View Issue Details

ID: 0029517
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2023-10-31 16:32
Reporter: jon5477
Assigned To: community
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.25.2
Target Version: 2.26.0
Fixed in Version: 2.26.0
Summary: 0029517: Login redirection to plugin credentials page for non-existent user
Description

A login redirection to an authentication plugin's credential page does not happen if the user does not currently exist in the database.

This issue happens due to the following line:
https://github.com/mantisbt/mantisbt/blob/14f37a80ef7ae0ee948572389f57a7334634b7d8/login_password_page.php#L85

If the user does not exist in the DB, $t_user_id is false and auth_credential_page is never called. auth_credential_page should be called so that any authentication plugin has an opportunity to handle the case where the user does not exist in the DB (i.e. auto-provisioning of users).

Steps To Reproduce

1. Make sure you have an authentication plugin installed that hooks the EVENT_AUTH_USER_FLAGS event and sets the credentials page in the AuthFlags object it returns.
2. Go to the main mantis root page /
3. Clear all browser cookies, make sure the current administrator password is not "root", and make sure the admin directory does not exist.
4. Log in with a user that does not exist in the database.
5. Verify that the URL is "/login_password_page.php" and not "/plugin.php?page=auth/login_password_page".

Additional Information

Make sure the authentication plugin sets the credential page (see example code)

```php
// Inside the plugin's EVENT_AUTH_USER_FLAGS handler: ask MantisBT to send logins
// to the plugin's own credentials page instead of the core login_password_page.php.
$t_flags = new AuthFlags();
$t_flags->setCredentialsPage( plugin_page( 'login_password_page', true ) );
```
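The following is an added, self-contained illustration of the redirect decision this report describes; it is not MantisBT's code and the `AuthFlags` class, `plugin_auth_user_flags`, `lookup_user_id`, `redirect_target_flawed` and `redirect_target_fixed` are simplified stand-ins chosen for the example. It contrasts the flawed branch, which only consults the plugin's AuthFlags once a user row has been found, with the corrected one, which consults the plugin for every login so that an auto-provisioning plugin can handle an unknown username.

```php
<?php
// Added illustrative example, not MantisBT's own code. Class and function names
// are simplified stand-ins for the ones in core/authentication_api.php and
// login_password_page.php. Requires PHP 8.0 or later (int|false union type).

final class AuthFlags {
    private ?string $credentialsPage = null;

    public function setCredentialsPage( string $p_page ): void {
        $this->credentialsPage = $p_page;
    }

    public function getCredentialsPage(): ?string {
        return $this->credentialsPage;
    }
}

// Stand-in for an auth plugin's EVENT_AUTH_USER_FLAGS handler. The plugin wants
// every login routed through its own page, whether or not the user exists yet,
// so that it can auto-provision unknown users.
function plugin_auth_user_flags( ?int $p_user_id, string $p_username ): AuthFlags {
    $t_flags = new AuthFlags();
    $t_flags->setCredentialsPage( '/plugin.php?page=auth/login_password_page' );
    return $t_flags;
}

// Stand-in for the user lookup; returns false when the username is unknown.
function lookup_user_id( string $p_username ): int|false {
    $t_users = [ 'administrator' => 1, 'alice' => 2 ]; // constructed sample data
    return $t_users[ $p_username ] ?? false;
}

// Flawed decision: the plugin is consulted only when the lookup succeeded, so an
// unknown username always lands on the core page and the plugin never sees it.
function redirect_target_flawed( string $p_username ): string {
    $t_user_id = lookup_user_id( $p_username );
    if( $t_user_id !== false ) {
        $t_flags = plugin_auth_user_flags( $t_user_id, $p_username );
        if( $t_flags->getCredentialsPage() !== null ) {
            return $t_flags->getCredentialsPage();
        }
    }
    return '/login_password_page.php';
}

// Corrected decision: consult the plugin regardless of whether the user exists,
// passing null for the id so the plugin can decide how to handle that case.
function redirect_target_fixed( string $p_username ): string {
    $t_user_id = lookup_user_id( $p_username );
    $t_flags = plugin_auth_user_flags( $t_user_id === false ? null : $t_user_id, $p_username );
    return $t_flags->getCredentialsPage() ?? '/login_password_page.php';
}

// Usage: repeat the report's check for a known user and for one not in the DB.
foreach( [ 'alice', 'nobody' ] as $t_name ) {
    printf( "%-8s flawed=%s  fixed=%s\n", $t_name,
        redirect_target_flawed( $t_name ), redirect_target_fixed( $t_name ) );
}
```

Running it with `php` shows the two functions agreeing for the existing user and differing for the unknown one: only the corrected decision sends the non-existent user to the plugin page, which is the behaviour step 5 of the reproduction checks for. The design point is that the core login page should not make the existence of a user row a precondition for handing control to the configured authentication plugin.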

Tags: No tags attached.

Relationships

has duplicate: 0027836 (closed, dregad) The EVENT_AUTH_USER_FLAGS event does not fire if the user does not exist in the DB

Activities

dregad (developer), 2022-01-28 16:17, ~0066205

PR https://github.com/mantisbt/mantisbt/pull/1792

@jon5477 I have not analyzed in detail, but this seems to be a duplicate of 0027836. Can you please confirm?

jon5477 (reporter), 2022-01-28 16:36, ~0066206

It could be considered a duplicate, but this fixes it while maintaining compatibility with the fix made in 0025061. It also addresses another redirection flaw that was mentioned in the PR.

Related Changesets

MantisBT: master 76f01f8d

2022-02-14 19:10

jon5477

Committer: community

Auth plugin events not fired for non-existent users

Handle auth_flags edge cases which break certain authentication plugins
Fix login redirection for auth plugin.

Fixes 0027836, 0029517, PR https://github.com/mantisbt/mantisbt/pull/1792
Affected Issues: 0027836, 0029517
Changed files:
mod - core/authentication_api.php
mod - login_password_page.php