wiki:AccountManagerPlugin

Version 127 (modified by hasienda, 3 years ago)

actually it's the other way round: permission is granted/withdrawn to/from accounts and groups

ToDo

  • short-term: continue code review and bug squashing...

News

26-Aug-2011
Maintenance release, acct_mgr-0.3.2 in 0.11 branch with fixed browser cookie handling, user deletion and more (open: 40)
13-Jul-2011
Maintenance release, acct_mgr-0.3.1 - now compatible with Trac 0.11 as well (open: 36)
07-Jul-2011
Stable release acct_mgr-0.3 - for Trac 0.11, 0.12, 0.13dev (open: 36)
26-Sep-2010
Starting ticket list cleanup and triaging (open: 96)

Account Manager Plugin

Description

The AccountManagerPlugin offers several features for managing user accounts:

  • enable authentication through a number of built-in authentication resources and some more by 3rd party extensions
  • allow users to register new accounts
  • login via an HTML form instead of using HTTP authentication
  • allow existing users to change their passwords or delete their accounts

These features are new in the plugin for Trac 0.10:

  • send a new password to users who’ve forgotten their password
  • administration of user accounts

These features are new in the plugin for Trac 0.11 and later:

  • login tracking and rule based account locking
  • account details admin page
  • password hash refresh on user login
  • i18n support (requires Trac 0.12 or later)

Bugs/Feature Requests

Existing bugs and feature requests for AccountManagerPlugin are available from the Trac-Hacks ticket system.

If you have an issue that is not covered by an existing ticket, please create a new ticket.

You wonder whether you could contribute here? Great! There are some recommendations on where to start.

Install

Prerequisites

First make sure you've installed setuptools, version 0.6c9 or later, since previous versions contain a bug that makes the installation fail. Then you can install the plugin using the easy_install application.

Note: Windows users will need to add easy_install to their PATH.

Release Status, Downloads and Source

While in general the branch name suggests the corresponding Trac version, 0.11 should work equally well for Trac 0.11 (old stable), 0.12 (current stable) and Trac 0.13dev (development).

Release status         | Install command                                                       | Links
Old, obsolete version  | easy_install https://trac-hacks.org/svn/accountmanagerplugin/0.10    | download, subversion
Stable version         | easy_install https://trac-hacks.org/svn/accountmanagerplugin/0.11    | download, subversion
Under development      | easy_install https://trac-hacks.org/svn/accountmanagerplugin/trunk   | download, subversion

Browse the source with Trac. For a Subversion checkout use svn co <url>, with the URL depending on your Trac version and target release (see the links above).

Hint: If you are using the tracd standalone server or Apache 2.2.x you will need to restart it to detect the plugin.

About i18n/l10n support

Starting with acct_mgr-0.3 this plugin has been prepared for localization, but English message texts are still the (POSIX) default. If this isn't your preferred language, you can

  1. check whether a translation is already available from the Trac plugin l10n project at Transifex, or
  2. do it yourself (see the l10n cookbook page for Trac plugins for more details).

You've done a new translation? Superb! Contributing your translation is highly appreciated.
You could send it to the plugin's maintainer or contribute to Trac plugin l10n project via Transifex:

Top translations: Trac_Plugin-L10N » acct_mgr-messages

[Translation coverage charts for the stable release, kindly provided by Transifex; left: status for acct_mgr-0.3, right: near-sync to trunk: http://www.transifex.net/projects/p/Trac_Plugin-L10N/resource/acct_mgr-messages/chart/image_png]

Building the plugin from source requires no additional step for compiling the message catalog files. Only if you want to include translations marked as # fuzzy by the translator do you need a manual message catalog compilation with the extra -f argument before packaging:

cd accountmanagerplugin/
python ./setup.py compile_catalog -f
python ./setup.py bdist_egg

Complaints about a missing locale directory are often a side-effect of failing to compile any message catalog for inclusion into the Python egg, so the whole path is missing. Due to a known Trac issue, Babel has to be installed prior to Trac to get it all working as expected.
Again, for more details see the l10n cookbook page for Trac plugins.

Setup

Components

In order to use the features of the AccountManager you will need to enable some or all of its components. The available components are listed below and described in greater detail on a separate page.

Component | Description/Purpose | Recommendation
AccountManager | Holds the core code of this plugin. | Must be enabled to use any of the other components. See details.
AccountManagerAdminPages [1] | Adds new pages to the trac:WebAdmin section. | The admin part for managing the related parts of Trac's configuration [2] should be an important part of what you're expecting. See details.
AccountModule | Allows users to manage their account [3] via the “Account” tab in the user's “Preferences”. | The user-accessible part; might be required or even forbidden depending on your use case. See details.
LoginModule | Allows users to log in via an HTML form instead of using HTTP authentication. | Replaces Trac's own login module as an alternative to simple HTTP authentication; only one of the two can be enabled at a time. See details.
AccountGuard | Adds login failure tracking and administrative account locking. | Use it as part of your security policy to protect against brute-force attacks on user passwords. See details.
RegistrationModule | Adds a “Register” link to the metanav [4]. | Enables users to register a new account with a configurable procedure. See details.
EmailVerificationModule | A new email address triggers an email with a verification code that must be entered to prove the address really belongs to the user; the account's privileges are cut down until verification succeeds. | Implements a verification process for added or changed email addresses, if required. See details.

[1] name since acct_mgr-0.3; the old name was AccountManagerAdminPage
[2] found in trac.ini
[3] change their password, or even delete their account, if permission is granted by the appropriate configuration
[4] the same menu bar as the “Login” link

The easiest way to learn about the available components and enable them is Trac's plugin admin page (before Trac 0.11 this was a separate trac:WebAdmin plugin). Users logged in with the TRAC_ADMIN permission can manage the enabled components there:

[Screenshot: components-admin_v0.3.png, the plugin admin page (attachment missing)]

Components can also be enabled or disabled in the trac.ini file under the [components] section. For example to enable the login form and disable user registration:

[components]
trac.web.auth.LoginModule = disabled
acct_mgr.web_ui.LoginModule = enabled
acct_mgr.web_ui.RegistrationModule = disabled

Hint: Option names are written here in CamelCase, but get (re-)written all-lowercase if added or updated via the Trac admin web UI. Case doesn't matter for component names either way.

Note: To replace Trac's traditional login feature with the web form, Trac's own login module must be disabled as well:

[components]
trac.web.auth.loginmodule = disabled
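
As an added example (not code from the plugin or from Trac), the following Python script lints the [components] section of a trac.ini for the rules above: Trac's own login module and the AccountManager LoginModule must not both be enabled, and disabling the Trac module without enabling the replacement locks everybody out. It also flags a form login running without AccountGuard. Assumptions not taken from this page: the longest-matching-pattern resolution for wildcard rules such as acct_mgr.* is modelled on Trac's behaviour, the AccountGuard module path acct_mgr.guard.AccountGuard is assumed, and the sample configurations are constructed for the demo.

```python
import configparser

# Trac matches component names case-insensitively and the admin web UI
# rewrites them in lowercase, so everything is normalised to lowercase here.
TRAC_LOGIN = "trac.web.auth.loginmodule"
ACCT_LOGIN = "acct_mgr.web_ui.loginmodule"
ACCT_GUARD = "acct_mgr.guard.accountguard"   # assumed module path of AccountGuard


def component_rules(ini_text):
    """Return the [components] section as a list of (pattern, enabled) rules."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str.lower          # option names are case-insensitive
    cp.read_string(ini_text)
    if not cp.has_section("components"):
        return []
    return [(name, value.strip().lower() in ("enabled", "on"))
            for name, value in cp.items("components")]


def is_enabled(rules, component, default=False):
    """Resolve one component: the longest matching pattern wins, so a rule
    naming a component explicitly overrides a wildcard such as acct_mgr.*
    (modelled on Trac's resolution order; an assumption, not from the page)."""
    component = component.lower()
    for pattern, enabled in sorted(rules, key=lambda rule: -len(rule[0])):
        if pattern == component or (pattern.endswith("*")
                                    and component.startswith(pattern[:-1])):
            return enabled
    return default


def lint_components(ini_text):
    """Return a list of findings about the login-related component setup."""
    rules = component_rules(ini_text)
    # Trac's built-in components are on unless disabled; plugin components
    # are off unless enabled.
    trac_login = is_enabled(rules, TRAC_LOGIN, default=True)
    acct_login = is_enabled(rules, ACCT_LOGIN, default=False)
    guard = is_enabled(rules, ACCT_GUARD, default=False)
    findings = []
    if trac_login and acct_login:
        findings.append("both login modules enabled: only one can be active, "
                        "disable trac.web.auth.LoginModule")
    if not trac_login and not acct_login:
        findings.append("no login module enabled: nobody can log in")
    if acct_login and not guard:
        findings.append("AccountGuard disabled: no login failure tracking "
                        "or account locking for the form login")
    return findings


# Constructed sample configurations for the demo (not from a real environment).
SAFE_INI = """
[components]
trac.web.auth.LoginModule = disabled
acct_mgr.web_ui.LoginModule = enabled
acct_mgr.guard.AccountGuard = enabled
acct_mgr.web_ui.RegistrationModule = disabled
"""

# Wildcard enables everything from the plugin, but Trac's own module is
# still on, so both login modules would be active at once.
CONFLICT_INI = """
[components]
acct_mgr.* = enabled
acct_mgr.web_ui.registrationmodule = disabled
"""

if __name__ == "__main__":
    for name, ini in (("safe", SAFE_INI), ("conflict", CONFLICT_INI)):
        print(name, lint_components(ini) or ["ok"])
```

Run it against the trac.ini of the environment (read the file and pass its text to lint_components) after every change through the admin web UI; the lowercase rewriting mentioned in the hint is harmless for this check because names are normalised before comparison.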

Configuration

See configuration cookbook page for hints on proper configuration.

Post Setup/Configuration

In order to use the AccountManager plugin, while logged in as a user owning TRAC_ADMIN rights, use the “Admin” link on the menubar.

You might want to change some permission assignments. For instance, if you remove the TICKET_MODIFY and WIKI_MODIFY permissions from the “anonymous” group and add them to the “authenticated” group instead, only authenticated, logged-in (registered) users can modify tickets and edit wiki pages.

TRAC_ADMIN is not strictly required for access to the account administration pages provided by AccountManager. The ACCTMGR_* permissions are sufficient, and should even be preferred where appropriate, e.g. to limit a delegated administrator to account administration only by granting just ACCTMGR_USER_ADMIN rather than TRAC_ADMIN.
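
To make the effect of those two changes concrete, here is an added Python model (not Trac's or the plugin's code) of how Trac resolves effective permissions: rows of the permission table are (subject, action) pairs, an uppercase action is a permission, a lowercase action names a group the subject belongs to, anonymous permissions apply to everybody and authenticated permissions to every logged-in user. It walks a constructed "before" and "after" table matching the paragraph above and shows that a delegated account administrator holding only ACCTMGR_USER_ADMIN does not end up with TRAC_ADMIN. Assumptions: the table contents, the group name accountadmins and the user names are constructed; TRAC_ADMIN is treated as implying every action and all other meta-permissions are ignored.

```python
# Constructed permission tables in trac-admin's (subject, action) form.
# An uppercase action is a permission; a lowercase action names a group the
# subject belongs to (Trac's convention, modelled here; not Trac's own code).
BEFORE = [
    ("anonymous", "TICKET_MODIFY"),
    ("anonymous", "WIKI_MODIFY"),
    ("anonymous", "WIKI_VIEW"),
    ("admin", "TRAC_ADMIN"),
]

# After: TICKET_MODIFY/WIKI_MODIFY moved from anonymous to authenticated, plus
# a delegated account-admin group that holds only ACCTMGR_USER_ADMIN.
AFTER = [
    ("authenticated", "TICKET_MODIFY"),
    ("authenticated", "WIKI_MODIFY"),
    ("anonymous", "WIKI_VIEW"),
    ("admin", "TRAC_ADMIN"),
    ("helpdesk", "accountadmins"),          # helpdesk is a member of accountadmins
    ("accountadmins", "ACCTMGR_USER_ADMIN"),
]


def effective_permissions(table, user):
    """Expand group memberships transitively and collect the permissions
    granted to `user`, to anonymous (everybody) and, for logged-in users,
    to authenticated."""
    subjects = {user, "anonymous"}
    if user != "anonymous":
        subjects.add("authenticated")
    perms = set()
    changed = True
    while changed:                      # fixed point over nested groups
        changed = False
        for subject, action in table:
            if subject not in subjects:
                continue
            if action.isupper():
                if action not in perms:
                    perms.add(action)
                    changed = True
            elif action not in subjects:
                subjects.add(action)
                changed = True
    return perms


def can(table, user, action):
    """TRAC_ADMIN implies every action (other meta-permissions ignored here)."""
    perms = effective_permissions(table, user)
    return action in perms or "TRAC_ADMIN" in perms


if __name__ == "__main__":
    for who in ("anonymous", "alice", "helpdesk", "admin"):
        print(who, sorted(effective_permissions(AFTER, who)))
```

The point to take from the output is the last two users: helpdesk can reach the account administration pages but nothing else beyond what every logged-in user has, while admin keeps everything through TRAC_ADMIN.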

Recent Changes

[13806] by hasienda on 2014-04-03 01:20:36
AccountManagerPlugin: Publish maintenance release 0.4.4.

Spread fixed code after a reported XSS vulnerability researched and kindly
reported by 'ayoub nait lamine' - thank you very much for your effort.

[13805] by hasienda on 2014-04-03 00:45:29
AccountManagerPlugin: Escape email for notification message.

It has been demonstrated, that by typing a carefully crafted email address on
registration time a malicious user could trigger arbitrary JavaScript code
right after logging-in for the first time.

A successful exploit, like the one demonstrated by security researcher
'ayoub nait lamine', requires the email verification process to be configured
and enabled, but standard registration verification check for email input
(part of acct_mgr.register.RegExpCheck) disabled or configured to
non-default, rather permissive values at the same time.

Please note, that the default recommended configuration for the registration
procedure includes the aforementioned check on registration time, and will
prevent unsane user input in the first place.
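
The two safeguards named in that commit message, escaping at output time and a registration-time pattern check, as an added Python illustration that is not the plugin's code: the unescaped variant interpolates the submitted address straight into HTML, the escaped one neutralises any markup in it, and the check refuses the address before it is ever stored. The email pattern, the function names, the notification markup and the crafted sample address are assumed or constructed for the demo; they do not reproduce the plugin's RegExpCheck default or the payload from the original report.

```python
import html
import re

# Assumed, deliberately strict address pattern for the registration-time check;
# it does not reproduce the plugin's RegExpCheck default.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed notification markup (not the plugin's template).
TEMPLATE = "<p>Welcome {user}, a verification mail was sent to <b>{email}</b>.</p>"


def email_passes_check(email):
    """Registration-time input check, the first line of defence."""
    return EMAIL_RE.match(email) is not None


def notification_unescaped(user, email):
    """The weak form: user-supplied strings land in the HTML unchanged."""
    return TEMPLATE.format(user=user, email=email)


def notification_escaped(user, email):
    """The fixed form: escape at the point where text becomes markup."""
    return TEMPLATE.format(user=html.escape(user), email=html.escape(email))


def register(user, email, regexp_check=True):
    """Constructed registration flow: reject bad input while the check is on,
    and escape on output regardless, so a permissive check alone is not fatal."""
    if regexp_check and not email_passes_check(email):
        raise ValueError("email address rejected at registration")
    return notification_escaped(user, email)


# Constructed sample address carrying HTML markup; a generic illustration of
# the input class, not the address from the original report.
CRAFTED = '"<script>alert(1)</script>"@example.org'

if __name__ == "__main__":
    print(notification_unescaped("bob", CRAFTED))          # markup survives
    print(register("bob", CRAFTED, regexp_check=False))     # markup escaped
```

With the check enabled, register() raises before anything is stored; with it disabled (the permissive configuration the commit message describes), the escaped notification is what keeps the crafted address from executing.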

[13756] by hasienda on 2014-03-16 21:46:44
AccountManagerPlugin: Prevent skipping creation of a new authenticated session ID, refs #11622.

Research done for resolving another issue suddenly revealed this issue.

Author/Contributors

Author: mgood
Maintainer: hasienda
Contributors: coderanger, crocea, janakj, jun66j5, manski, mrelbe, otaku42, pacopablo, riggs, s0undt3ch

Attachments (9)

Download all attachments as: .zip