Demo Discussion
Forum Config Examples Contributions Vulnerabilities
  Discussion forum about ELOG  Not logged in ELOG logo
icon1.gif   "New User" option does not work when Authentication=Webserver, posted by Jan Just Keijser on Fri May 29 09:27:32 2020 
    icon2.gif   Re: "New User" option does not work when Authentication=Webserver, posted by Stefan Ritt on Tue Aug 4 13:29:23 2020 
Message ID: 69153     Entry time: Fri May 29 09:27:32 2020     Reply to this: 69192
Icon: Entry  Author: Jan Just Keijser  Author Email: janjust@nikhef.nl 
Category: Bug report  OS: Linux  ELOG Version: 3.1.4-2 
Subject: "New User" option does not work when Authentication=Webserver 

Our setup uses "Authentication=Webserver" + no automatic user registration. Thus, logbook admins should add a user by clicking "Config"  and then "New user". However, no matter what they fill in in the "new user " dialog, as soon as they hit "Save" an error pops up saying that their username (the admin one, not the new one) already exists. I found the following code:

int save_user_config(LOGBOOK * lbs, char *user, BOOL new_user)
{
   char file_name[256], str[256], *pl, user_enc[256], new_pwd[80], new_pwd2[80], smtp_host[256],
       email_addr[256], mail_from[256], mail_from_name[256], subject[256], mail_text[2000], str2[256],
       admin_user[80], url[256], error[2000], sid[32];
   int i, self_register, code, first_user;
   PMXML_NODE node, subnode, npwd; 

   /* if we outsourced the authentication, use external username */
   getcfg(lbs->name, "Authentication", str, sizeof(str));
   if (stristr(str, "Webserver")) {
      /* do not allow HTML in user name */
      strencode2(user_enc, http_user, sizeof(user_enc));
   } else {
      strencode2(user_enc, user, sizeof(user_enc));
   }

 

which seems to be the culprit:  the admin user is logged using his/her Webserver (http_user) credentials and this overrides anything that he/she might fill in.  If I remove the "Authentication" check then I can create a new user without problems.  So, how to fix this? should the "Authentication=Webserver" check be extended with a self/auto registration check?

 

ELOG V3.1.4-80633ba