nextcloud / lookup-server

:eyes: Lookup server to find remote users for federated sharing

Lookup server matches email as well as userid #76

Closed mickenordin closed 1 year ago

mickenordin commented 2 years ago

When there are several user accounts that share the same email address AND the userid for one of those accounts is the same as the email address, the lookup server will pick a user at random from those accounts that share the email address, causing the user to be logged in to a random server.

This patch will make it so that usernames are only matched against the userid, and not the email field.

Fixes: #75

ArtificialOwl commented 2 years ago

On most setups, users cannot edit their own mail address within Nextcloud and use it to log in. The result of this edit will prevent users from using their mail address to log in.

Might be interesting to only allow this when there is duplicated userid/email.

mickenordin commented 2 years ago

> On most setups, users cannot edit their own mail address within Nextcloud and use it to log in. The result of this edit will prevent users from using their mail address to log in.

Yes, unless their userid is their email address.

But yes, it might be an idea to make this configurable in the lookup server's config.php to disallow matching against email address and name. Because note that the current code also searches in the name field, so setting the username of another user as your display name will also allow that user to log in as you, which can't be the intended function of the code?

mickenordin commented 2 years ago

> Might be interesting to only allow this when there is duplicated userid/email.

Yes! That must be the right way to do it: check if there are multiple users with the same email and if so, only match on userid.
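To illustrate the collision described in this thread, here is an added Python sketch (not the lookup server's own PHP code) that places the loose "match userid, email or name" behaviour next to the strict resolution agreed on above; the directory entries, federation ids and the `lookup_*` function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Entry:
    federation_id: str  # userid@cloud, the value a federated share resolves to
    userid: str
    email: str
    name: str


# Constructed sample directory: two accounts share alice@example.com, and one of
# them uses that email as its userid; "mallory" has set another userid as display name.
DIRECTORY = [
    Entry("alice@example.com@cloud-a.example", "alice@example.com", "alice@example.com", "Alice"),
    Entry("alice@cloud-b.example", "alice", "alice@example.com", "Alice B"),
    Entry("bob@cloud-c.example", "bob", "bob@example.com", "Bob"),
    Entry("mallory@cloud-d.example", "mallory", "mallory@example.com", "bob"),
]


def lookup_loose(term: str, directory=DIRECTORY) -> List[Entry]:
    """Loose matching as described in the thread: userid, email and name all count.
    Every hit is returned; picking one of several at random is the reported bug."""
    return [e for e in directory if term in (e.userid, e.email, e.name)]


def lookup_strict(term: str, directory=DIRECTORY) -> Optional[Entry]:
    """Strict resolution: an exact userid match wins; an email match is accepted only
    when it is unique; the display name is never used to identify an account.
    Returns None when the term is unknown or ambiguous instead of guessing."""
    by_userid = [e for e in directory if e.userid == term]
    if len(by_userid) == 1:
        return by_userid[0]
    by_email = [e for e in directory if e.email == term]
    if len(by_email) == 1:
        return by_email[0]
    return None


if __name__ == "__main__":
    print("loose:", [e.federation_id for e in lookup_loose("alice@example.com")])
    print("strict:", lookup_strict("alice@example.com").federation_id)
```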

mickenordin commented 2 years ago

I have now implemented this and pushed the new proposal.

ArtificialOwl commented 1 year ago

Can you rebase on master please and resolve the conflict?

mickenordin commented 1 year ago

> Can you rebase on master please and resolve the conflict?

Fixed!