
Opened 5 years ago

Closed 2 years ago

#6616 closed defect (fixed)

Invalid entries for usernames in table

Reported by: rjollos
Owned by: hasienda
Priority: normal
Component: AccountManagerPlugin
Severity: normal
Keywords: user session invalid
Cc:
Trac Release: 0.11

Description

I have users named kangy and kenl on my system. Today I noticed that the UserStats macro is listing two entries that should not be valid:

  • KENL
  • kangy kangy

These are listed in addition to:

  • kenl
  • kangy

Need to investigate the cause of this behavior.


Change History (10)

comment:1 Changed 4 years ago by rjollos

I think this is an issue with invalid login attempts being stored in the session table.
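
One way to check the hypothesis in comment:1 is to audit the authenticated session rows against the list of real accounts. This is an added example, not code from the ticket or from AccountManagerPlugin; it assumes Trac's stock `session` table columns (`sid`, `authenticated`, `last_visit`), and the sample rows, the helper names and the account list are constructed for illustration.

```python
import sqlite3


def build_sample_db():
    """Constructed sample data mirroring the entries reported in this ticket."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE session (sid TEXT, authenticated INTEGER, "
        "last_visit INTEGER, UNIQUE (sid, authenticated))"
    )
    rows = [
        ("kenl", 1, 1262304000),
        ("kangy", 1, 1262304100),
        ("KENL", 1, 1262304200),          # differs from a real account only in case
        ("kangy kangy", 1, 1262304300),   # real account name repeated
        ("a1b2c3d4e5f6a7b8c9d0e1f2", 0, 1262304400),  # anonymous session, ignored
    ]
    conn.executemany("INSERT INTO session VALUES (?, ?, ?)", rows)
    return conn


def find_invalid_sessions(conn, known_accounts):
    """Return (sid, reason) for authenticated sessions with no matching account."""
    known = set(known_accounts)
    folded = {name.casefold(): name for name in known}
    findings = []
    cur = conn.execute(
        "SELECT sid FROM session WHERE authenticated = 1 ORDER BY sid"
    )
    for (sid,) in cur:
        if sid in known:
            continue  # exact match: a legitimate account
        tokens = sid.split()
        if sid.casefold() in folded:
            reason = "case variant of " + folded[sid.casefold()]
        elif (len(tokens) > 1 and len({t.casefold() for t in tokens}) == 1
              and tokens[0].casefold() in folded):
            reason = "repeated name " + folded[tokens[0].casefold()]
        elif len(tokens) != 1 or sid != sid.strip():
            reason = "contains whitespace"
        else:
            reason = "no matching account"
        findings.append((sid, reason))
    return findings


if __name__ == "__main__":
    for sid, reason in find_invalid_sessions(build_sample_db(), ["kenl", "kangy"]):
        print(repr(sid), "->", reason)
```
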

comment:2 follow-up: Changed 4 years ago by hieroglyph

I agree but I do not think this is a problem with the UserStatsMacro ~ it is more a need for a User Session Management plugin to allow you to create / update / delete session records...

This is probably a wontfix...

comment:3 in reply to: ↑ 2 ; follow-up: Changed 4 years ago by rjollos

  • Resolution set to wontfix
  • Status changed from new to closed

Replying to hieroglyph:

> I agree but I do not think this is a problem with the UserStatsMacro ~ it is more a need for a User Session Management plugin to allow you to create / update / delete session records...
>
> This is probably a wontfix...

Perhaps as a feature of the AccountManagerPlugin? (if it does not already exist)

comment:4 in reply to: ↑ 3 Changed 3 years ago by hasienda

  • Keywords user session invalid added
  • Resolution wontfix deleted
  • Status changed from closed to reopened

Replying to rjollos:

> Replying to hieroglyph:
>
> > ... This is probably a wontfix...

Maybe, but this could be done now, see #9852 and wiki:AccountManagerPlugin/WikiMacros for details.

> Perhaps as a feature of the AccountManagerPlugin? (if it does not already exist)

Good point, and thought much earlier than I did. It took me a long time to see the potential for WikiMacros in that plugin. Now I know, I'm not the only one seeing this. Let's do it then...

comment:5 Changed 3 years ago by hasienda

  • Component changed from UserStatsMacro to AccountManagerPlugin
  • Owner changed from rjollos to hasienda
  • Status changed from reopened to new

Pulling over to the place, where it could be resolved.

Of course we'll not fix UserStatsMacro itself, rather create a fixed version of the UserStats wiki macro. Might have been the right thing, but built on the wrong foundation.

comment:6 Changed 3 years ago by hasienda

(In [11345]) AccountManagerPlugin: Provide user statistics similar to UserStatsMacro and more, refs #6616 and #9852.

UserQuery parameters 'email' and 'name' will add corresponding columns to the result table.

format_author is used to ensure email address obfuscation for web-UI persistence matching Trac core behavior.

The user query link is currently not implemented similar to UserStatsMacro, but users with `ACCTMGR_USER_ADMIN` permission will see links to user details instead, like in recent version of the user admin panel.

comment:7 Changed 3 years ago by hasienda

(In [11346]) AccountManagerPlugin: Add flexible date/time rendering for user lists, refs #6616 and #9852.

Now the time stamps are combined with a relative time interval hint (tool-tip). This is an enhancement to the user admin panel too.

Support for bleeding-edge user configurable time in Trac 0.13 is accompanied here by a fallback for Trac 0.11 and 0.12, that looks great and is worth a lot of the effort put into this rather complicated fallback code.

comment:8 Changed 3 years ago by hasienda

(In [11347]) AccountManagerPlugin: Don't give away account/user details without elevated permission, refs #6616 and #9852.

USER_VIEW permission is required, where anonymous users could learn about sensitive information like existing accounts/users. This permission shouldn't be granted lightly in publicly available Trac applications, because it has the potential to encourage efficient brute-force attacks without the need to guess existing accounts.

comment:9 Changed 3 years ago by hasienda

(In [11349]) AccountManagerPlugin: Restore 0.11 compatibility, refs #6616, #9506 and #9852.

Use of user_time (from Trac 0.13) defeated the value of the compat function. The syntax for inheritance of USER_VIEW by ACCTMGR_USER_ADMIN is corrected, and finally ACCTMGR_USER_ADMIN now inherits EMAIL_VIEW from Trac core too, because setting user properties without seeing them by default felt wrong.

comment:10 Changed 2 years ago by hasienda

  • Resolution set to fixed
  • Status changed from new to closed

(In [12398]) AccountManagerPlugin: Releasing version 0.4, pushing development to acct_mgr-0.5dev.

Availability of that code as stable release closes #874, #3459, #4677, #5295, #5691, #6616, #7577, #8076, #8685, #8770, #8791, #8990, #9052, #9079, #9090, #9139, #9246, #9252, #9547, #9618, #9676, #9843, #9852, #9940, #10023, #10028, #10123, #10142, #10204, #10276, #10397, #10412, #10594, #10625 and #10644.

Some more issues have been worked-on, yet without confirmed resolution, refs #5464 (for JiraToTracIntegration), #8927 and #10134.

And finally there are some issues and enhancement requests showing progress, but known to require more work to resolve them satisfactorily, refs #843, #1600, #5964, #8217, #8933.

Thanks to all contributors and followers, that enabled and encouraged a good portion of this development work.
