View Issue Details

ID: 17654
Project: Bug reports
Category: Plugins
View Status: public
Last Update: 2022-10-10 10:47
Reporter: prigaux
Assigned To: DenisChenu
Priority: none
Severity: minor
Status: closed
Resolution: fixed
Product Version: 5.x
Summary: 17654: spurious error "Incorrect username and/or password!" on auth_webserver autocreating user
Description

On auth_webserver login with autocreation, it displays a spurious error "Incorrect username and/or password!"

Here is why:

When autocreating a user, Authwebserver::newUserSession:

  • calls Permission::setPermissions, which dispatches a new event
    => which modifies $this->event
  • calls $this->setAuthSuccess ... which modifies the "beforeHasPermission" event instead of modifying the "newUserSession" event
    LSUserIdentity::authenticate, which dispatched the "newUserSession" event, checks $authEvent->get('result'), which is still null, and sets $result as error.
Steps To Reproduce

Ensure the user is not in the "users" db, then access the /admin page

Expected result

no warning

Actual result

it alerts "Incorrect username and/or password!"

Tags: No tags attached.
Bug heat: 12
Complete LimeSurvey version number (& build): 5.1.14 & 210927
I will donate to the project if issue is resolved: No
Browser:
Database type & version: mysql myisam
Server OS (if known): Debian 10
Webserver software & version (if known):
PHP Version: PHP 7.3

Relationships

related to 18169 (closed, DenisChenu): Potential redirect loop with Authwebserver

Users monitoring this issue

DenisChenu, prigaux

Activities

prigaux

2021-10-07 14:36

reporter   ~66796

Suggested fix: https://github.com/LimeSurvey/LimeSurvey/pull/2087

DenisChenu

2021-11-26 16:26

developer   ~67594

Last edited: 2021-12-12 14:02

My opinion : must fix auth_webserver plugin and not try to fix all events with potential risk.

Add $Authwebserver = $this at line 99 : https://github.com/LimeSurvey/LimeSurvey/blob/8a093fdcfe1a27ea44db9a3cc0e5ccb05a0460a6/application/core/plugins/Authwebserver/Authwebserver.php#L99
is a quick start
(and replace all this after ;) )

DenisChenu

2021-11-27 10:24

developer   ~67599

Last edited: 2021-12-12 14:02

Checked the suggested fix; currently I don't find a way to really break plugins: the system is better.

Except if some plugin dev uses the broken system …

https://github.com/Shnoulle/CheckIssue17654Fix

Need other plugin dev advice here …

DenisChenu

2021-12-06 20:18

developer   ~67718

Last edited: 2021-12-12 14:02

@prigaux : Can you check with https://github.com/LimeSurvey/LimeSurvey/pull/2170 ? Please

Else: I think your fix is great, but it breaks the API, so it needs to be done for develop

prigaux

2021-12-07 09:03

reporter   ~67723

Last edited: 2021-12-12 14:02

Sure it's ok for me.

NB : I would rather add the optional event argument to "setAuthSuccess" in AuthPluginBase.php than duplicate it in Authwebserver.php, but that's up to you guys!

DenisChenu

2021-12-07 09:19

developer   ~67724

Last edited: 2021-12-12 14:02

> NB : I would rather add the optional event argument to "setAuthSuccess" in AuthPluginBase.php than duplicate it in Authwebserver.php, but that's up to you guys!

Yes, I think so too :) I'll see with the other devs.

About your fix: I need to report another issue. Maybe for the 6.0 version (we can break API compatibility)

DenisChenu

2021-12-12 14:02

developer   ~67766

Last edited: 2021-12-12 14:02

https://github.com/LimeSurvey/LimeSurvey/pull/2170

DenisChenu

2022-07-06 15:07

developer   ~70762

https://github.com/LimeSurvey/LimeSurvey/pull/2448

DenisChenu

2022-07-06 15:08

developer   ~70763

@prigaux : can you test the commit ?
then we can merge it :)

ollehar

2022-08-08 09:58

administrator   ~71376

Waiting for tiny code improvement

DenisChenu

2022-10-06 11:27

developer   ~72151

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=33941

LimeBot

2022-10-10 10:47

administrator   ~72182

Fixed in Release 5.4.5+221010

Related Changesets

LimeSurvey: master 7066f691

2022-10-06 11:11:59

DenisChenu


Committer: GitHub
Fixed issue 17654 : spurious error "Incorrect username …" in webserver Auth (#2448)

Dev: Add optional param \LimeSurvey\PluginManager\PluginEvent when potentially needed
Dev: check if user is allowed to connect in beforeLogin and newUserSession
Dev: throw 401 if webserver is default, allow DB auth else
Dev: Allowed usage of Permission::model, use it
Dev: secure beforeLogin too (unneeded, but better)
Dev: use use LimeSurvey\PluginManager\PluginEvent
Affected Issues
17654
mod - application/core/plugins/Authwebserver/Authwebserver.php
mod - application/libraries/PluginManager/AuthPluginBase.php
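
The failure mode from the description, and the optional event argument named in the changeset, as an added example: a simplified stand-alone model, not LimeSurvey's code. The AuthPlugin class, its dispatch() method, the $useFix switch, the authenticate() function and the user name "alice" are assumptions made for illustration.

```php
<?php
// Simplified model (constructed for illustration, not LimeSurvey source).
// Event and method names echo the report; all bodies are assumptions.

class PluginEvent {
    public $name;
    private $data = [];
    public function __construct(string $name) { $this->name = $name; }
    public function set(string $key, $value): void { $this->data[$key] = $value; }
    public function get(string $key) { return $this->data[$key] ?? null; }
}

class AuthPlugin {
    public $event = null;    // shared slot, overwritten on every dispatch
    public $useFix = false;  // hypothetical switch between the two behaviours

    public function dispatch(PluginEvent $e): void {
        $this->event = $e;   // the plugin now points at the most recent event
        $this->{$e->name}(); // call the handler named after the event
    }

    public function beforeHasPermission(): void {} // nested handler, nothing to do

    // Fixed signature: the caller may name the event that receives the result.
    public function setAuthSuccess(string $user, ?PluginEvent $event = null): void {
        ($event ?? $this->event)->set('result', 'success:' . $user);
    }

    public function newUserSession(): void {
        $authEvent = $this->event; // capture before anything else dispatches
        // Autocreation sets permissions, which dispatches a nested event
        // and replaces $this->event.
        $this->dispatch(new PluginEvent('beforeHasPermission'));
        if ($this->useFix) {
            $this->setAuthSuccess('alice', $authEvent);
        } else {
            $this->setAuthSuccess('alice'); // lands on the beforeHasPermission event
        }
    }
}

// Stand-in for LSUserIdentity::authenticate: a null result is treated as failure.
function authenticate(AuthPlugin $plugin): string {
    $authEvent = new PluginEvent('newUserSession');
    $plugin->dispatch($authEvent);
    return $authEvent->get('result') ?? 'Incorrect username and/or password!';
}

$plugin = new AuthPlugin();
echo authenticate($plugin), PHP_EOL; // shared-event path from the report
$plugin->useFix = true;
echo authenticate($plugin), PHP_EOL; // explicit-event path
```

Because the caller treats a missing result as a failed login, the clobbered event produces a false rejection rather than a false acceptance.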

Issue History

Date Modified Username Field Change
2021-10-07 14:33 prigaux New Issue
2021-10-07 14:35 prigaux Issue Monitored: prigaux
2021-10-07 14:35 prigaux Bug heat 0 => 2
2021-10-07 14:36 prigaux Note Added: 66796
2021-10-07 14:36 prigaux Bug heat 2 => 4
2021-10-07 16:02 DenisChenu Issue Monitored: DenisChenu
2021-10-07 16:02 DenisChenu Bug heat 4 => 6
2021-10-08 17:07 galads Assigned To => galads
2021-10-08 17:07 galads Status new => confirmed
2021-10-08 17:07 galads Zoho Project Synchronization => |Yes|
2021-10-08 17:07 galads Assigned To galads => gabrieljenik
2021-10-08 17:07 galads Status confirmed => assigned
2021-11-12 12:13 galads Zoho Project Synchronization Yes =>
2021-11-12 12:13 galads Zoho Project Synchronization => |Yes|
2021-11-26 16:26 DenisChenu Note Added: 67594
2021-11-26 16:26 DenisChenu Bug heat 6 => 8
2021-11-27 08:49 DenisChenu Assigned To gabrieljenik => DenisChenu
2021-11-27 10:24 DenisChenu Note Added: 67599
2021-12-06 20:18 DenisChenu Note Added: 67718
2021-12-07 09:03 prigaux Note Added: 67723
2021-12-07 09:19 DenisChenu Note Added: 67724
2021-12-12 14:02 DenisChenu Assigned To DenisChenu => galads
2021-12-12 14:02 DenisChenu Status assigned => ready for testing
2021-12-12 14:02 DenisChenu Note Added: 67766
2022-03-31 11:41 galads Zoho Project Synchronization Yes =>
2022-03-31 11:41 galads Assigned To galads => gabrieljenik
2022-06-02 09:37 DenisChenu Relationship added related to 18169
2022-06-02 09:37 DenisChenu Status ready for testing => ready for code review
2022-07-05 19:41 gabrieljenik Assigned To gabrieljenik => DenisChenu
2022-07-05 19:41 gabrieljenik Status ready for code review => ready for testing
2022-07-06 15:07 DenisChenu Note Added: 70762
2022-07-06 15:08 DenisChenu Note Added: 70763
2022-07-29 18:34 DenisChenu Status ready for testing => ready for merge
2022-07-29 18:34 DenisChenu Assigned To DenisChenu =>
2022-08-08 09:58 ollehar Note Added: 71376
2022-08-08 09:58 ollehar Bug heat 8 => 10
2022-08-08 09:58 ollehar Assigned To => ollehar
2022-08-08 09:58 ollehar Status ready for merge => feedback
2022-10-06 11:27 DenisChenu Changeset attached => LimeSurvey master 7066f691
2022-10-06 11:27 DenisChenu Note Added: 72151
2022-10-06 11:27 DenisChenu Assigned To ollehar => DenisChenu
2022-10-06 11:27 DenisChenu Resolution open => fixed
2022-10-06 11:49 DenisChenu Status feedback => resolved
2022-10-10 10:47 LimeBot Note Added: 72182
2022-10-10 10:47 LimeBot Status resolved => closed
2022-10-10 10:47 LimeBot Bug heat 10 => 12