
Users are able to sign Legalpad documents before verifying email address
Closed, Resolved (Public)

Description

  1. Register at https://legalpad.wikimedia.org/
  2. Don't verify any email address
  3. Follow a URL pointing to a Legalpad document, i.e. https://legalpad.wikimedia.org/L1

EXPECTED

Since the user can't access the Legalpad homepage (a "Must Verify Email" page appears instead), it would be logical not to grant them permission to sign the document either.

ACTUALLY

Users that haven't verified their email addresses can sign the document.

CONSIDERATION

Following the usual policies in Wikimedia, if possible it would be good to allow view permissions to everybody, anonymous included, so they can browse and read the Legalpad docs. However, only those with a verified email address should be able to sign them.

Details

Reference
fl440

Event Timeline

flimport raised the priority of this task from to Needs Triage. Sep 12 2014, 1:41 AM
flimport added a project: Legalpad.
flimport set Reference to fl440.

Rush wrote on 2014-07-09 14:33:52 (UTC)

So, surprised the heck out of me this works. Few things.

  1. This is controlled by auth.require-email-verification which we have set to true.
  2. It does indicate (if you can see all signatures) who has signed as an unverified user, but that is not what we need.

Unexpected behavior to me, but I did verify what qgil outlined above.

Rush wrote on 2014-07-09 14:40:28 (UTC)

upright_0-5.jpg (609×1 px, 73 KB)

current legalpad settings

Rush wrote on 2014-07-09 14:46:59 (UTC)

from epriestley: Okay, let me poke at this. I can't repro what I thought the issue was so maybe there's a real bug here. Give me a minute..

Rush wrote on 2014-07-09 14:49:38 (UTC)

epriestley: chasemp: this is an actual bug, I'll get it fixed
chasemp: epriestley: thanks man!

qgil wrote on 2014-07-09 14:54:16 (UTC)

In T440#5, @Rush wrote:

current legalpad settings

"Default View Policy: Public" would be more in line with our policies. As long as anonymous can view but not touch.

Rush wrote on 2014-07-09 15:01:10 (UTC)

So with those settings the undesired behavior we are seeing would be expected...is my understanding. That is what upstream thought we were doing initially.

Quote:

If you set Legalpad to public and set the visibility of a document to "Public (No Login Required)", it's expected that logged-out users will be able to view and sign it.

I will test to confirm this but I think we can't have it both ways in this instance at the moment.

qgil wrote on 2014-07-09 15:10:13 (UTC)

Signing a doc sounds more "Write" than "View". The policies should be different. Is this the bug @epriestley was talking about, or should I create a new one upstream to request this separation of permissions?

Rush wrote on 2014-07-09 15:17:26 (UTC)

Let's move the policy discussion back to the other ticket, and leave this one for this bug only. Otherwise we can't close this when the bug is fixed and the discussion is spread thin.

But I will test these settings once we can confirm the bug in our current setup is fixed? I would rather not change things out from underneath an 'unbreak now' style bug and muddy the waters. But hopefully we can set a view policy that doesn't allow signing, I just don't know if we can yet.

Rush wrote on 2014-07-09 20:25:01 (UTC)

@Qgil as the original reporter can you confirm this is fixed?

https://secure.phabricator.com/D9857

I deployed this to our legalpad instance and it seems to have resolved the issue.

qgil wrote on 2014-07-10 12:52:34 (UTC)

Yep, this is resolved now. Registering with another SUL account (my personal-volunteer one) I could access https://legalpad.wikimedia.org/L1 only after verifying the email address. Thank you for the fast fix & deploy!
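
The rule asked for in this task (anyone may view, only accounts with a verified email address may sign), checked against every user/route/action combination. This is an added example, not Phabricator's code and not the upstream change in D9857; every name in it (`policy`, `per_route_gate`, `per_action_gate`, `violations`, the sample users) is hypothetical, and `per_route_gate` only models the behaviour reported in the description, not its actual cause.

```python
from dataclasses import dataclass
from itertools import product

REQUIRE_EMAIL_VERIFICATION = True  # models auth.require-email-verification


@dataclass(frozen=True)
class User:
    name: str
    logged_in: bool
    email_verified: bool


# Constructed sample accounts, one per trust level discussed in the task.
USERS = [
    User("anonymous", False, False),
    User("unverified", True, False),
    User("verified", True, True),
]


def is_verified(user):
    return user.logged_in and (user.email_verified or not REQUIRE_EMAIL_VERIFICATION)


def policy(user, action):
    """Intended rule: viewing is open; anything else counts as a write."""
    return True if action == "view" else is_verified(user)


def per_route_gate(user, route, action):
    """Reported behaviour: verification is enforced on the homepage route only."""
    if route == "/":
        return is_verified(user)
    return user.logged_in  # direct document URL: any logged-in account passes


def per_action_gate(user, route, action):
    """Hardened form: the decision depends on the action, never on the route."""
    return policy(user, action)


def violations(gate):
    """List (user, route, action) cases where the gate allows what policy denies."""
    return [
        (user.name, route, action)
        for user, route, action in product(USERS, ("/", "/L1"), ("view", "sign"))
        if gate(user, route, action) and not policy(user, action)
    ]
```

Running `violations` over both gates as a regression check flags the unverified account signing through the direct document URL for the per-route model and nothing for the per-action one.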