View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0029517||mantisbt||authentication||public||2022-01-27 13:41||2023-10-31 16:32|
|Target Version||2.26.0||Fixed in Version||2.26.0|
|Summary||0029517: Login redirection to plugin credentials page for non-existent user|
A login redirection to an authentication plugin's credential page does not happen if the user does not currently exist in the database.
This issue happens due to the following line:
If the user does not exist in the DB, $t_user_id is false and auth_credential_page is never called. auth_credential_page should be called so that any authentication plugin has an opportunity to handle the case where the user does not exist in the DB (i.e. auto-provisioning of users).
|Steps To Reproduce|
Make sure you have an authentication plugin installed that hooks the EVENT_AUTH_USER_FLAGS event and sets the credentials page in the AuthFlags object it returns
Go to the main mantis root page /
Make sure the authentication plugin sets the credential page (see example code)
$t_flags = new AuthFlags();
|Tags||No tags attached.|
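The behaviour described in this report, as a self-contained model added here for illustration; it is not MantisBT code or the code from the linked changeset. Every name in it (`lookup_user_id`, `plugin_credential_page`, `credential_page_before`, `credential_page_after`, the `ExampleAuth` page URL and the user table) is a hypothetical stand-in. It contrasts a login step that consults the plugin only when the user row exists with one that also consults it when the lookup returns false.

```php
<?php
# Added illustration, not MantisBT code. All names are hypothetical stand-ins
# that model the login step described in the report.

const NATIVE_PASSWORD_PAGE = 'login_password_page.php';

# Constructed user table: only "alice" has a row in the database.
const KNOWN_USERS = array( 'alice' => 7 );

# Returns the user id, or false when the user has no row (as in the report).
function lookup_user_id( string $p_username ) {
	return KNOWN_USERS[$p_username] ?? false;
}

# Models an authentication plugin answering the flags event. It receives the
# username and the id (false for unknown users) and returns its own
# credentials page, or null to leave the native page in place.
function plugin_credential_page( string $p_username, $p_user_id ): ?string {
	# An auto-provisioning plugin wants unknown users too, so it does not
	# bail out when $p_user_id is false.
	return 'plugin.php?page=ExampleAuth/login&username=' . rawurlencode( $p_username );
}

# Reported behaviour: the plugin is consulted only when the user exists.
function credential_page_before( string $p_username ): string {
	$t_user_id = lookup_user_id( $p_username );
	if( $t_user_id === false ) {
		return NATIVE_PASSWORD_PAGE; # plugin is never asked
	}
	return plugin_credential_page( $p_username, $t_user_id ) ?? NATIVE_PASSWORD_PAGE;
}

# Requested behaviour: the plugin is asked even when the id is false.
function credential_page_after( string $p_username ): string {
	$t_user_id = lookup_user_id( $p_username );
	return plugin_credential_page( $p_username, $t_user_id ) ?? NATIVE_PASSWORD_PAGE;
}

foreach( array( 'alice', 'new.user' ) as $t_name ) {
	echo $t_name, ' before: ', credential_page_before( $t_name ), "\n";
	echo $t_name, ' after:  ', credential_page_after( $t_name ), "\n";
}
```

In the "before" variant an unknown user is sent to the native password page, so a deployment that relies on the plugin for all sign-ins cannot provision that user at first login.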
It could be considered a duplicate but this fixes it while maintaining compatibility for the fix made in 0025061. It also addresses another redirection flaw that was mentioned in the PR.
MantisBT: master 76f01f8d
|Auth plugin events not fired for non-existent users
Handle auth_flags edge cases which break certain authentication plugins
Fix login redirection for auth plugin.
Fixes 0027836, 0029517, PR https://github.com/mantisbt/mantisbt/pull/1792
|mod - core/authentication_api.php||Diff File|
|mod - login_password_page.php||Diff File|