599: Unable to modify user information when NIS credentials used

manny.r********@gmai***** (Google Code)
david
Sept. 28, 2008
What's the URL of the page containing the problem?

http://rb/admin/db/auth/user/10/

What steps will reproduce the problem?
1. Configure Review Board to authenticate accounts using NIS
2. Open the admin interface and select manage [users]
3. Select a user to change
4. Change a setting for the user and try to save

What is the expected output? What do you see instead?

I would expect to be able to modify the user. 
Instead I receive an error saying the password field must be set.

What operating system are you using? What browser?

Review Board is running on Ubuntu

Please provide any additional information below.
#1 david
This is an artifact of how the Django admin site works. You can use the "change
password form" on there to set any password you like without it impacting
authentication, which should allow you to save.

We probably should set a dummy password when we create the account.
  • +Component-Accounts
#2 manny.r********@gmai***** (Google Code)
Setting the password presents a problem as when you do that, the user can be logged
in using either the NIS password or the Review Board password.
#3 arena******@gmai***** (Google Code)
Setting "BUILTIN_AUTH = False" in settings_local.py should prevent logging on using
both mechanisms.
#4 david
BUILTIN_AUTH won't do that, but you can turn off the Django-stored passwords by only
including NIS in AUTHENTICATION_BACKENDS.
#5 manny.r********@gmai***** (Google Code)
Sorry for being a bit ignorant here, but how do I only include NIS for authentication?
#6 david
AUTHENTICATION_BACKENDS is a list of methods to use for authentication. If you leave
django.contrib.auth.backends.ModelBackend out of this list, it won't check the
passwords stored in the database.
#7 chipx86
We need to figure out how this will affect the new site configuration code.

I think what we may need to do is create our own version of ModelBackend and force
that to be added. It should only validate local passwords for admin/superuser
accounts, or something. Or never validate if it's some certain string.

The new siteconfig code is going to force ModelBackend (or something) to be on, since
otherwise you can run into major problems as soon as you change the auth type for the
server.

Another option is to just provide our own admin page for users and not require that a
password be set. That might be best.
  • +Milestone-Release1.0
#8 david
  • +Started
  • +david
#9 david
Fixed in SVN r1514.

Note that this fix will only apply to new users. You may want to use the Django shell
to call set_unusable_password() on all your existing users.
  • -Started
  • +Fixed
#10 chipx86
We may want to provide a script or a command extension for doing so.
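
The cleanup suggested in #9 and #10, as an added example that is not part of the thread or of Review Board's code: it lists accounts that still have a usable locally stored password (the second credential described in #2) and marks them unusable. The function name, the `keep_superusers` and `dry_run` options, and the `DemoUser` stand-in are assumptions made for this sketch; `has_usable_password()`, `set_unusable_password()` and `save()` are Django's own `User` methods.

```python
# Added example (not Review Board code): audit and disable locally stored
# passwords after moving authentication to an external backend such as NIS.

def disable_local_passwords(users, keep_superusers=False, dry_run=True):
    """Make stored passwords unusable so ModelBackend can never match them.

    `users` is an iterable of Django User objects (or anything with the same
    has_usable_password / set_unusable_password / save interface).
    Returns (affected, kept): usernames changed (or that would be changed in
    a dry run) and superusers deliberately left with a local password.
    """
    affected, kept = [], []
    for user in users:
        if not user.has_usable_password():
            continue  # already unusable, e.g. created after the fix
        if keep_superusers and user.is_superuser:
            kept.append(user.username)  # hypothetical policy, see comment #7
            continue
        if not dry_run:
            user.set_unusable_password()
            user.save()
        affected.append(user.username)
    return affected, kept


class DemoUser:
    """Constructed stand-in for django.contrib.auth.models.User (offline demo)."""

    def __init__(self, username, password, is_superuser=False):
        self.username, self.password = username, password
        self.is_superuser, self.saved = is_superuser, False

    def has_usable_password(self):
        return not self.password.startswith("!")  # Django marks unusable with "!"

    def set_unusable_password(self):
        self.password = "!"

    def save(self):
        self.saved = True


if __name__ == "__main__":
    # In `manage.py shell`, pass User.objects.all() instead of this sample data.
    sample = [DemoUser("alice", "sha1$x$y"), DemoUser("bob", "!"),
              DemoUser("admin", "sha1$x$z", is_superuser=True)]
    print(disable_local_passwords(sample, keep_superusers=True, dry_run=False))
```

Run it with `dry_run=True` first to review the list; if ModelBackend is removed from AUTHENTICATION_BACKENDS as well, any superuser kept here can no longer log in with the local password either.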