
MAIN_AUTHENTICATION_MODE "forceuser" is broken (maybe it's a good thing)

Open atm-florianm opened this issue 9 months ago • 0 comments

Bug

I recently noticed a well-hidden feature in Dolibarr's conf.php file:

const MAIN_AUTHENTICATION_MODE = 'forceuser';
$dolibarr_auto_user = 'loginoftheuser';

It is supposed to skip authentication altogether: the user is automatically logged on as 'loginoftheuser'.

The feature doesn't work currently (it requires a bit of hocus pocus in conf.php to make it work). More specifically, it requires assigning the same session variables as main.inc.php sets when using classic authentication modes:

// Store value into session (values always stored)
$_SESSION["dol_login"] = $user->login;
$_SESSION["dol_logindate"] = dol_now('gmt');
$_SESSION["dol_authmode"] = isset($dol_authmode) ? $dol_authmode : '';
$_SESSION["dol_tz"] = isset($dol_tz) ? $dol_tz : '';
$_SESSION["dol_tz_string"] = isset($dol_tz_string) ? $dol_tz_string : '';
$_SESSION["dol_dst"] = isset($dol_dst) ? $dol_dst : '';
$_SESSION["dol_dst_observed"] = isset($dol_dst_observed) ? $dol_dst_observed : '';
[…]

I am reporting this because I think we should either remove the feature completely, or fix it.

Pros

  • On the one hand, the feature has been implemented in the past (I suppose it was functional back then).
  • It is convenient for local tests
  • It could be used for some public demo instances to ensure visitors get the demo (unprivileged) user and cannot even try to log on as admin.

Cons

On the other hand, if misused, this feature can be extremely dangerous. I can imagine someone naive setting up superadmin autologin on their production environment just because it is so convenient, without realizing how exposed this would make their business.

Even on a local environment, it is still a bit unsafe (you either have to trust your LAN, which isn't guaranteed to be trustworthy, or set up your firewall or server to block any incoming connections).

The only really safe use I can think of is to auto-login an unprivileged user on a public demo (with no sensitive data).

Dolibarr Version

Tested in 17.0

Environment PHP

php8, php7

Environment Database

No response

Steps to reproduce the behavior and expected behavior

Create a user loginoftheuser, then add this in conf.php:

const MAIN_AUTHENTICATION_MODE = 'forceuser';
$dolibarr_auto_user = 'loginoftheuser';

Expected: when connecting to Dolibarr's root URL, the browser shows the home page instead of the login page regardless of whether the user has authenticated or not. The current user must be loginoftheuser.

Actual result: warnings, sometimes fatals regarding session variables.

Note: I tested this months ago, so the actual results might be different today.

Attached files

No response

atm-florianm, May 16 '24 09:05
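The "con" raised in the issue is that a 'forceuser' line can quietly survive into a production conf.php. The following audit script is an added example, not code from the issue author or from the Dolibarr project: it reads a conf.php, ignores commented-out lines, and rates the deployment. It keys on the two settings named in the issue (MAIN_AUTHENTICATION_MODE and $dolibarr_auto_user) and on two conf.php settings that are assumed here rather than taken from the issue: $dolibarr_main_authentication as the variable form of the mode, and $dolibarr_main_url_root as the instance URL. The precedence of the const over the variable is also an assumption. The sample configs at the bottom are constructed for the demo.

```python
"""Audit a Dolibarr conf.php for the 'forceuser' auto-login mode (added example)."""
import re
from urllib.parse import urlparse

# MAIN_AUTHENTICATION_MODE and $dolibarr_auto_user come from the issue.
# $dolibarr_main_authentication and $dolibarr_main_url_root are assumed
# conf.php settings (assumption, not taken from the issue text).
_CONST_MODE = re.compile(r"""const\s+MAIN_AUTHENTICATION_MODE\s*=\s*['"]([^'"]*)['"]""")
_VAR_MODE = re.compile(r"""\$dolibarr_main_authentication\s*=\s*['"]([^'"]*)['"]""")
_AUTO_USER = re.compile(r"""\$dolibarr_auto_user\s*=\s*['"]([^'"]*)['"]""")
_URL_ROOT = re.compile(r"""\$dolibarr_main_url_root\s*=\s*['"]([^'"]*)['"]""")

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _strip_comments(text: str) -> str:
    """Drop PHP line comments so a commented-out forceuser line is not counted."""
    kept = []
    for line in text.splitlines():
        if line.lstrip().startswith(("//", "#")):
            continue
        # Remove a trailing // comment, but keep the // inside http:// or https://.
        kept.append(re.sub(r"(?<!:)//.*$", "", line))
    return "\n".join(kept)


def parse_conf(text: str) -> dict:
    """Extract the authentication-related settings from conf.php text."""
    text = _strip_comments(text)
    const_m = _CONST_MODE.search(text)
    var_m = _VAR_MODE.search(text)
    # Assumption: when both forms are present, the const takes precedence.
    mode = const_m.group(1) if const_m else (var_m.group(1) if var_m else None)
    auto_m = _AUTO_USER.search(text)
    url_m = _URL_ROOT.search(text)
    host = urlparse(url_m.group(1)).hostname if url_m else None
    return {"mode": mode, "auto_user": auto_m.group(1) if auto_m else "", "host": host}


def audit(text: str) -> dict:
    """Rate a conf.php: 'none' unless forceuser is on; 'medium' when the instance
    URL is loopback (the LAN can still reach it, as the issue notes); 'high' when
    the host is anything else or unknown."""
    conf = parse_conf(text)
    findings = []
    if conf["mode"] != "forceuser":
        return {"severity": "none", "findings": findings, **conf}
    findings.append(f"forceuser: every visitor is logged in as '{conf['auto_user'] or '?'}' "
                    "without a password")
    if not conf["auto_user"]:
        findings.append("$dolibarr_auto_user is empty; the forced login is undefined")
    if conf["host"] in LOOPBACK_HOSTS:
        severity = "medium"
        findings.append(f"url root is {conf['host']}: only safe if nothing else can reach the port")
    else:
        severity = "high"
        findings.append(f"url root host is {conf['host'] or 'unknown'}: auto-login is reachable remotely")
    return {"severity": severity, "findings": findings, **conf}


# Constructed sample configs for the demo (not real deployments).
PROD_CONF = """<?php
$dolibarr_main_url_root = 'https://erp.example.com/dolibarr';
const MAIN_AUTHENTICATION_MODE = 'forceuser';
$dolibarr_auto_user = 'admin';
"""
LOCAL_CONF = """<?php
$dolibarr_main_url_root = 'http://localhost/dolibarr';
$dolibarr_main_authentication = 'forceuser';
$dolibarr_auto_user = 'demo';
"""
NORMAL_CONF = """<?php
$dolibarr_main_url_root = 'https://erp.example.com/dolibarr';
// const MAIN_AUTHENTICATION_MODE = 'forceuser';
$dolibarr_main_authentication = 'dolibarr';
"""

if __name__ == "__main__":
    for name, conf in (("prod", PROD_CONF), ("local", LOCAL_CONF), ("normal", NORMAL_CONF)):
        result = audit(conf)
        print(f"{name}: {result['severity']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The script only sees conf.php, so it cannot tell whether the forced login is an admin or an unprivileged demo account; that check belongs against the database or the user administration page. A loopback URL root is also rated only 'medium' on purpose, for the reason the issue gives: the web server may still be listening on an interface the LAN can reach.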