
Opened 12 years ago

Closed 12 years ago

Last modified 11 years ago

#10999 closed defect (fixed)

Able to login with any username password

Reported by: anonymous Owned by: Steffen Hoffmann
Priority: normal Component: AccountManagerPlugin
Severity: normal Keywords: login configuration support
Cc: tarundixitravi@… Trac Release: 0.12

Description

Hi

I am using it and I am able to log in with any username and password that were never created.

Please help me with this; anyone can log in with any word.

Attachments (0)

Change History (10)

comment:1 Changed 12 years ago by Ryan J Ollos

Summary: able to logine with any username password → Able to login with any username password

We should start handing out awards for worst bug report.

comment:2 Changed 12 years ago by Ryan J Ollos

Please post some configuration info:

  • Trac version, including minor version number (e.g. 0.12.3)
  • AccountManagerPlugin version
  • account-manager and components sections from trac.ini

comment:3 Changed 12 years ago by anonymous

Trac version 0.12.2, TracAccountManager 0.4.2

My trac.ini conf is:

[account-manager]
account_changes_notify_addresses = <snip (4 email addresses)>
acct_mgr.htfile.htpasswdstore = enabled
authentication_url =
db_htdigest_realm =
force_passwd_change = true
hash_method = HtDigestHashMethod
htdigest_file = /opt/trac-0.12.2-0/projects/cardekho/htpasswd
htdigest_realm =
htpasswd_file = /opt/trac-0.12.2-0/projects/cardekho/htpasswd
htpasswd_hash_type = crypt
login_attempt_max_count = 3
notify_actions = new,change,delete
password_file = /opt/trac-0.12.2-0/projects/cardekho/htpasswdd
password_format = htpasswd
password_store = SvnServePasswordStore,HtPasswdStore,HttpAuthStore,HtDigestStore,SessionStore
persistent_sessions = False
refresh_passwd = False
verify_email = true


[components]
acct_mgr.admin.accountguardadminpage = enabled
acct_mgr.admin.accountmanageradminpage = enabled
acct_mgr.admin.accountmanageradminpanel = enabled
acct_mgr.api.accountmanager = enabled
acct_mgr.db.sessionstore = enabled
acct_mgr.guard.accountguard = enabled
acct_mgr.htfile.abstractpasswordfilestore = enabled
acct_mgr.htfile.htdigeststore = enabled
acct_mgr.htfile.htpasswdstore = enabled
acct_mgr.http.httpauthstore = enabled
acct_mgr.notification.accountchangelistener = enabled
acct_mgr.notification.accountchangenotificationadminpanel = enabled
acct_mgr.pwhash.htdigesthashmethod = enabled
acct_mgr.pwhash.htpasswdhashmethod = enabled
acct_mgr.register.basiccheck = enabled
acct_mgr.register.usernamepermcheck = enabled
acct_mgr.svnserve.svnservepasswordstore = enabled
acct_mgr.web_ui.accountmodule = enabled
acct_mgr.web_ui.emailverificationmodule = enabled
acct_mgr.web_ui.loginmodule = enabled
acct_mgr.web_ui.registrationmodule = enabled
trac.web.auth.loginmodule = disabled

comment:4 Changed 12 years ago by Steffen Hoffmann

Keywords: login added

I've just beautified your configuration and removed unneeded personal details like email addresses.

Another thought before going into details on the matter: I agree with rjollos' initial comment. You should have asked on the mailing list first. The ticket system is for development issues, and it is not quite polite to stumble in here and drop a thin assertion about a yet-to-be-proven software issue. Developers here still tend to handle that gracefully, because there's always a chance of error on the developers' side, but maybe we shouldn't, because it encourages bad habits too. You are definitely obliged to prove your 'defect' assertion here.

Now on the matter: You're running acct_mgr-0.4.2, which I actively discouraged weeks ago. Please upgrade to 0.4.3 now. You're at risk of corrupting your trac.ini, because you enabled the AccountGuard (acct_mgr.guard.accountguard = enabled), which is heavily flawed in that version. More afterwards.

Additional thoughts:

  • acct_mgr.htfile.htpasswdstore = enabled doesn't belong in the [account-manager] section
  • htdigest and htpasswd are different formats that can't live mixed in one file. Therefore I've separated the options for the respective password stores. You direct both to the same file (/opt/trac-0.12.2-0/projects/cardekho/htpasswd), by mistake? That won't work.
  • htpasswd_hash_type = crypt is as bad as not setting it. Provide a stronger hash type if you can, 'md5' at minimum, better 'sha512'.
  • password_file = /opt/trac-0.12.2-0/projects/cardekho/htpasswdd, password_format - how about that? Where did you get that from? Configuration is not all-you-can-eat, but just-what-you-need! For now we provide the configuration cookbook for starters; later on we'll have a rather sophisticated configuration wizard, which is currently being tested in the trunk development branch.
  • password_store = SvnServePasswordStore,HtPasswdStore,HttpAuthStore,HtDigestStore,SessionStore - Hey, are you seriously in need of (using) all these stores concurrently? Never seen that before. Btw, order matters, so most probably you'll see new users only in HtPasswdStore, if any.
  • [components]
    acct_mgr.admin.accountguardadminpage = enabled
    acct_mgr.admin.accountmanageradminpage = enabled
    acct_mgr.admin.accountmanageradminpanel = enabled
    
    stopping here

This is a mix of current, old and invalid component names. You should really clean up according to the hints given before.
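
The checklist in this comment can be turned into a small script. The following is an added example written for this page, not code from AccountManagerPlugin or Trac: it parses a trac.ini with Python's configparser and flags the problems listed above (component switches placed in [account-manager], htdigest_file and htpasswd_file pointing at one file, htpasswd_hash_type set to crypt or left unset, several stores in password_store, and stores whose component is not enabled in [components]). The sample configuration is constructed from the reporter's, with paths shortened; the store-to-component mapping and the treatment of only md5 and sha512 as acceptable hash types are assumptions taken from the names on this page, not from the plugin's own registry.

```python
"""Lint [account-manager] / [components] in a trac.ini for the mistakes
discussed in this ticket.  Added example, not part of AccountManagerPlugin."""
import configparser

# Constructed sample mirroring the reporter's configuration (paths shortened).
SAMPLE_INI = """
[account-manager]
acct_mgr.htfile.htpasswdstore = enabled
hash_method = HtDigestHashMethod
htdigest_file = /opt/trac/projects/demo/htpasswd
htpasswd_file = /opt/trac/projects/demo/htpasswd
htpasswd_hash_type = crypt
password_store = SvnServePasswordStore,HtPasswdStore,HttpAuthStore,HtDigestStore,SessionStore

[components]
acct_mgr.htfile.htpasswdstore = enabled
acct_mgr.htfile.htdigeststore = enabled
acct_mgr.db.sessionstore = enabled
acct_mgr.guard.accountguard = enabled
"""

# Assumption: store name -> implementing component, taken from the component
# names that appear in the reporter's [components] section.
STORE_COMPONENTS = {
    "HtPasswdStore": "acct_mgr.htfile.htpasswdstore",
    "HtDigestStore": "acct_mgr.htfile.htdigeststore",
    "HttpAuthStore": "acct_mgr.http.httpauthstore",
    "SessionStore": "acct_mgr.db.sessionstore",
    "SvnServePasswordStore": "acct_mgr.svnserve.svnservepasswordstore",
}
# Assumption: only the two hash types the maintainer names count as acceptable.
ACCEPTABLE_HASH_TYPES = {"md5", "sha512"}


def load(text):
    """Parse trac.ini text; interpolation is off because values contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def lint(cp):
    """Return a list of (finding-code, detail) tuples; empty means clean."""
    findings = []
    am = cp["account-manager"] if cp.has_section("account-manager") else {}
    comps = cp["components"] if cp.has_section("components") else {}

    # 1. enable/disable switches belong in [components], not [account-manager]
    for key, value in am.items():
        if key.startswith("acct_mgr.") and value in ("enabled", "disabled"):
            findings.append(("misplaced-component", key))

    # 2. htpasswd and htdigest are different formats; one file cannot back both
    digest_file = am.get("htdigest_file")
    if digest_file and digest_file == am.get("htpasswd_file"):
        findings.append(("shared-password-file", digest_file))

    # 3. crypt (the behaviour when the option is unset, per the comment above)
    #    truncates passwords and is far too weak; require md5 or sha512
    hash_type = am.get("htpasswd_hash_type", "crypt").strip().lower()
    if hash_type not in ACCEPTABLE_HASH_TYPES:
        findings.append(("weak-hash-type", hash_type))

    # 4. password_store: order matters, the first store receives new accounts,
    #    and every listed store needs its component enabled to work at all
    stores = [s.strip() for s in am.get("password_store", "").split(",") if s.strip()]
    if len(stores) > 1:
        findings.append(("multiple-stores", stores[0]))
    for store in stores:
        component = STORE_COMPONENTS.get(store)
        if component is None:
            findings.append(("unknown-store", store))
        elif comps.get(component) != "enabled":
            findings.append(("store-not-enabled", store))
    return findings


if __name__ == "__main__":
    for code, detail in lint(load(SAMPLE_INI)):
        print(f"{code}: {detail}")
```

Run against the constructed sample it reports the misplaced component switch, the shared password file, the crypt hash type, the five-store list (naming SvnServePasswordStore as the store that would receive new accounts) and the stores whose component is not enabled; a single-store configuration with htpasswd_hash_type = sha512 and only acct_mgr.htfile.htpasswdstore enabled yields no findings.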

comment:5 in reply to:  1 Changed 12 years ago by Steffen Hoffmann

Replying to rjollos:

We should start handing out awards for worst bug report.

Sorry, but this IS definitely the worst report for months, and I'm very curious to see its outcome. It's at high risk of getting awarded 'invalid' anyway.

comment:6 Changed 12 years ago by anonymous

Resolution: fixed
Status: new → closed

Thanks for your reply. The problem is not in the account manager plugin; the accounts section has more than one password module due to bug solving.

The issue is in the components section. Something has to be disabled.

Btw, this is not the worst report anyway; the documentation is not clear enough to be understood.

Where is the mailing list, and how do I use it?

Thanks for the support; it helped me find the way to solve the problem.

comment:7 in reply to:  6 Changed 12 years ago by Steffen Hoffmann

Keywords: configuration support added

Replying to anonymous:

Thanks for your reply. The problem is not in the account manager plugin; the accounts section has more than one password module due to bug solving.

Thank you for reporting back on the issue. We don't see that regularly, especially not with 'anonymous' reports. This was probably part of my assertions regarding the report quality too.

The issue is in the components section. Something has to be disabled.

Given the number of hints given above this sounds a bit vague. Care to share some details?

Btw, this is not the worst report anyway; the documentation is not clear enough to be understood.

And will never be. Sorry, but we cannot discuss that topic seriously here. There is always room for improvements, but you clearly missed some of the hints for starters, like the aforementioned cookbook page, right?

Where is the mailing list, and how do I use it?

(Nice question after defending your report by complaining about unclear docs. Smile. Nevermind.) It is linked e.g. from trac-hacks.org and from /newticket, which you visited to create the report. There is a big fat STOP and an explanation pointing towards t:wiki:MailingList while mentioning that "Support and installation questions should be asked on the mailing list or IRC channel, not filed as tickets."

Thanks for the support; it helped me find the way to solve the problem.

Very much appreciate your positive feedback.

comment:8 in reply to:  6 Changed 12 years ago by Ryan J Ollos

Replying to anonymous:

Btw, this is not the worst report ...

You basically said "it's not working, what's wrong?". Please always at least include the following information:

  • Steps you took to configure the plugin
  • Relevant sections from trac.ini
  • Trac version number
  • Plugin version number

Please always upgrade to the latest stable version before reporting an issue, and search the issue tracker first for similar issues.

How can you expect anyone to help you when you state a problem without giving any details?

comment:9 Changed 12 years ago by anonymous

Please always upgrade to the latest stable version before reporting an issue, and search the issue tracker first for similar issues.

I was using the stable version, which is supposed to work for years when one doesn't want new features or old bugs removed (when they never appeared). Even so, I am facing the same problem with upgraded plugins.

How can you expect anyone to help you when you state a problem without giving any details?

Not everyone is tech enough; that is why one needs to create a ticket. If tech enough, he/she is capable enough to solve the issue. When suggested by Hasienda, I provided the required info (Thank you very much, you saved my life and your help is appreciated.)

Btw, the problem is in the components section.

I have removed these lines as suggested by Hasienda (an angel for me):

acct_mgr.db.sessionstore = enabled
acct_mgr.guard.accountguard = enabled
acct_mgr.htfile.abstractpasswordfilestore = enabled
acct_mgr.htfile.htdigeststore = enabled
acct_mgr.http.httpauthstore = enabled
acct_mgr.notification.accountchangelistener = enabled
acct_mgr.notification.accountchangenotificationadminpanel = enabled
acct_mgr.pwhash.htdigesthashmethod = enabled

More than one password method was creating the problem.

comment:10 Changed 12 years ago by Ryan J Ollos

My point is, please learn from this experience about what information developers need and what developers consider to be a "bad defect report". Now you know what information to provide in order to write a "good defect report" next time, and what steps you should take before writing that report.
