wiki:AccountManagerPlugin

Version 102 (modified by anonymous, 4 years ago) (diff)

--

ToDo

News

17-Oct-2010
more bug squashing, and i18n support has been introduced to trunk (open: 46)
09-Oct-2010
Growing number of long-standing issues resolved, prepare for a maintenance release based on current trunk (open: 61)
28-Sep-2010
Maintainership handed over from pacopablo to hasienda
26-Sep-2010
Starting ticket list cleanup and triaging (open: 96)

Account Manager Plugin

Description

The AccountManagerPlugin offers several features for managing user accounts:

  • allow users to register new accounts
  • login via an HTML form instead of using HTTP authentication
  • allow existing users to change their passwords or delete their accounts

These features are new in the plugin for Trac 0.10.

  • send a new password to users who’ve forgotten their password
  • administration of user accounts

Bugs/Feature Requests

Existing bugs and feature requests for AccountManagerPlugin are available from Trac-Hacks ticket system.

If you have any issues that is not found in existing tickets, create a new ticket, please.

You do wonder, if you could contribute here? Great! There are some recommendations, where to start.

Install

First make sure you’ve installed setuptools. Make sure you have a version >= 0.6c9, since previous versions contain a bug which makes the installation fail. xccx Then you can install the plugin using the easy_install application.

Note: Windows users will need to add easy_install to their PATH.

For Trac 0.9:

easy_install http://trac-hacks.org/svn/accountmanagerplugin/0.9

For Trac 0.10:

Install the trac:WebAdmin plugin.

Then install this plugin:

easy_install http://trac-hacks.org/svn/accountmanagerplugin/0.10

For Trac 0.11

easy_install http://trac-hacks.org/svn/accountmanagerplugin/0.11

For Trac 0.12:

easy_install https://trac-hacks.org/svn/accountmanagerplugin/trunk

If you are using the tracd standalone server or Apache 2.2.x you will need to restart it to detect the plugin.

Source

Browse the source

Subversion Checkout (depends on your Trac version):

svn co http://trac-hacks.org/svn/accountmanagerplugin/0.9
svn co http://trac-hacks.org/svn/accountmanagerplugin/0.10
svn co http://trac-hacks.org/svn/accountmanagerplugin/0.11
svn co http://trac-hacks.org/svn/accountmanagerplugin/trunk

Downloads:

Components

In order to use the features of the AccountManager you will need to enable some or all of its components.

The easiest way to enable the components is via the trac:WebAdmin plugin. Users logged in with the TRAC_ADMIN permission will be able to manage the enabled components:

screenshot of components web admin

Components can also be enabled or disabled in the trac.ini file under the [components] section. For example to enable the login form and disable user registration:

[components]
trac.web.auth.LoginModule = disabled
acct_mgr.web_ui.LoginModule = enabled
acct_mgr.web_ui.RegistrationModule = disabled

Hint: Option names are written in CamelCase style notation, but will get (re-)written all-lowercase, if added/updated via the Trac admin web-UI. Anyway, case doesn't really matter here.

Note: To make it work i also had to set (other wise wasn't working):

[components]
trac.web.auth.* = disabled

The available components are described below.

AccountManager

Package
acct_mgr.api

This is the core of this plugin. This component must be enabled to use any of the other components.

Additionally one or more sources for storing authentication information are required:

There's even some information on how to get not-yet-implemented LDAP authentication.

AccountManagerAdminPage

Package
acct_mgr.admin

Note: This component requires Trac 0.10 or later

This component adds a new page to the trac:WebAdmin section for managing user accounts. It requires the TRAC_ADMIN permission to access.

[components]
acct_mgr.admin.AccountManagerAdminPage = enabled

screenshot of account administration

AccountModule

Package
acct_mgr.web_ui

Allows users to change their password, or delete their account. When logged in it will appear as a tab “Account” after clicking the “Preferences” link.

[components]
acct_mgr.web_ui.AccountModule = enabled

New for Trac 0.10: When used in combination with the LoginModule it adds a link to the login page “Forgot your password?” where users can reset their password if they’ve forgotten it. You will need to have your SMTP server information configured in your trac.ini for the “Forgot your password?” link to show up and enable AccountChangeListener:

[components]
acct_mgr.notification.accountchangelistener = enabled

To disable just the password reset functionality add the following line to the [account-manager] section:

[account-manager]
reset_password = False

New for Trac 0.11: When a user resets their password they will be required to change their password on the next successful login. This can be disabled via the trac.ini by setting:

[account-manager]
force_passwd_change = false

LoginModule

Package
acct_mgr.web_ui

Warning: this module is not supported using the tracd stand-alone server on Trac 0.9. It either needs Trac 0.10 or later, or an external webserver such as Apache.

Allows users to login via a HTML form instead of using HTTP authentication.

[components]
acct_mgr.web_ui.LoginModule = enabled

screenshot of login form

Disable HTTP authentication

To use the AccountManager’s form-based login system instead, add this your trac.ini:

[components]
trac.web.auth.LoginModule = disabled 

When using the tracd server be sure not to use the --auth or --basic-auth options. Using either of these options will cause tracd to popup the username/password dialog box and you will not be able to use the HTML form.

If you have previously enabled authentication for Trac on Apache, you will need to disable it or Apache will popup the username/password dialog and you will be unable to use the HTML form. In order to disable the authentication look for a section in the Apache configuration file like:

<Location /trac/login>
   # Some options like AuthType and AuthUserFile
   Require valid-user
</Location>

Deleting or commenting the Require valid-user line should be sufficient to disable HTTP authentication. After you’ve tested it you can probably delete or comment out the rest of the authentication options. In some pre-bundled packages as Bitnami Trac you will find it inside an apache configuration extension as trac.conf (BitnamiTrac\trac\conf\trac.conf)

RegistrationModule

Package
acct_mgr.web_ui

Enables users to register a new account. It adds a “Register” link on the same menu bar as the “Login” link.

[components]
acct_mgr.web_ui.RegistrationModule = enabled

screenshot of registration page

Warning: You must enable one of the password storage modules for the Registration Module to work.

Note: You must not enable ignore_auth_case in trac.ini as otherwise this module won’t work.

EmailVerificationModule

Package
acct_mgr.web_ui

If you enable this, users will be sent an email with a verification code to enter, to approve it is really their own email address:

[components]
acct_mgr.web_ui.EmailVerificationModule = enabled

Until they entered the verification code on the URL sent with the email, their permissions will be restricted (even if they have the TRAC_ADMIN privilege, they won't be able to access anything exceeding the standard privileges of authenticated users). Update: After changeset [9304] ACCTMGR_ADMIN (and TRAC_ADMIN, as it inherits it among all other privileges) won't be bothered with the verification procedure.

This has been added as a strict requirement now as suggested by ticket #5509 to trunk code with changeset [9277], but was not enforced before, so verification only happened, if an email had been specified on registration. In other words, if some user registered w/o specifying an email address, this was possible and an unrestricted account was created without requiring further actions.

Note that if you don't want to enforce entering a valid email on registration, you may want to disable this component. An option

[account-manager]
verify_email = false

for switching this off easily, to restore the old behavior of AccountManagerPlugin by default, is available since changeset [9304] as well.

Post Setup/Configuration

In order to use the Account Manager plugin, while logged in as a user with TRAC_ADMIN rights, use the new “Admin” link on the menubar.

Once in, you might want to enable the permissions to allow the “authenticated” user group permissions. For instance, if you remove the anonymous group from TICKET_MODIFY, and WIKI_MODIFY, and add the “authenticated” group instead, only authenticated, logged-in (registered) users can perform ticket modifications and wiki editing.

About i18n/l10n support

The development version of this plugin is prepared for localization.
But English message texts are still the (POSIX) default. If this isn't your preferred language, you can

  1. look, if it's already available from the Trac plugin l10n project at Transifex or
  2. do it yourself (see the l10n cookbook page for Trac plugins for more details).

You've done a new translation? Superb! Contributing your translation is highly appreciated.
You could send it to the plugin's maintainer or contribute to Trac plugin l10n project via Transifex:

Top translations: Trac_Plugin-L10N » acct_mgr

http://www.transifex.net/projects/p/Trac_Plugin-L10N/c/acct_mgr/chart/image_png

Kindly provided by http://sw.transifex.net/2/static/charts/images/tx-logo-micro.png

Preparing the plugin from source requires no additional steps for compiling message catalog files. Only to include translations marked as # fuzzy by the translator, you'll want to do a manual message catalog compilation with the extra -f argument before packaging:

cd accountmanagerplugin/
python ./setup.py compile_catalog -f
python ./setup.py bdist_egg

Complaints about missing locale directory are often a side-effect of failure to compile any message catalog for inclusion into Python egg, hence the whole path is missing. Due to a know Trac issue Babel has to be installed prior to Trac, to get it all working as expected.
Again, for more details see the l10n cookbook page for Trac plugins.

Recent Changes

[13806] by hasienda on 2014-04-03 01:20:36
AccountManagerPlugin: Publish maintenance release 0.4.4.

Spread fixed code after a reported XSS vulnerability researched and kindly
reported by 'ayoub nait lamine' - thank you very much for your effort.

[13805] by hasienda on 2014-04-03 00:45:29
AccountManagerPlugin: Escape email for notification message.

It has been demonstrated, that by typing a carefully crafted email address on
registration time a malicious user could trigger arbitrary JavaScript code
right after logging-in for the first time.

A successful exploit, like the one demonstrated by security researcher
'ayoub nait lamine', requires the email verification process to be configured
and enabled, but standard registration verification check for email input
(part of acct_mgr.register.RegExpCheck) disabled or configured to
non-default, rather permissive values at the same time.

Please note, that the default recommended configuration for the registration
procedure includes the aforementioned check on registration time, and will
prevent unsane user input in the first place.

[13756] by hasienda on 2014-03-16 21:46:44
AccountManagerPlugin: Prevent skipping creation of a new authenticated session ID, refs #11622.

Research done for resolving another issue suddenly revealed this issue.

Author/Contributors

Author: mgood
Maintainer: hasienda
Contributors: coderanger, crocea, manski, mrelbe, otaku42, pacopablo, s0undt3ch

Attachments (9)

Download all attachments as: .zip