Bug #6450

closed

Deleting yourself in User Manager results in an empty user tag in the config

Added by Phillip Davis almost 8 years ago. Updated over 7 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: User Manager / Privileges
Target version:
Start date: 06/05/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.3.x
Affected Architecture:

Description

1) System->User Manager, create an account and give it membership of admins
2) Login to that account, go to System->User Manager and delete that account ("yourself")
3) Delete success message is displayed, click on logo to go to dashboard - you are told you do not exist - good, expected.
4) Log back in as another (or the real) admin user.
5) Go to System->User Manager
6) There is an "empty" row displayed for a "blank" user - problem.

Look in config.xml - you will find an empty "user" tag.


Files

DeletedMyself.png (39.7 KB) Phillip Davis, 06/05/2016 06:25 AM
Actions #1

Updated by Phillip Davis almost 8 years ago

Screen shot attached.

Actions #2

Updated by Phillip Davis almost 8 years ago

To me, it seems dangerous to let users delete their own user name. Because if they (or others) do not know the password to some other admin account on the system then they are locked out until they can get console access to reset the master admin password - which can be difficult at a remote installation, or if you don't have a serial cable handy, or...

So my suggestion is to prevent a user from deleting their own account - pull request:
https://github.com/pfsense/pfsense/pull/2993

That saves bothering to work out why the "blank" user is being left in the config.

I can't think of a real-world situation where someone needs to delete their own account. e.g. If a staff member is leaving then it is not normally up to them to delete their own account (locking themself out) as they walk out at 5pm Friday. Someone else would be required to delete the account and verify that access is really removed.

Actions #3

Updated by Phillip Davis over 7 years ago

This was committed to master, RELENG_2_3 and RELENG_2_3_1 around 23 June 2016.
That looks like it is later than the 2.3.1_5 release, so it never got released to the 2.3.1_* series.
Thus its first official release will be in 2.3.2.

I suggest updating the target version to 2.3.2 and setting it to Feedback, or if someone has already given it a test then set it to Resolved.

Actions #4

Updated by Chris Buechler over 7 years ago

  • Status changed from New to Resolved
  • Target version set to 2.3.2

Thanks Phil, setting the target was overlooked after the merge. Just double checked 2.3.2 and it's good.
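
An added example, not part of this ticket or of pfSense's own code: a small audit that looks for the empty "user" tag described above in a config.xml and reports how many accounts are members of admins, the lockout concern raised in comment #2. The function names are hypothetical, the sample config is constructed, and the layout (a `<system>` section holding `<user>` entries with `<name>`/`<uid>` and `<group>` entries with `<name>`/`<member>`) is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real system. Assumed layout:
# <system> holds <user> and <group> entries; a group <member> is a user uid.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <group>
      <name>admins</name>
      <gid>1999</gid>
      <member>0</member>
    </group>
    <user>
      <name>admin</name>
      <uid>0</uid>
    </user>
    <user></user>
  </system>
</pfsense>"""


def audit_users(config_xml):
    """Return (indexes of empty <user> entries, names of users in 'admins')."""
    system = ET.fromstring(config_xml).find("system")
    if system is None:
        raise ValueError("no <system> section in config")
    users = system.findall("user")
    # "Empty" means no child elements and no text: the blank row in the GUI.
    empty = [i for i, u in enumerate(users)
             if len(u) == 0 and not (u.text or "").strip()]
    admin_uids = set()
    for group in system.findall("group"):
        if group.findtext("name") == "admins":
            admin_uids.update(m.text.strip()
                              for m in group.findall("member") if m.text)
    admins = [u.findtext("name") for u in users
              if (u.findtext("uid") or "").strip() in admin_uids
              and u.findtext("name")]
    return empty, admins


def findings(config_xml):
    """Turn the audit result into human-readable findings."""
    empty, admins = audit_users(config_xml)
    out = [f"empty <user> entry at index {i}" for i in empty]
    if len(admins) < 2:
        out.append(f"{len(admins)} account(s) in admins: "
                   "losing it means console recovery")
    return out
```
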
