Open Bug 320265 Opened 20 years ago Updated 7 years ago

Env.pm should be able to use auth_env_id instead of auth_env_email

Categories

(Bugzilla :: User Accounts, defect)

2.20
defect
Not set
normal

People

(Reporter: artur.kedzierski, Unassigned)

Attachments

(2 files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

Currently Env.pm requires auth_env_email variable to be set. However, it should be able to look up the email address when auth_env_id is set. This would be great for users who don't use their email address as a login name. They could just set auth_env_id to REMOTE_USER and leave auth_env_email blank.

Reproducible: Always

Steps to Reproduce:
1. Set auth_env_id to REMOTE_USER
2. Leave auth_env_email blank

Actual Results: Login is denied. The email address is not passed, nor is it looked up, so it doesn't pass $emailregexp test.

Expected Results: Login is accepted. The email address is looked up from the database so it passes $emailregexp test.

Reporter, just for our records, please update the version field of the bug to match the version of Bugzilla you are using. Thanks!

This is an interesting issue. The code behind environment variable authentication is Bugzilla::Auth::Login::WWW::Env, and examining the comments it seems that this was done intentionally (line 69-70 of the .pm file on tip). Until the original author of the code responds, I'd provide this justification:

> The auth_env_email should contain the most up-to-date email of the person who is being logged in. Given that, an empty/undefined email is not valid, as the email is the main form of identification in Bugzilla, so one must be provided.

Given that justification, I would not be against saying "If auth_env_id is provided, and matches an already-existing user, but auth_env_email is empty or undefined, then assume that the email address already on file is correct. If auth_env_id is provided, but does not match any existing user, throw an error unless auth_env_email contains a non-empty value."

Hardware: PC → All
Version: unspecified → 2.20
I've created a patch that addresses this problem.
Attachment #206656 - Flags: review?(kiko)
Assignee: user-accounts → artur.kedzierski
Status: UNCONFIRMED → NEW
Ever confirmed: true
Status: NEW → ASSIGNED
Comment on attachment 206656: Patch to Env.pm that fixes the problem

This patch no longer applies cleanly due to the rewrite of the Auth stuff, see bug 300410. Please update your patch accordingly.
Attachment #206656 - Flags: review?(kiko) → review-
I am using apache authentication against Active Directory through a mod_auth_pam (yes, it's no longer supported). No, ldap authentication against AD is not working from bugzilla but does work for mod_auth_pam. When the user authenticates to apache he uses the username without an email address. The environment never contains the full email address--nor can it. Bugzilla cannot work without an email address.

My patch does 2 things:
* add auth_env_suffix parameter
* IF auth_env_email is empty but auth_env_id AND auth_env_suffix are set create email from id and suffix

This allows the auth_env_id parameter to be fetched from apache and only used when bugzilla needs it. Since this only activates when the email is empty there should not be any breakage with current code. If the user does not set the suffix it will never be used.

JT, please request review to put your patch on reviewers' radar. Or is your patch incomplete?
Assignee: artur.kedzierski → user-accounts
Bug 503372 solves this problem in a different way which I think is more elegant. I haven't touched this patch in a while and am not using it since we still have not set up bug tracking here. It needs review but in light of the other bug I don't think it's worthwhile.
Status: ASSIGNED → NEW
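
The two fallbacks proposed in the comments above (use the address already on file when auth_env_id matches a known user; otherwise build one from the id plus auth_env_suffix), sketched as an added example that is not code from Bugzilla or from either attached patch. The helper name, the in-memory user table, the simplified email pattern, the suffix carrying its own "@", and the check that the id is a plain local part are all assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: external id => email already on file.
my %users_by_extern_id = (jdoe => 'jdoe@example.com');

# Simplified stand-in for the emailregexp parameter (assumption).
my $email_re = qr/\A[^\s@]+@[^\s@]+\.[^\s@]+\z/;

# Hypothetical helper: decide which email an env-authenticated login maps to.
# Returns (email, source) on success or (undef, reason) when login is denied.
sub resolve_env_login {
    my ($env, $params, $users) = @_;
    my $id_var    = $params->{auth_env_id}    // '';
    my $email_var = $params->{auth_env_email} // '';
    my $id    = $id_var    ne '' ? ($env->{$id_var}    // '') : '';
    my $email = $email_var ne '' ? ($env->{$email_var} // '') : '';

    # 1. An email supplied by the web server wins, but must still validate.
    if ($email ne '') {
        return $email =~ $email_re ? ($email, 'env') : (undef, 'invalid email in environment');
    }
    return (undef, 'no id and no email') if $id eq '';

    # 2. Known id, empty email: assume the address already on file is correct.
    return ($users->{$id}, 'on file') if exists $users->{$id};

    # 3. Unknown id: build an address only when a suffix is configured and the
    #    id is a plain local part, so a crafted id cannot smuggle in its own
    #    domain or whitespace (added check, not described in the thread).
    my $suffix = $params->{auth_env_suffix} // '';
    return (undef, 'unknown id and no email') if $suffix eq '';
    return (undef, 'id not usable as local part') unless $id =~ /\A[A-Za-z0-9._-]+\z/;
    my $built = $id . $suffix;
    return $built =~ $email_re ? ($built, 'id+suffix') : (undef, 'suffix does not yield a valid email');
}

# Constructed configuration: the id comes from REMOTE_USER, no email variable is set.
my %params = (auth_env_id => 'REMOTE_USER', auth_env_email => '', auth_env_suffix => '@example.com');
for my $remote_user ('jdoe', 'asmith', 'bob@other.example', '') {
    my ($email, $why) = resolve_env_login({ REMOTE_USER => $remote_user }, \%params, \%users_by_extern_id);
    printf "%-22s => %s (%s)\n", "<$remote_user>", $email // 'DENY', $why;
}
```
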