sympa icon indicating copy to clipboard operation
sympa copied to clipboard

Published 20 hours ago verified publisher icon sympa-community

Deleted account not really deleted

Open SansPseudoFix opened this issue 1 year ago • 9 comments

Version

6.2.72

Expected behavior

When you delete your account, you should not be able to reconnect to it by going through the password reset request. Your account should by actually deleted.

Actual behavior

When your account is deleted, you can reconnect by using password reset page.

Steps to reproduce

  1. delete your account by passing by /sympa/pref page
  2. go to connection page
  3. click reset link to go to sympa/firstpasswd page
  4. enter your deleted email address
  5. use the reset password link into the email
  6. recover your account

Additional information

Reported by a user who wanted his account deleted.

SansPseudoFix avatar Sep 08 '23 08:09 SansPseudoFix

I would think that if you reissue your password, you should be able to log in.

ikedas avatar Sep 08 '23 08:09 ikedas

Your deleted your account. But what is wrong with creating it again?

racke avatar Sep 08 '23 08:09 racke

Yes, deletion should remove your data from sympa. If you want an account again, you should be able to recreate it later.

SansPseudoFix avatar Sep 08 '23 08:09 SansPseudoFix

How to recreate your account is the same as how to create your account. How have you created your account at the first time?

ikedas avatar Sep 08 '23 13:09 ikedas

I did not check the code but I guess that "I forgot my password" uses the same mechanisms than creating an account. So it recreates the account and looks like your account was not deleted.

To be confirmed.

@SansPseudoFix Could you try

  • create an account
  • subscribe to a list
  • delete your account
  • verify via /sympa/serveradmin/users that the account does not exists anymore, that it’s not subscribed to any list
  • do "I forgot my password"
  • log in and verify that you are not subscribed to any list

ldidry avatar Sep 10 '23 08:09 ldidry

Done.

log in and verify that you are not subscribed to any list

My account has no list in sympa/my (and /sympa/serveradmin/users doesn't find me, neither (which makes sense)).

SansPseudoFix avatar Sep 12 '23 10:09 SansPseudoFix

My point, by creating this issue is: from a user point of view, it doesn't make sense to recreate an account by requesting a password reset.

"Forgot my password" button should say "you don't have any account with this email address", not recreate an account.

SansPseudoFix avatar Sep 12 '23 10:09 SansPseudoFix

"Forgot my password" button should say "you don't have any account with this email address", not recreate an account.

I don’t agree with your suggestion.

  • If the GUI behavior changes depending on whether a particular account exists or not, an attacker can use it to know whether a particular person is registered or not.

  • In addition, a user who wants to use the GUI must first become a subscriber or an administrator of any list, without using the GUI.

ikedas avatar Sep 12 '23 12:09 ikedas

The simplest fix could be to add a message on the "forgot password" screen saying something like:

If you don’t have an account on this server, asking for a new password will create a new account.

ldidry avatar Sep 12 '23 14:09 ldidry