
Opened 3 years ago

Closed 2 years ago

#10028 closed defect (fixed)

Account delete does not purge user's auth cookie

Reported by: gary.martin@…
Owned by: hasienda
Priority: normal
Component: AccountManagerPlugin
Severity: normal
Keywords: user delete authentication cookie
Cc: rjollos
Trac Release: 0.12

Description

I would expect that if a specific user is logged in at the point just prior to their account being deleted, they should lose the authenticated status in future requests. This does not appear to be the case (0.11 branch of AccountManagerPlugin and Trac 0.13dev).

Attachments (1)

delete_user_delete_auth.diff (582 bytes) - added by gary.martin@… 3 years ago.


Change History (8)

Changed 3 years ago by gary.martin@…

comment:1 Changed 3 years ago by gary.martin@…

The attached patch is just part of what I found that might just contribute to a possible fix that seems to work for me. I hope it is of some use.

comment:2 Changed 3 years ago by rjollos

  • Cc rjollos added; anonymous removed

comment:3 Changed 3 years ago by hasienda

  • Keywords user delete authentication cookie added

Thank you for the hint and inspiration. I'm testing a modified version of your patch right now. Please allow some comments on your patch:

Invalidation of authentication cookie data is not done in the trunk development branch either. This is the more appropriate place to discuss, since all ongoing development is happening there and that code is subsequently merged back into the stable branch(es), currently 0.11 that you referred to. For this reason I prefer patches against trunk too.

env.db_transaction is top, but I defer adoption of the latest Trac db API until I have done a final 0.11 release. Switching towards a 0.13 branch means maintenance of significantly diverging code or leaving 0.11 backwards-compatibility behind, which I personally still value very highly these days. I know of Trac applications that even can't go beyond Python 2.4 for various reasons that I don't feel authorized to argue with.

The additional DELETE statement will interrupt any of possibly multiple parallel authenticated sessions for the deleted user, but of course this is rightful table cleanup anyway.
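The defect and the fix discussed in this comment, as an added example that is not part of the ticket or of AccountManagerPlugin's own code. It uses sqlite3 and a constructed in-memory copy of three Trac tables; the table and column names follow Trac's schema, but the function names, sample users and cookie values are invented for the demonstration. The "incomplete" delete removes the user's session rows but leaves auth_cookie alone, so any cookie the user still holds keeps authenticating; the fixed delete adds the extra DELETE on auth_cookie, which invalidates every outstanding cookie for that user at once (including parallel sessions, as noted above) while leaving other users untouched.

```python
import sqlite3
import time

# Constructed, minimal copy of the Trac tables involved. Column names follow
# Trac's schema; the data below is made up for the demonstration.
SCHEMA = """
CREATE TABLE auth_cookie (cookie TEXT, name TEXT, ipnr TEXT, time INTEGER);
CREATE TABLE session (sid TEXT, authenticated INTEGER, last_visit INTEGER);
CREATE TABLE session_attribute (sid TEXT, authenticated INTEGER, name TEXT, value TEXT);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login(conn, username, cookie, ipnr="127.0.0.1"):
    """Simulate a successful login: one auth_cookie row per browser session,
    plus the authenticated session and its attributes (hypothetical helper)."""
    now = int(time.time())
    with conn:  # commits on success, rolls back on exception
        conn.execute("INSERT INTO auth_cookie VALUES (?, ?, ?, ?)",
                     (cookie, username, ipnr, now))
        conn.execute("INSERT OR IGNORE INTO session VALUES (?, 1, ?)",
                     (username, now))
        conn.execute("INSERT INTO session_attribute VALUES (?, 1, 'email', ?)",
                     (username, username + "@example.invalid"))


def authenticated_user(conn, cookie):
    """How a later request is authenticated: the trac_auth cookie value is
    looked up in auth_cookie and the matching name becomes the user."""
    row = conn.execute("SELECT name FROM auth_cookie WHERE cookie = ?",
                       (cookie,)).fetchone()
    return row[0] if row else None


def delete_user_incomplete(conn, username):
    """The behaviour reported in the ticket: session data is removed,
    but auth_cookie rows for the user are left behind."""
    with conn:
        conn.execute("DELETE FROM session WHERE sid = ? AND authenticated = 1",
                     (username,))
        conn.execute("DELETE FROM session_attribute WHERE sid = ? AND authenticated = 1",
                     (username,))


def delete_user(conn, username):
    """Fixed variant: the additional DELETE purges every auth_cookie row for
    the user, so all of that user's outstanding cookies stop authenticating."""
    with conn:
        conn.execute("DELETE FROM session WHERE sid = ? AND authenticated = 1",
                     (username,))
        conn.execute("DELETE FROM session_attribute WHERE sid = ? AND authenticated = 1",
                     (username,))
        conn.execute("DELETE FROM auth_cookie WHERE name = ?", (username,))


def run_demo():
    """Two parallel sessions for the deleted user plus one unrelated user."""
    conn = open_db()
    login(conn, "gary", "cookie-a")
    login(conn, "gary", "cookie-b", ipnr="10.0.0.2")
    login(conn, "alice", "cookie-c")

    delete_user_incomplete(conn, "gary")
    leaked = [c for c in ("cookie-a", "cookie-b")
              if authenticated_user(conn, c) == "gary"]

    delete_user(conn, "gary")
    purged = [c for c in ("cookie-a", "cookie-b")
              if authenticated_user(conn, c) is None]

    return {
        "leaked_after_incomplete_delete": leaked,   # both cookies still valid
        "purged_after_fix": purged,                 # both cookies now dead
        "other_user_unaffected": authenticated_user(conn, "cookie-c") == "alice",
    }


if __name__ == "__main__":
    print(run_demo())
```

The check worth keeping from this is `authenticated_user` after deletion: an account-deletion routine is only complete when a cookie issued before the deletion no longer resolves to a user, which is exactly what the reporter's description asks for.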

comment:4 Changed 3 years ago by hasienda

(In [11554]) AccountManagerPlugin: Improve db cleanup on user deletion, refs #10028.

Thanks to Gary Martin from WanDisco for pointing out this weak spot.

comment:5 follow-up: Changed 3 years ago by anonymous

Fantastic.. the trunk development branch code now works well against my test 0.13 based system.

Thanks for making time to look at this so quickly.

comment:6 in reply to: ↑ 5 Changed 3 years ago by hasienda

  • Status changed from new to assigned

Replying to anonymous:

  Fantastic.. the trunk development branch code now works well against my test 0.13 based system.

Good news. Thank you for reporting back.

  Thanks for making time to look at this so quickly.

You're welcome. I've been lucky to have some free time last night, more than within the last ten weeks together. And code rules: With a plausible description and a patch everything is much easier. If you happen to get more observations, fixes and improvements, I'd be eager to have a look too.

comment:7 Changed 2 years ago by hasienda

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [12398]) AccountManagerPlugin: Releasing version 0.4, pushing development to acct_mgr-0.5dev.

Availability of that code as stable release closes #874, #3459, #4677, #5295, #5691, #6616, #7577, #8076, #8685, #8770, #8791, #8990, #9052, #9079, #9090, #9139, #9246, #9252, #9547, #9618, #9676, #9843, #9852, #9940, #10023, #10028, #10123, #10142, #10204, #10276, #10397, #10412, #10594, #10625 and #10644.

Some more issues have been worked on, yet without confirmed resolution, refs #5464 (for JiraToTracIntegration), #8927 and #10134.

And finally there are some issues and enhancement requests showing progress, but known to require more work to resolve them satisfactorily, refs #843, #1600, #5964, #8217, #8933.

Thanks to all contributors and followers who enabled and encouraged a good portion of this development work.
