ID: 17542
Project: Bug reports
Category: Authentication
View Status: public
Last Update: 2023-02-08 13:27
Reporter: c_schmitz
Assigned To: c_schmitz
Priority: low
Severity: block
Status: acknowledged
Resolution: open
Product Version: 5.x
Target Version: 5.0.0dev
Summary: 17542: Authwebserver plugin not working anymore
Description

The Authwebserver plugin does not work anymore and no longer protects the administration properly.

This is because some administrative URLs don't use the /admin prefix anymore after refactoring some controllers.
For example, when creating a survey the URL is currently

/index.php/surveyAdministration/newSurvey

A webserver authentication applied to /admin would not work here.

Tags: No tags attached.
Bug heat: 28
I will donate to the project if issue is resolved: No

Relationships

has duplicate: 17860 (closed, gabrieljenik) Some controllers don't honor authwebserver plugin

Activities

c_schmitz (administrator), 2021-08-26 10:27, note ~66149

Last edited: 2021-08-26 11:24

Some considerations:

  • The Authwebserver plugin is rarely used, so the issue is considered to be low priority.
  • We cannot just move the refactored controllers to /admin because the old and new way to call controllers would collide.
  • It makes sense, path-wise, to have the controllers in a directory, to have a clear separation between survey-taking and administration.

How to fix this:

  • Establish a differently named subdirectory in /controllers, for example /administration.
  • Move the refactored controllers there, correct paths/views etc.
  • Keep refactoring old controllers.

This would allow webauth to be used if applied on the /admin and /administration directories.

This should happen in the dev branch because moving the controllers is quite extensive.
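
The prefix gap the description reports and the /administration directory proposed in the note above, as an added example (Python, not LimeSurvey's own code): a small audit that checks each administrative route against the path prefixes a webserver auth rule protects and lists the routes that would be served without webserver authentication. The `/index.php/` path format, the prefix lists and the third sample route (where a moved controller would live) are assumptions; only the first two routes are taken from the issue.

```python
"""Added example (not LimeSurvey code): audit which admin routes a path-prefix
webserver auth rule actually covers, using the routes quoted in this issue."""

# Constructed sample: prefixes that a webserver auth rule protects, as an Apache
# <Location> block would, with LimeSurvey's "path" URL format (/index.php/...).
PREFIXES_BEFORE = ["/index.php/admin"]
PREFIXES_AFTER = ["/index.php/admin", "/index.php/administration"]

# Constructed sample routes. The first two come from the issue; the third is a
# hypothetical placeholder for where the proposed plan would move the controller.
ADMIN_ROUTES = [
    "/index.php/admin/survey/sa/index",            # old-style controller
    "/index.php/surveyAdministration/newSurvey",   # refactored, quoted in the issue
    "/index.php/administration/newSurvey",         # hypothetical post-move path
]


def normalize(path):
    """Strip the query string and resolve '.', '..' and empty segments, so a route
    is judged on the path the webserver compares after its own normalization.
    Comparison stays case-sensitive; adapt if your webserver matches paths
    case-insensitively (IIS does)."""
    segments = []
    for seg in path.split("?", 1)[0].split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_protected(path, prefixes):
    """True if `path` sits at or below one of `prefixes` on a segment boundary,
    so "/index.php/admin" covers "/index.php/admin/x" but not "/index.php/adminx"."""
    p = normalize(path)
    for prefix in prefixes:
        pre = normalize(prefix)
        if p == pre or p.startswith(pre + "/"):
            return True
    return False


def uncovered(routes, prefixes):
    """Admin routes the webserver auth rule would pass through unauthenticated."""
    return [r for r in routes if not is_protected(r, prefixes)]


if __name__ == "__main__":
    for label, prefixes in (("before", PREFIXES_BEFORE), ("after", PREFIXES_AFTER)):
        print(f"{label}: uncovered admin routes -> {uncovered(ADMIN_ROUTES, prefixes)}")
```

Running it shows the point of the plan: adding an /administration prefix to the webserver rule closes nothing by itself; the refactored controllers also have to be moved under it, otherwise /index.php/surveyAdministration/newSurvey stays uncovered. The same function can be run over the full route list of an installation before an upgrade to see which actions rely on application-level permission checks alone.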

nohcho82 (reporter), 2021-08-27 12:10, note ~66155

Hello,
Many thanks for your response. Are there any other options?
Self user registration?
We are a University College and we have about 15K potential users. It was easy to log in with SSO with the college account.
Any other suggestions?

Thanks for any help.

galads (reporter), 2021-08-30 14:06, note ~66183

@nohcho82

I think the Authwebserver plugin is different from SSO (LimeSAML plugin). If you want to use SSO, this will work.

ollehar (administrator), 2021-09-17 16:14, note ~66521

Authwebserver plugin could be extended to check for "Administration" in the controller URL, perhaps?

nohcho82 (reporter), 2021-09-20 15:05, note ~66529

@galads
We have already used Authwebserver for 10 years with Shibboleth login. Can I use another alternative? Where can I download the LimeSAML plugin? How do I install it?
Thanks.

2BITS_PL (reporter), 2022-01-11 10:13, note ~67949

We are also interested in troubleshooting this plugin, because without it we cannot switch to LS5 in an organization with almost 14,000 potential users.

We would also like to know the details of the problem, because we have a dedicated plugin based on the same solution, but for the frontend in terms of identifying survey participants (automatic token assignment) in the intranet environment.

ollehar (administrator), 2022-01-11 11:41, note ~67951

The details of the problem are in the issue description above.

2BITS_PL (reporter), 2023-02-07 13:15, note ~73717

Has this issue been resolved after the patches 17654 and 18169 have been deployed?

I tried to simulate the problem (v5.4.12): when I go to the page /index.php/surveyAdministration/newSurvey, if I am not authenticated it returns 401 because it meets the condition in
application\core\plugins\Authwebserver\Authwebserver.php(95)

After authentication, if I don't have permission, "Access Denied" is returned. So I take it the problem is solved?

DenisChenu (developer), 2023-02-08 10:09, note ~73724

> After authentication, if I don't have permission, "Access Denied" is returned. So I take it the problem is solved?

Access denied and redirect?

Otherwise: this issue is not directly related to the 2 other fixes.

More on this line: https://github.com/LimeSurvey/LimeSurvey/blob/a0a3fe63fc54072ac4f71a1cd6f70f3af466af96/application/controllers/SurveyAdministrationController.php#L51 (throws a 401)
and https://github.com/LimeSurvey/LimeSurvey/blob/a0a3fe63fc54072ac4f71a1cd6f70f3af466af96/application/controllers/SurveyAdministrationController.php#L369 for the Access Denied.

nohcho82 (reporter), 2023-02-08 10:30, note ~73725

Hello, is there any simple way to get authwebserver working on the 5.x version? I think it is very important for many people. We still use version 3.x and can't upgrade to 5.x because of this.
Thanks.

DenisChenu (developer), 2023-02-08 10:37, note ~73726

@nohcho82 authwebserver works on 5.x.

But the issue can happen for some specific links.

2BITS_PL (reporter), 2023-02-08 10:52, note ~73728

@DenisChenu, and how do I simulate this problematic place?

Because if I go to a controller (backend) action that has permission verification (and most actions do), it triggers a redirect,
i.e. the newSurvey action: https://github.com/LimeSurvey/LimeSurvey/blob/a0a3fe63fc54072ac4f71a1cd6f70f3af466af96/application/controllers/SurveyAdministrationController.php#L369

The authentication page in IIS is the Authwebserver plugin, and since the user is not authenticated, he enters here:
https://github.com/LimeSurvey/LimeSurvey/blob/a0a3fe63fc54072ac4f71a1cd6f70f3af466af96/application/core/plugins/Authwebserver/Authwebserver.php#L93

Result: 401, which means that the problem has been solved.
I know that not all backend controller actions have permission checking. And there may be a problem here?

DenisChenu (developer), 2023-02-08 13:27, note ~73729

> I know that not all backend controller actions have permission checking. And there may be a problem here?

Yes, it seems OK in surveyAdministration, but some others can lack this.

At worst: doing a redirect (because a not-logged-in user doesn't have any permission) and only after that a 401.

But I think @c_schmitz wants to have a public part without Auth, and only the admin directory having the Auth part…

Some webservers can have WebAuth on some directory (Apache for example). That is the case needed here.

On some others (IIS): you need 2 different names or PORTs. I have an IIS where you need to connect to example.or:8080 to go to the admin part.
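
The per-directory WebAuth case mentioned above, as an added example of an Apache 2.4 configuration; this is not LimeSurvey's own configuration and it assumes LimeSurvey's "path" URL format (/index.php/...), Basic authentication with a placeholder htpasswd file (a Shibboleth deployment would use its own AuthType inside the same blocks) and the /administration directory proposed earlier in this issue.

```apache
# Added example, not LimeSurvey configuration. Paths, AuthName and the
# htpasswd file are placeholders.

# Rule as applied before the refactoring: only the /admin prefix is protected.
<Location "/index.php/admin">
    AuthType Basic
    AuthName "LimeSurvey administration"
    AuthUserFile "/etc/apache2/limesurvey.htpasswd"
    Require valid-user
</Location>

# Gap reported in the issue: the request below sits outside that prefix, so
# Apache serves it without authentication and Authwebserver gets no REMOTE_USER.
#   /index.php/surveyAdministration/newSurvey

# With the refactored controllers moved under /administration, replace the block
# above with one regex match covering both directories; the trailing (/|$)
# keeps the match on a segment boundary (e.g. /index.php/adminx is not matched).
<LocationMatch "^/index\.php/admin(istration)?(/|$)">
    AuthType Basic
    AuthName "LimeSurvey administration"
    AuthUserFile "/etc/apache2/limesurvey.htpasswd"
    Require valid-user
</LocationMatch>
```

The regex form is what makes the plan in this issue enforceable at the webserver: every administrative controller has to live under one of the two prefixes, and any route outside them falls back to whatever permission check the controller action itself performs, which, as noted above, not every action has.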

Issue History

Date Modified Username Field Change
2021-08-26 10:22 c_schmitz New Issue
2021-08-26 10:22 c_schmitz Status new => assigned
2021-08-26 10:22 c_schmitz Assigned To => c_schmitz
2021-08-26 10:22 c_schmitz Priority none => low
2021-08-26 10:22 c_schmitz Severity minor => block
2021-08-26 10:27 c_schmitz Note Added: 66149
2021-08-26 10:27 c_schmitz Bug heat 0 => 2
2021-08-26 10:29 c_schmitz Description Updated
2021-08-26 11:24 c_schmitz Note Edited: 66149
2021-08-27 12:10 nohcho82 Note Added: 66155
2021-08-27 12:10 nohcho82 Bug heat 2 => 4
2021-08-30 14:06 galads Note Added: 66183
2021-08-30 14:06 galads Bug heat 4 => 6
2021-08-30 14:06 galads Issue Monitored: galads
2021-08-30 14:06 galads Bug heat 6 => 8
2021-09-17 16:14 ollehar Note Added: 66521
2021-09-17 16:14 ollehar Bug heat 8 => 10
2021-09-17 16:16 ollehar Status assigned => acknowledged
2021-09-20 15:05 nohcho82 Note Added: 66529
2022-01-11 08:52 alorenc Issue Monitored: alorenc
2022-01-11 08:52 alorenc Bug heat 10 => 12
2022-01-11 08:54 2BITS_PL Issue Monitored: 2BITS_PL
2022-01-11 08:54 2BITS_PL Bug heat 12 => 14
2022-01-11 10:13 2BITS_PL Note Added: 67949
2022-01-11 10:13 2BITS_PL Bug heat 14 => 16
2022-01-11 11:16 DenisChenu Issue Monitored: DenisChenu
2022-01-11 11:16 DenisChenu Bug heat 16 => 18
2022-01-11 11:41 ollehar Note Added: 67951
2022-02-01 21:52 gabrieljenik Relationship added has duplicate 17860
2022-02-01 21:52 gabrieljenik Bug heat 18 => 26
2023-02-07 13:15 2BITS_PL Note Added: 73717
2023-02-08 10:09 DenisChenu Note Added: 73724
2023-02-08 10:09 DenisChenu Bug heat 26 => 28
2023-02-08 10:30 nohcho82 Note Added: 73725
2023-02-08 10:37 DenisChenu Note Added: 73726
2023-02-08 10:52 2BITS_PL Note Added: 73728
2023-02-08 13:27 DenisChenu Note Added: 73729