
Investigate making cas capable of handling case insensitive usernames
Open, Needs Triage, Public

Description

I was recently referred to a link on people.wikimedia.org which required logging in using SSO. As described in T279832#6992542, I was originally given access using the username "huji" but when I logged in successfully as "Huji" I got a permission denied error. @Urbanecm had to add me also as "Huji" with upper case H so that I could log in. Presumably, I could have accessed that resource if I had entered my username as "huji" when I logged in.

The point is, if the login box allows me to enter either of those and log in successfully, any underlying permission check should also gracefully handle it. In this case, it did not.

This may be related to T256656 and T275920.

Event Timeline

Noting my .htaccess config for the resource I intended to share:

AuthType CAS
Require cas-attribute memberOf:cn=nda,ou=groups,dc=wikimedia,dc=org
Require cas-attribute memberOf:cn=wmf,ou=groups,dc=wikimedia,dc=org
Require user urbanecmtest
Require user huji
Require user Huji
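
The mismatch reported in this task, reproduced as an added example (not part of the task, and not Wikimedia's or mod_auth_cas's code). It models `Require user` as the exact string comparison the task describes and contrasts it with a case-folded comparison; `HTACCESS_BEFORE` is a constructed copy of the config above without the `Huji` workaround line, and all function names are hypothetical.

```python
import re

# Constructed sample: the .htaccess above, before the "Huji" workaround entry was added.
HTACCESS_BEFORE = """\
AuthType CAS
Require cas-attribute memberOf:cn=nda,ou=groups,dc=wikimedia,dc=org
Require cas-attribute memberOf:cn=wmf,ou=groups,dc=wikimedia,dc=org
Require user urbanecmtest
Require user huji
"""

REQUIRE_USER = re.compile(r"^\s*Require\s+user\s+(.+?)\s*$", re.IGNORECASE)


def required_users(config_text):
    """Return every name listed on 'Require user' lines (several names per line are allowed)."""
    users = []
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip comments
        match = REQUIRE_USER.match(line)
        if match:
            users.extend(match.group(1).split())
    return users


def is_authorized(login_name, users, fold_case=False):
    """Exact match models the behaviour reported in the task; fold_case is the requested behaviour."""
    if fold_case:
        return login_name.casefold() in {u.casefold() for u in users}
    return login_name in users


def case_variant_groups(users):
    """Group listed names that differ only by case, such as a huji/Huji workaround pair."""
    groups = {}
    for name in users:
        groups.setdefault(name.casefold(), set()).add(name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    users = required_users(HTACCESS_BEFORE)
    for login in ("huji", "Huji"):
        print(login, "exact:", is_authorized(login, users),
              "folded:", is_authorized(login, users, fold_case=True))
    # Audit the config after the workaround: reports names listed in more than one casing.
    print(case_variant_groups(users + ["Huji"]))
```

Running `case_variant_groups` over existing `.htaccess` files is a quick way to find entries that were duplicated in a second casing to work around this behaviour.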