Incorrect parsing of OpenID team ACL

Bug #798358 reported by Andrew Glen-Young
Affects: moin (Ubuntu)
Status: Triaged
Importance: Medium
Assigned to: Unassigned

Bug Description

MoinMoin incorrectly parses team ACLs when using the openid_teams auth option.

The regular expression that parses the ACL is not anchored correctly, causing the parser to return false positives or false negatives.

The fix is rather trivial. See the attached patch, which should apply cleanly to MoinMoin 1.9.2 and 1.9.3.

Example scenario:
- user 'foobar' already exists in the team ACL page.
- user 'foo' does not exist in the team ACL page.
- user 'foo' needs to be added to the team ACL page on login.

Example team ACL:
#acl Known:read All:
 * bar
 * baz
 * foobar

What happens:
- Upon successful authentication of user 'foo' the parser mistakenly matches user 'foo' as user 'foobar' and the team ACL is not updated.
- User 'foo' is denied access to the resource he is expected to access.

What should happen:
- Upon successful authentication of user 'foo', given that 'foo' is in the correct team, the team ACL should be updated with his username.

Additional details:

Ubuntu release: Lucid Lynx
Package version: python-moinmoin-1.9.2-2ubuntu3.1

Tags: patch
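
The false positive from the example scenario above, reproduced as an added example; this is not MoinMoin's code and not the attached patch. The unanchored pattern and all function names are assumptions made for illustration; the team page text is the one given in the report.

```python
import re

# Team ACL page from the report, embedded as sample input.
TEAM_PAGE = "#acl Known:read All:\n * bar\n * baz\n * foobar\n"


def is_member_unanchored(page_text, username):
    """Assumed flawed check: nothing pins the end of the name, so the
    pattern for 'foo' also matches inside the list item ' * foobar'."""
    return re.search(r" \* " + username, page_text) is not None


def is_member_anchored(page_text, username):
    """Match one whole list item: line start, bullet, exact name, line end.
    re.escape treats the name as data rather than as pattern syntax."""
    pattern = r"^ \* " + re.escape(username) + r"[ \t\r]*$"
    return re.search(pattern, page_text, re.MULTILINE) is not None


def add_member_on_login(page_text, username, is_member):
    """Append the user to the team page unless the check says they are listed."""
    if is_member(page_text, username):
        return page_text
    if not page_text.endswith("\n"):
        page_text += "\n"
    return page_text + " * " + username + "\n"


def members(page_text):
    """Names from ' * name' list items; the #acl line is ignored."""
    return re.findall(r"^ \* (\S+)[ \t\r]*$", page_text, re.MULTILINE)


if __name__ == "__main__":
    for check in (is_member_unanchored, is_member_anchored):
        updated = add_member_on_login(TEAM_PAGE, "foo", check)
        print(check.__name__, members(updated))
```

With the unanchored check the page is returned unchanged, so 'foo' never appears in the member list; with the anchored check 'foo' is appended after 'foobar'.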
Andrew Glen-Young (aglenyoung) wrote :
tags: added: patch
James Page (james-page) wrote :

Still an issue in the latest package in utopic - marking as Medium/Triaged.

Changed in moin (Ubuntu):
status: New → Triaged
importance: Undecided → Medium