Bug 997830 - login name could be changed to whitespace
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Beaker
Classification: Retired
Component: web UI
Version: 0.14
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: 0.17
Assignee: Dan Callaghan
QA Contact: tools-bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-08-16 09:21 UTC by wangjing
Modified: 2018-02-06 00:41 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-10 23:28:04 UTC
Embargoed:



Description wangjing 2013-08-16 09:21:19 UTC
Description of problem:
The login name could be changed to whitespace, and then I could not change it back.

Version-Release number of selected component (if applicable):
0.14.1 beaker-devel env

How reproducible:
always

Steps to Reproduce:
1. Admin->Accounts->clicking my account name.
2. change my login name to one whitespace.
3. save changes.

Actual results:
My account login name was changed to whitespace, and then I can't change it back.

Expected results:
It's better to avoid changing the login name, because our accounts are actually controlled by Kerberos.

Additional info:

Comment 1 wangjing 2013-08-16 09:23:26 UTC
display name also could be changed to whitespace.

Comment 3 Dan Callaghan 2013-08-19 01:42:56 UTC
I think it's fine that you can change your username, even though it was populated through LDAP. Beaker supports accounts outside of LDAP/Kerberos even when it's being used (not to mention sites which don't use LDAP/Kerberos at all).

I'm not sure about allowing whitespace in usernames. It would be invalid in many authentication mechanisms, but not necessarily in *every* one, so I don't think Beaker should necessarily forbid it unless there is a good reason.

But yes, changing it to *only* whitespace characters is a problem because when it's rendered in HTML on the accounts page you can no longer click it. So we definitely need a stricter validator for the username.

(In reply to wangjing from comment #1)
> display name also could be changed to whitespace.

I don't think Beaker should enforce any restrictions on display names, so I'm fine with this as it is.

Comment 4 wangjing 2013-08-19 03:30:44 UTC
(In reply to Dan Callaghan from comment #3)
> (In reply to wangjing from comment #1)
> > display name also could be changed to whitespace.
> 
> I don't think Beaker should enforce any restrictions on display names, so
> I'm fine with this as it is.

On the web UI, the user display name appears in some places, such as the submission delegates list on the prefs page, so it's better to restrict the display name not to be *only* whitespace characters either (same way as the login name), or else the blank display may be confusing.
If needed, I could file this issue as an RFE.

Comment 5 Nick Coghlan 2013-08-26 02:43:06 UTC
I'm pretty sure we do Python "if" checks against display name to decide whether or not to fall back to showing the username instead, so +1 on banning whitespace-only display names in addition to whitespace-only usernames.
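
Added example (not part of the bug report and not Beaker's code): a sketch of the stricter validator and the display-name fallback discussed in comments 3 and 5, showing why a plain truthiness check does not fall back for " ". It goes slightly beyond the report by also refusing names made only of control or zero-width characters; all function names and sample values are assumptions.

```python
import unicodedata

# Unicode general categories that normally render with no visible glyph:
# separators (Zs, Zl, Zp), control characters (Cc), format characters (Cf).
_INVISIBLE_CATEGORIES = {"Zs", "Zl", "Zp", "Cc", "Cf"}

def has_visible_char(value):
    """True if at least one character in value would normally render as a glyph."""
    return any(unicodedata.category(ch) not in _INVISIBLE_CATEGORIES for ch in value)

def validate_name(field, value):
    """Refuse None, empty and blank-looking names; inner whitespace stays allowed."""
    if value is None or not has_visible_char(value):
        raise ValueError("%s must contain at least one visible character" % field)
    return value

def shown_name_naive(display_name, user_name):
    """Plain truthiness check: ' ' is truthy, so there is no fallback."""
    return display_name if display_name else user_name

def shown_name(display_name, user_name):
    """Fallback that treats a blank-looking display name as missing."""
    if display_name and has_visible_char(display_name):
        return display_name
    return user_name

# Constructed sample inputs (hypothetical, not taken from the bug report).
SAMPLES = ["jsmith", "john smith", " ", "\t\n", "\u00a0", "\u200b", ""]

def rejected(samples):
    """Return the samples that validate_name refuses."""
    bad = []
    for s in samples:
        try:
            validate_name("user_name", s)
        except ValueError:
            bad.append(s)
    return bad

if __name__ == "__main__":
    print([repr(s) for s in rejected(SAMPLES)])
    print(repr(shown_name_naive(" ", "jsmith")), repr(shown_name(" ", "jsmith")))
```

Running the validator on the server side at save time, rather than only in the form, keeps a blank value out of the database regardless of which client submits it.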

Comment 6 Dan Callaghan 2014-05-05 06:33:26 UTC
On Gerrit: http://gerrit.beaker-project.org/3060

Comment 9 Dan Callaghan 2014-05-06 23:06:40 UTC
(In reply to luliu from comment #8)
> Suggestion: Beaker should support accounts on both LDAP and local user
> db, for example, if I change my username to a name which is not a Kerberos
> name, Beaker should check the account via local db

Beaker does allow that currently.

The problem here is that there is now a Beaker account "a" with your e-mail address, and so when you log in using your LDAP account "luliu" Beaker fails to create a new account for you because the e-mail address is duplicate.

It's really a separate, existing issue so I have filed bug 1095010 for it.

Comment 10 Dan Callaghan 2014-05-06 23:40:44 UTC
(In reply to Dan Callaghan from comment #9)
> The problem here is that there is now a Beaker account "a" with your e-mail
> address, and so when you log in using your LDAP account "luliu" Beaker fails
> to create a new account for you because the e-mail address is duplicate.
> 
> It's really a separate, existing issue so I have filed bug 1095010 for it.

If you work around this by changing the e-mail address of "a" to something different, then you will be able to log in.

This bug is just about preventing usernames and display names that only contain whitespace, so I think it should be VERIFIED.

Comment 11 xuezhi ma 2014-05-07 02:12:12 UTC
(In reply to Dan Callaghan from comment #10)
> (In reply to Dan Callaghan from comment #9)
> > The problem here is that there is now a Beaker account "a" with your e-mail
> > address, and so when you log in using your LDAP account "luliu" Beaker fails
> > to create a new account for you because the e-mail address is duplicate.
> > 
> > It's really a separate, existing issue so I have filed bug 1095010 for it.
> 
> If you work around this by changing the e-mail address of "a" to something
> different, then you will be able to log in.
>

Yes, I have helped to change "a"'s email to something different, and the original account can log in now.

> This bug is just about preventing usernames and display names that only
> contain whitespace, so I think it should be VERIFIED.

Change it to verified.

Comment 12 Dan Callaghan 2014-06-02 04:39:53 UTC
This bug fix has been applied to the release-0.16 branch; however, we have elected not to do another maintenance release of the 0.16.x series. This fix will be included in 0.17.0 instead.

Comment 13 Dan Callaghan 2014-06-10 23:28:04 UTC
Beaker 0.17.0 has been released.

