
username validation is probably bypassed when !auth.use_usernames #759

Closed
sourcejedi opened this Issue · 2 comments

2 participants

@sourcejedi

(From code inspection.) Note that "use_usernames" only affects display. Usernames can still be used for login according to the value of auth.login_type, and various forms will still let you set a username.

This isn't an XSS hole; it just looks a bit unfinished. Some day I'm feeling more awake, perhaps :).

@i960

I'd like to offer my thoughts on this. What would be nice to have is the ability to customize user fields across the board, in both display and validation. In my particular case, when a user registers, I only want to ask for email address and password. I don't care about username, display name, timezone, or language. I can modify the register view to remove these, but for timezone I have to either modify the users controller because it's a required field, or add a hidden field with a default value set. It would be nice if we could select the fields we care about from admin, and have Bonfire automatically remove display and validation for the removed fields, both in the frontend and backend. This is just wishful thinking at this point and maybe I can help out with some code when I have more time.

@sourcejedi sourcejedi referenced this issue from a commit
@sourcejedi sourcejedi Don't disable username validation when !auth.use_usernames (issue #759)
This would have allowed e.g. duplicating a username someone else had
created, which could break logins (if auth.login_type was not
set specifically to 'email').

Also fix the username field to be required when
auth.login_type == 'username' (even if auth.use_usernames is disabled).
deb15db
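To illustrate the problem the commit describes, here is an added example (not Bonfire's own code) of how username validation rules might be derived from `auth.use_usernames` and `auth.login_type`, with the weak variant beside the fixed one. The rule strings follow CodeIgniter's `form_validation` syntax; the `$settings` array, the `'both'` login type and the `check_rules()` evaluator are assumptions made for this demonstration.

```php
<?php
// Added example (not from Bonfire): derive username validation rules from config.
// $settings is an assumed stand-in for Bonfire's auth.* settings.

// Weak variant: drops ALL username rules when usernames are not displayed,
// so a duplicate username is accepted and can collide at login time
// (whenever auth.login_type is not strictly 'email').
function username_rules_weak(array $settings): string
{
    if (empty($settings['auth.use_usernames'])) {
        return '';   // no validation at all: duplicates slip through
    }
    return 'required|trim|max_length[30]|is_unique[users.username]';
}

// Fixed variant: uniqueness is always enforced, because the field is still
// writable and still usable for login; 'required' follows login_type rather
// than the display setting.
function username_rules_fixed(array $settings): string
{
    $rules = 'trim|max_length[30]|is_unique[users.username]';
    if (($settings['auth.login_type'] ?? 'email') === 'username') {
        $rules = 'required|' . $rules;
    }
    return $rules;
}

// Minimal evaluator for the rule subset used above, so the example runs
// without CodeIgniter. $existing stands in for the users table.
function check_rules(string $rules, ?string $value, array $existing): bool
{
    $value = trim((string) $value);
    foreach (array_filter(explode('|', $rules)) as $rule) {
        if ($rule === 'required' && $value === '') return false;
        if (preg_match('/^max_length\[(\d+)\]$/', $rule, $m) && strlen($value) > (int) $m[1]) return false;
        if ($rule === 'is_unique[users.username]' && in_array($value, $existing, true)) return false;
    }
    return true;
}

$existing = ['alice'];   // constructed sample data: one existing account
$cfg = ['auth.use_usernames' => false, 'auth.login_type' => 'both'];   // 'both' is assumed
$label = fn(bool $ok) => $ok ? "accepted\n" : "rejected\n";
echo 'weak,  duplicate "alice": ',  $label(check_rules(username_rules_weak($cfg),  'alice', $existing));
echo 'fixed, duplicate "alice": ',  $label(check_rules(username_rules_fixed($cfg), 'alice', $existing));
$cfg['auth.login_type'] = 'username';
echo 'fixed, empty username:    ',  $label(check_rules(username_rules_fixed($cfg), '', $existing));
```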
@sourcejedi

Done! @i960 note that if you want to keep your comment "live", you'll want to split it into a new issue :).

@sourcejedi sourcejedi closed this