On Thu, Oct 21, 2004 at 12:28:26AM +0200, Mathieu Roy wrote:
> Sylvain Beucler <[EMAIL PROTECTED]> tapota :
>
> > On Wed, Oct 20, 2004 at 11:21:16PM +0200, Mathieu Roy wrote:
> >> Sylvain Beucler <[EMAIL PROTECTED]> tapota :
> >>
> >> > Hmm, at least I get the time to work on this issue:
> >> >
> >> > On Fri, Oct 01, 2004 at 01:31:33PM +0200, Mathieu Roy wrote:
> >> >> Sylvain Beucler <[EMAIL PROTECTED]> tapota :
> >> >>
> >> >> > Hi,
> >> >> >
> >> >> > In our database at savannah, there are about ten users who are both
> >> >> > pending and member of a project. They have no registered SSH keys and
> >> >> > thus are quite useless. For example, user 'sevy'.
> >> >> >
> >> >> > Do you know how such accounts could have been created?
> >> >>
> >> >> No clue.
> >> >>
> >> >> How old are these accounts?
> >> >
> >> > It ranges from Wed Nov 14 20:39:07 2001 to Tue Nov 25 12:41:45 2003.
> >> >
> >> >> Who added these users to projets (should be
> >> >> printed in these projects history)? Was it a site admin or a project
> >> >> admin?
> >> >
> >> > Project admins.
> >> >
> >> > However, I tried to add a pending user myself, and the system did not
> >> > returned it in the "Adding User(s) to Group" search box. Maybe this
> >> > situation is checked since when you installed Savannah?
> >>
> >> The search is made only of users that are not already member of a
> >> group.
> >
> > ?
> >
> > Here's the query (useradmin.php):
> >
> > $result = db_query("SELECT user_id, user_name, realname "
> > . "FROM user "
> > . "WHERE ((user_name LIKE '%$words1%') OR (realname LIKE
> > '%$words2%'))
> > AND (status='A') ORDER BY user_name LIMIT 0,26");
>
>
> What really needs to be checked is in fact member_add().
> The useradmin form apparently do not make checks on group membership
> (maybe forgotten, maybe avoiding for perfs). But member_add() test
> group membership.
>
> The problem could come from member_approve() also, but this function
> make no insert, only update.
>
> It would be interesting to know what the user exactly did about his
> account? Do you have user input?
>
> > Since this script only exists since the CERN branch from 2003/09, I
> > guess there was a bug in the previous member management code...
>
> Were these dupes created before 2004?
I am not sure I was clear enough. The problem is not that users were
added twice. The problem is that pending users, ie never logged on the
system (not group pending) were added to a group.
So these people never updated their SSH key, but still, being member
of an account, have a system account created.
We discovered them because they make the backend output Perl warnings.
--
Sylvain
