[rt-users] unprivileged users need to log in twice
Kevin Falcone
falcone at bestpractical.com
Mon Dec 14 15:46:52 EST 2009
On Wed, Dec 09, 2009 at 04:49:14PM -0500, Kevin Falcone wrote:
> On Wed, Dec 09, 2009 at 12:26:53PM -0800, David Griffith wrote:
> > On Wed, 9 Dec 2009, Kevin Falcone wrote:
> >
> > > On Wed, Dec 09, 2009 at 11:40:32AM -0800, David Griffith wrote:
> > >> Go to http://foobar.com/rt and you see the RT login screen. Login as an
> > >> unprivileged user (Alice). The username and password field will blank
> > >> out. Type in Alice's username and password again, and you'll be logged in
> > >> as Alice. That's the first part of the bug.
> > >
> > > What happens at http://foobar.com/rt/ vs /rt
> > > Also, what is your URL after the initial failed login?
> >
> > Trailing slash makes no difference. The URL after initial failed login is
> > http://foobar.com/rt/SelfService/
> >
> > >> The second part is when you type in the username-password the second
> > >> time. If at that point you attempt to log in as a privileged user,
> > >> you'll log in, but your permissions are that of an unprivileged user.
> > >
> > > This sounds like the initial login worked enough to get you redirected
> > > to /rt/SelfService/ which would certainly make it appear that you're
> > > an unprivileged user when you then log in as Bob (the privileged user)
> >
> > I see. Any ideas of what's going on?
>
> Not without further digging, but at least we've explained the
> unprivileged rights issue.
I'd be interested to know if the following patch fixes this on debian
stable. You should be able to apply it with
cd /usr/share/request-tracker3.6; patch < ErrHeadersOut.patch
and a restart of apache
-kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <http://lists.bestpractical.com/pipermail/rt-users/attachments/20091214/9ffd1386/attachment.sig>
More information about the rt-users
mailing list