Gossamer Forum

Identical Usernames - Watch Out!

Hi All!

If you've been the Administrator of a DBMan database at all, you have probably noticed that DBMan will quite happily allow you to add multiple users with the same username to the database. This is not a good idea!

It's always been good practice to keep usernames unique, but if you do have identical usernames in your database, you could be putting your data at risk!

The function in DBMan which checks to see what permissions each user has to the database, matches on the first matching username it sees in the .pass file.

What this means is this:

Let's say you have a user called "fred" with View, Modify and Delete permissions. Then sometime down the track you add a new user for another Fred, give him a username of "fred" also, but with only View permissions.

If the second Fred logs into the database, DBMan will open the password file, scan through until it hits the first occurrence of "fred" and then assign permissions based on that username. So suddenly Fred2 has Modify and Delete permissions!

So basically, if there are multiple identical usernames in your database, each user will receive permissions identical to the user that is the highest up in your .pass file.

The signup function DOES check for existing usernames! So don't go into a panic if you are allowing signup. Obviously this would be an even bigger problem if it wasn't checking. Someone could potentially sign up as "admin" and get Admin access to your database.

So, in short, try not to add users to your database with usernames that already exist. If you'd like to add username checking to your database, then you need to make the following changes to your db.cgi file:

1) Find the sub-routine called admin_display

2) Add the username-check code (the block that reads the .pass file) to the existing code:

Code:
$in{'new_username'} and do {
    # Validate the requested username and password before touching the .pass file.
    unless ((length($in{'new_username'}) >= 3) and (length($in{'new_username'}) <= 12) and ($in{'new_username'} =~ /^[a-zA-Z0-9]+$/)) {
        $message = "Invalid username: $in{'new_username'}. Must only contain letters and numbers and be between 3 and 12 characters.";
        last CASE;
    }
    unless ((length($in{'password'}) >= 3) and (length($in{'password'}) <= 12)) {
        $message = "Invalid password: '$in{'password'}'. Must be between 3 and 12 characters.";
        last CASE;
    }

    # Added check: scan the password file and refuse a username that already exists.
    open (PASS, "<$auth_pw_file") or &cgierr ("unable to open: $auth_pw_file.\nReason: $!");
    if ($db_use_flock) { flock(PASS, 1); }
    while (<PASS>) {
        /^\Q$in{'new_username'}\E:/ and ($message = "userid already exists. Please try another.");
    }
    close PASS;
    last CASE if ($message);

    # Existing code: append the new user record with a crypt()ed password.
    open (PASS, ">>$auth_pw_file") or &cgierr ("unable to open: $auth_pw_file.\nReason: $!");
    if ($db_use_flock) {
        flock(PASS, 2) or &cgierr("unable to get exclusive lock on $auth_pw_file.\nReason: $!");
    }
    my @salt_chars = ('A' .. 'Z', 0 .. 9, 'a' .. 'z', '.', '/');
    my $salt = join '', @salt_chars[rand 64, rand 64];
    my $encrypted = crypt($in{'password'}, $salt);
    print PASS "$in{'new_username'}:$encrypted:$in{'per_view'}:$in{'per_add'}:$in{'per_del'}:$in{'per_mod'}:$in{'per_admin'}\n";
    close PASS;
That done, any attempt to add a duplicate username by an admin shall result in an error message.

Happy DBMan-ing!

- Mark


Astro-Boy!!
http://www.zip.com.au/~astroboy/
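The following is an added, stand-alone Perl script, not part of Mark's post or of DBMan itself. It models the behaviour the post describes: a first-match lookup over a DBMan-style .pass file (user:crypt:view:add:del:mod:admin, as laid out in the post's print statement) that hands the second "fred" the first entry's permissions, an audit of an existing file for duplicate usernames, and an add-user routine with the same duplicate check the post adds to admin_display. The sample .pass lines, the crypt() hashes in them, and the function names are constructed for this example; the file is written to a temporary path and removed afterwards.

```perl
#!/usr/bin/perl
# Added example (not DBMan's own code). Shows why duplicate usernames in a
# first-match .pass file are dangerous and how an add-user routine refuses them.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Constructed sample password file; the crypt() strings are made up.
# Field layout assumed from the post: user:crypt:view:add:del:mod:admin
my ($fh, $pass_file) = tempfile();
print $fh "fred:abJnggxhB/yWI:1:1:1:1:0\n";    # original Fred: view, add, del, mod
print $fh "admin:abJnggxhB/yWI:1:1:1:1:1\n";   # the admin account
print $fh "fred:abJnggxhB/yWI:1:0:0:0:0\n";    # second Fred, added later: view only
close $fh;

# First-match lookup, as the post describes DBMan's permission check: scan top
# to bottom and stop at the first line whose username matches.
sub first_match_perms {
    my ($file, $user) = @_;
    open my $in, '<', $file or die "cannot open $file: $!";
    while (my $line = <$in>) {
        chomp $line;
        my ($name, $hash, @perms) = split /:/, $line;
        if ($name eq $user) {
            close $in;
            return { view => $perms[0], add => $perms[1], del => $perms[2],
                     mod => $perms[3], admin => $perms[4] };
        }
    }
    close $in;
    return undef;
}

# Audit an existing file: list every username that appears more than once.
sub duplicate_usernames {
    my ($file) = @_;
    my %seen;
    open my $in, '<', $file or die "cannot open $file: $!";
    while (my $line = <$in>) {
        my ($name) = split /:/, $line;
        $seen{$name}++ if defined $name && length $name;
    }
    close $in;
    return grep { $seen{$_} > 1 } sort keys %seen;
}

# Add a user, refusing a username already present (the check the post adds).
# Exact, case-sensitive match on the leading "user:" field, as in the post.
sub add_user {
    my ($file, $user, $password, %perm) = @_;
    die "invalid username '$user'\n"
        unless length($user) >= 3 && length($user) <= 12 && $user =~ /^[a-zA-Z0-9]+$/;
    open my $in, '<', $file or die "cannot open $file: $!";
    flock($in, 1);
    while (my $line = <$in>) {
        if ($line =~ /^\Q$user\E:/) { close $in; die "userid '$user' already exists\n"; }
    }
    close $in;
    my @salt_chars = ('A' .. 'Z', 0 .. 9, 'a' .. 'z', '.', '/');
    my $salt = join '', @salt_chars[rand 64, rand 64];
    my $hash = crypt($password, $salt);
    open my $out, '>>', $file or die "cannot append to $file: $!";
    flock($out, 2) or die "cannot lock $file: $!";
    print $out join(':', $user, $hash, map { $perm{$_} ? 1 : 0 } qw(view add del mod admin)), "\n";
    close $out;
    return 1;
}

# Demonstration: the second Fred logs in as "fred" and gets the first entry's rights.
my $p = first_match_perms($pass_file, 'fred');
printf "fred resolves to: view=%d add=%d del=%d mod=%d admin=%d\n",
    @{$p}{qw(view add del mod admin)};
print "duplicate usernames in file: ", join(',', duplicate_usernames($pass_file)), "\n";

# The duplicate check refuses a third "fred" but accepts a new name.
eval { add_user($pass_file, 'fred', 'secret', view => 1) };
print "add_user('fred'):  ", ($@ ? "rejected: $@" : "accepted\n");
eval { add_user($pass_file, 'fred2', 'secret', view => 1) };
print "add_user('fred2'): ", ($@ ? "rejected: $@" : "accepted\n");

unlink $pass_file;
```

Running it against the constructed file reports fred resolving to view/add/del/mod, lists fred as a duplicate, rejects the third "fred" and accepts "fred2". The duplicate_usernames audit is the part worth running against a real .pass file after applying the post's fix, since the fix only prevents new duplicates and does nothing about ones already there.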