[ACP-401]  Disabled account can still start new run
Type Bug
Priority High
Severity Minor
Component AcquireSupport library, Server-Side Web ASP pages
Fixed In Version [6.06.0
Versions Affected [5.1.115.1 Hot Fix 11
Severity Closed
Resolution Complete
Reported By Bob Denny
Resources Bob Denny
Start Date 6/9/2010

Description 
If an account is disabled via the aacountctrl script, and the user remains logged in, he can still start a new run. This looks like a hold in the initialization logic in AcquireSupport. See this Ron Wodaski post in the Comm Center

Comments
6/9/2010 2:30:08 PM   Bob Denny 

    
        

            SVN Comment
        

        

            Author
            rbdenny
        

        

            Repository
            svn+ssh://rbdenny@a2_svn_dc3/home/rbdenny/svn/astro/acp
        

        

            SVN Revision
            61
        

        

            Affected files
            /trunk/ACP Help/relnotes.htm (Modified)

            /trunk/ACP.vbp (Modified)

            /trunk/WebUser.cls (Modified)

            /trunk/frmWebServer.frm (Modified)

            		
        

        

            Check-in comment
            ACP.EXE version 5.1.8 (private build). Fix for authentication and a change to the HTTP 401 message to make it clear that the account could have been disabled.
            GEM:401
6/9/2010 2:29:39 PM   Bob Denny 
I also changed the HTTP 401 response message to indicate that either the login was invalid or the account may have been disabled.
6/9/2010 2:17:38 PM   Bob Denny 
Found it! In acp.exe's WebUser.Authenticate(), there is an optimization to prevent registry access by comparing against the username/password that is cached in ACP (m_sUsername and m_sPassword) and if the same, skip the rest of the auth check.
6/9/2010 1:40:09 PM   Bob Denny 
More info from Ron. Turns out that only when the account is disabled by aacountctrl.asp from a remote machine does the problem manifest itself!






I found a problem in aacountctrl.asp that prevents requests from completing normally... the test for user's UserData folder was trying to read a registry key and needs to try for a value under that key. Fixed in ACP-422
6/2/2010 5:31:29 PM   Bob Denny 
I assumed that there was something wrong within ACP's disabling logic that let the AJAX requests through. Turns out it is working as advertised. So I'm going to need a click-by-click repro scenario from Ron. I left a message in the Comm Center thread for this.
6/2/2010 5:09:27 PM   Bob Denny 
Bad news (in the short term) - This will require that the ACP "WebUser" class (called User in ACP namespace) have a new property Enabled added! Otherwise there is no way to get to the state of the Enabled/Disabled property (added in 3.1.5 as non-visible).
6/2/2010 4:54:54 PM   Bob Denny 
Actually, this should be trapped in the web "start run" ASP scripts, which should return a popup/lightbox message "Your account is disabled, perhaps you have run out of time." or something.