
Opened 12 years ago

Closed 11 years ago

#10028 closed defect (fixed)

Account delete does not purge user's auth cookie

Reported by: gary.martin@… Owned by: Steffen Hoffmann
Priority: normal Component: AccountManagerPlugin
Severity: normal Keywords: user delete authentication cookie
Cc: Ryan J Ollos Trac Release: 0.12

Description

I would expect that if a specific user is logged in at the point just prior to their account being deleted, they should lose the authenticated status in future requests. This does not appear to be the case (0.11 branch of AccountManagerPlugin and Trac 0.13dev).

Attachments (1)

delete_user_delete_auth.diff (582 bytes) - added by gary.martin@… 12 years ago.


Change History (8)

Changed 12 years ago by gary.martin@…

comment:1 Changed 12 years ago by gary.martin@…

The attached patch is just part of what I found that might just contribute to a possible fix that seems to work for me. I hope it is of some use.

comment:2 Changed 12 years ago by Ryan J Ollos

Cc: Ryan J Ollos added; anonymous removed

comment:3 Changed 12 years ago by Steffen Hoffmann

Keywords: user delete authentication cookie added

Thank you for the hint and inspiration. I'm testing a modified version of your patch right now. Please allow some comments on your patch:

Invalidation of authentication cookie data is not done in the trunk development branch either. This is the more appropriate place to discuss, since all ongoing development is happening there and that code is subsequently merged back into the stable branch(es), currently 0.11 that you referred to. For this reason I prefer patches against trunk too.

env.db_transaction is top, but I defer adoption of the latest Trac db API until I did a final 0.11 release. Switching towards a 0.13 branch means maintenance of significantly diverging code or leaving 0.11 backwards-compatibility behind, which I personally still value very highly these days. I know of Trac applications that even can't go beyond Python 2.4 for various reasons that I don't feel authorized to argue with.

The additional DELETE statement will interrupt any of possibly multiple parallel authenticated sessions for the deleted user, but of course this is rightful table cleanup anyway.
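As an illustration of the gap discussed in this ticket (an added example, not the attached patch or the plugin's own code): a constructed in-memory miniature of the Trac tables involved, showing that removing the user's profile rows alone leaves the auth cookie valid, while the additional DELETE on auth_cookie ends every one of the user's sessions. Table and column names follow Trac's schema; the user name, cookie value and IP are constructed sample data.

```python
import sqlite3

# Constructed miniature of the Trac tables touched by user deletion.
SCHEMA = """
CREATE TABLE auth_cookie (cookie TEXT, name TEXT, ipnr TEXT, time INTEGER);
CREATE TABLE session (sid TEXT, authenticated INTEGER, last_visit INTEGER);
CREATE TABLE session_attribute (sid TEXT, authenticated INTEGER, name TEXT, value TEXT);
CREATE TABLE permission (username TEXT, action TEXT);
"""

def make_db(user='gary', cookie='abc123', ipnr='127.0.0.1'):
    """Build a db in which `user` is logged in with one auth cookie (sample values)."""
    db = sqlite3.connect(':memory:')
    db.executescript(SCHEMA)
    db.execute("INSERT INTO auth_cookie VALUES (?, ?, ?, ?)", (cookie, user, ipnr, 0))
    db.execute("INSERT INTO session VALUES (?, 1, 0)", (user,))
    db.execute("INSERT INTO session_attribute VALUES (?, 1, 'email', 'user@example.org')", (user,))
    db.execute("INSERT INTO permission VALUES (?, 'TICKET_CREATE')", (user,))
    return db

def name_for_cookie(db, cookie, ipnr):
    """Shape of the lookup a login module does on each request: cookie -> user name."""
    row = db.execute("SELECT name FROM auth_cookie WHERE cookie = ? AND ipnr = ?",
                     (cookie, ipnr)).fetchone()
    return row[0] if row else None

def delete_user_incomplete(db, user):
    """Before: profile rows go, but auth_cookie rows stay, so the cookie still authenticates."""
    db.execute("DELETE FROM session WHERE sid = ? AND authenticated = 1", (user,))
    db.execute("DELETE FROM session_attribute WHERE sid = ? AND authenticated = 1", (user,))
    db.execute("DELETE FROM permission WHERE username = ?", (user,))

def delete_user_complete(db, user):
    """After: also purge every auth_cookie row, ending all parallel sessions of the user."""
    delete_user_incomplete(db, user)
    db.execute("DELETE FROM auth_cookie WHERE name = ?", (user,))

def who_is_logged_in_after_delete(complete):
    """Delete the sample user, then replay the request lookup with the old cookie."""
    db = make_db()
    (delete_user_complete if complete else delete_user_incomplete)(db, 'gary')
    return name_for_cookie(db, 'abc123', '127.0.0.1')
```

Without the auth_cookie DELETE the stale cookie still resolves to the deleted user; with it, the lookup returns nothing and the request falls back to anonymous.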

comment:4 Changed 12 years ago by Steffen Hoffmann

(In [11554]) AccountManagerPlugin: Improve db cleanup on user deletion, refs #10028.

Thanks to Gary Martin from WanDisco for pointing out this weak spot.

comment:5 Changed 12 years ago by anonymous

Fantastic.. the trunk development branch code now works well against my test 0.13 based system.

Thanks for making time to look at this so quickly.

comment:6 in reply to: 5 Changed 12 years ago by Steffen Hoffmann

Status: new → assigned

Replying to anonymous:

Fantastic.. the trunk development branch code now works well against my test 0.13 based system.

Good news. Thank you for reporting back.

Thanks for making time to look at this so quickly.

You're welcome. I've been lucky to use some free time last night, more than within the last ten weeks together. And code rules: with a plausible description and a patch everything is much easier. If you happen to get more observations, fixes and improvements, I'd be eager to have a look too.

comment:7 Changed 11 years ago by Steffen Hoffmann

Resolution: fixed
Status: assigned → closed

(In [12398]) AccountManagerPlugin: Releasing version 0.4, pushing development to acct_mgr-0.5dev.

Availability of that code as stable release closes #874, #3459, #4677, #5295, #5691, #6616, #7577, #8076, #8685, #8770, #8791, #8990, #9052, #9079, #9090, #9139, #9246, #9252, #9547, #9618, #9676, #9843, #9852, #9940, #10023, #10028, #10123, #10142, #10204, #10276, #10397, #10412, #10594, #10625 and #10644.

Some more issues have been worked on, yet without confirmed resolution, refs #5464 (for JiraToTracIntegration), #8927 and #10134.

And finally there are some issues and enhancement requests showing progress, but known to require more work to resolve them satisfactorily, refs #843, #1600, #5964, #8217, #8933.

Thanks to all contributors and followers who enabled and encouraged a good portion of this development work.
