MAIN_AUTHENTICATION_MODE "forceuser" is broken (maybe it's a good thing) #29702

atm-florianm opened this issue May 16, 2024 · 0 comments

Labels: Bug (This is a bug: something does not work as expected)

atm-florianm commented May 16, 2024

Bug

I recently noticed a well-hidden feature in Dolibarr's conf.php file:

const MAIN_AUTHENTICATION_MODE = 'forceuser';
$dolibarr_auto_user = 'loginoftheuser';

It is supposed to skip authentication altogether: the user is automatically logged on as 'loginoftheuser'.

The feature doesn't work currently (it requires a bit of hocus pocus in conf.php to make it work). More specifically, it requires assigning the same session variables as main.inc.php sets when using classic authentication modes:

// Store value into session (values always stored)
$_SESSION["dol_login"] = $user->login;
$_SESSION["dol_logindate"] = dol_now('gmt');
$_SESSION["dol_authmode"] = isset($dol_authmode) ? $dol_authmode : '';
$_SESSION["dol_tz"] = isset($dol_tz) ? $dol_tz : '';
$_SESSION["dol_tz_string"] = isset($dol_tz_string) ? $dol_tz_string : '';
$_SESSION["dol_dst"] = isset($dol_dst) ? $dol_dst : '';
$_SESSION["dol_dst_observed"] = isset($dol_dst_observed) ? $dol_dst_observed : '';
[…]

I am reporting this because I think we should either remove the feature completely, or fix it.

Pros

  • On the one hand, the feature has been implemented in the past (I suppose it was functional back then).
  • It is convenient for local tests.
  • It could be used for some public demo instances to ensure visitors get the demo (unprivileged) user and cannot even try to log on as admin.

Cons

On the other hand, if misused, this feature can be extremely dangerous. I can imagine someone naive setting up superadmin autologin on their production environment just because it is so convenient, without realizing how exposed this would make their business.

Even on a local environment, it is still a bit unsafe (you either have to trust your LAN, which isn't guaranteed to be trustworthy, or set up your firewall or server to block any incoming connections).

The only really safe use I can think of is to auto-login an unprivileged user on a public demo (with no sensitive data).

Dolibarr Version

Tested in 17.0

Environment PHP

php8, php7

Environment Database

No response

Steps to reproduce the behavior and expected behavior

Create a user loginoftheuser, then add this in conf.php:

const MAIN_AUTHENTICATION_MODE = 'forceuser';
$dolibarr_auto_user = 'loginoftheuser';

Expected: when connecting to Dolibarr's root URL, the browser shows the home page instead of the login page, regardless of whether the user has authenticated or not. The current user must be loginoftheuser.

Actual result: warnings, sometimes fatals regarding session variables.

Note: I tested this months ago, so the actual results might be different today.

Attached files

No response
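Added example, not part of this issue or of the Dolibarr code base: a small configuration audit that scans a Dolibarr conf.php for the forceuser mode described above. The two conf.php fragments are constructed samples, and the check assumes the exact form quoted in the issue (`const MAIN_AUTHENTICATION_MODE = 'forceuser';` and `$dolibarr_auto_user = '...';`); commented-out lines are ignored so that a disabled leftover does not trigger a finding. A deployment check like this is the kind of guard rail a team would want before the mode reaches a production host.

```python
import re

# Constructed sample conf.php fragments (not real Dolibarr files).
SAFE_CONF = """<?php
$dolibarr_main_url_root = 'https://erp.example.test';
// const MAIN_AUTHENTICATION_MODE = 'forceuser';   // disabled leftover, must be ignored
$dolibarr_main_authentication = 'dolibarr';
"""

FORCEUSER_CONF = """<?php
$dolibarr_main_url_root = 'https://erp.example.test';
const MAIN_AUTHENTICATION_MODE = 'forceuser';
$dolibarr_auto_user = 'loginoftheuser';
"""

# Patterns are anchored at line start, so a line starting with "//" or "#"
# never matches; this is the form quoted in the issue, assumed here.
MODE_RE = re.compile(r"""^\s*const\s+MAIN_AUTHENTICATION_MODE\s*=\s*['"]([^'"]+)['"]\s*;""")
AUTO_USER_RE = re.compile(r"""^\s*\$dolibarr_auto_user\s*=\s*['"]([^'"]*)['"]\s*;""")


def audit_conf(conf_text):
    """Return the detected auth mode, auto-login user and a list of findings."""
    mode = None
    auto_user = None
    for line in conf_text.splitlines():
        m = MODE_RE.match(line)
        if m:
            mode = m.group(1)
        m = AUTO_USER_RE.match(line)
        if m:
            auto_user = m.group(1)

    findings = []
    if mode == "forceuser":
        if auto_user:
            detail = f"authentication is bypassed: every visitor is logged in as {auto_user!r}"
        else:
            detail = "forceuser is set but $dolibarr_auto_user is missing"
        findings.append({
            "severity": "high",
            "check": "forceuser-autologin",
            "detail": detail,
        })
    return {"mode": mode, "auto_user": auto_user, "findings": findings}


def is_production_safe(conf_text):
    """True when no high-severity finding is present."""
    return not any(f["severity"] == "high" for f in audit_conf(conf_text)["findings"])


if __name__ == "__main__":
    for name, conf in (("safe", SAFE_CONF), ("forceuser", FORCEUSER_CONF)):
        result = audit_conf(conf)
        print(name, "->", result["findings"] or "no findings")
```

Run it against the real conf.php by reading the file into `audit_conf`; the commented-out line in the first sample shows why the match is anchored rather than a plain substring search.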
