rochester-rcl / irplus

Automatically exported from code.google.com/p/irplus
Apache License 2.0

User affiliation request approval or denial is cumbersome, leading to potential attacks #43

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The process you have to go through to thoroughly review and act upon unapproved affiliation requests is cumbersome; this encourages a busy/careless/lazy administrator to take shortcuts that may allow attackers to successfully impersonate a legitimate user.

The current process is as follows (IR+ 2.0.4 on RHEL5). To review an affiliation request:

R1. Click on Administration button.
R2. Click on Approve User Affiliation.
R3. Click on user ID.
R4. Click on Emails tab.
R5. Review user's e-mail address and note whether it's been verified.

To approve:

A6. Click on Administration button.
A7. Click on Approve User Affiliation.
A8. Select user's checkbox.
A9. Click on Approve.

To deny you will most likely want to delete the user:

D6. Click on Back to Users.
D7. Locate user (likely to require a search).
D8. Select user's checkbox.
D9. Click on Delete.
D10. Confirm deletion.

Proposed fixes:

* Add (preferred) e-mail address to list of user affiliation requests.
* Add Approve and Deny/Delete buttons to list of user affiliation requests.

The first of these two is the more important.

Thanks!

Original issue reported on code.google.com by nkui...@nkuitse.com on 11 Jan 2011 at 4:08

GoogleCodeExporter commented 9 years ago
Please assign this a high priority -- it seems all too easy to mistakenly approve an affiliation that should not be approved.

Original comment by nkui...@nkuitse.com on 11 Jan 2011 at 4:09

GoogleCodeExporter commented 9 years ago

Original comment by nates...@gmail.com on 11 Jan 2011 at 4:18

GoogleCodeExporter commented 9 years ago
Updated to high priority. Will show the preferred email address on the list of users.

Original comment by nates...@gmail.com on 13 Jan 2011 at 6:59

GoogleCodeExporter commented 9 years ago
The preferred email is now shown in the approval screen. Part 2 was moved into an enhancement request - issue #44. This change will be in the next major release (2.x or 3.0).

Original comment by nates...@gmail.com on 13 Jan 2011 at 7:07