View Issue Details

ID: 0003465
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2009-08-12 15:22
Reporter: wic
Assigned To: (unassigned)
Priority: normal
Severity: major
Reproducibility: always
Status: confirmed
Resolution: open
Summary: 0003465: BASIC_AUTH login failure if user change password
Description

First-time login works ok, but if the user changes his password and tries to log in again -- mantis will refuse since basic auth password != database pwd. This simple patch bypasses that check. Btw, changing mantis password is irrelevant when using BASIC_AUTH and should probably be disabled.

Additional Information

Index.php (login form) is not needed at all with BASIC_AUTH. In fact, the user just has to click LOGIN with nothing entered in the uid/pwd fields, since mantis will use the credentials from basic auth anyway. I suggest redirecting from index.php to login.php if BASIC_AUTH, to make login completely transparent.

Tagspatch, regex, usability
Attached Files
auth.diff (482 bytes)   
--- authentication_api.php~	Mon Dec 15 17:40:51 2003
+++ authentication_api.php	Tue Dec 16 11:18:24 2003
@@ -107,7 +107,7 @@
 		if ( ! ( ON == $t_anon_allowed && $t_anon_account == $p_username ) ) {

 			# anonymous login didn't work, so check the password

 

-			if ( ! auth_does_password_match( $t_user_id, $p_password ) ) {

+			if ( BASIC_AUTH != $t_login_method && ! auth_does_password_match( $t_user_id, $p_password ) ) {

 				return false;

 			}

 		}
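Review bot: the patched condition drops Mantis's own password verification entirely whenever $t_login_method is BASIC_AUTH, so after this change the web server's basic-auth check is the only thing between a request and a logged-in account. That is the intended fix, but it only holds if every URL that reaches authentication_api.php sits behind the same server-side auth requirement, and the in-app password change (which the reporter notes is now meaningless) should be disabled so users are not misled into thinking a Mantis-side change takes effect. Also, $t_login_method does not appear in the visible context lines, so confirm it is assigned from config_get( 'login_method' ) earlier in this function before the check runs.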


Relationships

child of 0005460 (closed, vboctor): Critical Issues to Fix for Mantis 1.0.0 Release

Activities

Buster

2009-07-05 16:56

reporter   ~0022398

Last edited: 2009-07-06 17:17

still valid for mantisbt 1.2.0rc1:

I followed http://ardvaark.net/making-mantis-with-basic-authentication-not-suck to make BASIC_AUTH work. Additionally I changed auth_automatic_logon_bypass_form() in core/authentication_api.php to:

    # Skip the login form entirely when the web server already authenticated the user.
    function auth_automatic_logon_bypass_form() {
        switch( config_get( 'login_method' ) ) {
            case HTTP_AUTH:
            case BASIC_AUTH:
                return true;
        }
        return false;
    }

To prevent an error saying the username doesn't match the regex I had to add the following to config_inc.php:

    # mantis relies on REMOTE_USER but this is not always set
    # Copy whichever of the two server variables is populated into the other.
    if (!empty($_SERVER["PHP_AUTH_USER"]) && empty($_SERVER["REMOTE_USER"]))
    {
        $_SERVER["REMOTE_USER"] = $_SERVER["PHP_AUTH_USER"];
    }
    if (empty($_SERVER["PHP_AUTH_USER"]) && !empty($_SERVER["REMOTE_USER"]))
    {
        $_SERVER["PHP_AUTH_USER"] = $_SERVER["REMOTE_USER"];
    }
    # Neither is set: fall back to the anonymous account name.
    if (empty($_SERVER["PHP_AUTH_USER"]) && empty($_SERVER["REMOTE_USER"]))
    {
        $_SERVER["REMOTE_USER"] = $_SERVER["PHP_AUTH_USER"] = 'anonymous';
    }
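A self-contained sketch of the decision the attached patch and the config snippet above make, written as an added example and not taken from MantisBT: given the server variables and the configured login method, it resolves the identity the web server authenticated and decides whether Mantis's own stored-password check must still pass. The function names, the account table and the password hashing are stand-ins for whatever auth_does_password_match() and the real login flow do.

```php
<?php
// Added example; not part of MantisBT. Models the auth decision from the issue:
// under BASIC_AUTH the web server has already verified the password, so comparing
// it against the Mantis database password is redundant and breaks as soon as the
// user changes the Mantis-side password.

const BASIC_AUTH = 'basic';   // stand-in for the MantisBT constant

// Mirror the REMOTE_USER / PHP_AUTH_USER normalisation from the comment above,
// but report "nobody authenticated" instead of inventing an identity.
function resolve_server_user(array $server): ?string {
    $remote = $server['REMOTE_USER'] ?? '';
    $basic  = $server['PHP_AUTH_USER'] ?? '';
    if ($remote === '' && $basic === '') {
        return null;   // the web server did not authenticate this request
    }
    return $remote !== '' ? $remote : $basic;
}

// Stand-in for auth_does_password_match(): the supplied password against the
// hash stored for the account.
function password_matches(array $accounts, string $user, string $password): bool {
    return isset($accounts[$user]) && password_verify($password, $accounts[$user]);
}

// $patched = false reproduces the pre-patch check; $patched = true applies the
// attached diff, which skips the database password check only for BASIC_AUTH.
function attempt_login(string $method, bool $patched, array $server, array $accounts): ?string {
    $user = resolve_server_user($server);
    if ($user === null || !isset($accounts[$user])) {
        return null;   // unknown or unauthenticated identity is never logged in
    }
    if (!($patched && $method === BASIC_AUTH)) {
        if (!password_matches($accounts, $user, $server['PHP_AUTH_PW'] ?? '')) {
            return null;
        }
    }
    return $user;
}

// Constructed sample: the user set the Mantis password to 'new-secret', while the
// web server's basic-auth credentials still carry 'old-secret'.
$accounts = ['wic' => password_hash('new-secret', PASSWORD_DEFAULT)];
$server   = ['REMOTE_USER' => 'wic', 'PHP_AUTH_USER' => 'wic', 'PHP_AUTH_PW' => 'old-secret'];

var_dump(attempt_login(BASIC_AUTH, false, $server, $accounts)); // pre-patch: the reported failure
var_dump(attempt_login(BASIC_AUTH, true, $server, $accounts));  // patched: server identity trusted
var_dump(attempt_login(BASIC_AUTH, true, [], $accounts));       // patched, but no server-side identity
```

Run it with the php CLI; the third call is the case the config snippet's 'anonymous' fallback would otherwise turn into a login attempt for a real account name.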