View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0011351 | mantisbt | administration | public | 2010-01-06 13:15 | 2014-12-22 08:24 |
Reporter | wgodin | Assigned To | dhx | ||
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | git trunk | ||||
Target Version | 1.2.4 | Fixed in Version | 1.2.4 | ||
Summary | 0011351: User Real Name and E-Mail values deleted | ||||
Description | Having set authentication to LDAP, updating any user which "Real Name" and "Email" values have been pulled from LDAP server deletes those values. | ||||
Steps To Reproduce | Set LDAP login method in config_inc.php : $g_login_method = LDAP; Previously set "Real Name" and "Email" fields are lost. | ||||
Tags | patch | ||||
Attached Files | Fix-11351.patch (4,545 bytes)
From ff0dc92f1810612680db88aa2156a3b5922e2958 Mon Sep 17 00:00:00 2001 From: Damien Regad <damien.regad@merckserono.net> Date: Wed, 20 Oct 2010 18:07:45 +0200 Subject: [PATCH] Fix #11351: Do not delete email or realname when editing user with LDAP When connecting to Mantis with LDAP and either use_ldap_email or use_ldap_realname = ON, that field is set to blank when the user edits their profile (account_page.php). The same happens when either or both of the above options are ON and the administrator updates a user from manage_user_edit_page.php. --- account_page.php | 53 +++++++++++++++++++++++--------------------- manage_user_edit_page.php | 26 ++++++++++++++++------ 2 files changed, 47 insertions(+), 32 deletions(-) diff --git a/account_page.php b/account_page.php index 2c9790e..bc9058b 100644 --- a/account_page.php +++ b/account_page.php @@ -176,20 +176,6 @@ <?php } // End LDAP conditional -if ( $t_ldap && ON == config_get( 'use_ldap_email' ) ) { ?> <!-- With LDAP Email--> - - <!-- Email --> - <tr <?php echo helper_alternate_class() ?>> - <td class="category"> - <?php echo lang_get( 'email' ) ?> - </td> - <td> - <?php echo $u_email ?> - </td> - </tr> - -<?php } else { ?> <!-- Without LDAP Email --> - <!-- Email --> <tr <?php echo helper_alternate_class() ?>> <td class="category"> @@ -197,13 +183,22 @@ if ( $t_ldap && ON == config_get( 'use_ldap_email' ) ) { ?> <!-- With LDAP Email </td> <td> <?php - $t_show_update_button = true; - print_email_input( 'email', $u_email ); + // With LDAP + if ( $t_ldap && ON == config_get( 'use_ldap_email' ) ) { + echo $u_email + ?> + <input type="hidden" name="email" value="<?php echo string_attribute( $u_email ) ?>" /> + <?php + } + // Without LDAP + else { + $t_show_update_button = true; + print_email_input( 'email', $u_email ); + } ?> </td> </tr> -<?php } ?> <!-- End LDAP Email conditional --> <!-- Realname --> <tr <?php echo helper_alternate_class() ?> valign="top"> @@ -211,14 +206,22 @@ if ( $t_ldap && ON == config_get( 'use_ldap_email' ) ) { ?> <!-- With LDAP Email <?php echo lang_get( 'realname' ) ?> </td> <td> -<?php -if ( $t_ldap && ON == config_get( 'use_ldap_realname' ) ) { - echo string_display( ldap_realname_from_username( $u_username ) ); -} else { - $t_show_update_button = true; -?> - <input type="text" size="32" maxlength="<?php echo REALLEN;?>" name="realname" value="<?php echo string_attribute( $u_realname ) ?>" /> -<?php } ?> + <?php + // With LDAP + if ( $t_ldap && ON == config_get( 'use_ldap_realname' ) ) { + echo string_display( ldap_realname_from_username( $u_username ) ); + ?> + <input type="hidden" name="realname" value="<?php echo string_attribute( ldap_realname_from_username( $u_username ) ) ?>" /> + <?php + } + // Without LDAP + else { + $t_show_update_button = true; + ?> + <input type="text" size="32" maxlength="<?php echo REALLEN;?>" name="realname" value="<?php echo string_attribute( $u_realname ) ?>" /> + <?php + } + ?> </td> </tr> diff --git a/manage_user_edit_page.php b/manage_user_edit_page.php index 4ac18d4..2c66b72 100644 --- a/manage_user_edit_page.php +++ b/manage_user_edit_page.php @@ -88,12 +88,18 @@ </td> <td width="70%"> <?php - if ( !$t_ldap || config_get( 'use_ldap_realname' ) == OFF ) { + // With LDAP + if ( $t_ldap && ON == config_get( 'use_ldap_realname' ) ) { + echo string_display( user_get_realname( $f_user_id ) ); + ?> + <input type="hidden" name="realname" value="<?php echo string_attribute( user_get_realname( $f_user_id ) ) ?>" /> + <?php + } + // Without LDAP + else { ?> <input type="text" size="16" maxlength="<?php echo REALLEN;?>" name="realname" value="<?php echo string_attribute( $t_user['realname'] ) ?>" /> <?php - } else { - echo string_display( user_get_realname( $f_user_id ) ); } ?> </td> @@ -106,11 +112,17 @@ </td> <td> <?php - if ( !$t_ldap || config_get( 'use_ldap_email' ) == OFF ) { - print_email_input( 'email', $t_user['email'] ); - } else { + // With LDAP + if ( $t_ldap && ON == config_get( 'use_ldap_email' ) ) { echo string_display( user_get_email( $f_user_id ) ); - } + ?> + <input type="hidden" name="email" value="<?php echo user_get_email( $f_user_id ) ?>" /> + <?php + } + // Without LDAP + else { + print_email_input( 'email', $t_user['email'] ); + } ?> </td> </tr> -- 1.7.1 | ||||
Following patch maintains email and realname fields if LDAP authentication is used:
|
|
As part of my testing for 0012402, I noticed similar behavior with the user's "My Account" page. To reproduce:
==> Mantis displays: The realname is now blank, until the user's next login (when it is reset to its LDAP value) This is with 1.2.1. Following gordon1986's logic in the previous note, I added hidden fields for LDAP-maintained values in account_page.php, which seem to resolve the problem for me. --- ../1.2.1/mantisbt/account_page.php 2010-08-25 18:28:22.000000000 +0200
@@ -214,6 +215,9 @@
|
|
Related to 0005175 |
|
Yaaay !! My first "official" code contribution to Mantis :-) Thanks David |
|
Thanks Damien, good work with the patch! It's great to have patches from new contributors. I have supplied some feedback on your patch and the changes I've made to the developer mailing list. Hopefully there is some assistance there to help you with any future patches you contribute to MantisBT. I haven't tested these commits with LDAP enabled (only without it enabled). I would therefore appreciate it if someone could run some tests to see if things work as expected with LDAP enabled. Just reopen this bug if the problem isn't fixed. Thanks! |
|
I confirm successful completion of following tests, with $g_login_method = LDAP :
Damien |
|
MantisBT: master 1aa11780 2010-10-20 12:07 Damien Regad Committer: dhx Details Diff |
Fix 0011351: Do not delete email or realname when editing user with LDAP When connecting to Mantis with LDAP and either use_ldap_email or use_ldap_realname = ON, that field is set to blank when the user edits their profile (account_page.php). The same happens when either or both of the above options are ON and the administrator updates a user from manage_user_edit_page.php. The original patch from Damien was updated to fix a few minor bugs and more importantly, to resolve a number of potential XSS vulnerabilities. Co-contributed-by: David Hicks <hickseydr@optusnet.com.au> Signed-off-by: David Hicks <hickseydr@optusnet.com.au> |
Affected Issues 0011351 |
|
mod - core/print_api.php | Diff File | ||
mod - account_page.php | Diff File | ||
mod - manage_user_edit_page.php | Diff File | ||
MantisBT: master-1.2.x 99e7eedc 2010-10-20 12:07 Damien Regad Committer: dhx Details Diff |
Fix 0011351: Do not delete email or realname when editing user with LDAP When connecting to Mantis with LDAP and either use_ldap_email or use_ldap_realname = ON, that field is set to blank when the user edits their profile (account_page.php). The same happens when either or both of the above options are ON and the administrator updates a user from manage_user_edit_page.php. The original patch from Damien was updated to fix a few minor bugs and more importantly, to resolve a number of potential XSS vulnerabilities. Co-contributed-by: David Hicks <hickseydr@optusnet.com.au> Signed-off-by: David Hicks <hickseydr@optusnet.com.au> |
Affected Issues 0011351 |
|
mod - manage_user_edit_page.php | Diff File | ||
mod - core/print_api.php | Diff File | ||
mod - account_page.php | Diff File | ||
MantisBT: master-1.2.x 7672ca3d 2010-10-22 06:59 Details Diff |
Fix 0011351: Real name and email should not be updated via GPC (LDAP) When LDAP is being used for retrieving the user real name and/or email address we should not provide any way for MantisBT forms to update these fields manually via GPC parameters to account_update and manage_user_update. Thus we don't need (and never wanted to) send hidden fields with forms containing the current LDAP details. A user could maliciously change these values by crafting their own HTTP POST queries to the server. |
Affected Issues 0011351 |
|
mod - manage_user_update.php | Diff File | ||
mod - account_page.php | Diff File | ||
mod - manage_user_edit_page.php | Diff File | ||
mod - account_update.php | Diff File | ||
MantisBT: master 71ad8c6f 2010-10-22 06:59 Details Diff |
Fix 0011351: Real name and email should not be updated via GPC (LDAP) When LDAP is being used for retrieving the user real name and/or email address we should not provide any way for MantisBT forms to update these fields manually via GPC parameters to account_update and manage_user_update. Thus we don't need (and never wanted to) send hidden fields with forms containing the current LDAP details. A user could maliciously change these values by crafting their own HTTP POST queries to the server. |
Affected Issues 0011351 |
|
mod - manage_user_edit_page.php | Diff File | ||
mod - account_page.php | Diff File | ||
mod - account_update.php | Diff File | ||
mod - manage_user_update.php | Diff File | ||
MantisBT: master-1.2.x 5f24068e 2010-10-22 07:19 Details Diff |
Issue 0011351: Fix variable names for $t_email Fixes commit 7672ca3d7f00 whereby some old variable names were not updated correctly. We're now using $t_email for comparisons instead of the direct user-supplied $f_email. |
Affected Issues 0011351 |
|
mod - manage_user_update.php | Diff File |