Opened 10 years ago

Last modified 7 years ago

#11798 closed enhancement

Display message to users with revoked account access — at Initial Version

Reported by: Ryan J Ollos
Owned by: Steffen Hoffmann
Priority: normal
Component: AccountManagerPlugin
Severity: normal
Keywords:
Cc:
Trac Release:

Description

I'll describe an issue I encountered today in one of my Trac instances.

A user has several permissions including WIKI_VIEW; however, on login only the Preferences and About navigation items were displayed. Navigating to the base URL showed: WIKI_VIEW privileges are required to perform this operation on WikiStart. You don't have the required permissions.

The issue was revealed on setting the LOG_LEVEL to debug:

2014-05-28 17:51:02,128 Trac[main] DEBUG: Dispatching <RequestWithSession "GET '/'">
2014-05-28 17:51:02,142 Trac[api] INFO: Synchronized '(default)' repository in 0.01 seconds
2014-05-28 17:51:02,143 Trac[session] DEBUG: Retrieving session for ID 'jenkins'
2014-05-28 17:51:02,151 Trac[authz_policy] DEBUG: Checking ACCTMGR_USER_ADMIN on 
2014-05-28 17:51:02,156 Trac[perm] DEBUG: No policy allowed jenkins performing ACCTMGR_USER_ADMIN on None
2014-05-28 17:51:02,156 Trac[api] DEBUG: AccountManager.pre_process_request: Permissions for 'jenkins' stripped (account approval revoked)
2014-05-28 17:51:02,157 Trac[GroupBasedRedirection] INFO: Redirecting jenkins to /wiki
2014-05-28 17:51:02,358 Trac[main] DEBUG: Dispatching <RequestWithSession "GET '/wiki'">
2014-05-28 17:51:02,372 Trac[api] INFO: Synchronized '(default)' repository in 0.01 seconds
2014-05-28 17:51:02,373 Trac[session] DEBUG: Retrieving session for ID 'jenkins'
2014-05-28 17:51:02,382 Trac[authz_policy] DEBUG: Checking ACCTMGR_USER_ADMIN on 
2014-05-28 17:51:02,383 Trac[perm] DEBUG: No policy allowed jenkins performing ACCTMGR_USER_ADMIN on None
2014-05-28 17:51:02,384 Trac[api] DEBUG: AccountManager.pre_process_request: Permissions for 'jenkins' stripped (account approval revoked)
2014-05-28 17:51:02,399 Trac[authz_policy] DEBUG: Checking WIKI_VIEW on wiki:WikiStart@*
2014-05-28 17:51:02,403 Trac[perm] DEBUG: No policy allowed anonymous performing WIKI_VIEW on <Resource u'wiki:WikiStart'>

I had been careless when revoking account access for a large number of users and accidentally revoked permissions for this user.

Here are some sanitized details on my AccountManagerPlugin 0.5dev-r13806 configuration:

[account-manager]
account_changes_notify_addresses = <redacted>
allow_delete_account = false
force_passwd_change = true
group_file = <redacted>
hash_method = HtPasswdHashMethod
htpasswd_file = <redacted>
htpasswd_hash_type = crypt
login_attempt_max_count = 0
notify_actions = new,change,delete
password_file = <redacted>
password_store = HtPasswdStore
persistent_sessions = False
refresh_passwd = False
verify_email = true

How about displaying a message to a user after login: Account access has been revoked. Please contact your administrator.
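
Until such a message exists, an administrator can find affected accounts from the debug log itself. The following is an added example, not part of the ticket or of AccountManagerPlugin: it scans a log in the format quoted above for the "Permissions for '...' stripped" entries and lists the request paths and the checks then denied for 'anonymous'. The function name `find_stripped_accounts` and the report layout are assumptions made for this example.

```python
import re

# Lines copied from the debug log excerpt in this ticket (trimmed to two requests).
SAMPLE_LOG = """\
2014-05-28 17:51:02,128 Trac[main] DEBUG: Dispatching <RequestWithSession "GET '/'">
2014-05-28 17:51:02,156 Trac[perm] DEBUG: No policy allowed jenkins performing ACCTMGR_USER_ADMIN on None
2014-05-28 17:51:02,156 Trac[api] DEBUG: AccountManager.pre_process_request: Permissions for 'jenkins' stripped (account approval revoked)
2014-05-28 17:51:02,358 Trac[main] DEBUG: Dispatching <RequestWithSession "GET '/wiki'">
2014-05-28 17:51:02,384 Trac[api] DEBUG: AccountManager.pre_process_request: Permissions for 'jenkins' stripped (account approval revoked)
2014-05-28 17:51:02,403 Trac[perm] DEBUG: No policy allowed anonymous performing WIKI_VIEW on <Resource u'wiki:WikiStart'>
"""

DISPATCH = re.compile(r"""Dispatching <\w+ "\w+ '(?P<path>[^']*)'""")
STRIPPED = re.compile(
    r"^(?P<ts>\S+ \S+) Trac\[api\] DEBUG: AccountManager\.pre_process_request: "
    r"Permissions for '(?P<user>[^']+)' stripped \((?P<reason>[^)]*)\)")
DENIED = re.compile(r"No policy allowed (?P<user>\S+) performing (?P<action>\w+) on ")


def find_stripped_accounts(log_text):
    """Map each stripped user to the reason, the affected request paths and the
    permission checks the log then records as denied for 'anonymous'."""
    report = {}
    path = None
    current = None  # user whose permissions were stripped in this request
    for line in log_text.splitlines():
        if m := DISPATCH.search(line):
            path, current = m["path"], None  # a new request starts here
        elif m := STRIPPED.search(line):
            current = m["user"]
            entry = report.setdefault(current, {
                "reason": m["reason"], "first_seen": m["ts"],
                "paths": [], "denied": []})
            entry["paths"].append(path)
        elif (m := DENIED.search(line)) and current and m["user"] == "anonymous":
            report[current]["denied"].append(m["action"])
    return report


if __name__ == "__main__":
    for user, info in find_stripped_accounts(SAMPLE_LOG).items():
        print(f"{user}: {info['reason']}; first seen {info['first_seen']}; "
              f"paths={info['paths']}; denied afterwards={info['denied']}")
```

The stripped-permissions entry is logged at DEBUG level, so the log level must be set to debug as described above. The correlation assumes log lines from different requests are not interleaved, since the log carries no request identifier.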

Change History (0)
