automatically create hedgedoc user accounts so that edits are no longer anonymous #2
Conversation
…ount based on the user's ctfpad username
| cache: 'no-cache', | ||
| credentials: 'include', | ||
| headers: { 'Content-Type': 'application/x-www-form-urlencoded'}, | ||
| body: "email={{request.user}}%40localhost.localdomain&password=hedgedoc"}); |
There was a problem hiding this comment.
Because if I register lanjelot on ctfpad using hahanfiwhothisis@gmail.com and we use request.user.email instead of request.user then hedgedoc will use hahanfiwhothisis as the username and we'll have no idea that it is actually me (hedgedoc uses everything before @ as the username)
| cache: 'no-cache', | ||
| credentials: 'include', | ||
| headers: { 'Content-Type': 'application/x-www-form-urlencoded'}, | ||
| body: "email={{request.user}}%40localhost.localdomain&password=hedgedoc"}); |
There was a problem hiding this comment.
Also not a fan of static password: we have access to request.user object, that leaves room for crafting unique password per users.
There was a problem hiding this comment.
yeah i just wanted to have a quick PoC working, feel free to use request.user.password or whatever instead. Also I didn't want to bother with what if the user resets or updates their password in ctfpad, then we need to update it in hedgedoc as well etc.
| @@ -70,6 +71,17 @@ def form_valid(self, form): | |||
| messages.error(self.request, "Username already exists, try logging in instead") | |||
| return redirect("ctfpad:home") | |||
|
|
|||
| # create the hedgedoc user | |||
| email = form.cleaned_data["username"] + '@localhost.localdomain' | |||
There was a problem hiding this comment.
same reply as above ;)
This allows "authorship highlightiing", we can now see who made what changes to a note.