
Item4605: User shown as Unknown User (Login ID) when author is not in TWikiUsers. Bad feature

Item Form Data

AppliesTo: Engine
Component:
Priority: Normal
CurrentState: Closed
WaitingFor:
TargetRelease: minor
ReleasedIn: 4.2.0


Detail

Look at a bug item here on Bugs like Item4604

Look at the breadcrumb: TWiki> Bugs Web>Item4604 (10 Sep 2007, UnknownUser (RichardDonkin))

Why is that? That is bad.

I know that on d.t.o we have only the htpasswd file and users are not in TWikiUsers or have topic in Main.

But I need to make sure that when I have users that are LDAP authenticated - but not registered - their contributions are shown by their login ID and not shown as UnknownUser. They may be not registered but they are known and the UnknownUser is a really bad signal to send.

-- TWiki:Main/KennethLavrsen - 10 Sep 2007

For some reason my name does not end up here as UnknownUser.

-- TWiki:Main.KennethLavrsen - 10 Sep 2007

Breadcrumb looks OK to me - could it be that you caught dto at a time where TWikiUserContrib was partly missing / being resynced?

I looked at Bugs.Item4604 - the link above gives a 404.

-- TWiki:Main.SteffenPoulsen - 11 Sep 2007

Looks good to me too, and on my local system as well.

Setting "Waiting for Feedback" until someone can reproduce the problem.

-- TWiki:Main.CrawfordCurrie - 13 Sep 2007

It is easy to reproduce at home.

I have a TWiki MAIN which is Apache authenticated.

I take a topic and edit the file so the author is called c12179. Just hack the file.

I view the topic.

And I see this

unknownuser.png

It is very bad to show Unknown User in a corporate installation where people have access via simple LDAP authentication and do not need to register. They can register - and need to if they need access to access restricted content. But they are not required to and many do not. It is important for TWiki deployment that people have access without registration - also for editing. And showing them as unknown user will for sure create noise. In 4.1.2 you just saw the login ID instead and that worked very fine.

It is also shown as UnknownUser in WebChanges and anywhere else. And it is bad everywhere.

-- TWiki:Main.KennethLavrsen - 14 Sep 2007

The image shown above the visible image is the image bug which is back again.

-- TWiki:Main.KennethLavrsen - 14 Sep 2007

It's actually a very simple thing to change, and is only added at render time. It's added if you're mapping logins to UserNames, and TWiki does not have that mapping.

ie. this is a not correct situation if you are mapping, and you require registration.

I'll either make it optional via cfg (so there can be debugging) or conditional on mapusernames and requireregistration (I'm not sure that exists atm - might be a 4.2.5 feature I'm dreaming)

-- TWiki:Main.SvenDowideit - 14 Sep 2007

Be careful not to make the logic so it becomes hard to guess the connection. It is better to create a {DisplayUnknownUserLink} configure parameter than link it to something that may be less obvious and require a lot of docs.

For info for others: It is the %REVINFO{format="$date, $wikiusername"}% that shows the UnknownUser (login ID) text

Sven - you should make such a configure setting an EXPERT setting and turn it off by default.

But before you create a new configure setting. Is it really needed for anything else than developer debugging? Then it may be better to enable the UnknownUser feature when enabling debugging instead of adding yet another configure setting. If you feel it is needed then I will not whine if you add the configure setting.

-- TWiki:Main.KennethLavrsen - 15 Sep 2007

mmm, hard to say - security wise, if you set up the system to require mapping, and a mapping does not exist, you want to know as quickly and as obviously as possible

and if any user is in that situation, and edits a topic, everyone will see it in the webchanges....

basically, you and I are arguing between obvious issue highlighting (why I did it) and not scaring users unnecessarily.

mmm, back to needing an admin interface that brings all the warnings, errors and management stuff into one place :/

Originally, I returned the more correct 'UnknownUser' - As in this situation, the user may be authenticated, but is unknown to TWiki. This being a rather cruel thing to say, I settled on this compromise.

Your 'hack the topic' eg is exactly that, it is an unknown user - TWiki has no idea who it is, and in many ways it's an invalid user.

The LDAP case on the other hand is the legitimate side of that same coin - the Admin really should be making the intentional decision to require registration - ie the user is unknown to the mapping but able to log in. (Note that this is more to do with using self managed login and password systems in apache_auth - as the LDAPUserManager would be able to return a valid cUID, and thus avoid the UnknownUser label)

Security is something that is inconvenient, but must be intentional, and in your face.

So, in conclusion, you (and I) believe we need a way for a TWiki to be set up to

  1. require a mapper to convert from logins to display names
  2. enable the admin to choose if twiki creates logins, or just uses externally defined ones
  3. enable the admin to choose if registration is required, or optional

The last should be done via a setting that defaults to require an entry in TWikiUsers (similar to the 'UnknownUser' we have now), and suggests adding redirect to registration if a user logs in, but has no mapping.

95% of the problem is that I'm revealing insecurities/inconsistencies in the way TWiki has worked, and the safest solution is to highlight that it's a misconfiguration, and provide tools (or settings) for legacy installations to decide to continue as it was, while preventing new installations from falling into the same traps.

-- TWiki:Main.SvenDowideit - 15 Sep 2007
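
The check argued for in the comment above (finding out quickly when a topic author has no login-to-name mapping) can also be run offline against the topic files. This is an added example, not TWiki code and not part of the original thread; the TWikiUsers bullet layout, the sample topics and every name except the login c12179 are assumptions constructed for illustration.

```python
import re

# Assumed TWikiUsers bullet layout: "   * WikiName - login - date"
# (the login field is omitted when no separate login is recorded).
USER_LINE = re.compile(r"^\s+\*\s+([A-Z]\w+)\s+-\s+(?:(\S+)\s+-\s+)?\d")
TOPICINFO = re.compile(r"^%META:TOPICINFO\{([^}]*)\}%", re.M)
ATTR = re.compile(r'(\w+)="([^"]*)"')

def parse_user_mapping(users_text):
    """Map every known login and WikiName to its WikiName."""
    mapping = {}
    for line in users_text.splitlines():
        m = USER_LINE.match(line)
        if m:
            wikiname, login = m.groups()
            mapping[wikiname] = wikiname
            if login:
                mapping[login] = wikiname
    return mapping

def topic_author(topic_text):
    """Return the author recorded in the topic's TOPICINFO line, or None."""
    m = TOPICINFO.search(topic_text)
    return dict(ATTR.findall(m.group(1))).get("author") if m else None

def audit(topics, mapping):
    """Return sorted (topic, author) pairs whose author has no mapping."""
    findings = []
    for name, text in topics.items():
        author = topic_author(text)
        if author is None or author not in mapping:
            findings.append((name, author))
    return sorted(findings)

# Constructed sample data (not taken from any real installation).
SAMPLE_USERS = """\
   * AliceExample - alice - 10 Sep 2007
   * BobExample - 11 Sep 2007
"""
INFO = '%META:TOPICINFO{{author="{}" date="1189400000" format="1.1" version="1.1"}}%\ntext\n'
SAMPLE_TOPICS = {
    "Sandbox.TestOne": INFO.format("alice"),         # mapped login
    "Sandbox.TestTwo": INFO.format("BobExample"),    # registered WikiName
    "Sandbox.TestThree": INFO.format("c12179"),      # login with no mapping
    "Sandbox.TestFour": "text with no TOPICINFO\n",  # author metadata missing
}

if __name__ == "__main__":
    for topic, author in audit(SAMPLE_TOPICS, parse_user_mapping(SAMPLE_USERS)):
        print(f"{topic}: unmapped author {author!r}")
```

A report like this separates the two cases discussed in the thread: an authenticated but unregistered login shows up with its login ID, while a topic whose metadata was removed or never written shows up with no author at all.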

I have not misconfigured my LDAP authenticated TWiki and I do not want to force registration.

Can we have the 4.1.2 function back for the %REVINFO now? I need this for my beta testing at Motorola.

-- TWiki:Main.KennethLavrsen - 17 Sep 2007

thanks for the discussion, and the well reasoned out conclusion :-(

-- TWiki:Main.SvenDowideit - 17 Sep 2007

That was not meant as a conclusion. I just asked if we could have the old function back now so we beta testers will not have this problem to fight with.

There is still a problem. It seems "Main." is a hardcoded prefix which is added so I get Main.c12179 instead of just c12179.

-- TWiki:Main.KennethLavrsen - 17 Sep 2007

WAIT. It is probably me.

I have not received the email from SVN yet so I had not seen that Sven had done the perfect solution instead of just my suggested hack.

Ignore for now. I will confirm with the configure setting and close again if it works.

-- TWiki:Main.KennethLavrsen - 17 Sep 2007

No. I have the configure settings right. It is a bug that we see Main. when the user name is a login ID instead of a wikiname.

It is only when it is a wiki name we should see the Main. in front.

-- TWiki:Main.KennethLavrsen - 17 Sep 2007

I just checked in 4.1.2.

It also had the problem with the Main.Login

So we are back at same functionality as we had on 4.1.2 with respect to the Main. problem.

This should be fixed in the REVINFO code then.

Lowering to Normal since if I lived with this until now - I can live with it again.

-- TWiki:Main.KennethLavrsen - 17 Sep 2007

Kenneth - please, don't re-use bugs for totally separate issues - Open a new one, as an Enhancement for next release for this, as there are quite a lot of things that should change to do this - There are a lot of places where TWiki assumes that what it gets back from getWikiName() is an existing topic.

as you say, you, and everyone else has lived with this since, well Athens.

-- SvenDowideit - 18 Sep 2007

ItemTemplate
Summary User shown as Unknown User (Login ID) when author is not in TWikiUsers. Bad feature
ReportedBy TWiki:Main.KennethLavrsen
Codebase ~twiki4
SVN Range TWiki-4.2.0, Sat, 08 Sep 2007, build 14780
AppliesTo Engine
Component

Priority Normal
CurrentState Closed
WaitingFor

Checkins TWikirev:14902 TWikirev:14927
TargetRelease minor
ReleasedIn 4.2.0
Topic revision: r20 - 2008-01-22 - KennethLavrsen