Item10131: TopicUserMapping loses creation date when updating existing user

Priority: Urgent
Current State: Closed
Released In: 1.1.3
Target Release: patch
Applies To: Extension
Component: TopicUserMappingContrib
Reported By: KerstinPuschke
Waiting For:
Last Change By: KennethLavrsen
When registering a user whose wikiname already has an entry in WikiUsers, TopicUserMapping updates the entry (that is, updates the login name) but keeps the original creation date of the user. This is broken if Foswiki is configured to have $Foswiki::cfg{DefaultDateFormat} different from the Foswiki default: the date is replaced by the empty string. lib/Foswiki/Users/ (line 381) uses a hardcoded regexp for the date format which matches dd Mmm yyyy but does not match, for example,

-- KerstinPuschke - 06 Dec 2010

This is goofy.

You are not supposed to be able to register a user if he is already in the WikiUsers topic.

So the bug is actually to make sure such an action is rejected.

Maybe the reporter removes the Main topic first before a re-register. But in any case, the code needs to be independent of date format and also reject re-registration even if the person is only in the WikiUsers but his topic is removed.

-- KennethLavrsen - 11 Dec 2010

I have confirmed that on an out-of-box Foswiki you cannot register again with the same WikiName but new login name.

So how did you do this Kerstin?

I can also see that the code suggests that with some right feature in core it is possible to change a user and there the hardcoded timestamp regex will fail. That needs to change and I will do that.

But I still want to understand how the user was changed. It would be a security issue if a new person can register taking over another person's WikiName and I have confirmed that this is not possible.

-- KennethLavrsen - 11 Dec 2010

That's how it works: Set Passwordmanager to none. Register a user with a WikiName and a LoginName. Remove the user's personal topic. Now register another user with the same WikiName and a different LoginName. The entry in WikiUsers is updated to map the WikiName to the new LoginName.

I agree that this is something you hardly want to do in production, and if you want to map an existing WikiName to a new LoginName, you can still do it in WikiUsers. I stumbled upon it while playing around with the registration procedure in order to customize it (I know that we can subclass from TopicUserMapping and have our own PasswordManager, but this may or may not be sufficient for our purposes.)

-- KerstinPuschke - 13 Dec 2010

OK. So you removed the user's topic first before the re-registration. Good. So no security issue.

But still - why did someone write the code so that you can replace an already added entry in WikiUsers? That seems like a potential security issue in another context where someone writes their own external password code and does not have user topics.

I would feel better if the code refuses registration of anyone already in the WikiUsers except if that someone is an admin.

-- KennethLavrsen - 20 Dec 2010

I have fixed the broken code. But the fix is a quick hack which will break again IF someone some day adds additional {DefaultDateFormat} formats.

But I would like to question the validity that you should be able to add a user whose entry is already in WikiUsers.

-- KennethLavrsen - 06 Mar 2011
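
One way to cover both points raised in this thread, as an added example that is not Foswiki's own code: carry the stored creation date over verbatim instead of matching it against a date pattern, and refuse to touch an existing WikiUsers entry unless the caller is an admin. The entry layout (`* WikiName - login - date`, fields separated by ` - `), the function names and the sample entries are assumptions made for the illustration.

```perl
use strict;
use warnings;

# Parse one WikiUsers bullet without assuming any date format.
# Assumed layout (not taken from the page): "   * WikiName - login - date"
# or "   * WikiName - date", with fields separated by " - ".
sub parse_entry {
    my ($line) = @_;
    my ($body) = $line =~ /^\s+\*\s+(.*?)\s*$/ or return;
    my @f = split /\s+-\s+/, $body;
    return unless @f == 2 || @f == 3;
    my $date = pop @f;    # last field is the date, kept as an opaque string
    my ( $wikiname, $login ) = @f;    # $login is undef for two-field entries
    return +{ wikiname => $wikiname, login => $login, date => $date };
}

# Returns (line_to_write, undef) on success or (undef, reason) on refusal.
# An existing WikiName is only remapped for an admin, and keeps its old date.
sub register_line {
    my ( $lines, $wikiname, $login, $today, $is_admin ) = @_;
    for my $line (@$lines) {
        my $e = parse_entry($line) or next;
        next unless $e->{wikiname} eq $wikiname;
        return ( undef, "$wikiname already has an entry in WikiUsers" )
          unless $is_admin;
        return ( "   * $wikiname - $login - $e->{date}", undef );
    }
    return ( "   * $wikiname - $login - $today", undef );
}

# Constructed sample entries using three different date formats.
my @wikiusers = (
    '   * AliceExample - alice - 06 Dec 2010',
    '   * BobExample - bob - 2010-12-06',
    '   * CarolExample - 06.12.2010',
);
for my $case (
    [ 'BobExample',   'bob2',  0 ],    # existing name, non-admin: refused
    [ 'BobExample',   'bob2',  1 ],    # admin remap: ISO date preserved
    [ 'CarolExample', 'carol', 1 ],    # admin adds login: dotted date preserved
    [ 'DaveExample',  'dave',  0 ],    # new name: gets today's date
) {
    my ( $line, $err ) =
      register_line( \@wikiusers, @$case[ 0, 1 ], '13 Dec 2010', $case->[2] );
    print defined $line ? "write:   $line\n" : "refused: $err\n";
}
```

Splitting on ` - ` would misparse a date format that itself contains a spaced hyphen, so a real implementation would need to confirm the separator against the configured {DefaultDateFormat} values.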


ItemTemplate

Summary TopicUserMapping loses creation date when updating existing user
ReportedBy KerstinPuschke
Codebase 1.1.2
SVN Range
AppliesTo Extension
Component TopicUserMappingContrib
Priority Urgent
CurrentState Closed
Checkins distro:5ff1833e735d distro:fdc3cd0f514c
TargetRelease patch
ReleasedIn 1.1.3
Topic revision: r11 - 16 Apr 2011, KennethLavrsen