[Fusionforge-general] User and Project with the same unix_name

Julien HEYMAN julien.heyman at atosorigin.com
Tue Jun 16 17:07:19 CEST 2009


Christian BAYLE wrote:
> Hi,
>
> As I said, this restriction is linked to a system restriction;
> system restrictions should be in system code.
> You may have installs where the restriction doesn't apply and others with
> some specific restriction.
> Why not just add the check in the sysCheckUser and sysCheckGroup functions,
> or add sysValidateUser and sysValidateGroup if necessary?
> You can even choose to implement it differently depending on the class you
> choose:
> LDAP, UNIX, pgsql, whatever
>
>
> Cheers
>
> Christian
>
>
> AlJeux wrote:
>   
>> This is not exactly related to your patch but there is also a case which
>> has to be considered:
>>
>> When the forge is linked with an LDAP directory (for users), you cannot
>> refuse to let a user log in to the forge.
>>
>> So, all code adding restrictions is quite problematic; that's why I would
>> prefer to keep this kind of code under the condition of $sys_use_shell.
>>
>> Alain.
>>
>> Julien HEYMAN wrote:
>>     
>>> Christian BAYLE wrote:
>>>       
>>>> Hello,
>>>>
>>>> When you create a user, you have to test if a project exists;
>>>> when you create a project, you have to test if a user exists.
>>>>
>>>> Every time, it should probably be a call to the System class that checks
>>>> if it's possible depending on the context, like if $sys_use_shell=false
>>>> always return OK, which can be a problem if you decide to change this
>>>> var. One extra solution could be to use a prefix in the group name like
>>>> prj_<group_name>
>>>> Anyway, I consider that system stuff should be handled by the system class;
>>>> this has for example a big advantage if the uid/gid provider is
>>>> external, like an LDAP, or if you have problems like a max number of
>>>> groups per user on some NFS filer.
>>>>
>>>> Christian
>>>>
>>>> AlJeux wrote:
>>>>  
>>>>         
>>>>> Julien HEYMAN wrote:
>>>>>   
>>>>>           
>>>>>> Julien HEYMAN wrote:
>>>>>>     
>>>>>>             
>>>>>>> Actually, if you have a project with unix_name "toto" and if you
>>>>>>> create a user with unix_name "toto", fusionforge deletes your unix
>>>>>>> group "toto" (project) and creates a new unix group called "toto" for
>>>>>>> your user...  and the "toto" members lose their unix group.
>>>>>>>
>>>>>>> So, to fix it, I am thinking of testing in the create function of the
>>>>>>> User class if the name is not used by a project, and reciprocally.
>>>>>>>
>>>>>>> Ok?
>>>>>>>
>>>>>>>         
>>>>>>>               
>>>>>> Maybe test in common/include/account.php with a getent group in
>>>>>> account_namevalid and getent passwd in account_groupnamevalid?
>>>>>>       
>>>>>>             
>>>>> Maybe test using getent() only if $sys_use_shell is true.
>>>>>
>>>>> Alain.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Fusionforge-general mailing list
>>>>> Fusionforge-general at lists.fusionforge.org
>>>>> http://lists.fusionforge.org/cgi-bin/mailman/listinfo/fusionforge-general
>>>>>
>>>>>
>>>>>
>>>>>     
>>>>>           
>>> But, if you create the project "toto", and if the administrator hasn't
>>> approved it yet, and if you create the user "toto"... what happens?
>>>
>>> If the shell is not used, you don't have the problem. But if you have... or if
>>> you activate the shell afterwards?
>>>
>>> I think we should test in createUser whether a group with the same
>>> name exists, and reciprocally.
>>>
>>> I attach the patch for 4.8:
>>>
>>>
>>>  From 4388c00eeb5fc8118f5d4b9b8168139b674151d5 Mon Sep 17 00:00:00 2001
>>> From: Julien Heyman <julien.heyman at atosorigin.com>
>>> Date: Thu, 11 Jun 2009 18:10:19 +0200
>>> Subject: [PATCH] Check if user/group name is not used by user/group
>>>
>>> ---
>>> gforge/common/include/Group.class.php |    4 ++++
>>> gforge/common/include/User.class.php  |    5 +++++
>>> 2 files changed, 9 insertions(+), 0 deletions(-)
>>>
>>> diff --git a/gforge/common/include/Group.class.php
>>> b/gforge/common/include/Group.class.php
>>> index fd8e368..9976a5f 100644
>>> --- a/gforge/common/include/Group.class.php
>>> +++ b/gforge/common/include/Group.class.php
>>> @@ -294,6 +294,10 @@ class Group extends Error {
>>>                               array ($unix_name))) > 0) {
>>>             $this->setError(_('Unix name already taken'));
>>>             return false;
>>> +        } else if (db_numrows(db_query_params('SELECT user_id FROM
>>> users WHERE user_name LIKE $1',
>>> +                           array ($unix_name))) > 0) {
>>> +            $this->setError(_('Unix name already taken'));
>>> +            return false;
>>>         } else if (strlen($purpose)<10) {
>>>             $this->setError(_('Please describe your Registration
>>> Purpose in a more comprehensive manner'));
>>>             return false;
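Review bot: the added `else if` on `users` compares with `user_name LIKE $1`, so any `_` or `%` in `$unix_name` is treated as a wildcard and a project name can be refused because of a different, merely similar user name. The mirror check in User.class.php uses `unix_group_name=$1`; use `user_name=$1` here as well so both directions do an exact comparison.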
>>> diff --git a/gforge/common/include/User.class.php
>>> b/gforge/common/include/User.class.php
>>> index a19ce4e..c5b5e60 100644
>>> --- a/gforge/common/include/User.class.php
>>> +++ b/gforge/common/include/User.class.php
>>> @@ -266,6 +266,11 @@ class GFUser extends Error {
>>>             $this->setError(_('That username already exists.'));
>>>             return false;
>>>         }
>>> +        if (db_numrows(db_query_params('SELECT group_id FROM groups
>>> WHERE unix_group_name=$1',
>>> +                              array ($unix_name))) > 0) {
>>> +            $this->setError(_('Unix name already taken'));
>>> +            return false;
>>> +        }
>>>         if ($GLOBALS['sys_require_unique_email']) {
>>>             if (db_numrows(db_query_params('SELECT user_id FROM users
>>> WHERE email ILIKE $1 OR email_new ILIKE $1',
>>>                                array ($email))) > 0) {
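Review bot: the new `if` placed before the `sys_require_unique_email` test has no comment saying why a user name is compared against `groups.unix_group_name`, and it runs whether or not the shell is in use. The reason given in the thread (the user's unix group replacing the project's group, including when the shell is enabled later) belongs in a short comment so the check is not later dropped or wrapped in `sys_use_shell` by mistake. The message 'Unix name already taken' should also say that the name is held by a project, since the branch just above already reports 'That username already exists.' for user clashes.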
>>>
>>>

Hi,

sysCheckUser and sysCheckGroup are used after the user or group is created. So we test before that, before the user or the group is added to the users/groups tables.

And if I test with getent group, it works only after the cron job homedirs.php has run.

So, I can make my patch conditional on sys_use_shell, but when we activate the shell, we can have many problems.

-- 

Julien HEYMAN
Open Source Center - Atos Origin
www.portaildulibre.fr

Les Miroirs - 18 avenue d'Alsace
92926 Paris La Défense CEDEX
Tél : +33 01 55 91 20 00
www.atosorigin.com
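
The pre-insert cross-check argued for in this thread, as an added example that is not part of the original message and is not FusionForge code: it shows why a database lookup catches a project that is still awaiting approval (no unix group exists yet for `getent` to find) and why the comparison should be exact rather than `LIKE`. It uses Python with an in-memory SQLite database as a constructed stand-in for the forge's PostgreSQL tables; the function names and the `status` values are assumptions, the table and column names follow the patch.

```python
import sqlite3

def make_forge_db():
    # Constructed stand-in for the forge database (SQLite, not PostgreSQL).
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users  (user_id INTEGER PRIMARY KEY, user_name TEXT UNIQUE);
        CREATE TABLE groups (group_id INTEGER PRIMARY KEY,
                             unix_group_name TEXT UNIQUE,
                             status TEXT);  -- 'P' pending, 'A' approved (assumed values)
    """)
    return conn

def unix_name_taken(conn, name):
    # Exact match against both tables. Pending projects count too, because
    # their row exists before any unix group has been created for them.
    sql = ("SELECT 1 FROM users WHERE user_name = ? "
           "UNION ALL SELECT 1 FROM groups WHERE unix_group_name = ?")
    return conn.execute(sql, (name, name)).fetchone() is not None

def unix_name_taken_like(conn, name):
    # Same lookup written with LIKE: '_' and '%' in the name act as wildcards.
    sql = ("SELECT 1 FROM users WHERE user_name LIKE ? "
           "UNION ALL SELECT 1 FROM groups WHERE unix_group_name LIKE ?")
    return conn.execute(sql, (name, name)).fetchone() is not None

def create_user(conn, name):
    # Refuse the name if a user or a project already holds it.
    if unix_name_taken(conn, name):
        return False
    conn.execute("INSERT INTO users (user_name) VALUES (?)", (name,))
    return True

def create_project(conn, name):
    # New projects start as pending; the name is reserved from this point on.
    if unix_name_taken(conn, name):
        return False
    conn.execute("INSERT INTO groups (unix_group_name, status) VALUES (?, 'P')",
                 (name,))
    return True

if __name__ == "__main__":
    db = make_forge_db()
    print("project toto requested:", create_project(db, "toto"))
    print("user toto created:", create_user(db, "toto"))
    print("user axb created:", create_user(db, "axb"))
    print("a_b taken (=):", unix_name_taken(db, "a_b"))
    print("a_b taken (LIKE):", unix_name_taken_like(db, "a_b"))
```
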