sympa-community / sympa

Sympa, Mailing List Management Software
https://www.sympa.community/sympa
GNU General Public License v2.0

Deleted account not really deleted #1713

Open SansPseudoFix opened 10 months ago

SansPseudoFix commented 10 months ago

Version

6.2.72

Expected behavior

When you delete your account, you should not be able to reconnect to it by going through the password reset request. Your account should be actually deleted.

Actual behavior

When your account is deleted, you can reconnect by using the password reset page.

Steps to reproduce

  1. delete your account by passing by /sympa/pref page
  2. go to connection page
  3. click reset link to go to sympa/firstpasswd page
  4. enter your deleted email address
  5. use the reset password link in the email
  6. recover your account

Additional information

Reported by a user who wanted his account deleted.

ikedas commented 10 months ago

I would think that if you reissue your password, you should be able to log in.

racke commented 10 months ago

You deleted your account. But what is wrong with creating it again?

SansPseudoFix commented 10 months ago

Yes, deletion should remove your data from sympa. If you want an account again, you should be able to recreate it later.

ikedas commented 10 months ago

How to recreate your account is the same as how to create your account. How did you create your account the first time?

ldidry commented 10 months ago

I did not check the code but I guess that "I forgot my password" uses the same mechanisms as creating an account. So it recreates the account and looks like your account was not deleted.

To be confirmed.

@SansPseudoFix Could you try

SansPseudoFix commented 10 months ago

Done.

log in and verify that you are not subscribed to any list

My account has no list in sympa/my (and /sympa/serveradmin/users doesn't find me either, which makes sense).

SansPseudoFix commented 10 months ago

My point, by creating this issue, is: from a user's point of view, it doesn't make sense to recreate an account by requesting a password reset.

"Forgot my password" button should say "you don't have any account with this email address", not recreate an account.

ikedas commented 10 months ago

> "Forgot my password" button should say "you don't have any account with this email address", not recreate an account.

I don’t agree with your suggestion.

ldidry commented 10 months ago

The simplest fix could be to add a message on the "forgot password" screen saying something like:

If you don’t have an account on this server, asking for a new password will create a new account.