globaleaks / globaleaks-whistleblowing-software

GlobaLeaks is a free and open-source whistleblowing software enabling anyone to easily set up and maintain a secure reporting platform.
https://www.globaleaks.org
Other
1.25k stars 274 forks source link

Let recipients receive tips directly by having a unique URL with their username /$USERNAME #2320

Open fpietrosanti opened 6 years ago

fpietrosanti commented 6 years ago

Current behavior There are multi-user whistleblowing initiatives where it maybe useful to have the ability to address directly specific users by submitting directly material to them in a simple way.

Expected behavior This ticket is to implement a feature to submit tips to specific enduser of the platform on the simplified URL /$USERNAME .

When a whistleblower access /$USERNAME will get presented with the first context available where the $USERNAME is found to be recipient of, enabling to make a submission directly to that enduser.

The whistleblower will need to be informed that he is making a submission to $USERNAME along with his description.

NCommander commented 6 years ago

I'm uncomfortable with "select first context available" as that sounds like a recipe for disaster. Right now, contexts have no inherent order in the system as our primary keys are UUID, and row order is not enforced by SQLite or other databases, the context could change randomly if SQLite gets updated or the phase of the moon changes.

This likely should be implemented in two steps, specifically, implementation of URLs that bypass context selection and receiver selection and bring us directly to the upload page/proof of work. Those pages will have to be modified to clearly show the context and receiver that the submission is going to.

Once that's done, we should allow creation of short(er) URLs, possibly with the pre-existing URL simplifier that allows direct submission or allow receivers to select a default context.

There's also a (minor) security issue, as far as I know, we don't expose usernames anywhere else in the system. If the username is publicly known, it does reduce the amount of effort to successfully breach an account.

evilaliv3 commented 6 years ago

@NCommander: actually Contexts can be sorted manually or alphabetically and both the two possibilities are already implemented but i agree with you that the "select first context available" would bresult in a disaster.

Actually Contexts can be sorted manually or alphabetically and both the two possibilities are already implemented but i'm also convinced that in case this feature will be implemented we will have to map the user link on a precise Context (eventually specific for the feature) or a user selected context.

As for the username, i would not consider the link to be a security vulnerability as a safe password policy is in place. @NCommander: as clarification Its only recent the implementation that uses username+password for the login, but actually usernames has been always considered to be even public in the context of GlobaLeaks (https://secure.publeaks.nl/#/login) and we keep this feature available for who is using it. On setups like these usernames are listed (as generated systematically as equal to the user.id).