Priority: Normal
Current State: Closed
Released In: 2.1.3
Target Release: patch
Condition: Authentication using Kerberos with "MyWikiUser -- unixuser"
First case: {FeatureAccess}{Configure} is set to 'MyWikiUser'.
Result: The user can access configure. But an error message is written: "Current user not in this list, and is locked out, If you save the configuration, you'll lose access to configure!"
Second case: {FeatureAccess}{Configure} is set to 'unixuser'.
Result: The user cannot access configure, but no error message is written.
--
StefanH - 05 Sep 2016
Problem in the checker:
lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm
in line 56: $curuser is equal to the unixuser, not the WikiUser
--
TestUser333 - 05 Sep 2016
Adding this second line did not help:
my $curuser = Foswiki::Func::getCanonicalUserID();
$curuser = Foswiki::Func::getWikiName($curuser);
--
TestUser333 - 05 Sep 2016
Further note: When setting {FeatureAccess}{Configure} to 'AdminGroup' while 'MyWikiUser' was a member of AdminGroup, this did not work, i.e. MyWikiUser could not access configure anymore! When setting it to '' (empty), MyWikiUser could access configure again.
--
TestUser333 - 05 Sep 2016
I've got a possible fix, but I'm concerned that it is incomplete. The issue is that it assumes that users always have wiki names, which may not be true when using external authentication.
diff --git a/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm b/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm
index 7eb04ef..dc46bab 100644
--- a/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm
+++ b/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm
@@ -50,20 +50,21 @@ You should either set the _internal admin_ password, or add users to this list w
my $passed = ''; # Set to true if current user is allowed to use configure
my $curuser = Foswiki::Func::getCanonicalUserID();
+ $curuser = Foswiki::Func::getWikiName($curuser);
unless ( $Foswiki::cfg{isBOOTSTRAPPING}
|| !$Foswiki::cfg{FeatureAccess}{Configure}
|| ( $curuser eq 'BaseUserMapping_333' ) )
{
foreach my $user (@Authorized) {
- if ( $user eq Foswiki::Func::getCanonicalUserID() ) {
+ if ( $user eq $curuser ) {
$passed = 1;
last;
}
}
$reporter->ERROR(
-"Current user not in this list, and is locked out, If you save the configuration, you'll lose access to configure!"
- ) unless ( $passed || $curuser eq 'BaseUserMapping_333' );
+"Current user $curuser not in this list, and is locked out, If you save the configuration, you'll lose access to configure!"
+ ) unless ( $passed || $curuser eq $Foswiki::cfg{AdminUserWikiName} );
}
}
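Review bot: The unchanged guard ( $curuser eq 'BaseUserMapping_333' ) in the unless condition still compares against a canonical user id, but after the added line $curuser = Foswiki::Func::getWikiName($curuser); the variable holds a wiki name, so the two admin checks in this hunk are no longer consistent: the first tests the cUID literal, the second tests $Foswiki::cfg{AdminUserWikiName}. Keep the result of getCanonicalUserID() in its own variable (a hypothetical $cuid, say) and use it for the first guard, or change that guard to the same AdminUserWikiName comparison. Separately, the loop test if ( $user eq $curuser ) now matches only list entries written as wiki names. The report above shows entries given as a login name ('unixuser') and as a group ('AdminGroup'), so the checker's warning can still disagree with what configure actually enforces for those entries. It is worth documenting in a comment which identifier forms the list is expected to hold, and deciding what $curuser should be when the user has no wiki name.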
--
GeorgeClark - 05 Sep 2016