GOCDB / gocdb

Grid Operations Configuration Management Database. A Repository, Portal and REST style API for managing Grid and Cloud topology objects including; projects, administrative domains, sites, services, service-endpoints, service-groups, downtimes, users, roles and business rules.
Apache License 2.0
12 stars 27 forks

Identity linking has a 'magic number' that limits account linking / recovery #329

Status: Open. gregcorbett opened this issue 2 years ago

gregcorbett commented 2 years ago

See: https://github.com/GOCDB/gocdb/blob/dev/htdocs/web_portal/controllers/user/link_identity.php#L52

1 is a bit of a magic number here, I believe it limits the number of identities one can associate with an account. I.e. if a user has both an EGI Check In identifier and an X.509 identifier associated, they wouldn't be able to associate an IRIS IAM account as well - because they'd trigger this if statement and get shown the user/link_identity_rejected.php page.

This check might be best reworked as a comparison to the length of $authTypes (on the assumption that a user can't have multiple identifiers of the same type - which I don't believe they can, and certainly the intention is they shouldn't be able to.) Or it might not be needed.

This may be best fixed as a hot fix so it can be pushed out quickly, or as part of 5.9.0 itself.

For testing, one would need a user with two identifiers associated with them and the ability to associate a third (i.e. using the preprod DB on an instance integrated with IRIS IAM)
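The behaviour the comment describes, alongside the suggested rework, as an added example in PHP. This is not GOCDB's own code from link_identity.php: the function name, the identity array layout, the `$magicNumber` switch used to contrast the two behaviours, and the assumption that `$authTypes` lists the auth types the deployment supports are all assumptions made for illustration.

```php
<?php
// Added example, not GOCDB's own code. Names, array layout and the meaning
// of $authTypes (the auth types the deployment supports) are assumptions.
// An identity is ['type' => <auth type>, 'id' => <identifier string>].

/**
 * Decide whether a user may link one more identity to their account.
 *
 * @param array    $existing    Identities already linked to the account.
 * @param string[] $authTypes   Auth types the deployment supports (assumed meaning).
 * @param string   $newType     Auth type of the identity being linked.
 * @param bool     $magicNumber true = the current hard-coded check the issue
 *                              describes; false = the proposed rework.
 * @return string 'ok' if linking may proceed, otherwise a short reason.
 */
function linkDecision(array $existing, array $authTypes, string $newType, bool $magicNumber): string
{
    if ($magicNumber) {
        // Current behaviour as described in the issue: once the account has
        // more than one identity, any further link attempt is rejected,
        // regardless of how many auth types exist.
        return count($existing) > 1 ? 'rejected: magic number' : 'ok';
    }

    // Proposed rework: compare against the number of supported auth types.
    if (count($existing) >= count($authTypes)) {
        return 'rejected: every supported auth type is already linked';
    }

    // And enforce the stated intention that an account never holds two
    // identities of the same type.
    foreach ($existing as $identity) {
        if ($identity['type'] === $newType) {
            return 'rejected: an identity of this type is already linked';
        }
    }

    return 'ok';
}

// Constructed sample data, not real identifiers.
$authTypes = ['X.509', 'EGI CheckIn', 'IRIS IAM'];
$existing  = [
    ['type' => 'X.509',       'id' => '/DC=example/CN=sample user'],
    ['type' => 'EGI CheckIn', 'id' => 'sample-user@example.org'],
];

// Scenario from the issue: X.509 + EGI CheckIn linked, now link IRIS IAM.
echo 'magic number, link IRIS IAM: ', linkDecision($existing, $authTypes, 'IRIS IAM', true), PHP_EOL;
echo 'proposed,     link IRIS IAM: ', linkDecision($existing, $authTypes, 'IRIS IAM', false), PHP_EOL;

// A second X.509 identity (e.g. the user's DN changed) is still refused by
// the per-type uniqueness rule; whether that should be allowed for recovery
// is the open question in this issue.
echo 'proposed,     link new X.509: ', linkDecision($existing, $authTypes, 'X.509', false), PHP_EOL;
```

Running this prints `rejected: magic number` for the first call and `ok` for the second, which is the difference the comment points at. Note that once per-type uniqueness is enforced, the count comparison against `$authTypes` can never fire on its own (an account can hold at most one identity per type), so it only documents the limit rather than adding a constraint; that is consistent with the comment's remark that the check might not be needed at all.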

gregcorbett commented 1 year ago

This magic number also prevents recovery of an account if you have maxed out your number of allowed identifiers. Given this, maybe we don't need the check.

i.e. If I have an X.509 cert and EGI CheckIn identifier associated with my account, I can't recover my account if my DN changes.