Capacity to change the username and the risk of usurpation

⚓ Dev    📅 2023-03-27    👤 root    👁️ 176

root

Hi, I’m testing your forum and I’m very happy with it. It’s full of good ideas and nice features.

But…

It’s possible to change the username and use the same one as another user! I thought, yeah, it’s a cool feature to troll, then I thought of the case of two users with the same username and the same weak password, so I tried.

You log in with the last user (highest id) and if you change the username again, you can’t log in with the first username anymore.

400 Bad Request

Error: wrong password

I think it is a major bug.

I don’t know Rust, at all, sorry, I can’t help you.

๐Ÿท๏ธ bug ๐Ÿท๏ธ feature
๐Ÿ‘ ๓ ฎ๓ ฎ๓ ฎ๓ ฎ ๐Ÿ‘Ž ๓ ฎ๓ ฎ๓ ฎ๓ ฎ

root    2023-03-27 👍 👎 [op]

Even with different passwords, having the same username kills the login of users with lower uid. It is a big, big problem :D

1

freedit    2023-03-28 👍 1 👎

Thanks, I just fixed https://github.com/freedit-org/freedit/commit/7b83de1115354c6f3841940fe4af21a5cba8e49c

Anyway, you can log in to your account with uid.

2

root    2023-03-28 👍 👎 [op]

Thanks a lot, great reactivity!

3

Root    2023-03-30 👍 👎

@root @freedit Initially-capitalized usernames, Root, and lowercase root, should belong to the same user and not 2 different users, which can easily cause confusion.

4

freedit    2023-03-30 👍 👎

@Root, in case anyone has a login issue with username, just log in with id and change your username.

6

root    2023-04-03 👍 👎 [op]

Thank you @Root, you killed my username! :D I was able to log in with the uid.

7
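
An added example, not part of the thread and not freedit's code: a simplified Rust model of the symptom reported above (an unchecked rename that shadows and then orphans the first owner's username) beside a rename that rejects case-insensitive duplicates. The `Users` store, `fold`, `set_name`, `set_name_unchecked` and `uid_for` are hypothetical names, and lowercasing as the folding rule is an assumption.

```rust
use std::collections::HashMap;

/// Hypothetical in-memory user store; not freedit's schema or code.
#[derive(Default)]
struct Users {
    names: HashMap<u32, String>, // uid -> display name
    index: HashMap<String, u32>, // folded username -> uid, used at login
}

/// Fold case so "Root" and "root" share one key (assumption: lowercasing suffices).
fn fold(name: &str) -> String {
    name.trim().to_lowercase()
}

impl Users {
    /// Register or rename WITHOUT an ownership check (models the reported symptom).
    fn set_name_unchecked(&mut self, uid: u32, new: &str) {
        if let Some(old) = self.names.insert(uid, new.to_string()) {
            self.index.remove(&fold(&old)); // may delete another user's entry
        }
        self.index.insert(fold(new), uid); // silently replaces the owner
    }

    /// Register or rename, refusing a name whose folded form has another owner.
    fn set_name(&mut self, uid: u32, new: &str) -> Result<(), &'static str> {
        let key = fold(new);
        match self.index.get(&key) {
            Some(&owner) if owner != uid => return Err("username already taken"),
            _ if key.is_empty() => return Err("empty username"),
            _ => {}
        }
        if let Some(old) = self.names.insert(uid, new.trim().to_string()) {
            self.index.remove(&fold(&old)); // release only our own old key
        }
        self.index.insert(key, uid);
        Ok(())
    }

    /// Login lookup by username; login by uid does not depend on this index.
    fn uid_for(&self, name: &str) -> Option<u32> {
        self.index.get(&fold(name)).copied()
    }
}

fn main() {
    let mut users = Users::default();
    users.set_name(1, "root").unwrap();
    let dup = users.set_name(2, "Root"); // rejected: folds to uid 1's "root"
    println!("{:?} {:?}", dup, users.uid_for("ROOT"));
}
```

In a persistent store the ownership check and the index update have to happen in one transaction, otherwise two concurrent renames can both pass the check.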