Flyspray - The bug killer!

  • Status Confirmed
  • Percent Complete 50%
  • Task Type Bug Report
  • Category User Interface
  • Assigned To No-one
  • Operating System All
  • Severity Low
  • Priority Very Low
  • Reported Version 1.0-rc7
  • Due in Version Undecided
  • Due Date Undecided
  • Votes
  • Private
Attached to Project: Flyspray - The bug killer!
Opened by Stefan - 05.01.2019
Last edited by peterdd - 07.01.2019

FS#2528 - New user registration doesn't check for duplicate usernames

Steps done to create the problem:
Visit https://bugs.flyspray.org/index.php?do=register in a private browser window (so you are logged out)

Put in an already taken username (e.g. Stefan or Stefan2)

Expected behavior:
Username gets red and a note appears that username already is taken

Experienced behavior:
Username gets green and registration of a new user proceeds with sending a notification mail with confirmation code.
After putting the confirmation code into the provided page, the user is presented with a “username is already taken, choose another” (where?) message, and has to restart the registration process from the beginning and hopefully this time choose a name that is not taken.

Project Manager
peterdd commented on 05.01.2019 22:12

Mmh, the ajax call to js/callbacks/searchnames.php while filling in the username field has been denied for anonymous users since 2014 (https://github.com/Flyspray/flyspray/commit/651f09801a35533205971cf322483a0e52ad0a1d#diff-6587b52c9a7caf3912717d323dae2027), so the empty response is always interpreted as "username available" in js/functions.js in function checkname(value).

Was this done for security reasons to make it a bit harder to collect usernames in Flyspray by brute trying names here? Or did they just forget the registration use case and have only the user registration forms (single and bulk) in the admin area in mind?

Also the function checkname() shows an error in the browser's JavaScript console because there is no variable booler defined (try userö with the ö umlaut, for instance). Probably a copy&paste error from function allow(booler) in js/functions.js ...

Maybe allow accessing the js/callbacks/searchnames.php also as guests when Flyspray is configured for self registering of users and deny it for guests in more restricted Flyspray configurations as a compromise?

Project Manager
peterdd commented on 05.01.2019 22:22

At least this part I cannot reproduce:

Username gets green and registration of a new user proceeds with sending a notification mail with confirmation code.

I tried and the form response page informs that the username is taken (and so no confirmation code is sent to the user)

Stefan commented on 06.01.2019 13:14

Okay weird. Today I cannot reproduce it either... but I promise I got confirmation mail sent for username "Stefan", see attached mail.

Project Manager
peterdd commented on 07.01.2019 09:35

Made a fix at github master.

The other with confirmation mail sent needs some investigation too.

Maybe it has to do with whether a temporary entry already exists in the registration table or not, besides the entries in the user table.

Maybe also check this case: when 2 different people try to register a not yet existing username with the same username when registration requires an email verification code, in this case the first dude finishing the complete registration should win and the other dude later loses and must retry the registration steps, right?

Project Manager
peterdd commented on 07.01.2019 13:30

I reproduced the problem of the registration email being sent even though the username exists now: When someone tries to register an existing username (disable javascript in browser and no captcha stuff enabled to reproduce), an entry into the registrations table is made even though it is completely useless.

When someone tries this a second time with that username, the existing entry in the registrations table is detected and a normal 'username taken' response is made.
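
An added example, not part of the thread and not Flyspray's code: a small in-memory model of the registration flow discussed in the last comments, in which a name already in the users table is rejected before any pending entry is written or mail is sent, and the first completed confirmation wins. The class, method and field names are hypothetical, and the two collections only stand in for the users and registrations tables.

```javascript
// Illustrative model only; names are hypothetical, not Flyspray identifiers.
const crypto = require('crypto');

// Assumption: usernames are compared after trimming surrounding whitespace.
function normalize(name) {
  return String(name).trim();
}

class RegistrationStore {
  constructor(existingUsers = []) {
    this.users = new Set(existingUsers.map(normalize)); // stands in for the users table
    this.pending = new Map(); // confirmation code -> {name, email}; stands in for the registrations table
    this.mailsSent = [];      // records mails instead of sending them
  }

  // Step 1: consult the users table BEFORE creating a pending entry or
  // sending a confirmation mail, so a taken name leaves no useless entry.
  start(username, email) {
    const name = normalize(username);
    if (!name) return { ok: false, reason: 'invalid' };
    if (this.users.has(name)) return { ok: false, reason: 'taken' };
    // Pending entries for the same free name are allowed to coexist;
    // the decision is made at confirmation time.
    const code = crypto.randomBytes(16).toString('hex');
    this.pending.set(code, { name, email });
    this.mailsSent.push({ email, code });
    return { ok: true, code };
  }

  // Step 2: re-check at confirmation. Whoever confirms first gets the
  // name; a later confirmation for the same name is refused.
  confirm(code) {
    const entry = this.pending.get(code);
    if (!entry) return { ok: false, reason: 'unknown-code' };
    this.pending.delete(code); // confirmation codes are single use
    if (this.users.has(entry.name)) return { ok: false, reason: 'taken' };
    this.users.add(entry.name);
    return { ok: true, username: entry.name };
  }
}
```

In a database-backed implementation the check and insert in `confirm` would also need a unique constraint on the username column or a transaction, since two confirmations can arrive concurrently.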
