Bug #6450
closed
Deleting yourself in User Manager results in an empty user tag in the config
Added by Phillip Davis over 8 years ago.
Updated over 8 years ago.
Category:
User Manager / Privileges
Description
1) System->User Manager, create an account and give it membership of admins
2) Login to that account, go to System->User Manager and delete that account ("yourself")
3) Delete success message is displayed, click on logo to go to dashboard - you are told you do not exist - good, expected.
4) Log back in as another (or the real) admin user.
5) Go to System->User Manager
6) There is an "empty" row displayed for a "blank" user - problem.
Look in config.xml - you will find an empty "user" tag.
To me, it seems dangerous to let users delete their own user name. Because if they (or others) do not know the password to some other admin account on the system then they are locked out until they can get console access to reset the master admin password - which can be difficult at a remote installation, or if you don't have a serial cable handy, or...
So my suggestion is to prevent a user from deleting their own account - pull request:
https://github.com/pfsense/pfsense/pull/2993
That saves bothering to work out why the "blank" user is being left in the config.
I can't think of a real-world situation where someone needs to delete their own account. e.g. If a staff member is leaving then it is not normally up to them to delete their own account (locking themself out) as they walk out at 5pm Friday. Someone else would be required to delete the account and verify that access is really removed.
This was committed to master, RELENG_2_3 and RELENG_2_3_1 around 23 June 2016.
That looks like it is later than the 2.3.1_5 release, so it never got released to the 2.3.1_* series.
Thus its first official release will be in 2.3.2.
I suggest updating the target version to 2.3.2 and setting it to Feedback, or if someone has already given it a test then set it to Resolved.
- Status changed from New to Resolved
- Target version set to 2.3.2
Thanks Phil, setting the target was overlooked after the merge. Just double checked 2.3.2 and it's good.
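A read-only audit for the symptom described in the report, as an added example that is not part of the original ticket or of pfSense's code: it scans a config.xml for empty user entries and lists the named accounts still in the admins group. The element layout (system/user, system/group/member holding uids) and the sample config are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real installation. The element layout
# (system/user, system/group/member holding uids) is an assumption.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <group>
      <name>admins</name>
      <gid>1999</gid>
      <member>0</member>
      <member>2000</member>
    </group>
    <user>
      <name>admin</name>
      <uid>0</uid>
    </user>
    <user></user>
  </system>
</pfsense>"""


def audit_users(config_xml, admin_group="admins"):
    """Return (indexes of empty <user> entries, names of users in admin_group)."""
    system = ET.fromstring(config_xml).find("system")
    if system is None:
        raise ValueError("no <system> section in config")
    admin_uids = set()
    for group in system.findall("group"):
        if (group.findtext("name") or "").strip() == admin_group:
            admin_uids = {(m.text or "").strip() for m in group.findall("member")}
    admin_uids.discard("")  # ignore blank <member> entries
    empty, admins = [], []
    for index, user in enumerate(system.findall("user")):
        name = (user.findtext("name") or "").strip()
        if not name:
            # No usable name: this is the "blank" row shown in User Manager.
            empty.append(index)
            continue
        if (user.findtext("uid") or "").strip() in admin_uids:
            admins.append(name)
    return empty, admins


if __name__ == "__main__":
    empty, admins = audit_users(SAMPLE_CONFIG)
    print("empty <user> entries at positions:", empty)
    print("named accounts in admins group:", admins)
    if len(admins) < 2:
        print("only one admin account left; losing it means console recovery")
```
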