
Use trigger.account over trigger.nick to authenticate users in channelmgnt
Closed, Resolved · Public · 1 Estimated Story Points

Description

We need to use trigger.account when approving users for channelmgnt.

As @LakesideMiners reminded me, the security issue is that anyone using that nick but not the account could use it to take over a channel.

The other fault is if a user is on an alternate nick, it won’t work.
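
The difference between the two attributes described above, as an added example that is not the channelmgnt patch or project code. The `Trigger` class is a hypothetical stand-in carrying only `nick` and `account`, and the approval list and user names are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed approval list; channelmgnt's real configuration is not shown here.
APPROVED = {"exampleop"}


@dataclass
class Trigger:
    """Hypothetical stand-in for the two trigger attributes named in the task."""
    nick: str               # nickname currently in use, chosen by the client
    account: Optional[str]  # services account the user is logged in to, or None


def approved_by_nick(trigger: Trigger) -> bool:
    # Before: the nickname alone decides, so whoever holds the nick passes.
    # lower() is a simplification of IRC case mapping.
    return trigger.nick.lower() in APPROVED


def approved_by_account(trigger: Trigger) -> bool:
    # After: only a services login counts; no account means no access.
    if not trigger.account:
        return False
    return trigger.account.lower() in APPROVED


def compare(trigger: Trigger) -> Tuple[bool, bool]:
    """Return (nick-based result, account-based result) for one trigger."""
    return approved_by_nick(trigger), approved_by_account(trigger)


# Constructed cases covering both faults in the description.
CASES = {
    "owner, logged in": Trigger("ExampleOp", "ExampleOp"),
    "owner on alternate nick": Trigger("ExampleOp_away", "ExampleOp"),
    "same nick, not logged in": Trigger("ExampleOp", None),
    "same nick, other account": Trigger("ExampleOp", "SomeoneElse"),
}

if __name__ == "__main__":
    for label, trig in CASES.items():
        print(f"{label:26} nick={approved_by_nick(trig)!s:5} "
              f"account={approved_by_account(trig)}")
```

In Sopel, `trigger.account` is `None` when the user is not logged in or the server does not provide the account capabilities, which is why the account check fails closed.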

Event Timeline

RhinosF1 created this task. Dec 17 2019, 3:09 PM
RhinosF1 set Security to Software security bug.
RhinosF1 added a project: acl*security.
RhinosF1 changed the visibility from "Public (No Login Required)" to "Custom Policy".
RhinosF1 renamed this task from Security to Use trigger.account over trigger.nick to authenticate users in channelmgmt. Dec 17 2019, 3:12 PM
RhinosF1 claimed this task.
RhinosF1 triaged this task as High priority.
RhinosF1 removed projects: acl*security, Epic.
RhinosF1 updated the task description.
RhinosF1 set the point value for this task to 1.
RhinosF1 added a subscriber: LakesideMiners.
Restricted Application added a project: acl*security. Dec 17 2019, 3:12 PM
Urbanecm added a subscriber: Urbanecm. Edited Dec 17 2019, 3:17 PM

(never mind, missed the update)

Thanks for triaging @Urbanecm

RhinosF1 renamed this task from Use trigger.account over trigger.nick to authenticate users in channelmgmt to Use trigger.account over trigger.nick to authenticate users in channelmgnt. Dec 17 2019, 3:48 PM
RhinosF1 updated the task description.
Zppix claimed this task. Dec 25 2019, 2:00 PM
Restricted Application added a project: User-Zppix. Dec 25 2019, 2:00 PM

Resolved in production and patch public. Can someone make this?

RhinosF1 closed this task as Resolved. Dec 26 2019, 7:16 PM

Needs to be made public though

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". Dec 26 2019, 8:37 PM
Restricted Application added a subscriber: MacFan4000. Dec 26 2019, 8:37 PM
sbassett added a subscriber: sbassett.

@RhinosF1 Task now public.


Thanks!