- Status Confirmed
- Percent Complete
- Task Type Bug Report
- Category User Interface
- Assigned To No-one
- Operating System All
- Severity Low
- Priority Very Low
- Reported Version 1.0-rc7
- Due in Version Undecided
- Due Date Undecided
- Votes
- Private
FS#2528 - New user registration doesn't check for duplicate usernames
Steps done to create the problem:
Visit https://bugs.flyspray.org/index.php?do=register in a private browser window (so you are logged out)
Put in an already taken username (e.g. Stefan or Stefan2)
Expected behavior:
Username turns red and a note appears that the username is already taken
Experienced behavior:
Username turns green and registration of a new user proceeds with sending a notification mail with a confirmation code.
After entering the confirmation code on the provided page, the user is presented with a “username is already taken, choose another” (where?) message, and has to restart the registration process from the beginning and hopefully choose a username that is not taken this time.
Mmh, the ajax call to js/callbacks/searchnames.php while filling in the username field has been denied for anonymous users since 2014 (https://github.com/Flyspray/flyspray/commit/651f09801a35533205971cf322483a0e52ad0a1d#diff-6587b52c9a7caf3912717d323dae2027), so the empty response is always interpreted as "username available" in function checkname(value) in js/functions.js.
Was this done for security reasons, to make it a bit harder to collect usernames in Flyspray by brute-force trying names here? Or did they just forget the registration use case and have only the user registration forms (single and bulk) in the admin area in mind?
Also, the function checkname() shows an error in the browser's JavaScript console because there is no variable booler defined (try userö with the ö umlaut, for instance). Probably a copy&paste error from function allow(booler) in js/functions.js ...
Maybe also allow guests to access js/callbacks/searchnames.php when Flyspray is configured for self-registration of users, and deny it for guests in more restricted Flyspray configurations, as a compromise?
At least this part I cannot reproduce:
I tried, and the form response page informs that the username is taken (and so no confirmation code is sent to the user)
Okay weird. Today I cannot reproduce it either... but I promise I got confirmation mail sent for username "Stefan", see attached mail.
Made a fix at GitHub master.
The other issue, with the confirmation mail being sent, needs some investigation too.
Maybe it has to do with whether a temporary entry already exists in the registration table or not, beside entries in the user table.
Maybe also check this case: when 2 different people try to register the same not-yet-existing username and registration requires an email verification code, the first dude finishing the complete registration should win, and the other dude later loses and must retry the registration steps, right?
https://github.com/Flyspray/flyspray/commit/0e13d3a5f44d5a67427004fd3db59374cab682d4
I have now reproduced the problem of the registration email being sent even though the username exists: when someone tries to register an existing username (disable JavaScript in the browser and have no captcha stuff enabled to reproduce), an entry is made in the registrations table even though it is completely useless.
When someone tries this a second time with that username, the existing entry in the registrations table is detected and a normal 'username taken' response is made.
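
An added illustration (not Flyspray's code, and not part of any comment above) of the server-side behaviour the last comments discuss: no pending entry is created for a taken username, and the name is re-checked at confirmation so the first person to finish wins. The in-memory stores stand in for the users and registrations tables; every function name and reason string here is hypothetical.

```javascript
// Added illustration. The Set and Map are in-memory stand-ins for the
// users table and the registrations table; all names are hypothetical.

// CSPRNG-backed code: Web Crypto global where present, else Node's crypto module.
function newCode() {
  return (globalThis.crypto ?? require('node:crypto')).randomUUID();
}

function createRegistry(existingUsers = []) {
  const users = new Set(existingUsers); // confirmed accounts
  const pending = new Map();            // confirmation code -> requested username

  // Step 1: registration form submitted. This check runs on the server no
  // matter what the client-side name check displayed, and it runs before
  // any pending entry is written or any mail is sent.
  function requestRegistration(username) {
    if (users.has(username)) {
      return { ok: false, reason: 'username_taken' };
    }
    const code = newCode();
    pending.set(code, username);
    return { ok: true, code }; // the code would go out in the confirmation mail
  }

  // Step 2: confirmation code entered. The name is checked again because
  // another pending registration for it may have been confirmed meanwhile.
  function confirmRegistration(code) {
    const username = pending.get(code);
    if (username === undefined) {
      return { ok: false, reason: 'unknown_code' };
    }
    pending.delete(code); // a code is single use, whatever the outcome
    if (users.has(username)) {
      return { ok: false, reason: 'username_taken' };
    }
    users.add(username);
    return { ok: true, username };
  }

  return { requestRegistration, confirmRegistration, pendingCount: () => pending.size };
}
```

With a real database the check and insert in the confirmation step have to be atomic, for example by relying on a unique constraint on the username column rather than a separate lookup.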