Reject admin names for anonymous and (maybe) email auth #605
Comments
|
Maybe we can add some badge for real admin. Your idea will not work for non-english users. |
What do you mean? |
|
Sorry, I didn`t understand the problem correctly. But another case, how it should work for github if I change name? |
|
The goal is to restrict free-form user names, i.e. anonymous and maybe email. Possible collisions via social logins is another issue, outside of the scope of this ticket.
not a bad idea indeed. Currently, admins highlighted with a different color, but this is not very obvious. |
|
umputun |
|
First of all admin users are verified users and I think that badge together with different color of username are good enough for marking admins. |
There are two problems with this suggestion:
|
* fix admin name check for anon login #605 * update readme with admin names info * lint: list of static site params * typo * don't allow email users to reuse admin names * move admin.names to restricted-names * forgotten names member * remove names from example admin * remove names from prepTestStore
* fix admin name check for anon login #605 * update readme with admin names info * lint: list of static site params * typo * don't allow email users to reuse admin names * move admin.names to restricted-names * forgotten names member * remove names from example admin * remove names from prepTestStore
With those auth methods, bad guys can try to impersonate and pick one of admin's names. This is visible but may confuse users.
We should reject such names at least on the backend side for anonymous. Regarding email auth - unclear, because this could be a valid way for real admin to login
The text was updated successfully, but these errors were encountered: