Anonymous user handling


markus.t...@gmail.com

Oct 19, 2009, 6:11:30 AM
to byteflow-users, m...@nysv.org
Hi!

I'm somewhat confused about the comments system in Byteflow.

I set this blog up and I wanted behaviour like anonymous posts if the
captcha passes with registration only optional.

ANONYMOUS_COMMENTS_APPROVED = False
CAPTCHA = 'simple'

gives me pretty much what I wanted, but there are two problems:
1. The user gets logged in immediately and has a profile - I'd like
for him to have to activate the account first
2. Anonymous comments with captcha-only would require a patch

Is anyone interested in such a patch?

Here's what I think would have to be done:
* "You are not logged in, do you wish to create a user?"
* If yes, he will have to activate the account, like it is now
* If not, the post has to be moderated

If ANONYMOUS_COMMENTS_APPROVED = True
* "You are not logged in, do you wish to create a user?"
* If yes, he will have to activate the account
* Either way, his comment would appear

Am I mistaken when I think the automatic profile creation is
vulnerable?
I tried f...@example.com and it logged me in, which is sort of disturbing as it's clearly an invalid address...

Thanks!

Alexander Solovyov

Oct 20, 2009, 5:53:22 AM
to byteflo...@googlegroups.com
On Mon, Oct 19, 2009 at 1:11 PM, m...@nysv.org
<markus.t...@gmail.com> wrote:
>
> Hi!
>
> I'm somewhat confused about the comments system in Byteflow.
>
> I set this blog up and I wanted behaviour like anonymous posts if the
> captcha passes with registration only optional.
>
> ANONYMOUS_COMMENTS_APPROVED = False
> CAPTCHA = 'simple'
>
> gives me pretty much what I wanted, but there are two problems:
> 1. The user gets logged in immediately and has a profile - I'd like
> for him to have to activate the account first

That's quite strange, because setting ANONYMOUS_COMMENTS_APPROVED
to False means that user will need to be activated. Maybe this is a bug.

> 2. Anonymous comments with captcha-only would require a patch

You mean posts without creating a profile? That's not possible
currently in Byteflow...

> Is anyone interested in such a patch?

Yes. ;-)

--
Alexander

markus.t...@gmail.com

Oct 21, 2009, 12:45:45 PM
to byteflow-users, m...@nysv.org
On Oct 20, 12:53 pm, Alexander Solovyov <pira...@piranha.org.ua>
wrote:
> On Mon, Oct 19, 2009 at 1:11 PM, m...@nysv.org
>
> > ANONYMOUS_COMMENTS_APPROVED = False
> > CAPTCHA = 'simple'
>
> > gives me pretty much what I wanted, but there are two problems:
> > 1. The user gets logged in immediately and has a profile - I'd like
> > for him to have to activate the account first
>
> That's quite strange, because setting ANONYMOUS_COMMENTS_APPROVED
> to False means that user will need to be activated. Maybe this is a bug.

Would it be "vazmozhno" for you to confirm this as a bug?

Steps:
1. Log out (be sure you're logged out)
2. Comment on a post using credentials that still direct to your email, like foo...@yourdomain.com
3. Notice that the post did not show up
4. Notice that you got an email encouraging you to activate your account
5. Notice that you are mystically logged in!
6. Post another comment on the form
7. Verify it uses a username like mjt+jkala-nysv.org, clearly generated from the email
7.1. You can even reply to this comment!
8. Activate your account
9. Notice your original post came up above your recent test messages

I read through the code:
discussion/forms.py: AnonymousCommentForm.save calls
ActionRecord.registrations.create_inactive_user

The registrations member is an instance of
accounts.managers.RegistrationManager
and the create_inactive_user does create an inactive user.

Maybe a more in-depth analysis is required ;)

> > 2. Anonymous comments with captcha-only would require a patch
>
> You mean posts without creating a profile? That's not possible
> currently in Byteflow...
>
> > Is anyone interested in such a patch?
>
> Yes. ;-)

I cannot promise such a patch.

There was something, however, that I might be sending your way after I
conf hg.

I'm surprised we always create a user; it almost doesn't make sense if ANONYMOUS_COMMENTS_APPROVED == True to do this. It's not very anonymous and requires of course a captcha so the database doesn't get filled with users in an attack ;)

Also, is this some kind of minibug?
If I enable ANONYMOUS_COMMENTS_APPROVED (with a captcha) I can enter an email like literally 'f...@example.com' and the comment comes through, but if I try to reply to it with the same email, a confirmation goes to example.com, which obviously does not work.

Could it be considered a vulnerability, because I can enter someone else's email and then flood comments and the someone else gets a lot of mail? Probably not a very serious vulnerability because there's a captcha, but I just found it sort of funny :)

Thanks!

--
mjt

Markus Törnqvist

Oct 25, 2009, 9:04:19 AM
to byteflo...@googlegroups.com
Hi!

I dunno how I missed this, but it was simple.

apps/blog/views.py had a call to _login() regardless of the status.

I sent a patch to byteflow-hackers about it.

--
mjt
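The two points raised in this thread (the comment flow proposed in the first message, and the bug found above where _login() ran regardless of activation status) can be shown side by side in a small model. The following is an added example, not Byteflow's code: the Registry class is an assumed stand-in for accounts.managers.RegistrationManager, the email addresses and settings values are constructed, and the `buggy` switch exists only to make the defective and the corrected login path comparable. It also applies the mitigation for the mail-flooding concern from the Oct 21 message: an address that already has a pending account gets no second activation mail.

```python
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass
class User:
    username: str
    email: str
    is_active: bool = False
    activation_key: str = ""


@dataclass
class Comment:
    author: User
    body: str
    approved: bool


@dataclass
class Session:
    user: Optional[User] = None  # the logged-in user; None when anonymous


class Registry:
    """Assumed stand-in for accounts.managers.RegistrationManager; not Byteflow's code."""

    def __init__(self):
        self.users = {}   # email -> User
        self.outbox = []  # (recipient, activation_key); stands in for outgoing mail
        self.held = []    # comments waiting for moderation / activation

    def create_inactive_user(self, email):
        # An address with a pending account is returned as-is and gets no new
        # activation mail, so repeated comments cannot flood someone's mailbox.
        if email in self.users:
            return self.users[email]
        local, _, domain = email.partition("@")
        user = User(username=f"{local}-{domain}",  # mimics the generated-from-email username
                    email=email, activation_key=secrets.token_hex(8))
        self.users[email] = user
        self.outbox.append((email, user.activation_key))
        return user

    def activate(self, key):
        for user in self.users.values():
            if not user.is_active and secrets.compare_digest(user.activation_key, key):
                user.is_active = True
                user.activation_key = ""
                # Comments held for this address become visible once it is proven.
                for c in self.held:
                    if c.author is user:
                        c.approved = True
                self.held = [c for c in self.held if c.author is not user]
                return user
        return None


def post_comment(registry, session, settings, email, body, captcha_ok, buggy=False):
    if not captcha_ok:
        raise PermissionError("captcha failed")
    if session.user is None:
        user = registry.create_inactive_user(email)
        # Defect from the thread: logging the commenter in straight after
        # create_inactive_user, whatever the activation status. buggy=True
        # reproduces it; the corrected path only logs in an active user.
        if buggy or user.is_active:
            session.user = user
    else:
        user = session.user
    approved = bool(settings["ANONYMOUS_COMMENTS_APPROVED"]) or user.is_active
    comment = Comment(user, body, approved)
    if not approved:
        registry.held.append(comment)
    return comment


def scenario(buggy, anonymous_approved=False):
    """Walk through the reproduction steps and report what a reader would observe."""
    settings = {"ANONYMOUS_COMMENTS_APPROVED": anonymous_approved}  # constructed
    reg, sess = Registry(), Session()
    first = post_comment(reg, sess, settings, "foo@yourdomain.example", "first", True, buggy)
    logged_in_early = sess.user is not None
    approved_before = first.approved
    # Same address again from a fresh anonymous session: no second mail expected.
    post_comment(reg, Session(), settings, "foo@yourdomain.example", "again", True, buggy)
    mails_sent = len(reg.outbox)
    reg.activate(reg.outbox[0][1])
    return {"logged_in_before_activation": logged_in_early,
            "approved_before_activation": approved_before,
            "approved_after_activation": first.approved,
            "activation_mails": mails_sent}


if __name__ == "__main__":
    print("buggy:", scenario(buggy=True))
    print("fixed:", scenario(buggy=False))
```

With ANONYMOUS_COMMENTS_APPROVED = False the fixed path leaves the session anonymous until the key from the activation mail is used, and the first comment appears only at that point; with the buggy path the session is logged in immediately, which is exactly step 5 of the reproduction above.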

Alexander Solovyov

Oct 25, 2009, 11:54:52 AM
to byteflo...@googlegroups.com
2009/10/25 Markus Törnqvist <m...@nysv.org>:

Thanks! I've applied all your patches, though combining two of them in a single patch.

--
Alexander
