Opened 7 months ago

Last modified 7 months ago

#11798 new enhancement

Display message to users with revoked account access

Reported by: rjollos Owned by: hasienda
Priority: normal Component: AccountManagerPlugin
Severity: normal Keywords:
Cc: Trac Release:

Description (last modified by rjollos)

I'll describe an issue I encountered today in one of my Trac instances.

A user has several permissions including WIKI_VIEW; however, on login only the Preferences and About navigation items were displayed. Navigating to the base URL showed: WIKI_VIEW privileges are required to perform this operation on WikiStart. You don't have the required permissions.

The issue was revealed on setting the LOG_LEVEL to debug:

2014-05-28 17:51:02,128 Trac[main] DEBUG: Dispatching <RequestWithSession "GET '/'">
2014-05-28 17:51:02,142 Trac[api] INFO: Synchronized '(default)' repository in 0.01 seconds
2014-05-28 17:51:02,143 Trac[session] DEBUG: Retrieving session for ID 'jenkins'
2014-05-28 17:51:02,151 Trac[authz_policy] DEBUG: Checking ACCTMGR_USER_ADMIN on 
2014-05-28 17:51:02,156 Trac[perm] DEBUG: No policy allowed jenkins performing ACCTMGR_USER_ADMIN on None
2014-05-28 17:51:02,156 Trac[api] DEBUG: AccountManager.pre_process_request: Permissions for 'jenkins' stripped (account approval revoked)
2014-05-28 17:51:02,157 Trac[GroupBasedRedirection] INFO: Redirecting jenkins to /wiki
2014-05-28 17:51:02,358 Trac[main] DEBUG: Dispatching <RequestWithSession "GET '/wiki'">
2014-05-28 17:51:02,372 Trac[api] INFO: Synchronized '(default)' repository in 0.01 seconds
2014-05-28 17:51:02,373 Trac[session] DEBUG: Retrieving session for ID 'jenkins'
2014-05-28 17:51:02,382 Trac[authz_policy] DEBUG: Checking ACCTMGR_USER_ADMIN on 
2014-05-28 17:51:02,383 Trac[perm] DEBUG: No policy allowed jenkins performing ACCTMGR_USER_ADMIN on None
2014-05-28 17:51:02,384 Trac[api] DEBUG: AccountManager.pre_process_request: Permissions for 'jenkins' stripped (account approval revoked)
2014-05-28 17:51:02,399 Trac[authz_policy] DEBUG: Checking WIKI_VIEW on wiki:WikiStart@*
2014-05-28 17:51:02,403 Trac[perm] DEBUG: No policy allowed anonymous performing WIKI_VIEW on <Resource u'wiki:WikiStart'>

I had been careless when revoking account access for a large number of users and accidentally revoked permissions for this user.

Here are some sanitized details on my AccountManagerPlugin 0.5dev-r13806 configuration:

[account-manager]
account_changes_notify_addresses = <redacted>
allow_delete_account = false
force_passwd_change = true
group_file = <redacted>
hash_method = HtPasswdHashMethod
htpasswd_file = <redacted>
htpasswd_hash_type = crypt
login_attempt_max_count = 0
notify_actions = new,change,delete
password_file = <redacted>
password_store = HtPasswdStore
persistent_sessions = False
refresh_passwd = False
verify_email = true

How about displaying a message to a user after login?: Account access has been revoked. Please contact your administrator.

Attachments (2)

Warning.png (23.9 KB) - added by rjollos 7 months ago.
t11798.patch (1.1 KB) - added by rjollos 7 months ago.


Change History (4)

comment:1 Changed 7 months ago by rjollos

  • Description modified (diff)

Changed 7 months ago by rjollos

Changed 7 months ago by rjollos

comment:2 Changed 7 months ago by rjollos

I changed the proposed warning message to be more generally applicable to an account that has not been approved: t11798.patch.
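
Until such a message exists, an administrator can find affected accounts from the debug log. The following is an added example, not part of the ticket or of AccountManagerPlugin: it scans log lines for the "Permissions for '...' stripped" message shown in the description and summarizes them per user. It assumes the log is written at DEBUG level and that the message format matches the lines quoted above; the function name and the 'alice' sample line are constructed for illustration.

```python
import re

# Constructed sample in the format of the ticket's debug log; the 'alice'
# line is invented for illustration and does not come from the ticket.
SAMPLE_LOG = """\
2014-05-28 17:51:02,143 Trac[session] DEBUG: Retrieving session for ID 'jenkins'
2014-05-28 17:51:02,156 Trac[api] DEBUG: AccountManager.pre_process_request: Permissions for 'jenkins' stripped (account approval revoked)
2014-05-28 17:51:02,157 Trac[GroupBasedRedirection] INFO: Redirecting jenkins to /wiki
2014-05-28 17:51:02,384 Trac[api] DEBUG: AccountManager.pre_process_request: Permissions for 'jenkins' stripped (account approval revoked)
2014-05-28 17:51:02,403 Trac[perm] DEBUG: No policy allowed anonymous performing WIKI_VIEW on <Resource u'wiki:WikiStart'>
2014-05-28 17:52:10,010 Trac[api] DEBUG: AccountManager.pre_process_request: Permissions for 'alice' stripped (account approval revoked)
"""

# Matches only the AccountManager message quoted in the ticket description.
STRIPPED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ Trac\[api\] DEBUG: "
    r"AccountManager\.pre_process_request: Permissions for '(?P<user>[^']*)' "
    r"stripped \((?P<reason>[^)]*)\)\s*$"
)


def stripped_accounts(lines):
    """Return {user: {reason, first, last, count}} for stripped sessions.

    'first' and 'last' are the timestamps of the earliest and latest
    matching log lines, assuming the input is in chronological order.
    """
    report = {}
    for line in lines:
        match = STRIPPED.match(line)
        if match is None:
            continue  # unrelated log line
        entry = report.setdefault(
            match.group("user"),
            {"reason": match.group("reason"), "first": match.group("ts"),
             "last": match.group("ts"), "count": 0},
        )
        entry["last"] = match.group("ts")
        entry["count"] += 1
    return report


if __name__ == "__main__":
    for user, info in sorted(stripped_accounts(SAMPLE_LOG.splitlines()).items()):
        print("%s: %s, %d request(s), first %s, last %s" % (
            user, info["reason"], info["count"], info["first"], info["last"]))
```

Comparing the reported users against the list of accounts that were meant to be revoked shows any that were caught by mistake.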
