
webui auth problems


alextxm


Hi all,

I'm having some problems with webui: I've assigned different permissions to the plastic server repositories but webui seems unable to correctly handle them. It seems webui "loads" permissions not for the effective user logged in but for the first one who logs in.
 

Example:

 

permissions:

repoA: user1=all user2=none

repoB: user1=all user2=all

repoC: user1=all user2=none

Expected result:

user1: sees all repositories

user2: only sees repoB

 

actual result:

logging in with user1: all repositories

then

logging in with user2: all repositories

reset the application pool and restart the website

logging in with user2: repoB

logging in with user1: repoB

 

That's pretty weird.
Is there anyone else experiencing this?
The webserver is IIS8 on WindowsServer2012, plastic is the 4.1.10.447 release configured in UPWorkingMode.

Thank you

Alessandro

 

 


  • 3 weeks later...

Where can we see the WebUI release notes?

 

I thought this problem was related to another that I had, so I downloaded 4.1.10.457 web-frontend (July 8th) which was supposed to have the auth fix in it.  However, I'm still seeing an issue.  I've also just tried the 4.1.10.463 version.

 

Looking at https://www.plasticscm.com/download/releasenotes.aspx, the last WebUI item listed was from

External Release 4.1.10.376 (Nov 29th 2012)

Was the auth code fixed on/after July 3rd 2013?  What version was that? 457? - but no notes in the 457 external release?

 

 

What I'm experiencing is that with Plastic set up for AD/LDAP auth, I can log into WebUI with ANY password, and it shows I'm logged in, and presents the choose repository list.  Everything appears to be completely functional - even though it should NOT be functional, since I didn't actually provide the correct password to log in (my AD credentials).

 

This is in the Web.Config

 

  <appSettings>
    <add key="Language" value="en" />
    <add key="SEIDWorkingMode" value="ADWorkingMode" />
    <add key="Server" value="Plastic01.gohealthcast.com:8087" />
    <add key="IdleProcessUser" value="build" />
    <add key="IdleProcessPassword" value="********************" />
    <add key="LogRequestTime" value="false" />
  </appSettings>
 

Is the Web UI actually using the IdleProcessUser for all connections to the plastic server for viewing data?


Hi,

If you check release notes for: External Release 4.1.10.457 (Jul 02nd 2013): https://www.plasticscm.com/download/releasenotes.aspx: --> Bug Web UI: After logout and log in again with other user, permissions were not correctly applied. Fixed.

This is the issue we fixed in the release.

When you configure Web UI in the IIS side, if you enter a wrong user password and open Web UI in the client side and enter fine user and password, you will be able to see all the items, changesets... The credentials you enter in the client side allow you to see this information. But you will not be able to see the statistics (Charts).

Web UI is not using the IdleProcessUser for all connections to the plastic server for viewing data. This user is necessary to connect to the server and generate the charts.

Regards,
Carlos


Ok, well, it seems like there is still some sort of auth problem then, unless I didn't successfully (or correctly) upgrade the necessary components.

Is there an upgrade document that shows how to do that?

 

I just downloaded the latest version 4.1.10.463 - and unzipped the bin directory over the current version I had (no other files appeared to have changed date/time)

If that is not sufficient to upgrade, then after getting the correct procedures, I'll re-test - however, if that is sufficient, then there still looks like there is a problem.

 

In my scenario:

I stopped and restarted the server, and was the ONLY user logging in - I purposely gave it a valid name, but INVALID password from the log-in page.

I logged in using my username and a bad password and was still able to access everything, including charts, change set/history, repository browsing, etc.  Instead, (ideally) I should have not made it past the log-in page, and should have been told the account or password was invalid.  Could that have been caused by browser caching? I believe I was "logged out" prior to the server-IIS restart.

 

The whole reason I posted in this thread is that I thought I was experiencing the same issue, where the first time login I provided correct credentials, but then on the second, provided incorrect ones - hoping it would be fixed - but for me, the problem remains.

 

Is there some sort of logging I can turn on that will show the results of an auth attempt?


Archived

This topic is now archived and is closed to further replies.
