View Issue Details

IDProjectCategoryView StatusLast Update
0010837mantisbtauthenticationpublic2017-10-23 06:09
Reporteryw84ever Assigned To 
PrioritynormalSeverityminorReproducibilityhave not tried
Status acknowledgedResolutionopen 
Product Version1.2.0rc1 
Summary0010837: mantisbt username validation is case sensitive - undesired feature?

had a user who reported he could not log in with a mantis 1.2.0rc1 installation (had previously logged in successfully)

turns out the user was using an all lowercase username when attempting to login but the username listed in the db (the one used when signing up) contained mix case;

not sure it makes sense for the username to be case sensitive or if it does maybe i am missing it and am interested in an option to disable case sensitivity with the username

Additional Information

Parts of discussion from:

@atrol User names in MantisBT should be case insensitive.

Have a look at function user_is_name_unique.
It seems we rely on database case insensitivity for string comparison and case insensitivity for unique key. This works with MySQL and collation utf8_general_ci, not sure if this works with other databases.

PGSQL is case sensitive at least
However, in an ideal world, should we not be adding all usernames in lower case and doing a strtolower on them before DB insert?

IMO the best solution as WHERE lower(username) would require a function based index for good performance.
But function based indexing is not supported in all databases.

TagsNo tags attached.


has duplicate 0016536 closedatrol user name is case sensitive, leading to multiple user entries 
has duplicate 0023515 closedatrol Same user name can be created with different case names 




2009-08-17 21:06

reporter   ~0022743

also attempted to assign a user to the monitor list

noticed username was shown in the drop down as all lowercase

selected, clicked add to monitor list

mantis reported back that the all lowercase username does not exist



2009-09-05 08:18

reporter   ~0022886

In our environment, we have external autentication via LDAP.

We are using Mediawiki as a user provisioning system. With the help of some Mediawiki plugins, we are able to maintain users in our LDAP repository, provide self-service user registration and password reset. So, it's a very convenient zero-administration thing.

The problem is that all wikis AFAIK employ capitalized identifiers. Being an username just another identifier, comes that user "jmsmith" is displayed as "Jsmith" and also stored as "Jsmith" internally, in the Mediawiki database I mean. It also implies that the username is stored as "JSmith" in LDAP.

We changed the Mediawiki LDAP plugin in order to force usernames to be stored as all lowercase, no matter the way it was entered by the user. So, no matter if it was typed "jsmith", "Jsmith", "JSmith", "JSMITH" or whatever, Mediawiki will store intenally as "Jsmith" (as usual) and it will be stored in LDAP as "jsmith".

As I said in the beginning, our Mantis installation is using and external LDAP repository. So, it would be extremally convenient to first convert to lowercase before doing anything else.

What I observed is that Mantis created 2 users in it's internal database because a certain user typed it in different ways. When Mantis queried LDAP, it performed a non-case sensitive query and matched both "John" and "john", which implies that 2 users were created in Mantis database.

Thanks a lot :)



2009-09-05 09:12

reporter   ~0022887

I've circunvented the problem.
Only the dev team can judge if it is really the desired solution or not.
Anyway, the fix I describe here is good enough for me at the moment.

  1. Edit ./core/authentication_api.php
  2. Look for function auth_prepare_username
  3. Insert the block below into the switch statement:

            case LDAP:
                    $f_username = utf8_strtolower( $p_username );

Explanation: function auth_prepare_username is called just after the user fills in the login form and before the authentication request. Doing so, no matter what the user types, it will be considered all lowercase.



2009-12-16 21:22

reporter   ~0023923

I imagine this problem is going to require changes to a lot more than just the code dealing with user logins. We would need to go through the entirity of Mantis to ensure that every time we make a username comparison or lookup, we convert both strings being compared to either lowercase or uppercase.



2010-01-02 00:44

manager   ~0024019

Re-targeted for 1.3.x, this will require a lot of testing to make sure we don't break anything or have one use "John", login as another "john". I also don't consider it blocking in anyway for the 1.2.x release.



2011-04-08 10:01

reporter   ~0028571

Well, I have all users with usernames in upper case, just because these are their company mnemonics (nicknames, abbreviations, whatever) and read so much better in upper case.

But many of them forget to type it upper case at login. So I'd like to support this request for an option to ignore the case of usernames.



2014-04-28 01:25

developer   ~0040179

Added parts of Github PR discussion in additional information.