wiki:AccountManagerPlugin

Version 111 (modified by hasienda, 3 years ago)

announce new development results

ToDo

News

12-Jun-2011
Account editor finally reworked, a password hash refresh feature has been added some days before (open: 47)
29-Nov-2010
Account locking feature and account details admin page added to trunk (open: 43)
17-Oct-2010
More bug squashing, and i18n support has been introduced to trunk (open: 46)
28-Sep-2010
Maintainership handed over from pacopablo to hasienda
26-Sep-2010
Starting ticket list cleanup and triaging (open: 96)

Account Manager Plugin

Description

The AccountManagerPlugin offers several features for managing user accounts:

  • enable authentication through a number of built-in authentication resources, and more via third-party extensions
  • allow users to register new accounts
  • login via an HTML form instead of using HTTP authentication
  • allow existing users to change their passwords or delete their accounts

These features are new in the plugin for Trac 0.10.

  • send a new password to users who’ve forgotten their password
  • administration of user accounts

Bugs/Feature Requests

Existing bugs and feature requests for AccountManagerPlugin are available from Trac-Hacks ticket system.

If you have an issue that is not covered by an existing ticket, please create a new ticket.

Wondering whether you could contribute here? Great! There are some recommendations on where to start.

Install

First make sure you’ve installed setuptools. Make sure you have a version >= 0.6c9, since previous versions contain a bug which makes the installation fail. Then you can install the plugin using the easy_install application.

Note: Windows users will need to add easy_install to their PATH.

For Trac 0.9:

easy_install http://trac-hacks.org/svn/accountmanagerplugin/0.9

For Trac 0.10:

Install the trac:WebAdmin plugin.

Then install this plugin:

easy_install http://trac-hacks.org/svn/accountmanagerplugin/0.10

For Trac 0.11

easy_install http://trac-hacks.org/svn/accountmanagerplugin/0.11

For Trac 0.12:

easy_install https://trac-hacks.org/svn/accountmanagerplugin/trunk

If you are using the tracd standalone server or Apache 2.2.x you will need to restart it to detect the plugin.

Source

Browse the source

Subversion Checkout (depends on your Trac version):

svn co http://trac-hacks.org/svn/accountmanagerplugin/0.9
svn co http://trac-hacks.org/svn/accountmanagerplugin/0.10
svn co http://trac-hacks.org/svn/accountmanagerplugin/0.11
svn co http://trac-hacks.org/svn/accountmanagerplugin/trunk

Downloads:

Components

In order to use the features of the AccountManager you will need to enable some or all of its components.

The easiest way to enable the components is via the trac:WebAdmin plugin. Users logged in with the TRAC_ADMIN permission will be able to manage the enabled components:

(Screenshot: components web admin)

Components can also be enabled or disabled in the trac.ini file under the [components] section. For example to enable the login form and disable user registration:

[components]
trac.web.auth.LoginModule = disabled
acct_mgr.web_ui.LoginModule = enabled
acct_mgr.web_ui.RegistrationModule = disabled

Hint: Component names are written in CamelCase here, but are rewritten all-lowercase when added or updated via the Trac admin web UI. Either form works, since case does not matter for these option names.

Note: To replace the traditional Trac login with the web form, also add:

[components]
trac.web.auth.loginmodule = disabled

The available components are listed below and described in greater detail on a separate page.

See the configuration cookbook page for hints on proper configuration.

AccountManager

This holds core code of this plugin, so this component must be enabled to use any of the other components.

See details.

AccountManagerAdminPage

This component adds new pages to the trac:WebAdmin section for managing related parts of Trac's configuration (found in trac.ini).

See details.

AccountModule

Allows users to change their password or delete their account via the “Account” tab in the user's “Preferences”.

See details.

LoginModule

Allows users to log in via an HTML form instead of using HTTP authentication.

See details.

RegistrationModule

Enables users to register a new account. It adds a “Register” link to the metanav, the same menu bar that carries the “Login” link.

See details.

EmailVerificationModule

Adding or changing an email address triggers an email containing a verification code that the user must enter, to prove that the address really belongs to them. Until verification succeeds, the account's privileges are reduced.

See details.

Post Setup/Configuration

In order to use the Account Manager plugin, while logged in as a user with TRAC_ADMIN rights, use the new “Admin” link on the menubar.

Once in, you might want to grant permissions to the “authenticated” user group. For instance, if you remove the anonymous group from TICKET_MODIFY and WIKI_MODIFY and add the “authenticated” group instead, only authenticated, logged-in (registered) users can modify tickets and edit the wiki.

About i18n/l10n support

The development version of this plugin is prepared for localization.
But English message texts are still the (POSIX) default. If this isn't your preferred language, you can

  1. check whether it is already available from the Trac plugin l10n project at Transifex, or
  2. do it yourself (see the l10n cookbook page for Trac plugins for more details).

You've done a new translation? Superb! Contributing your translation is highly appreciated.
You could send it to the plugin's maintainer or contribute to the Trac plugin l10n project via Transifex.


Preparing the plugin from source requires no additional step to compile the message catalog files. Only if you want to include translations marked as # fuzzy by the translator do you need to compile the message catalogs manually, with the extra -f argument, before packaging:

cd accountmanagerplugin/
python ./setup.py compile_catalog -f
python ./setup.py bdist_egg

Complaints about a missing locale directory are usually a side effect of no message catalog having been compiled for inclusion in the Python egg, so the whole path is absent. Due to a known Trac issue, Babel has to be installed before Trac for everything to work as expected.
Again, for more details see the l10n cookbook page for Trac plugins.

Recent Changes

[13806] by hasienda on 2014-04-03 01:20:36
AccountManagerPlugin: Publish maintenance release 0.4.4.

Spread fixed code after a reported XSS vulnerability researched and kindly
reported by 'ayoub nait lamine' - thank you very much for your effort.

[13805] by hasienda on 2014-04-03 00:45:29
AccountManagerPlugin: Escape email for notification message.

It has been demonstrated that by typing a carefully crafted email address at
registration time a malicious user could trigger arbitrary JavaScript code
right after logging in for the first time.

A successful exploit, like the one demonstrated by security researcher
'ayoub nait lamine', requires the email verification process to be configured
and enabled, but standard registration verification check for email input
(part of acct_mgr.register.RegExpCheck) disabled or configured to
non-default, rather permissive values at the same time.

Please note that the default recommended configuration for the registration
procedure includes the aforementioned check at registration time, and will
prevent unsane user input in the first place.
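As an added illustration of the defect class this commit message describes (not the plugin's own code: acct_mgr.register.RegExpCheck is only approximated here by constructed patterns), the following Python shows a registration-time format check next to output escaping of the address in the verification notice, and why the escape matters when the check is permissive:

```python
import re
from html import escape

# Constructed stand-ins for a registration-time email check. DEFAULT is a
# strict pattern; PERMISSIVE mimics a misconfigured check that accepts nearly
# anything containing an '@'. Neither is the plugin's real configuration.
DEFAULT_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
PERMISSIVE_EMAIL_RE = re.compile(r".+@.+")


def email_passes_check(email, pattern=DEFAULT_EMAIL_RE):
    """Return True if the address matches the configured registration check."""
    return pattern.match(email) is not None


def render_verification_notice(email, code):
    """Build the HTML fragment shown to the user after first login.

    The address is user-controlled at registration time, so it is escaped
    regardless of what the registration check let through (defence in depth:
    the check reduces exposure, the escape removes it at the output sink).
    """
    return ("<p>A verification code %s has been sent to <b>%s</b>.</p>"
            % (escape(code, quote=True), escape(email, quote=True)))


def register_and_notify(email, code, pattern=DEFAULT_EMAIL_RE):
    """Constructed flow: reject bad input at check time, escape at render time.

    Returns (accepted, html_fragment_or_None).
    """
    if not email_passes_check(email, pattern):
        return False, None
    return True, render_verification_notice(email, code)


# Constructed sample inputs: a well-formed address and one carrying markup
# characters that a strict check rejects and a permissive check admits.
GOOD_EMAIL = "alice@example.org"
MARKUP_EMAIL = '"<i>x</i>"@example.org'

if __name__ == "__main__":
    for pattern_name, pattern in (("default", DEFAULT_EMAIL_RE),
                                  ("permissive", PERMISSIVE_EMAIL_RE)):
        accepted, html = register_and_notify(MARKUP_EMAIL, "ABC123", pattern)
        print(pattern_name, "check ->", "accepted" if accepted else "rejected")
        if html:
            print("  rendered safely:", html)
```

With the permissive pattern the markup-bearing address is accepted, but the rendered notice contains only `&lt;i&gt;` entities, which is the behaviour the escaping fix in this commit restores.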

[13756] by hasienda on 2014-03-16 21:46:44
AccountManagerPlugin: Prevent skipping creation of a new authenticated session ID, refs #11622.

Research done for resolving another issue suddenly revealed this issue.

Author/Contributors

Author: mgood
Maintainer: hasienda
Contributors: coderanger, crocea, manski, mrelbe, otaku42, pacopablo, riggs, s0undt3ch
