View Issue Details

ID: 0010837
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2017-10-23 06:09
Reporter: yw84ever
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: acknowledged
Resolution: open
Product Version: 1.2.0rc1
Target Version:
Fixed in Version:
Summary: 0010837: mantisbt username validation is case sensitive - undesired feature?
Description

had a user who reported he could not log in with a mantis 1.2.0rc1 installation (had previously logged in successfully)

turns out the user was using an all lowercase username when attempting to log in, but the username listed in the db (the one used when signing up) contained mixed case

not sure it makes sense for the username to be case sensitive, or if it does, maybe i am missing it, and am interested in an option to disable case sensitivity with the username

Additional Information

Parts of discussion from:
https://github.com/mantisbt/mantisbt/pull/159#issuecomment-41000258

vboctor:
@atrol User names in MantisBT should be case insensitive.

atrol:
Have a look at function user_is_name_unique.
It seems we rely on database case insensitivity for string comparison and case insensitivity for unique key. This works with MySQL and collation utf8_general_ci, not sure if this works with other databases.

grangeway:
PGSQL is case sensitive at least
However, in an ideal world, should we not be adding all usernames in lower case and doing a strtolower on them before DB insert?

atrol:
IMO the best solution as WHERE lower(username) would require a function based index for good performance.
But function based indexing is not supported in all databases.

Tags: No tags attached.

Relationships

has duplicate 0016536 closed atrol user name is case sensitive, leading to multiple user entries
has duplicate 0023515 closed atrol Same user name can be created with different case names
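
The behaviour discussed under Additional Information, as an added example that is not part of the original issue or MantisBT's code: a case-sensitive unique key accepts both "John" and "john", while a lowercased key column with an ordinary UNIQUE constraint rejects the second and needs no function-based index. SQLite stands in for a case-sensitive database, and the table, column and user names are constructed for illustration.

```python
import sqlite3

def open_db(normalized: bool) -> sqlite3.Connection:
    """In-memory stand-in for a user table (hypothetical table/column names).
    SQLite compares TEXT case-sensitively by default, like the PostgreSQL
    behaviour mentioned in the discussion."""
    db = sqlite3.connect(":memory:")
    if normalized:
        # Keep the name as typed for display; enforce uniqueness on a
        # lowercased key column with a plain UNIQUE constraint.
        db.execute("CREATE TABLE users (username TEXT NOT NULL,"
                   " username_key TEXT NOT NULL UNIQUE)")
    else:
        db.execute("CREATE TABLE users (username TEXT NOT NULL UNIQUE)")
    return db

def create_user(db, username: str, normalized: bool) -> bool:
    """Return True if inserted, False if the name is already taken."""
    try:
        if normalized:
            db.execute("INSERT INTO users VALUES (?, ?)",
                       (username, username.lower()))
        else:
            db.execute("INSERT INTO users VALUES (?)", (username,))
        return True
    except sqlite3.IntegrityError:
        return False

def find_user(db, typed: str, normalized: bool):
    """Return the stored username for what was typed at login, or None."""
    if normalized:
        sql, arg = "SELECT username FROM users WHERE username_key = ?", typed.lower()
    else:
        sql, arg = "SELECT username FROM users WHERE username = ?", typed
    row = db.execute(sql, (arg,)).fetchone()
    return row[0] if row else None

def demo(normalized: bool):
    """Register two names differing only in case, then log in as 'JOHN'."""
    db = open_db(normalized)
    created = [create_user(db, n, normalized) for n in ("John", "john")]
    return created, find_user(db, "JOHN", normalized)

if __name__ == "__main__":
    print("case-sensitive key:", demo(False))
    print("lowercased key:    ", demo(True))
```
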

Activities

yw84ever

2009-08-17 21:06

reporter   ~0022743

also attempted to assign a user to the monitor list

noticed username was shown in the drop down as all lowercase

selected, clicked add to monitor list

mantis reported back that the all lowercase username does not exist

rgomes1997

2009-09-05 08:18

reporter   ~0022886

In our environment, we have external authentication via LDAP.

We are using Mediawiki as a user provisioning system. With the help of some Mediawiki plugins, we are able to maintain users in our LDAP repository, provide self-service user registration and password reset. So, it's a very convenient zero-administration thing.

The problem is that all wikis AFAIK employ capitalized identifiers. A username being just another identifier, it follows that user "jmsmith" is displayed as "Jsmith" and also stored as "Jsmith" internally, in the Mediawiki database I mean. It also implies that the username is stored as "JSmith" in LDAP.

We changed the Mediawiki LDAP plugin in order to force usernames to be stored as all lowercase, no matter the way it was entered by the user. So, no matter if it was typed "jsmith", "Jsmith", "JSmith", "JSMITH" or whatever, Mediawiki will store it internally as "Jsmith" (as usual) and it will be stored in LDAP as "jsmith".

As I said in the beginning, our Mantis installation is using an external LDAP repository. So, it would be extremely convenient to first convert to lowercase before doing anything else.

What I observed is that Mantis created 2 users in its internal database because a certain user typed it in different ways. When Mantis queried LDAP, it performed a non-case sensitive query and matched both "John" and "john", which implies that 2 users were created in Mantis database.

Thanks a lot :)

rgomes1997

2009-09-05 09:12

reporter   ~0022887

I've circumvented the problem.
Only the dev team can judge if it is really the desired solution or not.
Anyway, the fix I describe here is good enough for me at the moment.

  1. Edit ./core/authentication_api.php
  2. Look for function auth_prepare_username
  3. Insert the block below into the switch statement:

            case LDAP:
                    $f_username = utf8_strtolower( $p_username );
                    break;

Explanation: function auth_prepare_username is called just after the user fills in the login form and before the authentication request. Doing so, no matter what the user types, it will be considered all lowercase.

dhx

2009-12-16 21:22

reporter   ~0023923

I imagine this problem is going to require changes to a lot more than just the code dealing with user logins. We would need to go through the entirety of Mantis to ensure that every time we make a username comparison or lookup, we convert both strings being compared to either lowercase or uppercase.

vboctor

2010-01-02 00:44

manager   ~0024019

Re-targeted for 1.3.x, this will require a lot of testing to make sure we don't break anything or have one use "John", login as another "john". I also don't consider it blocking in any way for the 1.2.x release.

bodowenzel

2011-04-08 10:01

reporter   ~0028571

Well, I have all users with usernames in upper case, just because these are their company mnemonics (nicknames, abbreviations, whatever) and read so much better in upper case.

But many of them forget to type it upper case at login. So I'd like to support this request for an option to ignore the case of usernames.

atrol

2014-04-28 01:25

developer   ~0040179

Added parts of Github PR discussion in additional information.
https://github.com/mantisbt/mantisbt/pull/159#issuecomment-41000258

Issue History

Date Modified Username Field Change
2009-08-14 18:20 yw84ever New Issue
2009-08-17 21:06 yw84ever Note Added: 0022743
2009-08-18 02:15 vboctor Status new => acknowledged
2009-08-18 02:15 vboctor Target Version => 1.2.2
2009-09-05 08:18 rgomes1997 Note Added: 0022886
2009-09-05 09:12 rgomes1997 Note Added: 0022887
2009-10-06 16:49 jreese Target Version 1.2.0 RC2 => 1.2.2
2009-12-16 21:22 dhx Note Added: 0023923
2010-01-02 00:44 vboctor Note Added: 0024019
2010-01-02 00:44 vboctor Target Version 1.2.2 => 1.3.0-beta.1
2011-04-08 10:01 bodowenzel Note Added: 0028571
2013-10-25 16:30 atrol Relationship added has duplicate 0016536
2014-01-21 17:00 atrol Target Version 1.3.0-beta.1 =>
2014-04-28 01:25 atrol Note Added: 0040179
2014-04-28 01:25 atrol Additional Information Updated
2017-10-23 06:09 atrol Relationship added has duplicate 0023515