Open
Bug 478748
Opened 17 years ago
Updated 17 years ago
Prevent user account creation from editusers.cgi if DB is set as inactive in user_verify_class
Categories
(Bugzilla :: Administration, task)
Tracking
(NEW)
People
(Reporter: Eric.Olson, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: 3.2.2
If DB is set to "inactive" in the user_verify_class parameter, the editusers.cgi page does not display the Password field when creating a new user. Submitting the form displays the "The password must be at least 3 characters long." error. Since the Bugzilla DB is not being used for authentication in this case, it should be possible to create users with null passwords.
Reproducible: Always
Steps to Reproduce:
1. Disable DB in user_verify_class in Administration : Parameters : User Authentication.
2. From Administration : Users : Add a new user, try to create a user.
Comment 1•17 years ago
So what is user_verify_class set to? LDAP or RADIUS?
Version: unspecified → 3.2.2
Comment 2•17 years ago (Reporter)
For me, LDAP. I don't use RADIUS, so I can't test to see if it happens then, too.
Comment 3•17 years ago
If DB is inactive, this means user accounts can only be imported from an external authentication server, such as LDAP. In that case, editusers.cgi should not let administrators create new user accounts, as specified by the admin_can_create_account constant in Auth::Verify::LDAP (or ::RADIUS). So morphing the bug summary to reflect this.
While fixing this bug, we should also create admin/users/footer.html.tmpl to avoid code replication in templates. Links to createaccount.cgi should indeed be enclosed in [% IF user.authorizer.admin_can_create_account %] [% END %] to only be displayed when appropriate, and the "add" and "new" actions in editusers.cgi should throw an error if this test is false. The tricky part is to create the new admin_can_create_account() subroutine in Bugzilla::Auth.
Assignee: user-accounts → administration
Severity: major → minor
Status: UNCONFIRMED → NEW
Component: User Accounts → Administration
Ever confirmed: true
OS: Windows XP → All
Hardware: x86 → All
Summary: Can not create user if DB inactive in user_verify_class → Prevent user account creation from editusers.cgi if DB is set as inactive in user_verify_class
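The server-side guard proposed in comment 3, sketched as an added example (not part of the bug thread and not Bugzilla's own code). The `Demo::*` packages, `handle_action` and the error tag are hypothetical stand-ins; treating account creation as allowed when any active verifier permits it is an assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-ins for the verifier classes; only the constant name
# admin_can_create_account comes from the bug discussion.
package Demo::Verify::DB;     use constant admin_can_create_account => 1;
package Demo::Verify::LDAP;   use constant admin_can_create_account => 0;
package Demo::Verify::RADIUS; use constant admin_can_create_account => 0;

package Demo::Auth;

my %CLASS = (DB => 'Demo::Verify::DB', LDAP => 'Demo::Verify::LDAP',
             RADIUS => 'Demo::Verify::RADIUS');

# Build the list of active verifiers from a user_verify_class value such as "LDAP,DB".
sub new {
    my ($class, $user_verify_class) = @_;
    my @verifiers;
    for my $name (grep { length } split /\s*,\s*/, $user_verify_class) {
        my $pkg = $CLASS{$name} or die "unknown verify method '$name'\n";
        push @verifiers, $pkg;
    }
    return bless { verifiers => \@verifiers }, $class;
}

# Assumption: creation is allowed if at least one active verifier allows it.
sub admin_can_create_account {
    my ($self) = @_;
    return scalar grep { $_->admin_can_create_account } @{ $self->{verifiers} };
}

package main;

# Enforce the check on the server, not only by hiding template links:
# a hidden link does not stop a hand-built "add" or "new" request.
sub handle_action {
    my ($auth, $action) = @_;
    if (($action eq 'add' || $action eq 'new') && !$auth->admin_can_create_account) {
        die "account_creation_disabled\n";    # constructed error tag
    }
    return "ok:$action";
}

# Constructed sample settings and actions.
for my $setting ('LDAP', 'LDAP,DB', 'DB') {
    my $auth = Demo::Auth->new($setting);
    for my $action (qw(list add new)) {
        my $result = eval { handle_action($auth, $action) } // "error:$@";
        chomp $result;
        printf "%-8s %-5s %s\n", $setting, $action, $result;
    }
}
```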
Comment 4•17 years ago
For the record, this bug is not a dupe of bug 387056. That one is about "LDAP,DB", not "LDAP" alone.