Bug: Users authenticated via proxy-auth can change username #2407
Comments
I think in the case of proxy auth (or oauth/openid) we should disallow username changes.
Only local users are allowed to change username, and I don't think that somehow affects linked OpenID etc. authorization, which is handled otherwise and just links to the account and is not an authorization source.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.
Yes, this is a problem
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.
Fix go-gitea#2407 Signed-off-by: Andrew Thornton <[email protected]>
…annot change username ReverseProxy users should generate a session on reverse proxy username change. Also prevent ReverseProxy users from changing their username. Fix go-gitea#2407 Signed-off-by: Andrew Thornton <[email protected]>
…annot change username (#15304) * Create a session on ReverseProxy and ensure that ReverseProxy users cannot change username ReverseProxy users should generate a session on reverse proxy username change. Also prevent ReverseProxy users from changing their username. Fix #2407 * add testcase Signed-off-by: Andrew Thornton <[email protected]>
…annot change username (go-gitea#15304) * Create a session on ReverseProxy and ensure that ReverseProxy users cannot change username ReverseProxy users should generate a session on reverse proxy username change. Also prevent ReverseProxy users from changing their username. Fix go-gitea#2407 * add testcase Signed-off-by: Andrew Thornton <[email protected]>
In the current version of Gitea, it is possible for users authenticated via proxy-auth to edit their username. I'm not able to find a config option to disable this. In cases where proxy authentication is being used, this allows users to change their username and orphan their repositories because a new userid will be immediately created with their correct user.
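The failure mode reported in this issue, and the effect of refusing renames for proxy-backed accounts, can be reproduced with a toy model. This is an added example, not Gitea's code: `User`, `Store`, `SignInViaProxy`, `Rename` and `OrphanedAfterRename` are hypothetical names, and the model assumes the proxy always sends the same username and that unknown names are auto-registered.

```go
package main

import "fmt"

// User is a toy account record; Proxy marks accounts created by reverse-proxy sign-in.
type User struct {
	ID    int
	Name  string
	Proxy bool
	Repos []string
}

type Store map[string]*User // toy user table keyed by username, not Gitea's schema

// SignInViaProxy trusts the proxy-supplied name and auto-registers unknown names.
func (s Store) SignInViaProxy(name string) *User {
	u, ok := s[name]
	if !ok {
		u = &User{ID: len(s) + 1, Name: name, Proxy: true}
		s[name] = u
	}
	return u
}

// Rename changes a username; with enforce set, proxy-backed accounts are refused.
func (s Store) Rename(u *User, newName string, enforce bool) error {
	if enforce && u.Proxy {
		return fmt.Errorf("user %q is managed by the reverse proxy; rename refused", u.Name)
	}
	delete(s, u.Name)
	u.Name = newName
	s[newName] = u
	return nil
}

// OrphanedAfterRename replays the report: rename, then sign in again through the proxy.
func OrphanedAfterRename(enforce bool) (bool, error) {
	s := Store{}
	u := s.SignInViaProxy("alice") // constructed sample user
	u.Repos = []string{"alice/project"}
	err := s.Rename(u, "alice2", enforce)
	again := s.SignInViaProxy("alice") // the proxy still sends the original name
	return again.ID != u.ID && len(again.Repos) == 0, err
}

func main() {
	fmt.Println(OrphanedAfterRename(false))
	fmt.Println(OrphanedAfterRename(true))
}
```

Without the check, the second sign-in lands on a fresh account with a new ID and no repositories; with it, the rename is refused and the same account is returned.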