Deleting a user from admin leaves it in DB, preventing username to be reused. #870
Comments
I just reproduced this bug on develop. The user, channel, and videos are deleted but not the underlying Actor. |
Isn't that the behavior an AP-enabled app should have (not deleting the actor)? Because the user/actor could be followed by other people, and the next user reusing the same actor will still have them, and then could publish any crap they want, somewhat impersonating the "previous" user. |
@rhaamo I don't think so: if we delete the actor on our instance, we'll send an AP message and remote instances will remove the actor too (deleting the follow at the same time). And if an actor is created with the same username, the public/private keys will not be the same. |
But I agree in a federated network, we should prefer blocking. Should be fixed in e04551d |
In fact we should forbid to reuse an actor username to prevent potential identity theft |
Would be good to be able to override from root user then, no? Or give possibility to fully remove user account.
|
This reverts commit e04551d. See #870 (comment)
Fixed by c907c2f @popindavibe Admin can remove it from the database but we don't really want to facilitate this kind of behaviour, because it could involve identity problems in the federation |
Fine by me, explicit error message does the job.
|
"In fact we should forbid to reuse an actor username to prevent potential identity theft" Well I had to face an identity theft and wasn't able to easily reuse that actor username because the first one to use the name was the thief. I guess that would really be helpful. Can't you open it for discussion please? :-/ For now I guess we should just see what happens. But please consider that's not just a little issue. I may be paranoid, but as a QueerTube admin I guess I should be. I guess this is a minor security issue and we might have one way of solving it: Change the actor's owner:
Ping @Chocobozzz |
@FirePowi good idea 👍 Please create separate issues |
@FlatEarthTruther Please create an issue 👍 |
In my opinion there should be a path to remove a user permanently. |
Hi, could you please tell me how to do this from the server's CLI? I have just set up an instance but I used some nicknames for channels instead of users and vice versa and I would really like to fix this before opening the instance to the public. Thank you. |
Go in your database and run:
|
@Chocobozzz thank you very much! |
Hi, can we hide or dim the button "Delete your account"? |
If the handle is going to go into a pool of unusable account names, this should be made explicitly clear when deleting a user. Most social apps have the ability to recover an account that's been deleted at least within a certain period. Certainly the root user of an instance should have the capacity to restore a user, otherwise we are not following the ethos of software freedom. I believe there needs to be a way to restore a username, or have it returned to an available pool. |
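The behaviour the maintainers settle on in this thread (a deleted user's actor stays in the database, the username stays reserved, and a re-registration attempt gets an explicit error) can be sketched as below. This is an added example, not PeerTube code: `ActorRegistry`, `RegisterResult`, the `keyId` stand-in for a key pair, the messages and the case-insensitive handle comparison are all assumptions.

```typescript
// Added illustration, not PeerTube code; every name here is hypothetical.
interface Actor { handle: string; keyId: string; deleted: boolean }

interface RegisterResult {
  ok: boolean
  reason: 'created' | 'in_use' | 'reserved_by_deleted_actor'
  message: string
  actor?: Actor
}

class ActorRegistry {
  private actors = new Map<string, Actor>()
  private nextKey = 1

  // Assumption of this sketch: handles are compared case-insensitively.
  private static norm(name: string): string {
    return name.trim().toLowerCase()
  }

  createUser(name: string): RegisterResult {
    const handle = ActorRegistry.norm(name)
    const existing = this.actors.get(handle)
    if (existing && existing.deleted) {
      // Explicit error: the tombstoned actor keeps the handle reserved.
      return { ok: false, reason: 'reserved_by_deleted_actor',
        message: `"${handle}" belonged to a deleted account and cannot be reused` }
    }
    if (existing) {
      return { ok: false, reason: 'in_use', message: `"${handle}" is already in use` }
    }
    // keyId stands in for a freshly generated key pair.
    const actor: Actor = { handle, keyId: `key-${this.nextKey++}`, deleted: false }
    this.actors.set(handle, actor)
    return { ok: true, reason: 'created', message: `"${handle}" created`, actor }
  }

  // Deleting a user tombstones the actor instead of dropping the row.
  deleteUser(name: string): boolean {
    const actor = this.actors.get(ActorRegistry.norm(name))
    if (!actor || actor.deleted) return false
    actor.deleted = true
    return true
  }

  isReserved(name: string): boolean {
    return this.actors.has(ActorRegistry.norm(name))
  }
}
```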
PeerTube version or URL:
PeerTube v1.0.0-beta.9
Browser name/version:
Firefox 61.0.1
NodeJS version:
v8.11.3
What is the expected behaviour?
A user removed by admin user in the web interface should be fully removed from database.
What do you see instead?
User is still listed in the actor table, and trying to re-create user via API gives: