View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0003465 | mantisbt | authentication | public | 2003-12-16 14:46 | 2009-08-12 15:22 |
Reporter | wic | Assigned To | |||
Priority | normal | Severity | major | Reproducibility | always |
Status | confirmed | Resolution | open | ||
Summary | 0003465: BASIC_AUTH login failure if user change password | ||||
Description | First-time login works ok, but if the user changes his password and tries to log in again -- mantis will refuse since basic auth password != database pwd. This simple patch bypasses that check. Btw, changing mantis password is irrelevant when using BASIC_AUTH and should probably be disabled. | ||||
Additional Information | Index.php (login form) is not needed at all with BASIC_AUTH. In fact, the user just has to click LOGIN with nothing entered in uid/pwd fields since mantis will use credentials from basic auth anyway. I suggest redirecting from index.php to login.php if BASIC_AUTH to make login completely transparent. | ||||
Tags | patch, regex, usability | ||||
Attached Files | auth.diff (482 bytes)
--- authentication_api.php~ Mon Dec 15 17:40:51 2003 +++ authentication_api.php Tue Dec 16 11:18:24 2003 @@ -107,7 +107,7 @@ if ( ! ( ON == $t_anon_allowed && $t_anon_account == $p_username ) ) { # anonymous login didn't work, so check the password - if ( ! auth_does_password_match( $t_user_id, $p_password ) ) { + if ( BASIC_AUTH != $t_login_method && ! auth_does_password_match( $t_user_id, $p_password ) ) { return false; } } | ||||
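Review bot: the added condition BASIC_AUTH != $t_login_method on the changed if line skips auth_does_password_match() for every call once BASIC_AUTH is the login method, and nothing in the hunk ties $p_username to the user the web server actually authenticated. If any caller can pass a username of its own choosing (the report notes the index.php login form is still presented), that name would be accepted with no password comparison at all. Suggest skipping the check only when $p_username equals the server-supplied identity and returning false otherwise, and adding a short comment on why the database password is ignored under BASIC_AUTH.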
Still valid for mantisbt 1.2.0rc1: I followed http://ardvaark.net/making-mantis-with-basic-authentication-not-suck to make BASIC_AUTH work. Additionally I changed auth_automatic_logon_bypass_form() in core/authentication_api.php to: function auth_automatic_logon_bypass_form() { To prevent an error saying the username doesn't match the regex I had to add the following to config_inc.php: # mantis relies on REMOTE_USER but this is not always set |