Closed
Bug 136770
Opened 23 years ago
Closed 21 years ago
unreachable code in DBNameToIdAndCheck()
Categories
(Bugzilla :: Bugzilla-General, defect, P2)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: jayvdb, Assigned: justdave)
Details
Attachments
(2 obsolete files)
DBNameToIdAndCheck can be forced to create a new user if one does not exist,
however this functionality is no longer used.
|
Assignee | |
Comment 1•23 years ago
|
||
Isn't that used by the LDAP code to create the user if they exist in LDAP but
aren't in Bugzilla yet?
|
Reporter | |
Comment 2•23 years ago
|
||
confirm_login calls PasswordForLogin($enteredlogin). If no password is
returned, InsertNewUser is called. As a result, this now bypasses the
ValidateNewUser in DBNameToIdAndCheck, which could result in addresses in the
process of an email change being hijacked when using LDAP.
Due to the way LDAP users are added now, ValidateNewUser should be called from
within confirm_login before InsertNewUser.
|
||
Updated•23 years ago
|
Priority: -- → P2
Target Milestone: --- → Bugzilla 2.18
|
|
Reporter | |
Comment 3•23 years ago
|
||
The consistency check for adding new users under LDAP (the block in CGI.pl) has
not been tested.
|
||
Comment 4•23 years ago
|
||
Comment on attachment 79229 [details] [diff] [review]
removes unreachable code; adds consistency check
Change the first line of DBNameToIDAndCheck to not refer to/declare $forceok.
Attachment #79229 -
Flags: review-
|
|
Reporter | |
Comment 5•23 years ago
|
||
Attachment #79229 -
Attachment is obsolete: true
|
|
||
Comment 6•23 years ago
|
||
Comment on attachment 79231 [details] [diff] [review]
v.2
r=bbaetz
I'll claim ignorance on the ldap stuff, though, although it wasn't using a
second param to start with, so this won't affect that, at least.
(BTW, should email change stuff be disabled for ldap?)
Attachment #79231 -
Flags: review+
|
|
Reporter | |
Comment 7•23 years ago
|
||
I dont know and could not find a LDAP expert on
http://www.bugzilla.org/who_we_are.html. Would be good to fix this, as I am
sure an administrator of an LDAP installation would prefer to be asked now
rather than have us blitz their setup.
I can see why 'email change' in specific should be disabled, as there is no
other means to sync. with the LDAP directory. I can also see the benefit of
adding a param to lock all account details down to their LDAP values, but that
is another issue.
|
|
Assignee | |
Comment 8•23 years ago
|
||
CCing the guy who wrote the original LDAP stuff...
|
|
Reporter | |
Comment 9•23 years ago
|
||
Comment on attachment 79231 [details] [diff] [review]
v.2
The majority of this issue has been resolved in bug 138456. All that remains
is the LDAP issues.
Attachment #79231 -
Attachment is obsolete: true
|
||
Comment 10•21 years ago
|
||
These unloved bugs have been sitting untouched since June 2002 or longer. If
nobody does anything else to them, they certainly won't make 2.18
Retargetting to 2.20. If you really plan to push them right now, you might pull
them back in.
Target Milestone: Bugzilla 2.18 → Bugzilla 2.20
|
||
Comment 11•21 years ago
|
||
We totally re-wrote LDAP, so um, this bug should probably be closed. FIXED, or
WORKSFORME, or...?
|
|
||
Comment 12•21 years ago
|
||
Yeah, this is no longer an issue with the modern LDAP code.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → WORKSFORME
|
|
Assignee | |
Comment 13•20 years ago
|
||
clearing target of DUPLICATE/WONTFIX/INVALID/WORKSFORME so they'll show up as
untriaged if they get reopened.
Target Milestone: Bugzilla 2.20 → ---
|
||
Updated•13 years ago
|
QA Contact: matty_is_a_geek → default-qa
You need to log in
before you can comment on or make changes to this bug.
Description
•