PacketFence
Bug Tracking System

ID: 0000761
Project: PacketFence
Category: core
View Status: public
Date Submitted: 2009-08-11 09:26
Last Update: 2012-02-29 10:58
Reporter: obilodeau
Assigned To: obilodeau
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
PlatformOSOS Version
Product Version 
Target VersionFixed in Version 
Summary: 0000761: Registration credentials stored in session allow user to re-register without entering username / password
Description: Affects local auth module.


Steps to reproduce:

1. Connect to a packetfence managed switch with an unregistered device
2. Register using local auth (username / password in web captive portal)
3. De-register the node using web interface or SQL query
4. Re-open captive portal page; when you click to register, you get registered right away without inputting user / pass.

It's most likely a session issue, the credentials should be wiped from the session.

Need to test:
- Is the session persistent or not? If I close the browser, do I need to enter user/pass again to re-register, if so this bug is not really important since it'll mostly happen during devel/testing.
Tags: No tags attached.
fixed in git revision
fixed in mtn revision
Attached Files

- Relationships

-  Notes
(0001438)
obilodeau (reporter)
2009-12-10 10:35

The session is not persistent so closing / re-opening the browser seems to remove stored credentials but it's still pissing off Regis enough that he wrote a little patch:

--- web.pm.old	2009-12-08 14:20:47.000000000 -0800
+++ web.pm	2009-12-08 14:22:20.000000000 -0800
@@ -484,9 +484,9 @@
 
     my ( $cgi, $session ) = @_;
     my $logger = Log::Log4perl::get_logger('pf::web');
-    if ( $session->param("login") ) {
-        return ( 1, 0 );    # if logged in, don't bother going further
-    }
+#    if ( $session->param("login") ) {
+#        return ( 1, 0 );    # if logged in, don't bother going further
+#    }
     if (   $cgi->param("login")
         && $cgi->param("password")
         && $cgi->param("auth") )
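
Review bot: The three lines at the top of the hunk are commented out rather than deleted, which leaves dead code (including the now misleading "if logged in, don't bother going further" comment) in the authentication path; delete them and add a one-line comment saying why a "login" value in the session no longer short-circuits the check. Two things to confirm before this goes in. First, with the early return ( 1, 0 ) gone, every call falls through to the test on $cgi->param("login"), $cgi->param("password") and $cgi->param("auth"), so any caller that relied on an already authenticated session will now require credentials on each request. Second, the hunk stops reading $session->param("login") but does nothing to clear it, so the value stays in the session and any other code that still trusts it is unaffected by this change.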


I'll now investigate if this was a real "feature" or if it's just something that was done like that for no reason. If it's the latter, then I'll apply the patch to mtn.
(0001439)
obilodeau (reporter)
2009-12-10 11:21

Was introduced before monotone history.

Read the code and aside from having to re-login when viewing status page or to deregister, I see no change from current behavior.

Searched mailing list archive without any findings related to that behavior.

I'll consider this a bug and fix it.
(0001440)
obilodeau (reporter)
2009-12-10 11:38

fixed in 1.8 branch at monotone rev: 7a8b920c5ac95d7b830c45af80832f0b358744e3
will be ported to 1.9 branch
(0001441)
obilodeau (reporter)
2009-12-10 11:40

Reminder sent to: rbalzard

Fix applied to prevent the annoying automatic re-registration.

- Issue History
Date Modified Username Field Change
2009-08-11 09:26 obilodeau New Issue
2009-08-19 15:55 obilodeau Status new => assigned
2009-08-19 15:55 obilodeau Assigned To => obilodeau
2009-12-10 10:35 obilodeau Note Added: 0001438
2009-12-10 11:21 obilodeau Note Added: 0001439
2009-12-10 11:38 obilodeau Note Added: 0001440
2009-12-10 11:38 obilodeau Status assigned => resolved
2009-12-10 11:38 obilodeau Resolution open => fixed
2009-12-10 11:40 obilodeau Note Added: 0001441
2011-01-26 15:43 obilodeau Status resolved => closed
2011-06-17 17:24 obilodeau Relationship added related to 0001227
2011-06-17 17:24 obilodeau Relationship deleted related to 0001227
2012-02-29 10:58 obilodeau Category future => core

