Reject admin names for anonymous and (maybe) email auth #605
Comments
Maybe we can add some badge for real admins. Your idea will not work for non-English users.
What do you mean?
The goal is to restrict free-form user names, i.e. anonymous and maybe email. Possible collisions via social logins are another issue, outside of the scope of this ticket.
Not a bad idea indeed. Currently, admins are highlighted with a different color, but this is not very obvious.
umputun
First of all, admin users are verified users, and I think that a badge together with a different color of username is good enough for marking admins.
There are two problems with this suggestion:
* fix admin name check for anon login #605
* update readme with admin names info
* lint: list of static site params
* typo
* don't allow email users to reuse admin names
* move admin.names to restricted-names
* forgotten names member
* remove names from example admin
* remove names from prepTestStore
With those auth methods, bad guys can try to impersonate and pick one of the admins' names. This is visible but may confuse users.
We should reject such names at least on the backend side for anonymous. Regarding email auth, it is unclear, because this could be a valid way for a real admin to log in.
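As an added example of the backend check proposed above (not remark42's own code; the provider identifiers, the restricted list and the normalization rules are assumptions for illustration), a Go deny-list that is applied only to providers whose names are typed by the user, treating email the same way as anonymous, as the linked PR's commits do:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Providers whose user names are typed by the user, so they need the check.
// Constructed for this example; real provider identifiers may differ.
var freeFormProviders = map[string]bool{"anonymous": true, "email": true}

// ErrNameRestricted is returned when a requested name collides with the list.
var ErrNameRestricted = errors.New("user name is reserved")

// normalize folds case and whitespace so "  Site   ADMIN " matches "Site Admin".
func normalize(name string) string {
	return strings.ToLower(strings.Join(strings.Fields(name), " "))
}

// RestrictedNames holds normalized admin (and other reserved) names.
type RestrictedNames struct{ set map[string]struct{} }

func NewRestrictedNames(names ...string) *RestrictedNames {
	r := &RestrictedNames{set: make(map[string]struct{}, len(names))}
	for _, n := range names {
		r.set[normalize(n)] = struct{}{}
	}
	return r
}

// Check rejects a requested name from a free-form provider if it is restricted.
// Names set by a social identity provider are not user-chosen and pass through.
func (r *RestrictedNames) Check(provider, requested string) error {
	if !freeFormProviders[provider] {
		return nil
	}
	if _, hit := r.set[normalize(requested)]; hit {
		return fmt.Errorf("%w: %q", ErrNameRestricted, requested)
	}
	return nil
}

func main() {
	rn := NewRestrictedNames("site-admin", "Moderator Bob") // constructed names
	for _, c := range [][2]string{{"anonymous", "SITE-ADMIN"}, {"email", " moderator   bob "}, {"github", "site-admin"}, {"anonymous", "visitor"}} {
		fmt.Printf("%-9s %-20q -> %v\n", c[0], c[1], rn.Check(c[0], c[1]))
	}
}
```

The same check would run wherever the server accepts a user-supplied name, such as the anonymous login handler, so a client that skips the UI cannot bypass it.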