Bots can be created with the same full name as existing users #1107

Closed
kevinr opened this issue Jun 23, 2016 · 10 comments

@kevinr

kevinr commented Jun 23, 2016

...which allows the owner of the bot to impersonate them.

EDITED from discussion below. The current proposed approach to solving this problem is to modify the way bots are displayed in the frontend UI to make clear they are bots. Concrete ideas on the design wanted!

@tdickers

It's most effective if you use the same username and the same avatar. You can click on the user's avatar or name to see the email address associated (and will see xxx-bot@yyy.zz), but it's fairly effective.

The hard part in mitigating this would probably be edge cases of characters like l and I (lower case 'el' and capital 'eye'), null characters, etc.

Maybe just have a config option to require all bot display names to be prefixed with the user's name?


@timabbott
Sponsor Member

I agree with @tdickers; because of Unicode characters that look identical to each other, it's difficult to prevent a human user from impersonating another by copying their name and avatar (potentially modulo using a very-similar-looking Unicode character).

There are a few things one can do to solve the human or bot impersonation problem:

  1. Use social pressure to discourage bad behavior (usually quite effective in a work context).
  2. Set NAME_CHANGES_DISABLED to make it difficult for humans to change their names (you'll want to be using LDAP or something to set them in the first place). It might be nice to have a UI for realm admins to change users' names to go along with this setting for teams not using LDAP.
  3. Display the user's email address more prominently (kinda ugly) or switch to using a unique username (rather than an actual name) as the display name of users.
  4. Display bots differently from human users (e.g. with a nice "bot" icon next to their name). If done well, this could be a nice feature regardless, and is probably the best path forward for this issue. A variant of this would be to just require that all bot names are of the form "X Bot" :)
  5. Block users having the same name as other users, perhaps after some sort of Unicode normalization. Imperfect fix.
  6. Similar to 5 but just display users with duplicate names differently (e.g. with email as well).

I think (2) and (4) are probably the most promising technical things to do here, but I'm definitely interested in thoughts!
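
Option 5 from the list above, sketched as an added example (not part of the original thread and not Zulip's code): a duplicate-name check that compares display names after Unicode normalization, run on inputs that show where it helps and why the list calls it an imperfect fix. The helper names `name_key`, `find_collision` and `scripts_used` are hypothetical, and the sample inputs are constructed.

```python
import unicodedata

# Constructed sample data; the display name is the one used in this thread.
EXISTING = ["Kevin Riggle"]

def name_key(full_name):
    """Comparison key for a display name (hypothetical helper)."""
    # NFKC folds compatibility forms (fullwidth letters, ligatures,
    # precomposed vs. combining accents) into one representation.
    text = unicodedata.normalize("NFKC", full_name)
    # Drop invisible format/control characters such as U+200B or NUL,
    # but keep whitespace controls so words are not glued together.
    text = "".join(
        ch for ch in text
        if ch.isspace() or unicodedata.category(ch) not in ("Cf", "Cc")
    )
    # Caseless comparison, single spaces, then renormalize.
    text = " ".join(text.casefold().split())
    return unicodedata.normalize("NFKC", text)

def find_collision(new_name, existing_names):
    """Return the existing name that new_name duplicates, or None."""
    key = name_key(new_name)
    for name in existing_names:
        if name_key(name) == key:
            return name
    return None

def scripts_used(full_name):
    """Rough script set: first word of each letter's Unicode character name."""
    text = unicodedata.normalize("NFKC", full_name)
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

if __name__ == "__main__":
    candidates = [
        "kevin   RIGGLE",             # case and spacing: caught
        "\uff2bevin Riggle",          # fullwidth K: caught by NFKC
        "Kevin\u200b Riggle\x00",     # zero-width space and NUL: caught
        "Kevin Riggl\u0435",          # Cyrillic 'ie': NOT caught, but mixed-script
        "Kevin RiggIe",               # capital I for l: NOT caught, all Latin
    ]
    for name in candidates:
        print(ascii(name), "->", find_collision(name, EXISTING),
              sorted(scripts_used(name)))
```

The last two inputs pass the check, which is why the display-side options (4 and 6) still matter even if names are deduplicated.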

@tdickers

NAME_CHANGES_DISABLED worked well for solving the "primary user account impersonating another" case but doesn't cover the bot case.

@timabbott
Sponsor Member

@tdickers @kevinr what are your thoughts on approach (4) in my list?

@tdickers

I think number 4 is the best option proposed.

@timabbott
Sponsor Member

OK, edited the issue description (from Kevin's post) to note that proposal; hopefully someone will have a good idea for how to do this nicely from a design perspective.

We could consider just doing an icon on one side of the user's name; we currently use FontAwesome (http://fontawesome.io/icons/) as our main source for icons.

@timabbott timabbott modified the milestone: Likely next milestone Jul 7, 2016
@timabbott timabbott modified the milestones: Zulip roadmap, Candidates for next roadmap Nov 18, 2016
@tommyip
Member

tommyip commented Dec 25, 2016

I will work on this.

@timabbott
Sponsor Member

@kevinr you may want to take a quick look at the options being discussed in #2909.

@kevinr
Author

kevinr commented Dec 28, 2016

Wow, I'm way behind on this issue. I commented on #2909.

A couple other options:

  1. Display a user's picture whenever they're mentioned. So Hiya @Kevin Riggle! would result in "Hiya (small userpic)Kevin Riggle"
  2. Include the user's email address in the title text of their display name and picture.

brockwhittaker pushed a commit to brockwhittaker/zulip that referenced this issue Feb 16, 2017
@timabbott
Sponsor Member

Just an update on this thread, we just merged #2909, which means we now have different styling for bot users from human users.
