FishEye / FE-5557

Crowd with SSO authenticates user without password


    • Type: Bug
    • Resolution: Duplicate
    • Priority: Low
    • 3.10.2, 4.0.0
    • 3.6.2, 3.7.0
    • None

      When FishEye is connected to Crowd and SSO is on, it is possible to authenticate as a user in FishEye even if this user has been removed from the group being synchronized from Crowd. This is done basically by clicking the "Unable to access your account?" link, which refreshes the page and shows FishEye as authenticated with this user (maybe this is because of some cache in the browser).

      Background configuration
      Crowd:

      • User admin, member of the group fecru-users.

      FishEye:

      • Connected to Crowd with SSO, synchronizing the group fecru-users.

      Steps to reproduce:

      1. In Crowd, remove fecru-users from admin's group list.
      2. In FishEye, try to log in as admin. It will fail ("Unknown user or password").
      3. In FishEye, click the "Unable to access your account?" link. You are now logged in as admin.

      Some points to note:

      • At some point I authenticated as this admin user in FishEye, but this was before trying to reproduce the issue. I don't know the details of how SSO works, or whether there is a cookie that lives there for some time.
      • At the time I was reproducing this I didn't log in with the admin user at any point. I was actually logged in as my own user in Crowd, and not logged in to FishEye.
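
The report does not establish the root cause (the reporter suspects browser-side caching), so the following is an added illustration, not FishEye or Crowd code. It models the observable behaviour of the three reproduction steps with a hypothetical in-memory directory and SSO token store: the password path checks both credentials and membership in fecru-users, while a lenient SSO path accepts any still-valid token without re-checking the group, which is exactly the outcome the report describes. A strict variant beside it shows the check a practitioner would expect, re-validating group membership whenever a token is used to establish a session. Every class and function name here is assumed for the example.

```python
"""Simulated reproduction of the FE-5557 symptom (added example, not FishEye/Crowd code).

Assumptions (hypothetical, not taken from the report):
  - Crowd is modelled as a password table plus direct group memberships.
  - The SSO cookie is modelled as an opaque token mapped to a username.
  - The admin user obtained an SSO token before being removed from the group,
    matching the reporter's note that they had authenticated as admin earlier.
"""
from dataclasses import dataclass, field
import secrets

REQUIRED_GROUP = "fecru-users"  # the group FishEye is configured to synchronize


@dataclass
class Directory:
    """Stand-in for Crowd: passwords and direct group memberships."""
    passwords: dict = field(default_factory=dict)   # username -> password
    groups: dict = field(default_factory=dict)      # username -> set of group names

    def check_password(self, user: str, password: str) -> bool:
        return self.passwords.get(user) == password

    def in_group(self, user: str, group: str) -> bool:
        return group in self.groups.get(user, set())

    def remove_from_group(self, user: str, group: str) -> None:
        self.groups.get(user, set()).discard(group)


@dataclass
class SsoTokens:
    """Stand-in for the Crowd SSO token store behind the session cookie."""
    tokens: dict = field(default_factory=dict)      # token -> username

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(16)
        self.tokens[token] = user
        return token

    def resolve(self, token: str):
        return self.tokens.get(token)


def password_login(directory: Directory, user: str, password: str):
    """FishEye login form path: both the credentials and the group are checked."""
    if directory.check_password(user, password) and directory.in_group(user, REQUIRED_GROUP):
        return user
    return None


def sso_login_lenient(directory: Directory, tokens: SsoTokens, token: str):
    """Reproduces the reported behaviour: a valid token is accepted as-is,
    so a user removed from the group still gets a session."""
    return tokens.resolve(token)


def sso_login_strict(directory: Directory, tokens: SsoTokens, token: str):
    """Hardened variant: a token only establishes a session for a user who
    still holds the required group at the time the token is presented."""
    user = tokens.resolve(token)
    if user is None or not directory.in_group(user, REQUIRED_GROUP):
        tokens.tokens.pop(token, None)  # drop the stale token as well
        return None
    return user


def reproduce(sso_login):
    """Walk the three steps from the report and return (form result, SSO result)."""
    directory = Directory(passwords={"admin": "pw"}, groups={"admin": {REQUIRED_GROUP}})
    tokens = SsoTokens()
    token = tokens.issue("admin")                     # earlier SSO session as admin
    directory.remove_from_group("admin", REQUIRED_GROUP)   # step 1: drop the group in Crowd
    form_result = password_login(directory, "admin", "pw")  # step 2: login form fails
    sso_result = sso_login(directory, tokens, token)        # step 3: SSO-backed refresh
    return form_result, sso_result


if __name__ == "__main__":
    print("lenient SSO:", reproduce(sso_login_lenient))   # (None, 'admin')
    print("strict SSO: ", reproduce(sso_login_strict))    # (None, None)
```

Running the block shows the two paths diverging only on step 3: the form login fails in both cases once the group is gone, but the lenient token path still yields an admin session, which is the inconsistency the report describes.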

              Assignee: Unassigned
              Reporter: Gustavo Refosco (grefosco, Inactive)
              Votes: 0
              Watchers: 2