On Tue, Jan 31, 2023 at 12:12 AM Jun Omae <jun...@gmail.com> wrote:
>
> On Tue, Jan 31, 2023 at 8:53 AM Dima Pasechnik <dim...@gmail.com> wrote:
> >
> > On Mon, Jan 30, 2023 at 11:23 PM Jun Omae <jun...@gmail.com> wrote:
> > >
> > > On Tue, Jan 31, 2023 at 1:54 AM Dima Pasechnik <dim...@gmail.com> wrote:
> > > > Question: how does one log out all the users from the server side?
> > > > (i.e., expire their access tokens) ?
> > >
> > > Try to delete records in auth_cookie table.
> >
> > Where is this table? I only see
>
> I said "table". Table is typically stored in database....
> See [trac] database option in your Trac environment.
Yes, I see now, thanks. Looking at the code in `web/auth.py`, I see a
search for a cookie for the user. And there are functions (in LoginModule)
for getting the user name from a cookie, _cookie_to_name() and
_get_name_for_cookie(), which don't seem to make any attempt to verify that
the user name they get from the DB record is a valid user (this is in
Trac 1.2, as well as in the latest Trac 1.5.3). Then _get_name_for_cookie()
gets called in authenticate(), and again, no attempt to validate the user
is made.

From what we observe in Trac 1.2, users granted TRAC_ADMIN still have their
auth cookies in the DB, and are able to modify comments in tickets, despite
being removed as TRAC_ADMINs through the web admin, removed from the list of
users in the file pointed to by htdigest_file= in trac.ini's
[account-manager] section (and with their sessions removed via
"trac-admin <> session delete <user>").

So it seems that such removals don't trigger the purge of their auth
cookies from the database, even after a full restart of Trac. Shouldn't
there be a startup check on users and cookies, so that cookies of users no
longer present are invalidated? Was this ever reported as a bug?

Anyhow, assuming all the authenticated access to tickets goes via
authenticate() in LoginModule, it should be trivial to make tickets
read-only by making the latter return None all the time...

Thanks,
Dima
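As an added example, not code from Trac or from either author in this thread: a sketch in Python of the startup check Dima asks about, together with Jun's "delete records in auth_cookie" answer as a function. It assumes the auth_cookie table has Trac's columns (cookie, name, ipnr, time) and that the htdigest_file lines have the form user:realm:hash. The in-memory SQLite database, the sample cookie rows and the sample htdigest content are all constructed for the demonstration; against a real environment the database would be the one configured under [trac] database.

```python
"""Audit and purge stale Trac auth_cookie rows (added example, not Trac code).

Assumptions: auth_cookie has columns (cookie, name, ipnr, time) as in Trac's
schema, and the htdigest file uses ``user:realm:md5hex`` lines. The SQLite
in-memory database and all sample rows below are constructed for the demo.
"""
import sqlite3
import time

# Constructed htdigest_file content: "alice" and "bob" are still valid users;
# "mallory" has been removed from the file but still holds auth cookies.
SAMPLE_HTDIGEST = """\
alice:trac:0123456789abcdef0123456789abcdef
bob:trac:fedcba9876543210fedcba9876543210
"""


def htdigest_users(text):
    """Return the set of user names listed in an htdigest file body."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(':')
        if len(parts) == 3:          # user:realm:hash
            users.add(parts[0])
    return users


def open_sample_db():
    """Create an in-memory DB with a constructed auth_cookie table."""
    db = sqlite3.connect(':memory:')
    db.execute("""CREATE TABLE auth_cookie (
                      cookie TEXT, name TEXT, ipnr TEXT, time INTEGER,
                      PRIMARY KEY (cookie, ipnr, name))""")
    now = int(time.time())
    db.executemany("INSERT INTO auth_cookie VALUES (?, ?, ?, ?)", [
        ('c0ffee01', 'alice',   '10.0.0.5', now),
        ('c0ffee02', 'bob',     '10.0.0.6', now),
        ('c0ffee03', 'mallory', '10.0.0.7', now),   # removed user, session 1
        ('c0ffee04', 'mallory', '10.0.0.8', now),   # removed user, session 2
    ])
    db.commit()
    return db


def cookie_count(db):
    """Number of auth_cookie rows currently stored."""
    return db.execute("SELECT COUNT(*) FROM auth_cookie").fetchone()[0]


def stale_cookie_names(db, valid_users):
    """Names that still hold auth cookies but are no longer valid users."""
    rows = db.execute("SELECT DISTINCT name FROM auth_cookie").fetchall()
    return sorted(name for (name,) in rows if name not in valid_users)


def purge_stale_cookies(db, valid_users):
    """Delete auth_cookie rows for names not in valid_users; return count."""
    stale = stale_cookie_names(db, valid_users)
    if not stale:
        return 0
    placeholders = ','.join('?' * len(stale))
    cur = db.execute(
        "DELETE FROM auth_cookie WHERE name IN (%s)" % placeholders, stale)
    db.commit()
    return cur.rowcount


def revoke_all_cookies(db):
    """Log everyone out: delete every auth_cookie record; return count."""
    n = cookie_count(db)
    db.execute("DELETE FROM auth_cookie")
    db.commit()
    return n


if __name__ == '__main__':
    db = open_sample_db()
    valid = htdigest_users(SAMPLE_HTDIGEST)
    print("stale cookie holders:", stale_cookie_names(db, valid))
    print("purged rows:", purge_stale_cookies(db, valid))
    print("remaining rows:", cookie_count(db))
    print("revoked all:", revoke_all_cookies(db))
```

The comparison is by user name only, which is exactly the check the thread notes is missing from _get_name_for_cookie(): a cookie row whose name no longer appears in the htdigest file is treated as stale and removed, so a later lookup of that cookie finds nothing.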