alaveteli icon indicating copy to clipboard operation
alaveteli copied to clipboard

Published 20 hours ago verified publisher icon mysociety

Be more careful about who gets "authority" privileges

Open hsenag opened this issue 12 years ago • 8 comments

Currently anyone with an email address @ the same domain as the FOI address can do special things on behalf of the authority. This goes wrong for small councils that use personal email accounts instead of having their own domain - e.g. anyone @gmail.com could upload to some councils.

This will also become more of a risk if and when we open up more features to the authority.

A few ideas for fixing this

  • don't apply the logic to .com addresses
  • have a blacklist somewhere of domains the logic doesn't apply to
  • add a field to the authority page for specifying the domain to accept with "[none]" or similar to disable, and default to the current logic and/or some of the other proposals

hsenag avatar Feb 14 '12 06:02 hsenag

Has this been closed because it has been fixed?

Or because it's related to #41?

RichardTaylor avatar Feb 14 '12 14:02 RichardTaylor

Because the UI makes it too easy to close things!

sebbacon avatar Feb 14 '12 15:02 sebbacon

.ac.uk addresses are also a risk because students may be given [email protected]

confirmordeny avatar Jul 22 '12 08:07 confirmordeny

Just to note we're dealing with a case on WhatDoTheyKnow at the moment where this would have helped.

The user was able to use their @institution.ac.uk email address to respond maliciously to requests to that institution. Such responses were published on WhatDoTheyKnow and appeared as if they had been sent by the institution.

MattK1234 avatar Mar 31 '20 14:03 MattK1234

Had a clear-out of my pinboard over the weekend so scanned the notes I made on this.

Doc

garethrees avatar Jul 26 '21 08:07 garethrees

+1

This has understandably confused a poor Parish clerk today who was confused as to why WhatDoTheyKnow only offered the reply via WhatDoTheyKnow.com option to those with a googlemail address (the Parish council request address was @googlemail.com )

On a very closely related point we should stop calculated home pages eg. googlemail.com

Do we need a list of exceptions ?

This could be assembled from a list of the most common domains used in request addresses, presumably after excluding .ac.uk/.nhs.uk/gov.uk then hotmail / aol / gmail / outlook would come top and we could treat the latter specially?

RichardTaylor avatar Aug 04 '21 16:08 RichardTaylor

On a very closely related point we should stop calculated home pages eg. googlemail.com

Do we need a list of exceptions ?

This could be assembled from a list of the most common domains used in request addresses, presumably after excluding .ac.uk/.nhs.uk/gov.uk then hotmail / aol / gmail / outlook would come top and we could treat the latter specially?

I've split this into #6434 as it's definitely an issue in its own right - and it's one that is a nuisance not only for Alavateli admins, but for re-users of our data.

mdeuk avatar Aug 04 '21 19:08 mdeuk

We now list over 8000 parish councils on WDTK. Many (1000s) have gmail, hotmail, outlook, btinternet, etc email addresses.

garethrees avatar Aug 17 '22 13:08 garethrees