ASKBOT / askbot-devel

Askbot is a Django/Python Q&A forum. **Contributors README**: https://github.com/ASKBOT/askbot-devel#how-to-contribute. Commercial hosting of Askbot and support are available at https://askbot.com

Issue With Google Plus login #685

Open pijain opened 7 years ago

pijain commented 7 years ago

I have enabled Google Plus login and in allowed domain I have filled in my domain, let's say xyz.com

So when I click on Sign in by Google and fill in a domain other than xyz.com, it takes me to the next screen asking for screen name and email address.

On this screen I can enter any random email address like "random@xyz.com" and I will have login access to the site. This should not happen; it should check the allowed domain on the first Google login attempt and should not take me to the screen asking for screen name and email.

Please let me know if any patch for this is available.

evgenyfadeev commented 7 years ago

Please give a more detailed description: where to enter what input to reproduce it, and what exactly the issue is.

As far as I understand - you click on google button, then after authenticating with G+, you are redirected to the "enter name and email page", where you enter your email address. Are you able to enter absolutely any email address, even one that is not matching allowed emails/domains - and then Askbot does not reject registration?

Or the issue is that given the (non-matching the allowed pattern) email address retrieved by google, the email input screen still loads, while you expect it to reject the authentication in that case and not ever allow you to enter an alternative email?

Btw, remember that you can still enable the forced email validation - in that case a validation message is sent to your inbox and you have to click the enclosed link in order to complete the account registration.

On Thu, Jan 12, 2017 at 12:35 AM, pijain notifications@github.com wrote:

I have enabled google plus login and in allowed domain i have filled up my domain, lets say xyz.com

So when I click on Sign in by google and fill up domain other than xyz.com, then it takes me to next screen asking for Screen name and email address.

On this screen if I can enter any random email address like " random@xyz.com" and i will have login access to the site. Which should not happen it should check the allowed domain on the first google with login attempt and should not take me to the screen asking for screen name and email.

Please let me know if any patch for this is available.


-- Askbot Valparaiso, Chile skype: evgeny-fadeev

pijain commented 7 years ago

The exact issue is,

1) When we click on Google login it takes us to the Google login page.
2) On my setup the only allowed domain is "directi.com".
3) But on the Google login page I use my personal Gmail instead of my directi gapps id.
4) It shows me the next page where it asks to complete registration.

The issue is that if I can reach the complete registration page, I can enter any random @directi.com email id, say xyz@directi.com, and complete the registration.

The domain validation should be done on the first attempt, before showing the complete registration page. [screenshot: 2017-01-12 10-06-03]

In the current scenario the domain validation happens on the complete registration page, where if I enter any other id it will say the domain is not allowed, and if I enter a correct id or any random id with @directi.com it will allow me inside.
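
The two orderings described in this comment, as an added illustration that is not Askbot's code: the reported flow checks the allowed domain only on the address typed into the completion form, while the hardened flow checks the provider-verified address at the login callback, before that form is shown. `ALLOWED_EMAIL_DOMAINS`, `ProviderAssertion` and the sample addresses are assumed, constructed values.

```python
"""Hypothetical model of the allowed-domain check, not Askbot's implementation.

The identity provider (Google) returns a verified email; the "complete
registration" form lets the user type a different one. Checking the domain
rule only on the typed address is bypassable; the hardened flow decides on
the provider-verified address before the form is ever rendered.
ALLOWED_EMAIL_DOMAINS is an assumed setting name with a constructed value.
"""
from dataclasses import dataclass

ALLOWED_EMAIL_DOMAINS = ("directi.com",)  # assumed setting, sample value


def email_domain(email: str) -> str:
    """Return the lowercased domain part, or "" if the address is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower()


def domain_allowed(email: str, allowed=ALLOWED_EMAIL_DOMAINS) -> bool:
    """Exact, case-insensitive match against the allow list (no subdomains)."""
    return email_domain(email) in {d.lower() for d in allowed}


@dataclass
class ProviderAssertion:
    """What the federated login callback receives (constructed sample)."""
    subject_id: str      # provider's stable user id
    email: str           # email as reported by the provider
    email_verified: bool  # provider's own verification flag


def vulnerable_flow(assertion: ProviderAssertion, submitted_email: str) -> str:
    """Behaviour reported in the issue: the check runs only on the email typed
    into the completion form, which the user fully controls."""
    if not domain_allowed(submitted_email):
        return "rejected"
    return f"registered:{submitted_email}"


def hardened_flow(assertion: ProviderAssertion, submitted_email: str) -> str:
    """Decide at the callback on the provider-verified email, before the
    completion form can be shown; the form cannot override that email."""
    if not assertion.email_verified or not domain_allowed(assertion.email):
        return "rejected"  # never reaches the screen-name/email form
    # Only the provider-verified address is bound to the new account.
    return f"registered:{assertion.email}"
```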

gs-ajain commented 7 years ago

I am also facing this issue. Within our organization, we want to restrict to one email domain only. Askbot has this feature, but when signing in via Google Play shouldn't it autofill the email address and screen name?