View Issue Details

This bug affects 1 person(s).
ID: 17798
Project: Bug reports
Category: Authentication
View Status: public
Last Update: 2022-01-15 10:55
Reporter: DenisChenu
Assigned To: galads
Priority: none
Severity: minor
Status: confirmed
Resolution: open
Product Version: 5.2.x
Summary: 17798: Set authwebserver as default didn't deactivate AuthDB usage
Description: User can still log in with AuthDB if Authwebserver is default

Steps To Reproduce:

Steps to reproduce
------------------------------
Set Authwebserver settings as ANOTHERKEY for server key
check "Check to make default authentication method (This disable Default LimeSurvey authentification by database)"
Unlog

Expected result
-------------------------
No way to login : 401 error.

Actual result
-----------------
See form and can log in.

Tags: No tags attached.
Bug heat: 6
Complete LimeSurvey version number (& build): 5.2.5
I will donate to the project if issue is resolved: No
Browser: not relevant
Database type & version: not relevant
Server OS (if known): not relevant
Webserver software & version (if known): not relevant
PHP Version: not relevant

Activities

DenisChenu (developer), 2021-12-12 13:52

gabrieljenik (manager), 2022-01-12 22:14, note ~67987

The issue here is that the key is not found on the server.
When that happens, the plugin is not used, so it uses authDb.

If the key is not found and default is checked, should it not show the form but throw some kind of error?

DenisChenu (developer), 2022-01-13 08:36, note ~67988

> When that happens, the plugin is not used, so it uses authDb.

It's the issue I think :)
It shows "This disable …"

Maybe do like AuthCas: https://github.com/univlorraine/limesurvey-cas

> When you're done, click on activate. Once done, it won't be possible to authenticate by another mechanism unless you use the specific url ls_url/index.php/admin/authentication/sa/login?noAuthCAS=true.

c_schmitz (administrator), 2022-01-13 13:12, note ~67994

IMHO authwebserver is in general broken.
The main reason is that some admin URLs are not under /admin anymore, right now.
This needs to be fixed first.

gabrieljenik (manager), 2022-01-13 15:13, note ~67996

I will fix this issue honoring the "This disable …" checkbox, even if the key doesn't match.
Then I will review the paths issue mentioned by c_schmitz.

Thanks!

DenisChenu (developer), 2022-01-13 16:03, note ~67997

Maybe it's more a "sentence help" issue ;)

gabrieljenik (manager), 2022-01-14 14:07, note ~68008

PR: https://github.com/LimeSurvey/LimeSurvey/pull/2210

@c_schmitz Can you tell me an example of these URLs not covered by the authwebserver?
I will open a new ticket later.

c_schmitz (administrator), 2022-01-14 16:55, note ~68028

Last edited: 2022-01-14 16:56

QuestionAdministrationController.php
QuestionGroupsAdministrationController.php
ResponsesController.php
SurveyAdministrationController.php
SurveysGroupsPermissionController.php
ThemeOptionsController.php
UserGroupController.php
UserManagementController.php
UserRoleController.php

and maybe a couple more

IMHO they cannot co-exist in the /admin subdirectory because the routing is different.

gabrieljenik (manager), 2022-01-14 20:27, note ~68030

All:
I would suggest a general config setting in the config files for switching to regular login in an emergency, just in case someone gets locked out. Ex: Set the AuthWebserver but the webserver is not properly set up, how do I log in again to deactivate the plugin?

@c_schmitz Will review the list. Thanks

DenisChenu (developer), 2022-01-15 10:55, note ~68031

@gabrieljenik: see my comment on the pull request. Maybe adding in plugin settings: "Default if not set too" to false by default?
Or «And, maybe a config['authwebserver_checkserverkey'] to true by default, not updatable via GUI (or updatable via GUI)»

About other controller : need to extend another controller ? And check access in run action ?
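
The fallback discussed in this thread, as an added example that is not part of the issue, the pull request or LimeSurvey's code: the reported fail-open selection next to a fail-closed one that honours the "default" checkbox and keeps a file-based emergency switch. The function names, the `is_default` and `serverkey` setting names and the `emergency_db_login` config key are hypothetical.

```php
<?php
// Added illustration, not LimeSurvey code. Every name below is hypothetical.
const USE_WEBSERVER = 'webserver'; // trust the identity set by the web server
const USE_AUTHDB    = 'authdb';    // show the database login form
const DENY          = 'deny';      // respond 401, no login form

// Reported behaviour: when the server key is missing the plugin steps aside,
// so the database form is offered even though "default" is checked.
function selectAuthFailOpen(array $server, array $plugin): string
{
    $user = $server[$plugin['serverkey']] ?? '';
    return $user !== '' ? USE_WEBSERVER : USE_AUTHDB;
}

// Fail-closed variant: "default" is honoured when the key is missing, and the
// database form is reachable only through a switch in the on-disk config.
function selectAuthFailClosed(array $server, array $plugin, array $fileConfig): string
{
    if (!empty($fileConfig['emergency_db_login'])) {
        return USE_AUTHDB; // break-glass for a locked-out administrator
    }
    $user = $server[$plugin['serverkey']] ?? '';
    if ($user !== '') {
        return USE_WEBSERVER;
    }
    return !empty($plugin['is_default']) ? DENY : USE_AUTHDB;
}

// Constructed input: the web server sets REMOTE_USER, but the plugin is
// configured to read ANOTHERKEY, as in the steps to reproduce.
$server = ['REMOTE_USER' => 'alice'];
$plugin = ['serverkey' => 'ANOTHERKEY', 'is_default' => true];

$cases = [
    'fail-open'                 => selectAuthFailOpen($server, $plugin),
    'fail-closed'               => selectAuthFailClosed($server, $plugin, []),
    'fail-closed, emergency on' => selectAuthFailClosed($server, $plugin, ['emergency_db_login' => true]),
    'fail-closed, key present'  => selectAuthFailClosed(['ANOTHERKEY' => 'alice'], $plugin, []),
];
foreach ($cases as $label => $decision) {
    printf("%-26s => %s\n", $label, $decision);
}
```

Keeping the emergency switch in a file on disk rather than in the GUI means only someone with access to the server can re-enable the database form.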

Issue History

Date Modified Username Field Change
2021-12-12 13:52 DenisChenu New Issue
2021-12-12 13:52 DenisChenu File Added: Capture d’écran du 2021-12-12 13-49-10.png
2021-12-13 13:16 galads Assigned To => galads
2021-12-13 13:16 galads Status new => acknowledged
2021-12-16 13:02 galads Status acknowledged => confirmed
2022-01-12 22:14 gabrieljenik Note Added: 67987
2022-01-12 22:14 gabrieljenik Bug heat 0 => 2
2022-01-13 08:36 DenisChenu Note Added: 67988
2022-01-13 08:36 DenisChenu Bug heat 2 => 4
2022-01-13 13:12 c_schmitz Note Added: 67994
2022-01-13 13:12 c_schmitz Bug heat 4 => 6
2022-01-13 15:13 gabrieljenik Note Added: 67996
2022-01-13 16:03 DenisChenu Note Added: 67997
2022-01-14 14:07 gabrieljenik Note Added: 68008
2022-01-14 16:55 c_schmitz Note Added: 68028
2022-01-14 16:56 c_schmitz Note Edited: 68028
2022-01-14 20:27 gabrieljenik Note Added: 68030
2022-01-15 10:55 DenisChenu Note Added: 68031