Allow lower case logins only
Category: Accounts / authentication
We're running 1.3.2 with some custom patches of our own, and we recently noticed an annoying 'feature' in redmine that we categorize as a redmine bug. This bug also seems to be in the latest devel version, according to the GitHub sources.
TLDR? We want the login name sent from the login/registration form to be downcased, so users in redmine will always have downcased usernames.
In redmine users can have mixed-case login names ... this is not really an 'issue' in standard redmine, but it is for us who write custom extensions to it.
We currently have some scripts maintaining a sync for certain LDAP groups and their membership in redmine.
Since redmine by default allows you to log in as BLUPPIDAPP when the username is bluppidapp, how it is stored in the database doesn't matter to you (I assume this is ActiveRecord magic or something).
It even tells you your username is 'bluppidapp' and not BLUPPIDAPP which is «fine» for the normal users, but not fine for us who do modifications to redmine.
Now, the interesting problem arises when you have 'create users on the fly' enabled and you fetch users from LDAP.
LDAP also matches case-insensitively on LDAP searches, so when the user on his first login types "Foo" instead of "foo" (as everyone else has done until now…), the user is created with the username "Foo".
This caused issues for us where we expect usernames to be lowercase.
Fix: downcase 'login' in https://github.com/redmine/redmine/blob/master/app/models/user.rb#L156
(Our scripts plug into redmine's internal functions, calling the same methods as redmine does for certain functions, so it's not possible for us to say «You can just downcase database results and problem is solved.»)
Note: IMHO it's also bad to allow caSeSenSiTIvE user names. I haven't tested whether redmine allows having users as both "FOO" and "foo", but it's still bad and usernames should be downcased.
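
The mechanism described in this report, as an added Ruby sketch (not Redmine's code and not part of the original report): a case-insensitive directory match combined with on-the-fly creation stores whatever case was typed first, while downcasing the login at the entry point keeps stored names canonical. `ToyDirectory`, `ToyUserStore`, `non_canonical` and the sample credentials are hypothetical and constructed for the illustration.

```ruby
# Added illustration; not Redmine code. All class and method names are hypothetical.

# Constructed stand-in for an LDAP source that matches the uid case-insensitively.
class ToyDirectory
  def initialize(entries)
    @entries = entries # e.g. { "foo" => "pw" }
  end

  def authenticate(login, password)
    uid, stored_pw = @entries.find { |u, _| u.casecmp?(login) }
    !uid.nil? && stored_pw == password
  end
end

# Constructed stand-in for the application's user table with
# "create users on the fly" enabled.
class ToyUserStore
  attr_reader :logins

  def initialize(directory, normalize:)
    @directory = directory
    @normalize = normalize # true = downcase the login before anything else
    @logins = []
  end

  # Returns the stored login on success, nil on failed authentication.
  def try_to_login(login, password)
    login = login.to_s
    login = login.downcase if @normalize
    return nil unless @directory.authenticate(login, password)

    # Lookup is case-insensitive, so "FOO" finds an existing "foo".
    existing = @logins.find { |l| l.casecmp?(login) }
    return existing if existing

    # First login: the account is created with the login exactly as received.
    @logins << login
    login
  end
end

# Audit helper for sync scripts: stored logins that are not in canonical form.
def non_canonical(logins)
  logins.reject { |l| l == l.downcase }
end
```

Running `non_canonical` over the existing login column shows which accounts were already created with mixed case before any normalization was put in place.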