Opened 10 years ago

Closed 7 years ago

#11798 closed enhancement (fixed)

Display message to users with revoked account access

Reported by: Ryan J Ollos
Owned by: Steffen Hoffmann
Priority: normal
Component: AccountManagerPlugin
Severity: normal
Keywords:
Cc:
Trac Release:

Description (last modified by Ryan J Ollos)

I'll describe an issue I encountered today in one of my Trac instances.

A user has several permissions including WIKI_VIEW; however, on login only the Preferences and About navigation items were displayed. Navigating to the base URL showed: "WIKI_VIEW privileges are required to perform this operation on WikiStart. You don't have the required permissions."

The issue was revealed on setting the LOG_LEVEL to debug:

2014-05-28 17:51:02,128 Trac[main] DEBUG: Dispatching <RequestWithSession "GET '/'">
2014-05-28 17:51:02,142 Trac[api] INFO: Synchronized '(default)' repository in 0.01 seconds
2014-05-28 17:51:02,143 Trac[session] DEBUG: Retrieving session for ID 'jenkins'
2014-05-28 17:51:02,151 Trac[authz_policy] DEBUG: Checking ACCTMGR_USER_ADMIN on 
2014-05-28 17:51:02,156 Trac[perm] DEBUG: No policy allowed jenkins performing ACCTMGR_USER_ADMIN on None
2014-05-28 17:51:02,156 Trac[api] DEBUG: AccountManager.pre_process_request: Permissions for 'jenkins' stripped (account approval revoked)
2014-05-28 17:51:02,157 Trac[GroupBasedRedirection] INFO: Redirecting jenkins to /wiki
2014-05-28 17:51:02,358 Trac[main] DEBUG: Dispatching <RequestWithSession "GET '/wiki'">
2014-05-28 17:51:02,372 Trac[api] INFO: Synchronized '(default)' repository in 0.01 seconds
2014-05-28 17:51:02,373 Trac[session] DEBUG: Retrieving session for ID 'jenkins'
2014-05-28 17:51:02,382 Trac[authz_policy] DEBUG: Checking ACCTMGR_USER_ADMIN on 
2014-05-28 17:51:02,383 Trac[perm] DEBUG: No policy allowed jenkins performing ACCTMGR_USER_ADMIN on None
2014-05-28 17:51:02,384 Trac[api] DEBUG: AccountManager.pre_process_request: Permissions for 'jenkins' stripped (account approval revoked)
2014-05-28 17:51:02,399 Trac[authz_policy] DEBUG: Checking WIKI_VIEW on wiki:WikiStart@*
2014-05-28 17:51:02,403 Trac[perm] DEBUG: No policy allowed anonymous performing WIKI_VIEW on <Resource u'wiki:WikiStart'>

I had been careless when revoking account access for a large number of users and accidentally revoked permissions for this user.

Here are some sanitized details on my AccountManagerPlugin 0.5dev-r13806 configuration:

[account-manager]
account_changes_notify_addresses = <redacted>
allow_delete_account = false
force_passwd_change = true
group_file = <redacted>
hash_method = HtPasswdHashMethod
htpasswd_file = <redacted>
htpasswd_hash_type = crypt
login_attempt_max_count = 0
notify_actions = new,change,delete
password_file = <redacted>
password_store = HtPasswdStore
persistent_sessions = False
refresh_passwd = False
verify_email = true

How about displaying a message to a user after login?: Account access has been revoked. Please contact your administrator.
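
An added example, not part of the original ticket or of AccountManagerPlugin: a Python scan of a Trac debug log for the "Permissions for '...' stripped" message quoted above, reporting each affected account and the permissions it was then denied as anonymous within the same request. The function name and the sample lines (constructed in the format of the log above) are assumptions of this example, as is the premise that log lines from concurrent requests do not interleave.

```python
import re

# Constructed sample in the format of the debug log quoted in the ticket.
SAMPLE_LOG = """\
2014-05-28 17:51:02,128 Trac[main] DEBUG: Dispatching <RequestWithSession "GET '/'">
2014-05-28 17:51:02,156 Trac[api] DEBUG: AccountManager.pre_process_request: Permissions for 'jenkins' stripped (account approval revoked)
2014-05-28 17:51:02,358 Trac[main] DEBUG: Dispatching <RequestWithSession "GET '/wiki'">
2014-05-28 17:51:02,384 Trac[api] DEBUG: AccountManager.pre_process_request: Permissions for 'jenkins' stripped (account approval revoked)
2014-05-28 17:51:02,403 Trac[perm] DEBUG: No policy allowed anonymous performing WIKI_VIEW on <Resource u'wiki:WikiStart'>
2014-05-28 17:53:10,001 Trac[main] DEBUG: Dispatching <RequestWithSession "GET '/ticket/1'">
2014-05-28 17:53:10,020 Trac[perm] DEBUG: No policy allowed anonymous performing TICKET_VIEW on <Resource u'ticket:1'>
"""

LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) Trac\[[^\]]+\] \w+: (?P<msg>.*)$")
STRIPPED = re.compile(r"AccountManager\.pre_process_request: Permissions for "
                      r"'(?P<user>[^']+)' stripped \((?P<reason>[^)]+)\)")
DENIED = re.compile(r"No policy allowed (?P<who>\S+) performing (?P<perm>\S+) on ")


def find_stripped_accounts(log_text):
    """Map each stripped user to reason, timestamps, event count and denied permissions."""
    report = {}
    current = None  # user stripped in the request currently being processed
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue
        ts, msg = line["ts"], line["msg"]
        if msg.startswith("Dispatching "):
            current = None  # new request: forget the previous attribution
            continue
        m = STRIPPED.search(msg)
        if m:
            current = m["user"]
            entry = report.setdefault(current, {"reason": m["reason"], "first_seen": ts,
                                                "last_seen": ts, "events": 0, "denied": set()})
            entry["events"] += 1
            entry["last_seen"] = ts
            continue
        m = DENIED.search(msg)
        # After stripping, the checks are logged against 'anonymous', as in the ticket's log.
        if m and current and m["who"] == "anonymous":
            report[current]["denied"].add(m["perm"])
    return report


if __name__ == "__main__":
    for user, info in find_stripped_accounts(SAMPLE_LOG).items():
        print(user, info["reason"], info["events"], sorted(info["denied"]))
```

Running this over a log captured at the debug level after a bulk revocation gives a list of accounts to compare against the ones that were meant to be revoked.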

Attachments (2)

Warning.png (23.9 KB) - added by Ryan J Ollos 10 years ago.
t11798.patch (1.1 KB) - added by Ryan J Ollos 10 years ago.

Change History (6)

comment:1 Changed 10 years ago by Ryan J Ollos

Description: modified (diff)

Changed 10 years ago by Ryan J Ollos

Attachment: Warning.png added

Changed 10 years ago by Ryan J Ollos

Attachment: t11798.patch added

comment:2 Changed 10 years ago by Ryan J Ollos

I changed the proposed warning message to be more generally applicable to an account that has not been approved: t11798.patch.

comment:3 Changed 8 years ago by Ryan J Ollos

In 15037:

0.5dev: Display message when account is pending approval

Refs #11798.

comment:4 Changed 7 years ago by Ryan J Ollos

Resolution: fixed
Status: new → closed
