
OK, so it seems not to be working as expected unless the auth_webserver permission is enabled by default for all users. In my case, with a user without the auth_webserver permission (checked in DB) and AuthWeb set by default, I don't get the expected 401 error. By adding some debug in your code, I see that the
If I don't make error It's the case here? Show the Permission settings for this user.
You're right! I tried with another user (not superadmin) and I have the 401 error. So it seems to work as expected. Do you have any advice on how to bulk add the missing permission to my users? As said before, it could be great to document a good method in the upgrade process.
No … except db update via direct SQL
@olleharstedt I removed the need testing part …
Should be merged to develop?
There are real issues currently with WebAuth … with or without WebAuth set as default. This one for example: https://bugs.limesurvey.org/view.php?id=18169 if user is set by SERVER: always get a loop (if it doesn't have the right to connect to AuthWeb)
Fixed issue #18169: Potential redirect loop with Authwebserver
Dev: Add optional param \LimeSurvey\PluginManager\PluginEvent when potentially needed