#10999 closed defect (fixed)
Able to login with any username password
Reported by: | anonymous | Owned by: | Steffen Hoffmann |
---|---|---|---|
Priority: | normal | Component: | AccountManagerPlugin |
Severity: | normal | Keywords: | login configuration support |
Cc: | tarundixitravi@… | Trac Release: | 0.12 |
Description
Hi
I am using i am able to use any username password that never created.
pls help me in this anyone can login with any word.
Attachments (0)
Change History (10)
comment:1 follow-up: 5 Changed 12 years ago by
Summary: | able to logine with any username password → Able to login with any username password |
---|
comment:2 Changed 12 years ago by
Please post some configuration info:
- Trac version, including minor version number (e.g. 0.12.3)
- AccountManagerPlugin version
- account-manager and components sections from trac.ini
comment:3 Changed 12 years ago by
trac version 0.12.2, TracAccountManager 0.4.2
My trac.ini conf are
```ini
[account-manager]
account_changes_notify_addresses = <snip (4 email addresses)>
acct_mgr.htfile.htpasswdstore = enabled
authentication_url =
db_htdigest_realm =
force_passwd_change = true
hash_method = HtDigestHashMethod
htdigest_file = /opt/trac-0.12.2-0/projects/cardekho/htpasswd
htdigest_realm =
htpasswd_file = /opt/trac-0.12.2-0/projects/cardekho/htpasswd
htpasswd_hash_type = crypt
login_attempt_max_count = 3
notify_actions = new,change,delete
password_file = /opt/trac-0.12.2-0/projects/cardekho/htpasswdd
password_format = htpasswd
password_store = SvnServePasswordStore,HtPasswdStore,HttpAuthStore,HtDigestStore,SessionStore
persistent_sessions = False
refresh_passwd = False
verify_email = true

[components]
acct_mgr.admin.accountguardadminpage = enabled
acct_mgr.admin.accountmanageradminpage = enabled
acct_mgr.admin.accountmanageradminpanel = enabled
acct_mgr.api.accountmanager = enabled
acct_mgr.db.sessionstore = enabled
acct_mgr.guard.accountguard = enabled
acct_mgr.htfile.abstractpasswordfilestore = enabled
acct_mgr.htfile.htdigeststore = enabled
acct_mgr.htfile.htpasswdstore = enabled
acct_mgr.http.httpauthstore = enabled
acct_mgr.notification.accountchangelistener = enabled
acct_mgr.notification.accountchangenotificationadminpanel = enabled
acct_mgr.pwhash.htdigesthashmethod = enabled
acct_mgr.pwhash.htpasswdhashmethod = enabled
acct_mgr.register.basiccheck = enabled
acct_mgr.register.usernamepermcheck = enabled
acct_mgr.svnserve.svnservepasswordstore = enabled
acct_mgr.web_ui.accountmodule = enabled
acct_mgr.web_ui.emailverificationmodule = enabled
acct_mgr.web_ui.loginmodule = enabled
acct_mgr.web_ui.registrationmodule = enabled
trac.web.auth.loginmodule = disabled
```
comment:4 Changed 12 years ago by
Keywords: | login added |
---|
I've just beautified your configuration and removed unneeded personal details like email.
Another thought before going into details on the matter: I agree with rjollos' initial comment. You should have asked on the mailing list first. The ticket system is for development issues, and it is not quite polite to stumble in here and drop thin assertions about yet-to-be-proven software issues. Developers here tend to still handle that gracefully, because there's always a chance of error on the developers' side, but maybe we shouldn't, because it encourages bad habits too. You're definitely in debt of proving your 'defect' assertion here.
Now on the matter: You're running acct_mgr-0.4.2, that has been actively discouraged by me weeks ago. Please run and upgrade to 0.4.3 now. You're at risk of corrupting your trac.ini, because you enabled the AccountGuard (acct_mgr.guard.accountguard = enabled), that is heavily flawed in that version. Talk more afterwards.
Additional thoughts:
- acct_mgr.htfile.htpasswdstore = enabled doesn't belong in the [account-manager] section
- htdigest and htpasswd are different formats, that can't live mixed in one file. Therefore I've been separating options for respective password stores. You direct both to the same file (/opt/trac-0.12.2-0/projects/cardekho/htpasswd), by mistake? That won't work.
- htpasswd_hash_type = crypt is as bad as not setting it. Provide a stronger hash type, if you can, 'md5' at minimum, better 'sha512'.
- password_file = /opt/trac-0.12.2-0/projects/cardekho/htpasswdd, password_format - how about that? Where did you get that from? Configuration is not all-I-can-eat, but just-what-I-need! For now we provide the configuration cookbook for starters, later on we'll have a rather sophisticated configuration wizard, that is currently tested in the trunk development branch.
- password_store = SvnServePasswordStore,HtPasswdStore,HttpAuthStore,HtDigestStore,SessionStore - Hey, are you seriously in need of (using) all these stores concurrently? Never seen that before. Btw, order matters, so most probably you'll see new users only in HtPasswdStore, if any.
- stopping here

```ini
[components]
acct_mgr.admin.accountguardadminpage = enabled
acct_mgr.admin.accountmanageradminpage = enabled
acct_mgr.admin.accountmanageradminpanel = enabled
```

This is a mix of current, old and invalid component names. You should really clean up according to hints given before.
comment:5 Changed 12 years ago by
Replying to rjollos:
> We should start handing out awards for worst bug report.

Sorry, but this IS definitely the worst report for months, and I'm very curious to see its outcome. It's at high risk of getting awarded 'invalid' anyway.
comment:6 follow-ups: 7 8 Changed 12 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
Thanks for your reply. Problem is not in account manager plugin accounts section has more than password modules due to bug solving
Issue is in component sections. something has to be disabled
btw this not worst report anyway documentation and are not clear enough to be understand.
where is the mailing list how to use this,
Thanks for support help to find the way to solve the problem
comment:7 Changed 12 years ago by
Keywords: | configuration support added |
---|
Replying to anonymous:
> Thanks for your reply. Problem is not in account manager plugin accounts section has more than password modules due to bug solving

Thank you for reporting back on the issue. We don't see that regularly, especially not with 'anonymous' reports. This was probably part of my assertions regarding the report quality too.

> Issue is in component sections. something has to be disabled

Given the number of hints given above this sounds a bit vague. Care to share some details?

> btw this not worst report anyway documentation and are not clear enough to be understand.

And will never be. Sorry, but we cannot discuss that topic seriously here. There is always room for improvements, but you clearly missed some of the hints for starters, like the aforementioned cookbook page, right?

> where is the mailing list how to use this,

(Nice question after defending your report by complaining about unclear docs. Smile. Nevermind.) It is linked i.e. from trac-hacks.org and from /newticket, that you visited to create the report. There is a big fat STOP and explanation pointing towards t:wiki:MailingList while mentioning, that "Support and installation questions should be asked on the mailing list or IRC channel, not filed as tickets."

> Thanks for support help to find the way to solve the problem

Very much appreciated your positive feedback.
comment:8 Changed 12 years ago by
Replying to anonymous:
> btw this not worst report ...

You basically said "it's not working, what's wrong?". Please always at least include the following information:
- Steps you took to configure the plugin
- Relevant sections from trac.ini
- Trac version number
- Plugin version number
Please always upgrade to the latest stable version before reporting an issue, and search the issue tracker first for similar issues.
How can you expect anyone to help you when you state a problem without giving any details?
comment:9 Changed 12 years ago by
> Please always upgrade to the latest stable version before reporting an issue, and search the issue tracker first for similar issues.

I was using stable version that suppose to works for year when one don't want new features or old bug removed (when they never appeared). Even I am facing same problem with upgraded plugins.

> How can you expect anyone to help you when you state a problem without giving any details?

Everyone is not tech enough that why one need to create ticket if tech enough he/she capable enough to solve the issue. When suggested by Hasienda then I have provided required info (Thank you very u saved my life and your help is appreciated.)
btw The problem in component sections
I have removed these lines as suggested by Hasienda (Angel for me)

```ini
acct_mgr.db.sessionstore = enabled
acct_mgr.guard.accountguard = enabled
acct_mgr.htfile.abstractpasswordfilestore = enabled
acct_mgr.htfile.htdigeststore = enabled
acct_mgr.http.httpauthstore = enabled
acct_mgr.notification.accountchangelistener = enabled
acct_mgr.notification.accountchangenotificationadminpanel = enabled
acct_mgr.pwhash.htdigesthashmethod = enabled
```

more than one password methods were creating problem
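
The configuration points raised in comment:4 and the fix reported in comment:9, turned into a small trac.ini checker. This is an added example, not part of the ticket and not AccountManagerPlugin code: the finding names, the `audit` function and the reduced sample are constructed here, and only the option and component names come from the ticket.

```python
import configparser

# Constructed sample: a reduced copy of the trac.ini posted in comment:3.
SAMPLE = """\
[account-manager]
acct_mgr.htfile.htpasswdstore = enabled
htdigest_file = /opt/trac-0.12.2-0/projects/cardekho/htpasswd
htpasswd_file = /opt/trac-0.12.2-0/projects/cardekho/htpasswd
htpasswd_hash_type = crypt
password_store = SvnServePasswordStore,HtPasswdStore,HttpAuthStore,HtDigestStore,SessionStore

[components]
acct_mgr.htfile.htdigeststore = enabled
acct_mgr.htfile.htpasswdstore = enabled
acct_mgr.http.httpauthstore = enabled
"""

def audit(ini_text):
    """Return sorted finding codes for the points raised in comment:4 and comment:9."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    am = cp["account-manager"] if cp.has_section("account-manager") else {}
    comps = cp["components"] if cp.has_section("components") else {}
    found = set()
    # Component switches (acct_mgr.* = enabled) belong in [components].
    if any(k.startswith("acct_mgr.") for k in am):
        found.add("component-switch-in-account-manager")
    # htdigest and htpasswd are different formats and cannot share one file.
    digest, passwd = am.get("htdigest_file", ""), am.get("htpasswd_file", "")
    if digest and digest == passwd:
        found.add("htdigest-and-htpasswd-share-file")
    # 'crypt' is treated like an unset hash type; the ticket asks for md5 or sha512.
    if passwd and am.get("htpasswd_hash_type", "").strip().lower() in ("", "crypt"):
        found.add("weak-htpasswd-hash-type")
    # Several stores at once: order matters, so each entry needs a reason to be there.
    stores = [s.strip() for s in am.get("password_store", "").split(",") if s.strip()]
    if len(stores) > 1:
        found.add("multiple-password-stores")
    # Heuristic (assumption): count enabled acct_mgr.*store components, as in comment:9.
    enabled = [k for k, v in comps.items() if k.startswith("acct_mgr.")
               and k.endswith("store") and v.strip().lower() == "enabled"]
    if len(enabled) > 1:
        found.add("multiple-store-components")
    return sorted(found)

if __name__ == "__main__":
    for code in audit(SAMPLE):
        print(code)
```

Each finding is a prompt to review the setting against the plugin's configuration cookbook, not proof of a defect.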
comment:10 Changed 12 years ago by
My point is, please learn from this experience about what information developers need, and what developers consider to be a "bad defect report", and now you know what information to provide in order to write a "good defect report" next time, and what steps you should take before writing that report.
We should start handing out awards for worst bug report.