
mahara-contributors team mailing list archive

[Bug 1003980] Re: Authentication plugin user autocreation can become impossible

 

Yes, that's right - the code there was copied out of the xmlrpc plugin,
but it's only when usersuniquebyusername is on that it's necessary to
forbid the login in this way.

If usersuniquebyusername is off, and registration is on, someone *can*
create a user with the same username as a SAML authenticated user who
comes along later, but that SAML authenticated user will get a fresh
Mahara username (e.g. when SAML user bob comes along, he'll get bob1 in
Mahara if we already have a bob).

The way I read your patch, it will stop the 99% of sites with
usersuniquebyusername off from setting up SAML auth with auto-creation,
even though username clashes will be handled properly for them.

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/1003980

Title:
  Authentication plugin user autocreation can become impossible

Status in Mahara ePortfolio:
  Triaged

Bug description:
  It is possible to put yourself in a situation where having users
  auto-created by an authentication plugin is impossible.

  By design, for auto-creation to happen, all institutions must be
  registerallowed = 0.

  By design, when an authentication plugin is added to an institution,
  registerallowed is set to 0. But it is not set for all institutions,
  if multiple exist.

  Once an authentication plugin is added to an institution, via the web
  interface the control to toggle registerallowed for an institution is
  hidden.

  To reproduce from a fresh installation of Mahara:
  Create an institution
  Set config item usersuniquebyusername = 1
  Add and configure an authentication plugin
  Attempt to log in with a new user that should autocreate, which will fail because the 'mahara' institution will still have registerallowed = 1

  To work around:
  Connect to the database and set registerallowed = 0 for all institutions, e.g. 'UPDATE institution set registerallowed = 0 ;'.
