fedora-infra / fas

Fedora Account System
https://admin.fedoraproject.org/accounts
GNU General Public License v2.0

[FAS3] Unique constraint failed on people.ircnick when two accounts are created with blank contact info #173

Closed skrzepto closed 8 years ago

skrzepto commented 8 years ago

Summary: When creating two accounts with the contact page blank, as the image below shows:

[image: selection_022]

The second account throws an error

Output

IntegrityError: (sqlite3.IntegrityError) UNIQUE constraint failed: people.ircnick [SQL: u'INSERT INTO people (username, password, fullname, ircnick, avatar, avatar_id, introduction, postal_address, country_code, locale, birthday, birthday_month, telephone, facsimile, affiliation, bio, timezone, gpg_fingerprint, ssh_key, email, recovery_email, bugzilla_email, email_token, unverified_email, security_question, security_answer, login_attempt, password_token, old_password, certificate_serial, status, status_timestamp, privacy, email_alias, blog_rss, latitude, longitude, fas_token, github_token, twitter_token, login_timestamp, creation_timestamp, update_timestamp) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP)'] [parameters: (u'test_user', '$2a$10$UbFdhCoFnRUuN5CpoVWWMecAxxn5Ezg5WlfDuD3DaLIKJfZR93Nfi', u'test user', u'', u'', None, u'', u'', None, u'en_US', None, None, u'', None, None, None, u'UTC', None, None, u'test@user.com', None, None, None, None, u'-', u'-', None, 'f3852ef679423727e2c77b2f18b6413f1a755b96', None, 1, 3, '2016-07-07 14:24:47.587360', 0, 1, None, None, None, None, None, None, '2016-07-07 14:24:47.587375')]

DB image of original data: [image: selection_023]

Notice that the ircnick is an empty string and not None.

We either need to force the user to input data that is not blank or, if blank data is detected, we must insert None into the DB instead.

skrzepto commented 8 years ago

This might be needed for a new issue but I'll type it here for now.

Also, another malicious thing someone can do: let's say Bob maliciously/accidentally enters my information during registration, for example in the IRC section he enters 'skrzepto' instead of 'bob'. Then when I try to create a user in FAS3 I can't enter my nick because it was already taken.

One possible idea is to have a pending_confirmation table where this info is located, and in the main people table it's inserted as None until the information is confirmed and then is filled in accordingly.

laxathom commented 8 years ago

As most users don't have an IRC nickname, we have to make sure to insert None. This should be easy to do by adding a default value to the form object located at fas.forms.people.py
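The failure reported above and the insert-None fix, reproduced as an added example that is not FAS code and was not posted by anyone in this thread. The two-column `people` table and the `blank_to_none`, `register` and `demo` helpers are assumptions made for illustration.

```python
import sqlite3


def blank_to_none(value):
    """Map empty or whitespace-only form input to None so it is stored as NULL."""
    if value is None:
        return None
    value = value.strip()
    return value or None


def make_db():
    # Constructed two-column stand-in for the people table; not the FAS schema.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE people (username TEXT PRIMARY KEY, ircnick TEXT UNIQUE)"
    )
    return db


def register(db, username, ircnick, normalize):
    """Insert one account; return None on success or the constraint error text."""
    if normalize:
        ircnick = blank_to_none(ircnick)
    try:
        with db:  # commits on success, rolls back on error
            db.execute(
                "INSERT INTO people (username, ircnick) VALUES (?, ?)",
                (username, ircnick),
            )
    except sqlite3.IntegrityError as exc:
        return str(exc)
    return None


def demo(normalize):
    """Register three constructed accounts that all left the IRC field blank."""
    db = make_db()
    accounts = [("alice", ""), ("bob", ""), ("carol", "   ")]
    return [register(db, user, nick, normalize) for user, nick in accounts]


if __name__ == "__main__":
    print("raw form values:", demo(normalize=False))
    print("blank -> None:  ", demo(normalize=True))
```

SQLite treats each NULL as distinct under a UNIQUE constraint, so any number of accounts can leave the nickname unset, while two accounts with the same non-blank nickname are still rejected.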

laxathom commented 8 years ago

Hm... interesting. However, how can we prevent a user from using someone else's nickname once validated? What we could do is either provide a REST method to look up the nickname dynamically (client-side) or do it when the user clicks save (server-side) and return an error message stating to change it.

skrzepto commented 8 years ago

@laxathom I was trying to write unit functional tests for the registration and can't seem to mock out the Captcha. Any thoughts?

Is there a setting where I can turn off captcha or have it valid for all requests on a test instance?

I read somewhere to mock out the captcha form and set my own values in. This should be doable

skrzepto commented 8 years ago

Merged #175