
Deleted account not really deleted #1713

Closed
SansPseudoFix opened this issue Sep 8, 2023 · 9 comments · Fixed by #1718
@SansPseudoFix

Version

6.2.72

Expected behavior

When you delete your account, you should not be able to reconnect to it by going through the password reset request. Your account should be actually deleted.

Actual behavior

When your account is deleted, you can reconnect by using password reset page.

Steps to reproduce

  1. delete your account via the /sympa/pref page
  2. go to the connection page
  3. click the reset link to go to the sympa/firstpasswd page
  4. enter your deleted email address
  5. use the reset password link in the email
  6. recover your account

Additional information

Reported by a user who wanted his account deleted.

@ikedas
Member

ikedas commented Sep 8, 2023

I would think that if you reissue your password, you should be able to log in.

@racke
Contributor

racke commented Sep 8, 2023

You deleted your account. But what is wrong with creating it again?

@SansPseudoFix
Author

Yes, deletion should remove your data from sympa. If you want an account again, you should be able to recreate it later.

@ikedas
Member

ikedas commented Sep 8, 2023

How to recreate your account is the same as how to create your account. How have you created your account at the first time?

@ldidry
Contributor

ldidry commented Sep 10, 2023

I did not check the code but I guess that "I forgot my password" uses the same mechanisms as creating an account. So it recreates the account and it looks like your account was not deleted.

To be confirmed.

@SansPseudoFix Could you try

  • create an account
  • subscribe to a list
  • delete your account
  • verify via /sympa/serveradmin/users that the account does not exist anymore, that it’s not subscribed to any list
  • do "I forgot my password"
  • log in and verify that you are not subscribed to any list

@SansPseudoFix
Author

Done.

log in and verify that you are not subscribed to any list

My account has no list in sympa/my (and /sympa/serveradmin/users doesn't find me either (which makes sense)).

@SansPseudoFix
Author

My point in creating this issue is: from a user point of view, it doesn't make sense to recreate an account by requesting a password reset.

"Forgot my password" button should say "you don't have any account with this email address", not recreate an account.

@ikedas
Member

ikedas commented Sep 12, 2023

"Forgot my password" button should say "you don't have any account with this email address", not recreate an account.

I don’t agree with your suggestion.

  • If the GUI behavior changes depending on whether a particular account exists or not, an attacker can use it to know whether a particular person is registered or not.

  • In addition, a user who wants to use the GUI must first become a subscriber or an administrator of any list, without using the GUI.

@ldidry
Contributor

ldidry commented Sep 12, 2023

The simplest fix could be to add a message on the "forgot password" screen saying something like:

If you don’t have an account on this server, asking for a new password will create a new account.
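The two design points raised above (ikedas: the page must not behave differently depending on whether an address is registered, otherwise it becomes an account-enumeration oracle; ldidry: tell the user up front that a reset request on an unknown address creates an account) can be shown side by side in a small handler. The following is an added illustration written for this thread, not Sympa's code: the `ResetService` class, the in-memory user store and outbox, and the response messages are all constructed for the example.

```python
"""Added example (not Sympa's code): a password-reset request handler whose
visible page is identical whether or not the address is registered, next to
a variant that reveals registration status. All names and data are
constructed for illustration."""
import secrets
from dataclasses import dataclass

# Notice text along the lines of ldidry's suggestion in the thread.
NOTICE = ("If you don't have an account on this server, asking for a new "
          "password will create a new account.")


@dataclass(frozen=True)
class PageResponse:
    """What the browser receives: an HTTP status and the page message."""
    status: int
    message: str


class ResetService:
    def __init__(self, registered):
        # Constructed user store: a set of lower-cased addresses.
        self.registered = {e.strip().lower() for e in registered}
        # Constructed in-memory mail queue standing in for outgoing mail.
        self.outbox = []

    def request_leaky(self, email):
        """Variant that reports whether the account exists (the behaviour the
        issue asks for). The page differs per address, so anyone can learn
        who is registered by watching the response."""
        email = email.strip().lower()
        if email not in self.registered:
            return PageResponse(404, "You don't have any account with this "
                                     "email address.")
        self._send(email, "reset")
        return PageResponse(200, "A password link has been sent.")

    def request_uniform(self, email):
        """Variant that keeps the page identical either way: a mail is always
        sent, and only its content (reset vs. create) differs, which only the
        mailbox owner can see. The notice warns that an unknown address will
        get a freshly created account."""
        email = email.strip().lower()
        kind = "reset" if email in self.registered else "create"
        self._send(email, kind)
        return PageResponse(200, "If this address can receive mail, a message "
                                 "with a link has been sent. " + NOTICE)

    def _send(self, email, kind):
        # Token is only ever placed in the mail, never in the page response.
        self.outbox.append({"to": email, "kind": kind,
                            "token": secrets.token_urlsafe(32)})


def page_reveals_registration(handler, registered_addr, unknown_addr):
    """Defender-side check: True if the page returned for a registered
    address differs from the one returned for an unregistered address."""
    return handler(registered_addr) != handler(unknown_addr)


if __name__ == "__main__":
    svc = ResetService(["alice@example.org"])
    for name, handler in (("leaky", svc.request_leaky),
                          ("uniform", svc.request_uniform)):
        leaks = page_reveals_registration(handler, "alice@example.org",
                                          "nobody@example.org")
        print(f"{name}: page reveals registration = {leaks}")
```

The check compares the whole `PageResponse` (status and message), which is what an outside observer sees; the mail kind and token stay in the outbox and are visible only to whoever controls the mailbox. Keeping the page constant and moving the "create vs. reset" distinction into the mail body is what lets the server satisfy both comments at once.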

ikedas added a commit that referenced this issue Aug 25, 2024
Add links to create or recreate password (#1713)