Item14169: Verification for {FeatureAccess}{Configure} in configure fails to handle login names.

Priority: Normal
Current State: Closed
Released In: 2.1.3
Target Release: patch
Applies To: Extension
Component: Configure
Branches: Release02x01 master Item13897 Item14152 Item14380 Item14537
Reported By: StefanH
Waiting For:
Last Change By: GeorgeClark
Condition: Authentication using Kerberos with "MyWikiUser -- unixuser"

First case: {FeatureAccess}{Configure} is set to 'MyWikiUser'.

Result: The user can access configure. But an error message is written: "Current user not in this list, and is locked out, If you save the configuration, you'll lose access to configure!"

Second case: {FeatureAccess}{Configure} is set to 'unixuser'.

Result: The user cannot access configure, but no error message is written.

-- StefanH - 05 Sep 2016

Problem in the checker: lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm

In line 56, $curuser equals the unixuser, not the WikiUser.

-- TestUser333 - 05 Sep 2016

Adding this second line did not help: my $curuser = Foswiki::Func::getCanonicalUserID(); $curuser = Foswiki::Func::getWikiName($curuser);

-- TestUser333 - 05 Sep 2016

Further note: When setting {FeatureAccess}{Configure} to 'AdminGroup' while 'MyWikiUser' was a member of AdminGroup, this did not work, i.e. MyWikiUser could not access configure anymore! When setting it to '' (empty) MyWikiUser could access configure again.

-- TestUser333 - 05 Sep 2016

I've got a possible fix, but I'm concerned that it is incomplete. The issue is that it assumes that users always have wiki names, which may not be true when using external authentication.
diff --git a/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm b/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm
index 7eb04ef..dc46bab 100644
--- a/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm
+++ b/core/lib/Foswiki/Configure/Checkers/FeatureAccess/Configure.pm
@@ -50,20 +50,21 @@ You should either set the _internal admin_ password, or add users to this list w
     my $passed = '';   # Set to true if current user is allowed to use configure
 
     my $curuser = Foswiki::Func::getCanonicalUserID();
+    $curuser = Foswiki::Func::getWikiName($curuser);
 
     unless ( $Foswiki::cfg{isBOOTSTRAPPING}
         || !$Foswiki::cfg{FeatureAccess}{Configure}
         || ( $curuser eq 'BaseUserMapping_333' ) )
     {
         foreach my $user (@Authorized) {
-            if ( $user eq Foswiki::Func::getCanonicalUserID() ) {
+            if ( $user eq $curuser ) {
                 $passed = 1;
                 last;
             }
         }
         $reporter->ERROR(
-"Current user not in this list, and is locked out, If you save the configuration, you'll lose access to configure!"
-        ) unless ( $passed || $curuser eq 'BaseUserMapping_333' );
+"Current user $curuser  not in this list, and is locked out, If you save the configuration, you'll lose access to configure!"
+        ) unless ( $passed || $curuser eq $Foswiki::cfg{AdminUserWikiName} );
     }
 
 }
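
Review bot: the guard in the unless condition still tests $curuser eq 'BaseUserMapping_333', but after the added getWikiName call $curuser holds a wiki name rather than a canonical user ID, so that test is now inconsistent with the rest of the hunk. The closing unless was switched to $Foswiki::cfg{AdminUserWikiName}; either switch the guard the same way or keep the canonical ID in a separate variable and use it for that test. There is also no fallback for the case raised in the description, where an externally authenticated user has no wiki name; comparing each list entry against both the wiki name and the canonical ID would make the checker tolerant of that. Minor: the new error message has a double space after $curuser.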

-- GeorgeClark - 05 Sep 2016
 
Topic revision: r10 - 28 Mar 2018, GeorgeClark