username validation is probably bypassed when !auth.use_usernames #759

sourcejedi opened this Issue Mar 22, 2013 · 2 comments

(From code inspection.) Note that "use_usernames" only affects display. Usernames can still be used for login according to the value of auth.login_type, and various forms will still let you set a username.

This isn't an XSS hole; it just looks a bit unfinished. Some day I'm feeling more awake, perhaps :).

i960 commented Mar 22, 2013

I'd like to offer my thoughts on this. What would be nice to have is the ability to customize user fields across the board, in both display and validation. In my particular case, when a user registers, I only want to ask for email address and password. I don't care about username, display name, timezone, or language. I can modify the register view to remove these, but for timezone I have to either modify the users controller because it's a required field, or add a hidden field with a default value set. It would be nice if we could select the fields we care about from admin, and have Bonfire automatically remove display and validation for the removed fields, both in the frontend and backend. This is just wishful thinking at this point and maybe I can help out with some code when I have more time.

@sourcejedi sourcejedi added a commit that referenced this issue Apr 3, 2013

@sourcejedi: Don't disable username validation when !auth.use_usernames (issue #759)
This would have allowed e.g. duplicating a username someone else had
created, which could break logins (if auth.login_type was not
set specifically to 'email').

Also fix the username field to be required when
auth.login_type == 'username' (even if auth.use_usernames is disabled).

Done! @i960 note that if you want to keep your comment "live", you'll want to split it into a new issue :).

@sourcejedi sourcejedi closed this Apr 3, 2013
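The commit message above describes two rule changes: the uniqueness check on the username must run regardless of auth.use_usernames (which only controls display), and the field becomes required exactly when auth.login_type is 'username'. The following is an added, framework-independent example of that rule selection, written in Python rather than taken from Bonfire; the config names mirror the issue, but the rule strings, the AuthConfig class and the validate_username function are constructed for illustration and are not Bonfire's API. The `fixed=False` path reproduces the pre-fix behaviour the commit describes, where a disabled display flag silently switched validation off.

```python
"""Username validation driven by auth config (constructed example, not Bonfire code)."""
from dataclasses import dataclass


@dataclass
class AuthConfig:
    # Display-only flag: whether usernames are shown in the UI (assumed, mirrors the issue).
    use_usernames: bool = True
    # Which identifier(s) may be used to log in: 'username', 'email' or 'both'.
    login_type: str = "both"


def username_rules(cfg: AuthConfig, fixed: bool = True) -> list[str]:
    """Return the validation rules to apply to the username field.

    fixed=False reproduces the behaviour the commit message fixes: when the
    display flag was off, *all* username validation was skipped, so a duplicate
    of another user's username would be accepted and could break that user's
    login whenever login_type still allowed username logins.
    """
    if not fixed and not cfg.use_usernames:
        return []  # pre-fix: no rules at all (display flag wrongly gating validation)

    # Post-fix: uniqueness and length limits always apply, because a username
    # is still a login identifier no matter whether it is displayed.
    rules = ["trim", "max_length[30]", "unique"]
    # The field is mandatory only when the username is the sole login identifier.
    if cfg.login_type == "username":
        rules.insert(0, "required")
    return rules


def validate_username(value: str, existing: set[str], rules: list[str]) -> list[str]:
    """Apply the selected rules; return a list of error messages (empty == valid)."""
    errors: list[str] = []
    v = value.strip() if "trim" in rules else value

    if "required" in rules and not v:
        errors.append("username is required")
    for rule in rules:
        if rule.startswith("max_length[") and len(v) > int(rule[len("max_length["):-1]):
            errors.append("username too long")
    # Uniqueness is checked against the existing user table (a set stands in for it here).
    if "unique" in rules and v and v in existing:
        errors.append("username already taken")
    return errors


def demo() -> tuple[list[str], list[str]]:
    """Show the same registration attempt before and after the fix."""
    existing_users = {"alice", "bob"}  # constructed sample data
    cfg = AuthConfig(use_usernames=False, login_type="both")
    before = validate_username("alice", existing_users, username_rules(cfg, fixed=False))
    after = validate_username("alice", existing_users, username_rules(cfg, fixed=True))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("pre-fix errors :", before)   # [] -> duplicate accepted
    print("post-fix errors:", after)    # ['username already taken']
```

The decisive check is the last `demo()` line: with usernames hidden from display, the pre-fix rule set is empty and the duplicate "alice" passes, while the fixed rule set still rejects it. Keeping the display flag and the validation rules as independent inputs is the point of the fix; a display setting should never decide whether a login identifier is validated.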