Admin user and #admins: room

[Thatoo]

For what I understood from https://gitlab.com/famedly/conduit/-/issues/12, at install, a #admins:server.name room should be created and the first user that register to conduit join automatically this room.

During my first test with conduit, I could install, register a user and login but with this user, I could not join #admins:server.name and no even verify if #admins:server.name room exists.

Maybe we should ask to select an admin user at install and be sure this user join the room at install.

Of course this issue is also related to the lack of OIDC and LDAP support. I'm just writing it down to track the issue.

[Thatoo]

Well I tried several installation and I guess the problem is comes from reinstallation. If you install conduit for the first time on a domain name, the first user will get access to this room. If you reinstall with the same domain name, then, even the first user won't have access to this room.

I'm not entirely sure about it, just a feeling I have after several attempt. Maybe it needs to be checked upstream.

[Thatoo]

So apparently, it would be because robots would actually create a user faster and get the room admin.

It is possible to get back the room admin following this explanations, using the emergency_password and the @conduit user : https://gitlab.com/famedly/conduit/-/issues/252

[Thatoo]

So the solution would be to ask to choose a user to be the admin of the server and its password and create this user (as ldap isn't working with conduit) at install. Something similar as libreerp is doing. I need to find out how to create a user at install time with command line.

[Thatoo]

Something sounds weird to me. At the same time, in manifest.toml it is written that If registration is yes, to protect your server and the federation from spammer, federation will be deactived by default. However, in ths install script, it is coded like federation="true" so value of federation don't seem to depend on value of registration, does it?

[Thatoo]

Actually, to make it easy, I would not ask about registration at install time. I would deactivate it anyway and deactivate federation and activate only registration_token="password" and explain that the first user should be created thanks to this token because it becomes the admin user who has access to the admin room and can manage the server. Then, only in the config panel, I would let option to activate registration without token and let activate federation. I'll make a PR in this sense.

[Thatoo]

Well, I face a weird situation. I set up conduit.toml like that

allow_registration = false
registration_token = "STORNG_PASSWORD"
allow_federation = false

and thus, if I was not fast enough, I would not become admin, an other user would become admin even though the TOKEN was pretty strong.

Then, I realized that if I open a new private window in Firefox and I got directly to https://mydomain/element/#/home , then it would log me as a visitor.

So I discovered and reported upstream that a visitor can become admin if no user register fast enough.

So it would be better to limit conduit to all_user only (not visitors) at install but switch to visitors when federation is activated.

[Thatoo]

Here is the upstream issue : https://gitlab.com/famedly/conduit/-/issues/415

We need that to be solved upstream to solve this issue.

[Thatoo]

It will be solved with the next conduit version : https://gitlab.com/famedly/conduit/-/merge_requests/591 Then we will be able to close this issue.

[ericgaspar]

Is the issue fixed with 0.7.0 release?