savannah-hackers
Re: [Savannah-hackers] Re: Active pending users?


From: Sylvain Beucler
Subject: Re: [Savannah-hackers] Re: Active pending users?
Date: Thu, 21 Oct 2004 00:28:30 +0200
User-agent: Mutt/1.4.2.1i

On Thu, Oct 21, 2004 at 12:28:26AM +0200, Mathieu Roy wrote:
> Sylvain Beucler <address@hidden> wrote:
> 
> > On Wed, Oct 20, 2004 at 11:21:16PM +0200, Mathieu Roy wrote:
> >> Sylvain Beucler <address@hidden> wrote:
> >> 
> >> > Hmm, at least I get the time to work on this issue:
> >> >
> >> > On Fri, Oct 01, 2004 at 01:31:33PM +0200, Mathieu Roy wrote:
> >> >> Sylvain Beucler <address@hidden> wrote:
> >> >> 
> >> >> > Hi,
> >> >> >
> >> >> > In our database at savannah, there are about ten users who are both
> >> >> > pending and members of a project. They have no registered SSH keys and
> >> >> > thus are quite useless. For example, user 'sevy'.
> >> >> >
> >> >> > Do you know how such accounts could have been created?
> >> >> 
> >> >> No clue.
> >> >> 
> >> >> How old are these accounts?
> >> >
> >> > It ranges from Wed Nov 14 20:39:07 2001 to Tue Nov 25 12:41:45 2003.
> >> >
> >> >> Who added these users to projects (should be
> >> >> printed in these projects history)? Was it a site admin or a project
> >> >> admin?
> >> >
> >> > Project admins.
> >> >
> >> > However, I tried to add a pending user myself, and the system did not
> >> > return it in the "Adding User(s) to Group" search box. Maybe this
> >> > situation is checked since when you installed Savannah?
> >> 
> >> The search is made only of users that are not already members of a
> >> group.
> >
> > ?
> >
> > Here's the query (useradmin.php):
> >
> > $result = db_query("SELECT user_id, user_name, realname "
> >                    . "FROM user "
> >                    . "WHERE ((user_name LIKE '%$words1%') OR (realname LIKE '%$words2%'))
> >                     AND (status='A') ORDER BY user_name LIMIT 0,26");
> 
> 
> What really needs to be checked is in fact member_add().
> The useradmin form apparently does not make checks on group membership
> (maybe forgotten, maybe avoided for perfs). But member_add() tests
> group membership.
> 
> The problem could come from member_approve() also, but this function
> makes no insert, only update.
> 
> It would be interesting to know what the user exactly did about his
> account? Do you have user input?
> 
> > Since this script only exists since the CERN branch from 2003/09, I
> > guess there was a bug in the previous member management code...
> 
> Were these dupes created before 2004?

I am not sure I was clear enough. The problem is not that users were
added twice. The problem is that pending users, i.e. never logged on to
the system (not group pending), were added to a group.

So these people never updated their SSH key, but still, being members
of an account, have a system account created.

We discovered them because they make the backend output Perl warnings.

-- 
Sylvain
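
An audit for the inconsistency discussed in this thread, as an added example that is not part of the original message or of Savannah's code: it lists accounts that are not active (`status` other than 'A') yet hold group memberships, and shows a status guard at insert time. Only the `user` table columns and `status='A'` come from the thread; the `user_group` table, the 'P' status code, the function names and the sample rows are assumptions made for illustration.

```python
import sqlite3

# Constructed schema. user.user_id, user_name, realname and status='A' appear
# in the thread; user_group and the 'P' (pending) code are assumptions.
SCHEMA = """
CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_name TEXT,
                   realname TEXT, status TEXT);
CREATE TABLE user_group (user_id INTEGER, group_id INTEGER);
"""

# Accounts that never became active but still have membership rows.
AUDIT = """
SELECT u.user_name, COUNT(g.group_id) AS n_groups
FROM user u JOIN user_group g ON g.user_id = u.user_id
WHERE u.status <> 'A'
GROUP BY u.user_id
ORDER BY u.user_name
"""

def find_inactive_members(db):
    """Return (user_name, group count) for non-active accounts with memberships."""
    return db.execute(AUDIT).fetchall()

def member_add_checked(db, user_id, group_id):
    """Hypothetical guard: insert only for an active user who is not yet a member."""
    row = db.execute("SELECT status FROM user WHERE user_id = ?",
                     (user_id,)).fetchone()
    if row is None or row[0] != 'A':
        return False  # unknown or pending account: refuse, whatever the form did
    dup = db.execute("SELECT 1 FROM user_group WHERE user_id = ? AND group_id = ?",
                     (user_id, group_id)).fetchone()
    if dup:
        return False  # already a member
    db.execute("INSERT INTO user_group VALUES (?, ?)", (user_id, group_id))
    return True

def demo_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO user VALUES (?, ?, ?, ?)", [
        (1, "alice", "Alice A.", "A"),
        (2, "bob", "Bob B.", "P"),    # pending, but a member below
        (3, "carol", "Carol C.", "P"),
    ])
    db.executemany("INSERT INTO user_group VALUES (?, ?)",
                   [(1, 10), (2, 10), (2, 11)])
    return db

if __name__ == "__main__":
    print(find_inactive_members(demo_db()))
```

The guard uses bound parameters, so the status check holds even if the search form that feeds it filters nothing.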