[MAGNOLIA-1731] Properly prevent creation of duplicate users Created: 07/Sep/07  Updated: 04/Nov/15  Resolved: 04/Nov/15

Status: Closed
Project: Magnolia
Component/s: core, security
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: Magnolia International Assignee: Sameer Charles
Resolution: Won't Do Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relation
is related to MGNLPUR-9 Prevent duplicates Closed

 Description   

To discuss / confirm :

  • Users tree should use UserManager to create / query users
  • UserManager should force-lowercase on username when creating and querying (thus making the username case-insensitive) - this could be optional
  • UserManager should throw an explicit exception when attempting to create a user with an existing username (maybe this is a good moment to also review the exception handling and semantics of UserManager methods)


 Comments   
Comment by Magnolia International [ 15/Jun/11 ]

info.magnolia.cms.security.DelegatingUserManager#createUser could also check with its delegate if the user already exists.

Not covered by this issue's description or the above comment: creating a user via admincentral, or the public-user-registration module or the openid module: they tap directly into a "sub" user manager. This is usually not a huge deal, except for login-related issues: since the jaas config is currently independent from the user managers configuration, we have no guarantee they are in the same order (meaning a user logging in with name "johndoe" might be a different account than that returned by SecuritySupport.getUserManager().getUser("johndoe"))

Possible API changes:

  • UserManager implementation become aware of their "parent" (DelegatingUserManager or null) and check with the parent if the user can be created. +: no visible api change. Downside: implementations are not forced to do this check, so using an older version of a module will show the symptom.
  • or, we remove getUserManager(String realm) from SecuritySupport; createUser methods take a "realm" parameter. Essentially, the client code would not access a specific UserManager anymore, only the "delegating" one. (preferred solution, since it is cleaner, simpler, safer.)
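The following is an added illustration of the design sketched in the description (force-lowercased usernames, an explicit exception on duplicates) combined with the second option above (no access to a specific sub-manager; createUser takes a realm parameter and the delegating manager checks every realm before creating). It is example code written for this page, not Magnolia's own implementation: the names DelegatingUserManagerExample, RealmUserManager, SimpleUser and DuplicateUserException are assumptions and do not correspond to classes in info.magnolia.cms.security. The realm names "system", "admin" and "public" are constructed sample input.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

// Example code for this issue, not Magnolia's API. All class names below are
// assumptions chosen for the illustration.
public class DelegatingUserManagerExample {

    /** Explicit failure instead of silently creating a second account. */
    public static class DuplicateUserException extends Exception {
        public DuplicateUserException(String name, String realm) {
            super("user '" + name + "' already exists in realm '" + realm + "'");
        }
    }

    /** Minimal user: the stored name is always the normalized form. */
    public record SimpleUser(String name, String realm) {}

    /** Single normalization point, so create and lookup can never disagree on case. */
    static String normalize(String name) {
        return name.trim().toLowerCase(Locale.ROOT);
    }

    /** One realm's store, keyed by the normalized name. Not reachable by callers. */
    static class RealmUserManager {
        private final String realm;
        private final Map<String, SimpleUser> users = new LinkedHashMap<>();

        RealmUserManager(String realm) { this.realm = realm; }

        Optional<SimpleUser> getUser(String name) {
            return Optional.ofNullable(users.get(normalize(name)));
        }

        SimpleUser createUser(String name) throws DuplicateUserException {
            String key = normalize(name);
            if (users.containsKey(key)) {
                throw new DuplicateUserException(key, realm);
            }
            SimpleUser user = new SimpleUser(key, realm);
            users.put(key, user);
            return user;
        }
    }

    // Realms are consulted in the order they were declared here, in one place,
    // so a lookup and a later create see the same ordering.
    private final Map<String, RealmUserManager> delegates = new LinkedHashMap<>();

    DelegatingUserManagerExample(String... realms) {
        for (String realm : realms) {
            delegates.put(realm, new RealmUserManager(realm));
        }
    }

    /** Case-insensitive lookup across all realms, first match wins. */
    Optional<SimpleUser> getUser(String name) {
        for (RealmUserManager manager : delegates.values()) {
            Optional<SimpleUser> user = manager.getUser(name);
            if (user.isPresent()) {
                return user;
            }
        }
        return Optional.empty();
    }

    /** Creation names a realm but is refused if the name exists in ANY realm. */
    SimpleUser createUser(String realm, String name) throws DuplicateUserException {
        RealmUserManager target = delegates.get(realm);
        if (target == null) {
            throw new IllegalArgumentException("unknown realm: " + realm);
        }
        Optional<SimpleUser> existing = getUser(name);
        if (existing.isPresent()) {
            throw new DuplicateUserException(normalize(name), existing.get().realm());
        }
        return target.createUser(name);
    }

    public static void main(String[] args) throws Exception {
        DelegatingUserManagerExample mgr =
                new DelegatingUserManagerExample("system", "admin", "public");
        mgr.createUser("public", "JohnDoe");
        // Different case, same account: found in realm "public".
        System.out.println(mgr.getUser("johndoe").orElseThrow());
        try {
            // Same name in another realm: refused with an explicit exception.
            mgr.createUser("admin", "johndoe");
        } catch (DuplicateUserException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

The point of routing every create through the delegating manager is that the duplicate check cannot be skipped by a module (admincentral, public-user-registration, openid) that would otherwise hold a reference to one sub-manager; the sub-managers are package-private here for that reason. Lowercasing with Locale.ROOT avoids locale-dependent case mappings (the Turkish dotless i being the usual surprise) changing which stored key a login name maps to.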
Comment by Michael Mühlebach [ 04/Nov/15 ]

Given the thousands of other issues we have open that are more highly requested, we won't be able to address this issue in the foreseeable future. Instead we will focus on issues with a higher impact, and more votes.
Thanks for taking the time to raise this issue. As you are no doubt aware this issue has been on our backlog for some time now with very little movement.
I'm going to close this to set expectations so the issue doesn't stay open for years with few updates. If the issue is still relevant please feel free to reopen it or create a new issue.
