Mahara

auth/saml default remoteuser

Bug #932909 reported by PiersHarding on 2012-02-15

256

This bug affects 1 person

Affects

Status

Importance

Assigned to

Milestone

Mahara

Fix Released

High

PiersHarding

Mahara 1.3.8

You need to log in to change this bug's status.

Affecting:	Mahara
Filed here by:	PiersHarding
When:	2012-02-15
Confirmed:	2012-02-15
Assigned:	2012-02-15
Started work:	2012-02-15
Completed:	2012-03-06

Target

Distribution
Package	(Find…)
Project	(Find…)

Status	Importance	Milestone
	High	Mahara 1.3.8

Assigned to

	Me
	PiersHarding (piersharding)

Comment on this change (optional)

Email me about changes to this bug report

1.4

Fix Released

High

PiersHarding

Mahara 1.4.2

You need to log in to change this bug's status.

Affecting:	Mahara 1.4
Filed here by:	François Marier
When:	2012-02-15
Confirmed:	2012-02-15
Assigned:	2012-02-20
Started work:	2012-02-20
Completed:	2012-03-06

Status	Importance	Milestone
	High	Mahara 1.4.2

Assigned to

	Me
	PiersHarding (piersharding)

Comment on this change (optional)

Email me about changes to this bug report

(?)

Bug Description

The auth/saml plugin should have the option "Match username attribute to Remote username" defaulted to true, as this presents a risk in multi-tenanted Mahara instances (different institutions may clash on usernames so the default behaviour should be to match on the external one).

Tags: Edit Tag help

PiersHarding (piersharding) on 2012-02-15

Changed in mahara:
status:	New → In Progress
assignee:	nobody → PiersHarding (piersharding)

PiersHarding (piersharding) on 2012-02-15

Changed in mahara:
status:	In Progress → Fix Committed

François Marier (fmarier) wrote on 2012-02-15:

BTW Piers, we use "fix committed" only when the fix has been merged onto the final branch. While it's in review, we use "in progress".

Changed in mahara:
status:	Fix Committed → In Progress
importance:	Undecided → Critical
milestone:	none → 1.3.8
security vulnerability:	no → yes
Changed in mahara:
importance:	Critical → High
tags:	added: saml

Mahara Bot (dev-mahara) wrote on 2012-02-16: A change has been merged

Reviewed: https://reviews.mahara.org/1053
Committed: http://gitorious.org/mahara/mahara/commit/f07be6020e70fa8f53cd77fdcd63e7fd7ff8aaea
Submitter: Francois Marier (<email address hidden>)
Branch: master

commit f07be6020e70fa8f53cd77fdcd63e7fd7ff8aaea
Author: Piers Harding <email address hidden>
Date: Thu Feb 16 06:19:41 2012 +1300

auth/saml default remoteuser (bug #932909)

Ensure that default behaviour is to match user
to remote user name

Change-Id: Iadabb5c47004786af6fb6e2e6ac0590fb4a887d8
Signed-off-by: Piers Harding <email address hidden>

François Marier (fmarier) wrote on 2012-02-20:

Piers: would you be able to quickly test the 1.3 and 1.4 cherry-picks I just pushed to gerrit?

https://reviews.mahara.org/#change,1061
https://reviews.mahara.org/#change,1062

(I've tested that the setting is turned on by default, but I don't feel confident enough to test the other changes in that patch.)

Richard: given I was the one to do the cherry-pick can you quickly double-check to make sure everything looks fine and give your +2?

Mahara Bot (dev-mahara) wrote on 2012-02-20:

Reviewed: https://reviews.mahara.org/1061
Committed: http://gitorious.org/mahara/mahara/commit/46dfa1bcc5bafda7f8aadf6fae33d77e4ce6190f
Submitter: Francois Marier (<email address hidden>)
Branch: 1.3_STABLE

commit 46dfa1bcc5bafda7f8aadf6fae33d77e4ce6190f
Author: Francois Marier <email address hidden>
Date: Mon Feb 20 14:40:05 2012 +1300

auth/saml default remoteuser (bug #932909)

Ensure that default behaviour is to match user
to remote user name

(cherry picked from commit f07be6020e70fa8f53cd77fdcd63e7fd7ff8aaea)

Conflicts:

htdocs/auth/saml/lang/en.utf8/auth.saml.php
htdocs/auth/saml/lib.php

Change-Id: Ieda14dc11692f3f703aa0d5b4e87761107196356
Signed-off-by: Francois Marier <email address hidden>

Mahara Bot (dev-mahara) wrote on 2012-02-20:

Reviewed: https://reviews.mahara.org/1062
Committed: http://gitorious.org/mahara/mahara/commit/d642724b4e6016df988c2fe25aad0543927af072
Submitter: Francois Marier (<email address hidden>)
Branch: 1.4_STABLE

commit d642724b4e6016df988c2fe25aad0543927af072
Author: Francois Marier <email address hidden>
Date: Mon Feb 20 14:50:32 2012 +1300

auth/saml default remoteuser (bug #932909)

Ensure that default behaviour is to match user
to remote user name

(cherry picked from commit f07be6020e70fa8f53cd77fdcd63e7fd7ff8aaea)

Conflicts:

htdocs/auth/saml/lib.php

Change-Id: I4db156b2e0023315a2bcf09f47c4fbf7b23ce348
Signed-off-by: Francois Marier <email address hidden>

François Marier (fmarier) on 2012-02-20

Changed in mahara:
status:	In Progress → Fix Committed

Melissa Draper (melissa) on 2012-03-06

Changed in mahara:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information Edit

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers