On Tue, Jan 31, 2023 at 12:12 AM Jun Omae <[email protected]> wrote:
>
> On Tue, Jan 31, 2023 at 8:53 AM Dima Pasechnik <[email protected]> wrote:
> >
> > On Mon, Jan 30, 2023 at 11:23 PM Jun Omae <[email protected]> wrote:
> > >
> > > On Tue, Jan 31, 2023 at 1:54 AM Dima Pasechnik <[email protected]> wrote:
> > > > Question: how does one log out all the users from the server side?
> > > > (i.e., expire their access tokens)?
> > >
> > > Try to delete records in the auth_cookie table.
> >
> > Where is this table? I only see
>
> I said "table". A table is typically stored in a database....
> See the [trac] database option in your Trac environment.
Yes, I see now, thanks.

Looking at the code in `web/auth.py`, I see a search for a cookie for the user. And there are functions (in LoginModule) for getting the user name from a cookie, _cookie_to_name() and _get_name_for_cookie(), which don't seem to make any attempt to verify that the user name they get from the DB record is a valid user (this is in Trac 1.2, as well as in the latest Trac 1.5.3). Then _get_name_for_cookie() gets called in authenticate(), and again, no attempt to validate the user is made.

From what we observe in Trac 1.2, users granted TRAC_ADMIN still have their auth cookies in the DB, and are able to modify comments in tickets, despite being removed as TRAC_ADMINs through the web admin, and removed from the list of users in the file pointed to by htdigest_file= in trac.ini's [account-manager] section (and with their sessions removed via "trac-admin <> session delete <user>").

So it seems that such removals don't trigger the purge of their auth cookies from the database, even after a full restart of Trac. Shouldn't there be a startup check on users, so that cookies for users no longer present get invalidated? Was this ever reported as a bug?

Anyhow, assuming all the authenticated access to tickets goes via authenticate() in LoginModule, it should be trivial to make tickets read-only by making the latter return None all the time...

Thanks,
Dima

>
> See also:
>
> - https://trac.edgewall.org/wiki/1.2/TracInstall#MandatoryDependencies
> - https://trac.edgewall.org/wiki/DatabaseBackend
>
> --
> Jun Omae <[email protected]> (大前 潤)
>
> --
> You received this message because you are subscribed to a topic in the Google Groups "Trac Users" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/trac-users/9BrEiSNmxQ8/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/trac-users/CAEVLMagU9u-8u2q90xV%2Bndzf9LY3Md2%2BBp-rk_yBjfL9P-xb7w%40mail.gmail.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/trac-users/CAAWYfq3sDHJ-OCVR2V11E-2d03rTpdJ3QsQAf9Cmu2b-fsC1tQ%40mail.gmail.com.
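As an added example, not code from this thread and not Trac's own code: a small script that does what Jun suggests (server-side logout by deleting rows from auth_cookie) and also the consistency check Dima asks about, dropping every cookie whose name no longer appears in the htdigest file. It assumes the auth_cookie column layout (cookie, name, ipnr, time) and runs against a constructed in-memory SQLite database with constructed sample rows and a constructed htdigest file; the function names are the example's own.

```python
import sqlite3
from typing import Iterable, List, Optional, Set

# Assumed layout of Trac's auth_cookie table (cookie, name, ipnr, time),
# reproduced here so the example runs against an in-memory SQLite database
# instead of a live Trac environment.
AUTH_COOKIE_SCHEMA = """
CREATE TABLE auth_cookie (
    cookie TEXT,
    name   TEXT,
    ipnr   TEXT,
    time   INTEGER,
    UNIQUE (cookie, ipnr, name)
);
"""

# Constructed sample htdigest file: one "user:realm:HA1" line per account.
# The hashes are placeholders, not real credentials.
SAMPLE_HTDIGEST = """\
alice:trac:5f4dcc3b5aa765d61d8327deb882cf99
bob:trac:6cb75f652a9b52798eb6cf2201057c73

# blank lines and comments are ignored
"""


def parse_htdigest_users(text: str, realm: Optional[str] = None) -> Set[str]:
    """Return the set of user names in an htdigest file (optionally one realm)."""
    users: Set[str] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # malformed line; skip rather than guess
        user, line_realm, _ha1 = parts
        if realm is None or line_realm == realm:
            users.add(user)
    return users


def logout_user(conn: sqlite3.Connection, name: str) -> int:
    """Server-side logout of one account: delete all of its auth cookies."""
    cur = conn.execute("DELETE FROM auth_cookie WHERE name = ?", (name,))
    conn.commit()
    return cur.rowcount


def purge_stale_auth_cookies(conn: sqlite3.Connection,
                             valid_users: Iterable[str]) -> int:
    """Delete every auth cookie whose name is not in valid_users.

    Refuses to run with an empty allow-list: that would log everyone out and
    almost certainly means the htdigest file failed to load.
    """
    valid = sorted(set(valid_users))
    if not valid:
        raise ValueError("refusing to purge: no valid users given")
    placeholders = ",".join("?" * len(valid))  # one bound parameter per name
    cur = conn.execute(
        f"DELETE FROM auth_cookie WHERE name NOT IN ({placeholders})", valid)
    conn.commit()
    return cur.rowcount


def remaining_cookie_names(conn: sqlite3.Connection) -> List[str]:
    """Distinct user names that still hold a valid auth cookie."""
    return sorted(r[0] for r in conn.execute(
        "SELECT DISTINCT name FROM auth_cookie"))


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: three users with cookies, one removed from htdigest."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(AUTH_COOKIE_SCHEMA)
    rows = [
        ("c0ffee01", "alice", "127.0.0.1", 1675000000),
        ("c0ffee02", "bob", "10.0.0.5", 1675000100),
        ("c0ffee03", "mallory", "192.0.2.9", 1675000200),    # no longer in htdigest
        ("c0ffee04", "mallory", "198.51.100.7", 1675000300),  # second session
    ]
    conn.executemany("INSERT INTO auth_cookie VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    users = parse_htdigest_users(SAMPLE_HTDIGEST)
    purged = purge_stale_auth_cookies(db, users)
    print(f"purged {purged} stale cookies; still logged in: {remaining_cookie_names(db)}")
```

Against a real environment you would open the file named by the [trac] database option (for the default sqlite backend, db/trac.db under the environment directory) or go through Trac's own Environment database API, and read the htdigest path from htdigest_file in [account-manager]. Deleting the rows only invalidates the cookie the browser still holds; it does not touch permissions or the session table, so it complements rather than replaces the permission removal and "trac-admin ... session delete" steps described above.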
