Look at a bug item here on Bugs like Item4604
Look at the breadcrumb:
TWiki> Bugs Web>Item4604 (10 Sep 2007, UnknownUser (RichardDonkin))
Why is that? That is bad.
I know that on d.t.o we have only the htpasswd file and users are not in TWikiUsers or have topic in Main.
But I need to make sure that when I have users that are LDAP authenticated - but not registered - their contributions are shown by their login ID and not shown as UnknownUser. They may be not registered but they are known and the UnknownUser is a really bad signal to send.
--
TWiki:Main/KennethLavrsen - 10 Sep 2007
For some reason my name does not end up here as UnknownUser.
--
TWiki:Main.KennethLavrsen - 10 Sep 2007
Breadcrumb looks OK to me - could it be that you caught dto at a time when TWikiUserContrib was partly missing / being resynced?
I looked at Bugs.Item4604 - the link above gives a 404.
--
TWiki:Main.SteffenPoulsen - 11 Sep 2007
Looks good to me too, and on my local system as well.
Setting "Waiting for Feedback" until someone can reproduce the problem.
--
TWiki:Main.CrawfordCurrie - 13 Sep 2007
It is easy to reproduce at home.
I have a TWiki MAIN which is Apache authenticated.
I take a topic and edit the file so the author is called c12179. Just hack the file.
I view the topic.
And I see this
It is very bad to show Unknown User in a corporate installation where people have access via simple LDAP authentication and do not need to register. They can register - and need to if they need access to access restricted content. But they are not required to and many do not. It is important for TWiki deployment that people have access without registration - also for editing. And showing them as unknown user will for sure create noise. In 4.1.2 you just saw the login ID instead and that worked very fine.
It is also shown as UnknownUser in WebChanges and anywhere else. And it is bad everywhere.
--
TWiki:Main.KennethLavrsen - 14 Sep 2007
The image shown above the visible image is the image bug which is back again.
--
TWiki:Main.KennethLavrsen - 14 Sep 2007
It's actually a very simple thing to change, and is only added at render time. It's added if you're mapping logins to UserNames, and TWiki does not have that mapping.
i.e. this is not a correct situation if you are mapping, and you require registration.
I'll either make it optional via cfg (so there can be debugging) or conditional on mapusernames and requireregistration (I'm not sure that exists atm - might be a 4.2.5 feature I'm dreaming)
--
TWiki:Main.SvenDowideit - 14 Sep 2007
Be careful not to make the logic so it becomes hard to guess the connection. It is better to create a {DisplayUnknownUserLink} configure parameter than link it to something that may be less obvious and require a lot of docs.
For info for others: It is the %REVINFO{format="$date, $wikiusername"}% that shows the UnknownUser (login ID) text
Sven - you should make such a configure setting an EXPERT setting and turn it off by default.
But before you create a new configure setting: is it really needed for anything else than developer debugging? Then it may be better to enable the UnknownUser feature when enabling debugging instead of adding yet another configure setting. If you feel it is needed then I will not whine if you add the configure setting.
--
TWiki:Main.KennethLavrsen - 15 Sep 2007
mmm, hard to say - security wise, if you set up the system to require mapping, and a mapping does not exist, you want to know as quickly and as obviously as possible
and if any user is in that situation, and edits a topic, everyone will see it in the webchanges....
basically, you and I are arguing between obvious issue highlighting (why I did it) and not scaring users unnecessarily.
mmm, back to needing an admin interface that brings all the warnings, errors and management stuff into one place :/
Originally, I returned the more correct 'UnknownUser' - As in this situation, the user may be authenticated, but is unknown to TWiki. This being a rather cruel thing to say, I settled on this compromise.
Your 'hack the topic' eg is exactly that, it is an unknown user - TWiki has no idea who it is, and in many ways it's an invalid user.
The LDAP case on the other hand is the legitimate side of that same coin - the Admin really should be making the intentional decision to require registration - ie the user is unknown to the mapping but able to log in. (Note that this is more to do with using self managed login and password systems in apache_auth - as the LDAPUserManager would be able to return a valid cUID, and thus avoid the UnknownUser label)
Security is something that is inconvenient, but must be intentional, and in your face.
So, in conclusion, you (and I) believe we need a way for a TWiki to be set up to
- require a mapper to convert from logins to display names
- enable the admin to choose if twiki creates logins, or just uses externally defined ones
- enable the admin to choose if registration is required, or optional
The last should be done via a setting that defaults to require an entry in TWikiUsers (similar to the 'UnknownUser' we have now), and suggests adding redirect to registration if a user logs in, but has no mapping.
95% of the problem is that I'm revealing insecurities/inconsistencies in the way TWiki has worked, and the safest solution is to highlight that it's a mis-configuration, and provide tools (or settings) for legacy installations to decide to continue as it was, while preventing new installations from falling into the same traps.
--
TWiki:Main.SvenDowideit - 15 Sep 2007
I have not misconfigured my LDAP authenticated TWiki and I do not want to force registration.
Can we have the 4.1.2 function back for the %REVINFO now? I need this for my beta testing at Motorola.
--
TWiki:Main.KennethLavrsen - 17 Sep 2007
thanks for the discussion, and the well reasoned out conclusion.
--
TWiki:Main.SvenDowideit - 17 Sep 2007
That was not meant as a conclusion. I just asked if we could have the old function back now so we beta testers will not have this problem to fight with.
There is still a problem. It seems "Main." is a hardcoded prefix which is added so I get Main.c12179 instead of just c12179.
--
TWiki:Main.KennethLavrsen - 17 Sep 2007
WAIT. It is probably me.
I have not received the email from SVN yet so I had not seen that Sven had done the perfect solution instead of just my suggested hack.
Ignore for now. I will confirm with the configure setting and close again if it works.
--
TWiki:Main.KennethLavrsen - 17 Sep 2007
No. I have the configure settings right. It is a bug that we see Main. when the user name is a login ID instead of a wikiname.
It is only when it is a wiki name we should see the Main. in front.
--
TWiki:Main.KennethLavrsen - 17 Sep 2007
I just checked in 4.1.2.
It also had the problem with the Main.Login.
So we are back at same functionality as we had on 4.1.2 with respect to the Main. problem.
This should be fixed in the REVINFO code then.
Lowering to Normal since if I lived with this until now - I can live with it again.
--
TWiki:Main.KennethLavrsen - 17 Sep 2007
Kenneth - please, don't re-use bugs for totally separate issues - Open a new one, as an Enhancement for next release for this, as there are quite a lot of things that should change to do this - There are a lot of places where TWiki assumes that what it gets back from getWikiName() is an existing topic.
As you say, you, and everyone else has lived with this since, well Athens.
--
SvenDowideit - 18 Sep 2007