Check user existence on registration


Andrea Parodi

Nov 14, 2012, 12:53:50 PM11/14/12
to cork-d...@googlegroups.com
It appears that the registration procedure does not check whether someone has already requested registration using
the same username.

The second user who confirms the subscription gets the user record of the first user.

I think this could cause security problems: any content inserted by the first user will become visible to the second,
and the first loses access to the site.

Federico Ceratto

Nov 14, 2012, 1:32:08 PM11/14/12
to cork-d...@googlegroups.com
Hi Andrea,

On Wed, Nov 14, 2012 at 5:53 PM, Andrea Parodi
<andrea...@ebansoftware.net> wrote:
> It appears that the registration procedure does not check whether someone has
> already requested registration using
> the same username.

It's not uncommon for users to request a registration more than once
(as a confirmation email might go lost, deleted, get filtered by
antispam...) and forcing the user to wait for - say - 48 hours for the
old request to expire can be annoying.

> The second user that confirm subscription subscribe the user record of the
> first user.

That would be legitimate. The second user was faster (or luckier) in
replying to the confirmation email and got her account.

> I think this could cause security problems: any content inserted by the first
> user will become visible to the second,
> and the first loses access to the site.

If everything works as expected - the first requester never got a
valid account in your example.
The second will get the login.

If the first one, instead, got her account, the second user will get
an error message when visiting the confirmation link.

Did you get any behaviour different from this?

I'm going to run some tests, anyway.

Thanks,
--
Federico

Andrea Parodi

Nov 14, 2012, 2:00:01 PM11/14/12
to cork-d...@googlegroups.com
Hi Federico. Yes, I got different behaviour from what you explain.

I get this behaviour:

1) I register as user Andrea, with password AAA
2) I register a second time as user Andrea, with password BBB
3) I confirm registration n°1, log in with pwd AAA and do whatever reserved action I can do as a logged-in user
4) I confirm registration n°2, log in with pwd BBB and see all content inserted in 3). The user record from registration 1 is overwritten by the new one.
5) The first user can no longer log in with pwd AAA.

A simple solution could be to check for the existence of a user with the same name in
the validate_registration method, before saving the new record.
If the user already exists, you can raise some kind of "Too late!" exception.

I agree with you that it could be legitimate to repeat registration with the same username;
maybe a user lost the mail, or used a wrong mail address, or whatever.


P.S. Italian?

Federico Ceratto

Nov 17, 2012, 3:13:00 AM11/17/12
to cork-d...@googlegroups.com
On Wed, Nov 14, 2012 at 7:00 PM, Andrea Parodi
<andrea...@ebansoftware.net> wrote:
> Hi Federico. Yes, I got different behaviour from what you explain.
[...]
> 4) I confirm registration n°2, log in with pwd BBB and see all content
> inserted in 3). The user record from registration 1 is overwritten by the new
> one.
> 5) The first user can no longer log in with pwd AAA.

Hi Andrea - thanks for the bug report.
The validate_registration() method needs to be tweaked to add a
security check on existing accounts.
I've opened bug #20 on GitHub and I'll have it fixed in the next release.

Thanks again.

> P.S. Italian?

Yes :)

--
Federico
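To make the two flows concrete, here is an added example in Python. It is not Cork's own code and not the fix that went into bug #20: a minimal in-memory model of the request-then-confirm registration flow, with the overwriting behaviour Andrea reproduces in steps 1-5 placed beside a validate_registration() that performs the existence check on already-confirmed accounts that Federico describes. The class name, method names and store layout are invented for illustration, and the usernames, passwords and e-mail address are constructed from Andrea's steps.

```python
import hashlib
import hmac
import os
import secrets


class RegistrationError(Exception):
    """Raised when a confirmation code cannot be turned into an account."""


class AuthStore:
    """Toy in-memory store modelling a two-step (request, confirm) registration.

    Hypothetical code for illustration; this is not Cork's implementation.
    """

    def __init__(self):
        self.users = {}    # username -> {"username", "hash", "email"}
        self.pending = {}  # registration code -> {"username", "hash", "email"}

    @staticmethod
    def _hash(password):
        # Salted PBKDF2-HMAC-SHA256. A real deployment should use a dedicated
        # password-hashing library and tune the iteration count.
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return salt + dk

    @staticmethod
    def _verify(stored, password):
        salt, dk = stored[:16], stored[16:]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(dk, candidate)

    def register(self, username, password, email):
        # Several pending requests for the same username are allowed on purpose
        # (lost or spam-filtered confirmation mail), as discussed in the thread.
        code = secrets.token_urlsafe(32)
        self.pending[code] = {"username": username, "hash": self._hash(password), "email": email}
        return code

    def validate_registration_unsafe(self, code):
        # The behaviour Andrea reported: whatever is pending under this code is
        # written straight into the user table, replacing any existing record.
        rec = self.pending.pop(code)
        self.users[rec["username"]] = rec
        return rec["username"]

    def validate_registration(self, code):
        # Fixed flow: an unknown or already-used code is rejected, and a username
        # claimed by an earlier confirmation gets a "Too late!" error.
        rec = self.pending.pop(code, None)
        if rec is None:
            raise RegistrationError("unknown or already used registration code")
        if rec["username"] in self.users:
            raise RegistrationError("Too late! username %r is already registered" % rec["username"])
        self.users[rec["username"]] = rec
        return rec["username"]

    def login(self, username, password):
        rec = self.users.get(username)
        return rec is not None and self._verify(rec["hash"], password)


def reproduce(fixed):
    """Replay Andrea's steps 1-5 against the unsafe or the fixed confirmation."""
    store = AuthStore()
    code1 = store.register("Andrea", "AAA", "andrea@example.invalid")  # step 1 (constructed)
    code2 = store.register("Andrea", "BBB", "andrea@example.invalid")  # step 2 (constructed)
    validate = store.validate_registration if fixed else store.validate_registration_unsafe
    validate(code1)                                                    # step 3
    try:
        validate(code2)                                                # step 4
        second_confirmed = True
    except RegistrationError:
        second_confirmed = False
    return {
        "second_confirmed": second_confirmed,
        "login_AAA": store.login("Andrea", "AAA"),                     # step 5
        "login_BBB": store.login("Andrea", "BBB"),
    }


if __name__ == "__main__":
    print("unsafe:", reproduce(fixed=False))
    print("fixed: ", reproduce(fixed=True))
```

With the unsafe confirmation the second code succeeds, password AAA stops working and BBB logs in to the first user's account; with the check in place the second confirmation raises and the first account is untouched. Two caveats worth keeping in mind when porting the idea to a real backend: the pending code is consumed before the "Too late!" error is raised, so the losing requester has to start over, and a check-then-insert in application code is still a race if two confirmations are processed concurrently, so the username should also carry a uniqueness constraint in the store itself.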