Users can create account even when registration is disabled #2503

Open
wzrdtales opened this issue Mar 4, 2019 · 10 comments
Comments

@wzrdtales wzrdtales commented Mar 4, 2019

Infos:

  • Used Zammad version: 2.9.x
  • Installation method (source, package, ..): helm
  • Operating system: docker provided
  • Database + version: postgresql from helm
  • Elasticsearch version: postgresql from helm
  • Browser + version: firefox latest

Expected behavior:

When user registration is disabled in the settings, it is expected that users are not able to create an account on the platform unless they are explicitly added.

Actual behavior:

When user registration is disabled but password reset is enabled, every user that once sent a mail to the system automatically gains an account, which they can start using simply by resetting their password.

Steps to reproduce the behavior:

See behavior description.

Yes I'm sure this is a bug and no feature request or a general question.

@MrGeneration MrGeneration commented Mar 5, 2019

Thanks for your contribution.
This is actually working as designed and not a bug.

Currently every customer in your Zammad-Instance is also a user account.
Those can be created via e-mail as well as via the WebApp. The main difference is that I could create dozens of customer accounts without a single ticket via the WebApp, as I am not forced to create a ticket upon login / registration.

To completely ensure your customers can't use the WebApp (for whatever reason), you'd need to deactivate "password recovery" as well. The reason this works is that we share the same login and backend-URL for both agents and customers.

I'd suggest an LDAP authentication in that case; disabling password recovery will then not harm you in case the password has to be changed.

@wzrdtales wzrdtales commented Mar 5, 2019

So this is insecure by design? Password resetting is a completely different topic from registering an account.

Of course the customers should be able to use the WebApp, but not every user sending a mail into a system is a customer. But exactly this is the case for Zammad currently. If you disable registration, it should not be possible to register an account unless you have been registered explicitly.

@wzrdtales wzrdtales commented Mar 5, 2019

And this is a problem, since there is currently no real spam protection (no captcha or alternative approaches like PoW), so this can be heavily abused, especially via the webapp.

@MrGeneration MrGeneration commented Mar 6, 2019

We've been discussing this issue internally and found that the use case is valid.
Currently we need to think of a solution that addresses this issue but does not disable other possible use cases.

We'll update the issue as soon as there's news for it.
Sorry for the back and forth!

@wzrdtales wzrdtales commented Mar 6, 2019

Suggestion:

Add a validation to accounts created by e-mail, and give the agents an option to enable those accounts for registration, which will send out an e-mail to the customer with a link to set their password. This way the whole process would be clean, since the user is also properly involved and informed of how to proceed.

@martinvonwittich martinvonwittich commented Mar 15, 2019

Further suggestions:

  • Add an option that allows password resets only for accounts that already have a password.
  • Add an option to limit password resets to a list of roles so that admins can limit password resets e.g. to agents.
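As an added illustration of the two options above, together with the behaviour reported at the top of the thread, here is a reset-eligibility policy written for this edit. It is not Zammad's code: the `User` and `Settings` structs, the role names, the `created_via` field and the in-memory user table are constructed assumptions standing in for the real models.

```ruby
# Added example, not Zammad's own code: a password-reset eligibility policy
# modelled on the options proposed in this thread. User, Settings and the
# in-memory user table are constructed stand-ins for the real models.
User = Struct.new(:email, :password_hash, :roles, :created_via, keyword_init: true)

Settings = Struct.new(
  :user_lost_password,               # "password lost" function enabled at all
  :user_create_account,              # self-registration enabled
  :reset_requires_existing_password, # option 1 from the thread
  :reset_allowed_roles,              # option 2 from the thread (nil/empty = any role)
  keyword_init: true
)

class PasswordResetPolicy
  def initialize(settings)
    @settings = settings
  end

  # Returns [allowed, reason]. The reason is only for the audit log; the
  # requester always gets the same neutral answer (see request_reset below).
  def evaluate(user)
    return [false, :lost_password_disabled] unless @settings.user_lost_password
    return [false, :unknown_user] if user.nil?

    # The behaviour reported in this issue: with registration disabled, an
    # account auto-created from an inbound mail must not be activated via reset.
    if !@settings.user_create_account && user.created_via == :email && no_password?(user)
      return [false, :email_created_account_with_registration_disabled]
    end

    # Option 1: only accounts that already have a password may reset it.
    return [false, :no_password_set] if @settings.reset_requires_existing_password && no_password?(user)

    # Option 2: restrict resets to a list of roles, e.g. only agents.
    allowed = Array(@settings.reset_allowed_roles)
    return [false, :role_not_allowed] if !allowed.empty? && (user.roles & allowed).empty?

    [true, :ok]
  end

  private

  def no_password?(user)
    user.password_hash.nil? || user.password_hash.empty?
  end
end

# The visible message never reveals whether the address exists or why a token
# was withheld; the decision and reason go to the audit log instead.
NEUTRAL_MESSAGE = "If an account exists for this address, a reset mail has been sent.".freeze

def request_reset(users_by_email, email, settings, audit_log = [])
  user = users_by_email[email.to_s.strip.downcase]
  allowed, reason = PasswordResetPolicy.new(settings).evaluate(user)
  audit_log << { email: email, allowed: allowed, reason: reason }
  { message: NEUTRAL_MESSAGE, token_issued: allowed }
end

# Constructed sample data: an agent created by an admin, a customer account that
# only exists because of an inbound mail, and a customer created by an admin.
USERS = {
  "agent@example.com"  => User.new(email: "agent@example.com",  password_hash: "hashed-password-placeholder", roles: [:agent],    created_via: :admin),
  "mailer@example.com" => User.new(email: "mailer@example.com", password_hash: nil,                          roles: [:customer], created_via: :email),
  "vip@example.com"    => User.new(email: "vip@example.com",    password_hash: "hashed-password-placeholder", roles: [:customer], created_via: :admin),
}

# Registration off, resets only for accounts with a password and only for agents.
LOCKED_DOWN = Settings.new(user_lost_password: true, user_create_account: false,
                           reset_requires_existing_password: true, reset_allowed_roles: [:agent])

if __FILE__ == $PROGRAM_NAME
  log = []
  USERS.each_key { |e| p request_reset(USERS, e, LOCKED_DOWN, log) }
  p log
end
```

With `LOCKED_DOWN`, only the agent gets a token; the mail-created account is refused for the reason this issue describes, and the admin-created customer is refused by the role list. Both refusals and the unknown-address case return the same neutral message, so the reset form cannot be used to enumerate which addresses have accounts.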
@sinichi19 sinichi19 commented Mar 20, 2019

Thanks for this report. I will temporarily not update to 2.9, because in our setup our customers are internal only; if registration can't be disabled, everyone can now register and abuse it.

(In our setup only the administrator and agent can register new user)

Please bring back enabling and disabling of registration in version 2.9.

@MrGeneration MrGeneration commented Mar 20, 2019

Just to make this clear: This affects all versions of Zammad.

Edit: Currently, the only way of ensuring this doesn't work is to disable manual user creation and the password lost function.

@sinichi19 sinichi19 commented Mar 22, 2019

Just to make this clear: This affects all versions of Zammad.

Edit: Currently, the only way of ensuring this doesn't work is to disable manual user creation and the password lost function.

Thank you for clarification.

@wucherpfennig wucherpfennig commented Jan 28, 2020

Just to make this clear: This affects all versions of Zammad.
Edit: Currently, the only way of ensuring this doesn't work is to disable manual user creation and the password lost function.

Thank you for clarification.
@MrGeneration
This is partially true. Even with these settings disabled, it will create new users if you have third-party authentication (o365) enabled, which is in my opinion counter-intuitive.

BR wucherpfennig
