View Issue Details

IDProjectCategoryView StatusLast Update
0029517mantisbtauthenticationpublic2023-10-31 16:32
Reporterjon5477 Assigned Tocommunity  
Status closedResolutionfixed 
Product Version2.25.2 
Target Version2.26.0Fixed in Version2.26.0 
Summary0029517: Login redirection to plugin credentials page for non-existent user

A login redirection to an authentication plugin's credential page does not happen if the user does not currently exist in the database.

This issue happens due to the following line:

If the user does not exist in the DB, $t_user_id is false and auth_credential_page is never called. auth_credential_page should be called so any authentication plugin should have an opportunity to handle if the user does not exist in the DB (i.e. auto-provisioning of users)

Steps To Reproduce

Make sure you have an authentication plugin installed that hooks the EVENT_AUTH_USER_FLAGS event and sets the credentials page in the AuthFlags object it returns

Go to the main mantis root page /
Clear all browser cookies, make sure the current administrator password is not "root", make sure the admin directory does not exist
Login with a user that does not exist in the database
Verify URL is "/login_password_page.php" and not "/plugin.php?page=auth/login_password_page"

Additional Information

Make sure the authentication plugin sets the credential page (see example code)

$t_flags = new AuthFlags();
$t_flags->setCredentialsPage(plugin_page('login_password_page', true));

TagsNo tags attached.


has duplicate 0027836 closeddregad The EVENT_AUTH_USER_FLAGS event does not fire if the user does not exist in the DB 




2022-01-28 16:17

developer   ~0066205


@jon5477 I have not analyzed in detail, but this seems to be a duplicate of 0027836. Can you please confirm ?



2022-01-28 16:36

reporter   ~0066206

It could be considered a duplicate but this fixes it while maintaining compatibility for the fix made in 0025061. It also addresses another redirection flaw that was mentioned in the PR.

Related Changesets

MantisBT: master 76f01f8d

2022-02-14 19:10


Committer: community

Details Diff
Auth plugin events not fired for non-existent users

Handle auth_flags edge cases which break certain authentication plugins
Fix login redirection for auth plugin.

Fixes 0027836, 0029517, PR
Affected Issues
0027836, 0029517
mod - core/authentication_api.php Diff File
mod - login_password_page.php Diff File