
modify-ldap-group should make it impossible to add users who don't exist to a group
Status: Closed, Duplicate · Visibility: Public


Currently it is possible to run the modify-ldap-group script and add any user name to an LDAP group.

Even if this user does not exist (yet). If this happens, due to a typo or mistake, or because an LDAP access request ticket is handled before the user has actually been created, anyone could notice this, go to Wikitech, register that user name, and then be in that group and get all the access it provides.

There should be a check against this, ideally modify-ldap-group would refuse to save a file if a user does not exist.
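The check the ticket asks for, as an added example that is not the modify-ldap-group script itself: every requested member is looked up before the group is written, and the whole change is refused if any name has no matching user entry, so a typo or a not-yet-created account can never be squatted later. The LDAP search is replaced by a constructed in-memory set of uids so the example runs offline; the names, the group dict shape and the `posixAccount`/`uid` filter are assumptions for illustration.

```python
"""Added example: refuse to modify a group whose members are not existing users.

The directory lookup is a constructed in-memory set standing in for an LDAP
search (uid=<name> under the people OU); nothing here is the real script.
"""
from __future__ import annotations

# Constructed sample data standing in for the uids present in the directory.
EXISTING_USERS = {"alice", "bob", "carol"}


class UnknownMemberError(ValueError):
    """Raised when a requested member has no matching user entry."""


def _ldap_escape(value: str) -> str:
    """Escape characters that are special in an LDAP search filter (RFC 4515).

    Escaping the uid before building the filter keeps a name like "*" from
    matching every account and passing the existence check by accident.
    """
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def member_filter(uid: str) -> str:
    """Filter the real script would search with (assumed objectClass/attribute)."""
    return f"(&(objectClass=posixAccount)(uid={_ldap_escape(uid)}))"


def user_exists(uid: str, directory=EXISTING_USERS) -> bool:
    """Stand-in for an LDAP search that returns at least one entry."""
    return uid in directory


def check_members(requested, directory=EXISTING_USERS) -> list[str]:
    """Return the requested members that do not exist, in the order given."""
    return [uid for uid in requested if not user_exists(uid, directory)]


def would_reject(group: dict, requested, directory=EXISTING_USERS) -> bool:
    """True if add_members would refuse this change for the given group."""
    return bool(check_members(requested, directory))


def add_members(group: dict, requested, directory=EXISTING_USERS) -> dict:
    """Return a copy of the group with members added, or raise if any is unknown.

    The check runs before anything is written, so the group on disk or in the
    directory is never left containing a name that nobody owns yet.
    """
    missing = check_members(requested, directory)
    if missing:
        raise UnknownMemberError(
            f"refusing to modify {group['cn']}: unknown uids {missing}"
        )
    merged = dict(group)
    merged["members"] = sorted(set(group["members"]) | set(requested))
    return merged


if __name__ == "__main__":
    group = {"cn": "ops", "members": ["alice"]}  # constructed sample group
    print(add_members(group, ["bob"]))
    try:
        add_members(group, ["alic3"])  # typo: no such user
    except UnknownMemberError as err:
        print("rejected:", err)
```

The rejection is all-or-nothing: a request mixing one valid and one unknown name is refused entirely rather than partially applied, which keeps the access ticket and the group contents in step.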