When registering a new account, an email is sent to the email address for verification before the account is activated. However, there is no check done when the email address is changed from catdap. I think catdap should send an email to the address before applying the change. We should also prevent users from changing their email address by connecting directly to the ldap server without using catdap (unless it's possible to enforce the same check).
CC: (none) => boklm
Blocks: (none) => 859
CC: (none) => sysadmin-bugs
Pinging, because nothing has happened to this report for more than 3 months, and it still has the status NEW or REOPENED. @ Buchan, please set status to ASSIGNED. If for work flow reasons you can't do that, then please put OK on the whiteboard instead. Don't change anything if you want to be pinged by me here again :)
CC: (none) => marja11
Can you explain in more detail the motivation for requiring email validation of email change (but not e.g. password change)? Or, should we instead send email notification of any change (which might achieve the same, or better, goal)? For preventing changes via LDAP, this is difficult to prevent, as the approach we have taken is to have CatDap use the LDAP credentials of the user (so CatDap does not have any privileges itself besides being able to search for users and authenticate them). Requiring us to not allow the user to change their email address would mean we have to change this whole model, to the point where CatDap would have higher privileges, which would be easier to abuse (e.g. be able to compromise all accounts, rather than being able to compromise only one).
CC: (none) => bgmilne
CC: boklm => (none)
Still valid, I can pretend to be root@mageia.org
CC: (none) => root
Confirmed too, I just set steve@jobs.pomme as email address, and it's shown in bugzilla just fine.
Priority: Normal => release_blocker
CC: (none) => mageia
I don't think anyone is around who really deals with catdap these days? I know when converting to git the branches for the live site and master were really horribly out of sync too. Would there be any possibility to investigate the use of the PHP-based identity system used by KDE? All the frontend stuff of that is much nicer... and lets us do the necessary stuff we'd need (basically adding SSH keys and group management stuff). Just a passing thought - no idea about the code behind it.
CC: (none) => mageia
I would vote for it too.
I think it is: https://quickgit.kde.org/?p=websites%2Fidentity-kde-org.git
CC: root => (none)
"Would there be any possibility to investigate the use of the PHP-based identity system used by KDE?" PHP's LDAP support is very broken, and has been broken for 10 years (no real support for controls such as password policies etc.). Before people take stupid unilateral decisions, how about we discuss whether there is actually anything really substantially missing.
There are numerous things wrong with catdap and in the last few years I've had to fight with the ldap command line on numerous occasions. Many of the links don't work and the UX in it is horrible to the extent of unusable (we frequently have to support users in using it). PHP's LDAP support might not be perfect, but it's certainly more than functional enough for our needs here. The amount of work needed to give catdap a good UX is quite high. I am also sure that there are very few people who are active just now that understand it and a lot more people that would be able to understand and help out with a PHP based system. While I'm not against improving catdap, I don't really see people lining up offering to do the work. One man's "stupid" decision is another man's pragmatic one...
Priority: release_blocker => High
Assignee: bgmilne => sysadmin-bugs
(In reply to Nicolas Lécureuil from comment #7)
> i think it is : https://quickgit.kde.org/?p=websites%2Fidentity-kde-org.git

New URL is https://cgit.kde.org/websites/identity-kde-org.git

Being able to choose an email address which doesn't belong to you can be a security issue. One example is that Bugzilla can be configured to give some privileges to users based on their email address (typically the domain name part of the email address), and so if an attacker chooses an email address matching the regular expression set in Bugzilla, he could get higher privileges. See e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1202447 for a recent similar issue. The good news is that Mageia Bugzilla is not configured to give privileges based on the email address. But I don't know about other Mageia services. So it would still be good to address this issue in CatDap. This doesn't look too hard to do.
CC: (none) => LpSolit
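One way to implement the "send a token to the new address before applying the change" step asked for in the opening report, and to keep the unverified address out of the record that downstream services like Bugzilla read (the concern in the comment above); this is an added illustration in Python, not CatDap's own Perl/Catalyst code, and all names (Account, request_email_change, confirm_email_change, TOKEN_TTL) are invented for it.

```python
import hmac
import secrets
from dataclasses import dataclass
from hashlib import sha256

TOKEN_TTL = 3600  # seconds a verification token stays valid (assumed value)

@dataclass
class Account:
    uid: str
    email: str               # the verified address, the only one ever written to LDAP
    pending_email: str = ""  # requested address, not yet verified
    token_hash: bytes = b""  # sha256 of the one-time token mailed to pending_email
    expires: float = 0.0

def _hash(token: str) -> bytes:
    return sha256(token.encode()).digest()

def request_email_change(acct: Account, new_email: str, outbox: list, now: float) -> None:
    """Record the request and mail a one-time token to the NEW address only."""
    token = secrets.token_urlsafe(32)
    acct.pending_email = new_email
    acct.token_hash = _hash(token)        # store a hash so reading the record does not leak the token
    acct.expires = now + TOKEN_TTL
    outbox.append((new_email, token))     # stand-in for the real mailer (constructed)
    # acct.email is deliberately untouched here

def confirm_email_change(acct: Account, token: str, now: float) -> bool:
    """Apply the change only if a valid, unexpired token for the pending address is presented."""
    if not acct.pending_email or now > acct.expires:
        return False
    if not hmac.compare_digest(acct.token_hash, _hash(token)):
        return False
    acct.email = acct.pending_email       # this is the point where the LDAP 'mail' attribute would change
    acct.pending_email, acct.token_hash, acct.expires = "", b"", 0.0
    return True

def demo() -> dict:
    """Constructed walk-through: a user requests an address they do not control."""
    acct = Account("alice", "alice@example.org")
    outbox = []
    request_email_change(acct, "root@example.org", outbox, now=1000.0)
    unverified = acct.email                               # still alice@example.org
    guessed = confirm_email_change(acct, "not-the-token", now=1001.0)
    to_addr, token = outbox[0]                            # only the owner of that inbox has this
    expired = confirm_email_change(acct, token, now=1000.0 + TOKEN_TTL + 1)
    ok = confirm_email_change(acct, token, now=1001.0)
    return {"before": unverified, "guessed": guessed, "expired": expired,
            "ok": ok, "after": acct.email, "mailed_to": to_addr}
```

The LDAP side is not covered here: as noted above, CatDap binds with the user's own credentials, so a direct LDAP write bypasses this flow unless the server's ACLs forbid the user modifying their own mail attribute.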
Hi, this is a High priority bug for a good reason. Making Mageia even better than ever is the best direction. In order to do the right thing, this bug should be examined and fixed as soon as possible. Packagers, please set the status to Assigned when you are working on this. Feel free to reassign the bug if badly triaged. Also, if the bug is old, please close it. On October 1st 2020, we will drop priority to normal.