
Show full name if DEFAULT_SHOW_FULL_NAME setting enabled #6710

Merged
merged 3 commits into go-gitea:master from 42wim:fullusername on May 8, 2019

Conversation

7 participants
@42wim (Contributor) commented Apr 22, 2019

Fixes #3697 and #3509

Adds a new key DEFAULT_SHOW_FULL_NAME (default false) to the [ui] section.
If enabled, the full name will be shown (unless it is empty, in which case
the username will be used).

@codecov-io commented Apr 22, 2019

Codecov Report

No coverage uploaded for pull request base (master@a84f10a).
The diff coverage is 40%.

@@            Coverage Diff            @@
##             master    #6710   +/-   ##
=========================================
  Coverage          ?   41.32%           
=========================================
  Files             ?      432           
  Lines             ?    59552           
  Branches          ?        0           
=========================================
  Hits              ?    24611           
  Misses            ?    31703           
  Partials          ?     3238

Impacted Files                 Coverage Δ
modules/templates/helper.go    48.43% <0%> (ø)
modules/setting/setting.go     47.57% <100%> (ø)
models/action.go               58.77% <40%> (ø)
models/user.go                 51.05% <50%> (ø)

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update a84f10a...6f825fd.

@silverwind (Contributor) commented Apr 23, 2019

Please also add the new option to app.ini.sample and possibly the config cheat sheets.

@techknowlogick (Member) left a review comment

Blocking per @silverwind's comment re: docs.

@techknowlogick techknowlogick added this to the 1.9.0 milestone Apr 23, 2019

@42wim 42wim force-pushed the 42wim:fullusername branch from 770d8dd to 090c778 Apr 23, 2019

@42wim (Contributor, Author) commented Apr 23, 2019

done

@silverwind (Contributor) commented Apr 23, 2019

Thanks. One more thing I missed is the Korean/Chinese cheat sheet. I guess it's not strictly required, but if a Korean speaker can contribute the description for the option, we could add it there as well.

@techknowlogick (Member) commented Apr 23, 2019

@silverwind zh-cn is simplified Chinese, but like you said translations for this can wait for a different PR.

Docs have been added.

@lafriks (Member) commented Apr 23, 2019

I would prefer if it would be named as DEFAULT_SHOW_FULL_NAME so that later it could be added as per-user preference

Review thread (resolved, outdated) on templates/repo/diff/comments.tmpl

@42wim 42wim force-pushed the 42wim:fullusername branch from 090c778 to 7ece119 Apr 23, 2019

@42wim 42wim changed the title Show full name if SHOW_FULL_NAME setting enabled Show full name if DEFAULT_SHOW_FULL_NAME setting enabled Apr 23, 2019

@42wim (Contributor, Author) commented Apr 23, 2019

  • changed the setting to DEFAULT_SHOW_FULL_NAME
  • added a GetDisplayName function in models/user.go and used it in the templates

@mrsdizzie (Contributor) commented Apr 23, 2019

This is replacing something relatively limited like usernames -- which can only be letters, numbers, _, and . -- with user-controlled input that currently has no real limitations other than length.

Unfortunately, I don't think Gitea can safely handle this type of change as-is without some more in depth testing. I checked out this PR and was able to find a security issue within a few minutes:

  1. Create an issue with a user.
  2. Change the user's full name to `<script>alert(document.domain)</script>`
  3. Then visit http://example.com/user/repo/issues

It will execute the code above. This is true for any of the opened x days ago by x text generated under issues in various views. Sticking that type of user generated text into the HTML code of many pages should probably be viewed as a big change and potential security issue that requires more extensive testing, auditing, and thought. Not really the fault of the PR or this feature, but the reality of the current code having a history of input escaping/security issues due to its origin.

At minimum there should need to be some type of sanitizing of the full name and double checking of every location that would use it to make sure it isn't easy to break out of the expected HTML as seen above.

Review threads (resolved, outdated) on: templates/repo/issue/view_content/comments.tmpl, templates/repo/issue/view_title.tmpl, templates/user/dashboard/issues.tmpl, templates/repo/issue/milestone_issues.tmpl

@42wim 42wim force-pushed the 42wim:fullusername branch from f7722b0 to 076a3f6 Apr 24, 2019

Show full name if DefaultShowFullName setting activated
Adds a new key DEFAULT_SHOW_FULL_NAME (default false) to the [ui] section.
If enabled the full name will be shown (unless it's empty, then
the default username will be used)

@42wim 42wim force-pushed the 42wim:fullusername branch from 076a3f6 to 9f7eb16 Apr 24, 2019

@42wim (Contributor, Author) commented Apr 24, 2019

  • created GetDisplayName() and GetDisplayNameTitle() in action.go to address @lafriks's suggestion
  • @mrsdizzie's issue should be fixed by the Escape sanitize
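The two points raised in this thread, the username fallback described in the PR description and the stored XSS @mrsdizzie found when the raw full name landed in the "opened x days ago by x" markup, can be shown side by side in a few lines of Go. The block below is an added example written for this page; it is not Gitea's code. The User struct, the GetDisplayName(u, defaultShowFullName) signature, the issueLine template, and the sample user "mallory" are all assumptions chosen for illustration; Gitea's actual template helpers and Escape function are not reproduced here. The contrast it shows is the one that matters for review: the same template source rendered through text/template (verbatim interpolation) versus html/template (context-aware escaping of both the text node and the title attribute), plus a plain html.EscapeString step that stands in for an explicit Escape call in a template.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// User is a hypothetical stand-in for Gitea's user model (an assumption
// for this example, not Gitea's own type).
type User struct {
	Name     string // login name: restricted to letters, digits, '_', '.', '-'
	FullName string // free-form, user-controlled, only length-limited
}

// GetDisplayName mirrors the behaviour the PR describes for
// DEFAULT_SHOW_FULL_NAME: show the full name when the setting is on and
// the full name is non-empty, otherwise fall back to the login name.
func GetDisplayName(u User, defaultShowFullName bool) string {
	if defaultShowFullName && u.FullName != "" {
		return u.FullName
	}
	return u.Name
}

// EscapeDisplayName HTML-escapes the display name so it can never open or
// close a tag when interpolated into page text. html.EscapeString is the
// standard-library equivalent of an explicit Escape helper in a template.
func EscapeDisplayName(u User, defaultShowFullName bool) string {
	return html.EscapeString(GetDisplayName(u, defaultShowFullName))
}

// issueLine is a constructed "opened x days ago by x" fragment like the one
// in an issue list. Both renderers below parse this exact source; only the
// template engine differs.
const issueLine = `<span class="desc">opened 2 days ago by <a title="{{.Title}}">{{.Display}}</a></span>`

type lineData struct {
	Display string // text node
	Title   string // hover title, like GetDisplayNameTitle() in the PR
}

// RenderUnescaped is the vulnerable form: text/template interpolates the
// display name verbatim, so a full name containing markup becomes markup.
func RenderUnescaped(u User, defaultShowFullName bool) string {
	name := GetDisplayName(u, defaultShowFullName)
	tmpl := texttemplate.Must(texttemplate.New("issue").Parse(issueLine))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, lineData{Display: name, Title: name}); err != nil {
		panic(err)
	}
	return buf.String()
}

// RenderEscaped is the hardened form: html/template is context-aware and
// escapes the value separately for the text node and the quoted attribute.
func RenderEscaped(u User, defaultShowFullName bool) string {
	name := GetDisplayName(u, defaultShowFullName)
	tmpl := htmltemplate.Must(htmltemplate.New("issue").Parse(issueLine))
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, lineData{Display: name, Title: name}); err != nil {
		panic(err)
	}
	return buf.String()
}

func main() {
	// Constructed sample user whose full name is the payload from the review comment.
	attacker := User{Name: "mallory", FullName: "<script>alert(document.domain)</script>"}
	fmt.Println("setting off:     ", RenderEscaped(attacker, false))
	fmt.Println("setting on, raw: ", RenderUnescaped(attacker, true))
	fmt.Println("setting on, safe:", RenderEscaped(attacker, true))
}
```

The check a reviewer would run against a real template change is the last assertion in the test: every place the display name is interpolated, including attributes such as title, must show the escaped form, not just the visible text node. A sanitizer applied to the full name at save time is a useful second layer but does not replace output escaping, because existing accounts already hold unsanitized names.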

@GiteaBot GiteaBot added lgtm/need 1 and removed lgtm/need 2 labels May 8, 2019

@techknowlogick techknowlogick requested a review from lafriks May 8, 2019

@lafriks

lafriks approved these changes May 8, 2019

@GiteaBot GiteaBot added lgtm/done and removed lgtm/need 1 labels May 8, 2019

@lafriks lafriks merged commit 4508380 into go-gitea:master May 8, 2019

2 checks passed

approvals/lgtm this commit looks good
continuous-integration/drone/pr Build is passing

@lafriks referenced this pull request May 8, 2019 from the closed issue "[Feature] add full name in issue assignee" #3509 (2 of 7 tasks complete)