
[security] Account registration does not check for existing accounts

Open RalfJung opened this issue 9 years ago • 4 comments

When creating a new account, if I pick an already existing account name, the system accepts this just fine. Dudel then seems to mix up both accounts, e.g. the original account's email address shows up in the profile.

This is on the hotfix branch. I know Dudel is being re-written, but I hope this is critical enough to warrant a fix. For now, I will try to disable account creation.

RalfJung, Feb 12 '16 11:02

This is even more troublesome considering that "being an admin" is decided by

    def is_admin(self):
        # admin status is keyed solely on the username, not on the account record
        return "ADMINS" in app.config and self.username in app.config["ADMINS"]

RalfJung, Feb 12 '16 13:02

Ouch :wink:

> This is on the hotfix branch

What do you mean with that? Do you have a hotfix, if so, please submit a PR :)

opatut, Feb 16 '16 10:02

I meant: There is a branch called hotfix in your repo. This is the branch I am using.

RalfJung, Feb 16 '16 10:02

The problem is the form.populate_obj(user) in views.py line 122; as the documentation states, it is a destructive operation. The Group creation has the same problem.

Akasch, Feb 29 '16 10:02
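The following is an added illustration, not Dudel's code and not a reconstruction of its views.py: a minimal in-memory model of the registration flow discussed in this thread, showing both why a missing uniqueness check combined with a username-keyed `is_admin` lets a second account inherit admin status, and the check a registration view should run before calling the destructive `populate_obj`. The `UserStore`, `RegistrationForm` and `register_*` names are assumptions made for the example; the form's `populate_obj` mimics the WTForms behaviour the thread refers to.

```python
# Added example (not Dudel's code). Models the registration bug from the issue:
# a store without a username uniqueness constraint, a form whose populate_obj
# is destructive (as WTForms documents), and an admin check keyed on username.
from dataclasses import dataclass, field


class ValidationError(ValueError):
    """Raised when a registration form fails validation (hypothetical helper)."""


@dataclass
class User:
    username: str = ""
    email: str = ""
    password_hash: str = ""  # constructed placeholder; real code stores a proper hash

    def is_admin(self, config):
        # Same shape as the check quoted in the issue: admin status depends only
        # on the username, so any account carrying an admin's name passes.
        return "ADMINS" in config and self.username in config["ADMINS"]


@dataclass
class RegistrationForm:
    """Stand-in for the WTForms registration form (assumed for this example)."""
    username: str
    email: str
    password_hash: str

    def populate_obj(self, obj):
        # populate_obj is documented as destructive: every form field is written
        # onto obj, overwriting whatever the object held before.
        obj.username = self.username
        obj.email = self.email
        obj.password_hash = self.password_hash


@dataclass
class UserStore:
    """In-memory user table with no unique constraint on username (assumed)."""
    users: list = field(default_factory=list)

    def find_by_username(self, username):
        # Returns the first matching row, as a query without a unique index would.
        for user in self.users:
            if user.username == username:
                return user
        return None

    def save(self, user):
        self.users.append(user)


def register_unchecked(store, form):
    """Vulnerable shape: no existence check, so a duplicate username is accepted.

    A second row with the same username is stored; later lookups by username
    return the original row, which is the "mixed up accounts" symptom reported.
    """
    user = User()
    form.populate_obj(user)
    store.save(user)
    return user


def validate_username_unique(store, form):
    """The check to run before populate_obj: reject a username already in use."""
    if store.find_by_username(form.username) is not None:
        raise ValidationError("username already taken: %s" % form.username)


def register_checked(store, form):
    """Hardened shape: refuse duplicates, then populate a fresh User only."""
    validate_username_unique(store, form)
    user = User()
    form.populate_obj(user)
    store.save(user)
    return user


def demo():
    """Constructed sample run; returns (rows_unchecked, admin_inherited, rows_checked)."""
    config = {"ADMINS": ["alice"]}
    original = RegistrationForm("alice", "alice@example.test", "hash-1")
    duplicate = RegistrationForm("alice", "someone-else@example.test", "hash-2")

    store = UserStore()
    register_unchecked(store, original)
    second = register_unchecked(store, duplicate)
    admin_inherited = second.is_admin(config)  # True: username alone decides

    hardened = UserStore()
    register_checked(hardened, original)
    try:
        register_checked(hardened, duplicate)
    except ValidationError:
        pass  # the duplicate is rejected before populate_obj runs
    return len(store.users), admin_inherited, len(hardened.users)


if __name__ == "__main__":
    print(demo())
```

The fix belongs in the form validation (or a database unique constraint, or both): with the check in place the destructive `populate_obj` only ever runs against a freshly created `User()`, and no second row can carry an admin's username.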