
User case sensitive showing history

Open hamsterbacke opened this issue 4 years ago • 7 comments

Hi there, I filed a bug about case sensitiveness of authentication. Today I saw that showing the task history also seems to be case sensitive. If user foobar executes something, he can see history for user foobar but not Foobar or FOOBAR. I used a current clone of the master branch.

hamsterbacke avatar May 25 '21 11:05 hamsterbacke

Hi @hamsterbacke, thanks for reporting

bugy avatar May 25 '21 11:05 bugy

Fixed, could you try again, please?

bugy avatar May 25 '21 19:05 bugy

Hi there, today I had time to install the new version (version.txt says 1.17.0-master@45b68ce). Now the user gets an empty history with the loading circle displayed. In the log one can see:

2021-07-08 13:57:03,980 [script_server.execution_service.WARNING] Prohibited access to not owned execution #459 (user=FOOBAR)
2021-07-08 13:57:03,981 [tornado.application.ERROR] Uncaught exception GET /history/execution_log/short (127.0.0.1)
HTTPServerRequest(protocol='https', host='script.intern.kzvb.de:443', method='GET', uri='/history/execution_log/short', version='HTTP/1.1', remote_ip='127.0.0.1')
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/tornado/web.py", line 1590, in _execute
    result = method(*self.path_args, **self.path_kwargs)
  File "src/web/web_auth_utils.py", line 46, in wrapper
    return func(self, *args, **kwargs)
  File "src/web/web_utils.py", line 29, in wrapper
    return func(self, *new_args, **kwargs)
  File "src/web/server.py", line 666, in get
    if self.application.execution_service.is_running(entry.id, user):
  File "src/execution/execution_service.py", line 88, in is_running
    self.validate_execution_id(execution_id, user, only_active=False, allow_when_history_access=True)
  File "src/execution/execution_service.py", line 139, in validate_execution_id
    raise AccessProhibitedException('Prohibited access to not owned execution')
model.model_helper.AccessProhibitedException: Prohibited access to not owned execution
2021-07-08 13:57:03,982 [tornado.access.WARNING] 403 GET /history/execution_log/short (127.0.0.1) 150.28ms

History file 21-02-09_06-59-459.log has user_id and user_name foobar.

hamsterbacke avatar Jul 08 '21 12:07 hamsterbacke

Thanks, it seems I forgot it in some place

bugy avatar Jul 08 '21 12:07 bugy

Nice catch, I broke it in #387, when I implemented better access checking. Actually, this issue wasn't case relevant and was happening for all non-admin users when opening history after server restart.

bugy avatar Jul 09 '21 17:07 bugy

I made a fix, could you try again, please?

bugy avatar Jul 09 '21 18:07 bugy

It works now, thanks :)

hamsterbacke avatar Jul 13 '21 07:07 hamsterbacke