Usernames are case sensitive #3575
Comments
|
Thanks for opening this issue, Phil. Another concern is the potential for abuse. Example: someone with the username MichelleObama (with two lowercase L's) could be spoofed by someone with the username MicheIIeObama (with two uppercase i's). It's also possible that this sort of confusion could arise by accident as well. |
|
Yeah, we should probably fix this at some point but it hasn't been a priority. Let's make a new issue when we decide to pick this up. |
|
This issue still exists in Dataverse. Also Julian and I noticed that the search field on the Dataverse permissions page is case sensitive. Eg: searching for "bob" will not find the "Bob11" account. Just looking at usernames that begin with the letter 'a', I came across 16 instances of usernames that are identical except for capitalization differences. |
|
We should display our regular message about the username already being taken when someone tries to create a username with different capitalization.
|
|
I mentioned in standup that it would be great if JPA supported a case insensitive uniqueness constraint so I just opened jakartaee/persistence#209 I also indicated that our previous fix was for #2598 to disallow people from choosing the same dataverse "alias" but with different cases ("mra" vs "MRA" or whatever). So I assume we'll apply a similar fix. Here's the fix we added back then: https://github.com/IQSS/dataverse/blob/v4.10.1/scripts/database/reference_data.sql#L31 See also https://stackoverflow.com/questions/25743191/how-to-add-a-case-insensitive-jpa-unique-constraint |
|
For existing accounts Gustavo is running queries to identify accounts with usernames that have case insensitive matches. Danny is deleting inactive accounts and communicating with owners of active accounts on an ad hoc basis and combining accounts or changing user names as needed to eliminate duplicates. The goal of this ticket is that there are no additional accounts created with the same case insensitive user name as an existing account. It has been proposed that we save all new usernames in all lower case regardless of how they are entered. On login a user may enter a mixed case user name and it will be compared as an all lower case with existing entries. (The effect on the UX is that the user may see the all lowercase username when they edit their account information.) Is this worth mentioning on account creation or on the edit account page? Once all of the duplicate removal has been completed should we go back and update the unaffected accounts so that all user names are entirely lower case? Should the users be notified and how? |
|
It's fine if account names are saved and displayed as lowercase. No need to notify folks in the UI or via email. |
|
#5811 has been merged and will be included in the next release. After that release is out on Github, we can then merge this issue and include it in the following release (since the cleanup is a dependency). I'll sit on this one for now. |
make usernames case insensitive #3575
@scolapasta @landreev @sekmiller we just got a reply on the issue I opened. I left a new comment but other comments from you folks are welcome. Thanks. |
@dlmurphy asked the following at #3539 (comment)
I posted my answer at #3539 (comment)
We discussed this a bit more today an I'm fairly sure that case-insensitive usernames is a usability issue. I can imagine a poor user saying "When you assign me permission to your dataset please be sure to choose
@jharvardand not@JHARVARDbecause the upper-case version isn't me!"#1445 is highly related.
The text was updated successfully, but these errors were encountered: