[savannah-help-public] [sr #109310] Loophole Creating Account

2018-04-22 Thread Ineiev
Update of sr #109310 (project administration):

  Status:   Need Info => Done   

___

Follow-up Comment #6:

I've just pushed and installed a commit explaining what the confirmation email
looks like and where it comes from.

___

Reply to this item at:

  

___
  Message sent via/by Savannah
  http://savannah.gnu.org/




Re: [savannah-help-public] [sr #109310] Loophole Creating Account

2018-04-16 Thread Rick Johnson
Yes, certainly a little more of an alert about the email would help.  I cannot
remember why I didn't attend to mine.

Another idea would be to add a little note with the Login invalid error
message, like
"(You can reset your password if you validated your email)".

Rick


On Mon, Apr 16, 2018 at 12:41 AM Ineiev wrote:

> Follow-up Comment #5, sr #109310 (project administration):
>
> > The "INVALID.NOREPLY" sender didn't encourage me to pay attention to the
> verification email.
>
> We could warn new users about it and tell them what the email is going to
> look like. Do you think that would help?
>
-- 
Rick Johnson
631-921-8450


[savannah-help-public] [sr #109310] Loophole Creating Account

2018-04-16 Thread Ineiev
Follow-up Comment #5, sr #109310 (project administration):

> The "INVALID.NOREPLY" sender didn't encourage me to pay attention to the
verification email. 

We could warn new users about it and tell them what the email is going to look
like. Do you think that would help?






Re: [savannah-help-public] [sr #109310] Loophole Creating Account

2018-04-15 Thread Rick Johnson
Sorry about the "customer" idea.
I really have not engaged enough to know better.

On Sat, Apr 14, 2018 at 8:39 PM Bob Proulx wrote:

> Hi Rick,
>
> Rick Johnson wrote:
> > Okay, as long as you know and it gets logged as an issue.  It
> > creates customer pain.  Some ask for help sooner than others.  We
> > who are caught in the loop are few, so not much of a problem for
> > you, I guess.
>
> I chafe at the use of the word customer since it is a community
> resource.  We are all in this together.  It isn't a customer
> relationship.
>
> You may be thinking that I am somehow the developer of the web
> interface.  I am not.  I have only poked my nose into it on a few
> occasions.  I'm primarily working on the mailing lists and the
> hosting.  The web UI could definitely use some help.  Are you
> interested in contributing to it?
>
> > Many are probably okay with using different usernames.
>
> That's a poor workaround.  Anyone who has problems should contact us
> for assistance.  It isn't difficult to push things along.
>
> > Maybe Lastpass causes a pattern of use that enables the problem.
>
> It's possible.  Especially since we had a number of complaints from
> LastPass users all at once.  Seemed more than a normal amount.  And
> haven't heard any problems from then since.  Since the web UI hasn't
> changed it was possible that it was the password manager.
>
> Note that I think random passwords are the best security.  I am not a
> user of LastPass myself but they seem reasonable.  And in general I
> encourage the use of password managers.  I would definitely like the
> web UI to work well with password managers.
>
> > Just tryin' to help.
>
> Sure.  Patches welcome.  There hasn't been too much development done
> on the web site UI for some time.
>
> Bob
>
-- 
Rick Johnson
631-921-8450


Re: [savannah-help-public] [sr #109310] Loophole Creating Account

2018-04-14 Thread Bob Proulx
Hi Rick,

Rick Johnson wrote:
> Okay, as long as you know and it gets logged as an issue.  It
> creates customer pain.  Some ask for help sooner than others.  We
> who are caught in the loop are few, so not much of a problem for
> you, I guess.

I chafe at the use of the word customer since it is a community
resource.  We are all in this together.  It isn't a customer
relationship.

You may be thinking that I am somehow the developer of the web
interface.  I am not.  I have only poked my nose into it on a few
occasions.  I'm primarily working on the mailing lists and the
hosting.  The web UI could definitely use some help.  Are you
interested in contributing to it?

> Many are probably okay with using different usernames.

That's a poor workaround.  Anyone who has problems should contact us
for assistance.  It isn't difficult to push things along.

> Maybe Lastpass causes a pattern of use that enables the problem.

It's possible.  Especially since we had a number of complaints from
LastPass users all at once.  Seemed more than a normal amount.  And
haven't heard any problems from then since.  Since the web UI hasn't
changed it was possible that it was the password manager.

Note that I think random passwords are the best security.  I am not a
user of LastPass myself but they seem reasonable.  And in general I
encourage the use of password managers.  I would definitely like the
web UI to work well with password managers.

> Just tryin' to help.

Sure.  Patches welcome.  There hasn't been too much development done
on the web site UI for some time.

Bob



Re: [savannah-help-public] [sr #109310] Loophole Creating Account

2018-04-14 Thread Rick Johnson
Okay, as long as you know and it gets logged as an issue.
It creates customer pain.  Some ask for help sooner than others.
We who are caught in the loop are few, so not much of a problem for you, I
guess.
Many are probably okay with using different usernames.

Maybe Lastpass causes a pattern of use that enables the problem.

Just tryin' to help.
Rick


On Mon, Apr 9, 2018 at 9:15 PM Bob Proulx wrote:

> Follow-up Comment #4, sr #109310 (project administration):
>
> Yours was not the only Lastpass user that reported problems.  There were
> several all at one time.  Seemed suspicious.
>
> The design is that pending accounts should be deleted after 36 hours or 3 days
> or some similar time that I don't recall at this moment.  But in theory
> pending accounts that are not activated within that time are discarded and
> then allowed to be registered new again.  At that time a new email is sent
> out.  Something does appear to be broken there however.
>
> The web interface has been running on inertia for a while.  It could
> definitely use some help from someone who enjoys dealing with old PHP code.
> As with many projects like this I will say, patches welcome!
>
>
-- 
Rick Johnson
631-921-8450


[savannah-help-public] [sr #109310] Loophole Creating Account

2018-04-09 Thread Bob Proulx
Follow-up Comment #4, sr #109310 (project administration):

Yours was not the only Lastpass user that reported problems.  There were
several all at one time.  Seemed suspicious.

The design is that pending accounts should be deleted after 36 hours or 3 days
or some similar time that I don't recall at this moment.  But in theory
pending accounts that are not activated within that time are discarded and
then allowed to be registered new again.  At that time a new email is sent
out.  Something does appear to be broken there however.

The web interface has been running on inertia for a while.  It could
definitely use some help from someone who enjoys dealing with old PHP code. 
As with many projects like this I will say, patches welcome!






[savannah-help-public] [sr #109310] Loophole Creating Account

2018-04-09 Thread Rick Johnson
Follow-up Comment #3, sr #109310 (project administration):

Hi Bob,  or TWIMC

This is definitely NOT "some bad interaction with Lastpass".  I only mentioned
LastPass to indicate that I had certainly gotten my username and password
correct.  

I am guilty of missing the idea of an email verification or forgetting about
it after the email took too long and I moved on with my life.  I also managed
to archive the verification email.
The "INVALID.NOREPLY" sender didn't encourage me to pay attention to the
verification email.

I was correct in wanting my ONE username, as this site has significant
discussion activity.

My (mis)use-case is valid.  
The site should NOT put a new account username/password into a PENDING
purgatory.  I suggest the login rejection of an attempt that actually has the
right credentials include the message that reminds about the email
verification, for instance, "Perhaps you have missed the emailed verification
link?".

Also, consider the case where the initial attempt is sent to you with a typo
in their email.  Is that covered?

And the database of PENDING credentials should time out and be purged at some
point... a day, a month, or the minimum delay consistent with your defense
against bots.

Rick Johnson  -- RickJohn57
631-921-8450 (mobile)






[savannah-help-public] [sr #109310] Loophole Creating Account

2018-04-09 Thread Bob Proulx
Update of sr #109310 (project administration):

 Open/Closed:Open => Closed 

___

Follow-up Comment #2:

It's been a year and I haven't heard back.  Closing this ticket.






[savannah-help-public] [sr #109310] Loophole Creating Account

2017-05-12 Thread Bob Proulx
Update of sr #109310 (project administration):

  Status:None => Need Info  
 Assigned to:None => rwp

___

Follow-up Comment #1:

I have manually activated your account.  The account is active.  Which means
that you should be able to log in using the password you set previously.  If
not then you should be able to trigger the lost password recovery process.

There is definitely some bad interaction with Lastpass.  Yours is an
additional report of a problem when using Lastpass.  At the moment we don't
know what the bad interaction is however.  I believe Lastpass should work okay
with the Savannah site because Savannah's login forms are very old-school and
should be okay to use with Lastpass.

Accounts are "PENDING" until the email address has been confirmed. But this is
a little bit of a circular dependency for triggering the lost password
recovery routine since that part will only recognize "ACTIVE" accounts. Since
it is pending it just isn't active.

One can't create an additional account on top of an existing account.  There
isn't any code to handle that case.

In any case your account is now activated.  You should be able to log in now.
Please let us know if you are now able to login.  I think you should be able
to do so.  If you need to trigger the password recovery please let us know
that too.  I will leave the ticket open hoping to hear back from you on your
login success.


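The flow Bob describes in comment #1 (accounts sit in PENDING until the address is confirmed, lost-password recovery only recognises ACTIVE accounts, and nothing handles a second registration of the same name), together with the purge window he recalls in comment #4 and the hints Rick asks for in comment #3, modelled as an added example. This is not Savannah's PHP code: the Registry class, the 36-hour window, the response strings, the Mailbox stand-in and the constructed username, address and timestamps are all assumptions. With strict=True it reproduces the lockout from the report; with strict=False it shows one way out (expire pending rows, allow re-registration after expiry, tell a correctly authenticating pending user why login failed, and re-send the confirmation instead of refusing a reset).

```python
"""PENDING/ACTIVE registration model. Added example, not Savannah's code;
strict=True reproduces the thread's behaviour, strict=False a fixed variant.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

PENDING_TTL = timedelta(hours=36)   # assumed purge window for unconfirmed accounts

def pw_hash(password: str) -> str:
    # Placeholder only; a real deployment uses a salted, slow hash (argon2/bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()

@dataclass
class Account:
    username: str
    email: str
    pw_hash: str
    status: str                      # "PENDING" or "ACTIVE"
    created: datetime
    confirm_token: str = field(default_factory=lambda: secrets.token_urlsafe(24))

class Mailbox:
    """Constructed stand-in for outgoing mail; records (to, subject, body)."""
    def __init__(self):
        self.sent = []

    def send(self, to, subject, body):
        self.sent.append((to, subject, body))

class Registry:
    def __init__(self, mail: Mailbox, strict: bool = True):
        self.mail = mail
        self.strict = strict         # True = original behaviour, False = fixed
        self.accounts: dict[str, Account] = {}

    def _expired(self, acct: Account, now: datetime) -> bool:
        return acct.status == "PENDING" and now - acct.created > PENDING_TTL

    def register(self, username, email, password, now):
        existing = self.accounts.get(username)
        if existing is not None:
            if self.strict or not self._expired(existing, now):
                return "username taken"
            del self.accounts[username]  # fixed: expired pending row is discarded
        acct = Account(username, email, pw_hash(password), "PENDING", now)
        self.accounts[username] = acct
        self.mail.send(email, "Confirm your account", acct.confirm_token)
        return "pending confirmation"

    def confirm(self, username, token, now):
        acct = self.accounts.get(username)
        if acct is None or acct.status != "PENDING":
            return "no pending account"
        if not self.strict and self._expired(acct, now):
            return "confirmation expired"
        if not hmac.compare_digest(acct.confirm_token, token):
            return "bad token"
        acct.status = "ACTIVE"
        return "active"

    def login(self, username, password):
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.pw_hash, pw_hash(password)):
            return "login invalid"
        if acct.status != "ACTIVE":
            # fixed: a user with the right credentials is told what is actually wrong
            return "login invalid" if self.strict else "login invalid: confirm your email first"
        return "ok"

    def request_reset(self, username):
        acct = self.accounts.get(username)
        if acct is None:
            return "unknown account"
        if acct.status != "ACTIVE":
            if self.strict:
                return "reset refused: account not active"   # the circular dependency
            self.mail.send(acct.email, "Confirm your account", acct.confirm_token)
            return "confirmation re-sent"
        self.mail.send(acct.email, "Password reset", secrets.token_urlsafe(24))
        return "reset sent"

def reporter_scenario(strict: bool) -> list:
    """Replay the sequence from the report (constructed data); returns the responses."""
    mail = Mailbox()
    reg = Registry(mail, strict)
    t0 = datetime(2017, 5, 10, tzinfo=timezone.utc)
    h1, d2 = t0 + timedelta(hours=1), t0 + timedelta(days=2)
    out = [reg.register("rickjohn57", "rick@example.invalid", "generated-pw", t0)]
    out.append(reg.login("rickjohn57", "generated-pw"))            # right password, still pending
    out.append(reg.request_reset("rickjohn57"))                    # password lost, try recovery
    out.append(reg.register("rickjohn57", "rick@example.invalid", "new-pw", h1))
    out.append(reg.register("rickjohn57", "rick@example.invalid", "new-pw", d2))  # past the window
    out.append(reg.confirm("rickjohn57", mail.sent[-1][2], d2))   # follow the latest mail
    out.append(reg.login("rickjohn57", "new-pw"))
    out.append(len(mail.sent))
    return out
```

reporter_scenario(True) returns the responses the reporter got: the reset is refused, both re-registrations are rejected, and the only way out is the original confirmation mail (or, as happened here, an administrator flipping the row to ACTIVE by hand). reporter_scenario(False) runs the same sequence against the fixed variant: the correct-password login explains itself, the reset request re-sends the confirmation, the second registration after the window goes through with a fresh token, and the new login succeeds. A typo in the registered address is handled by the same path, since the expired row is discarded and the name can be registered again with the corrected address.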




[savannah-help-public] [sr #109310] Loophole Creating Account

2017-05-11 Thread anonymous

 Summary: Loophole Creating Account
 Project: Savannah Administration
Submitted by: None
Submitted on: Thu 11 May 2017 06:05:09 AM UTC
Category: None
Priority: 5 - Normal
Severity: 4 - Important
  Status: None
 Assigned to: None
Originator Email: rickjoh...@gmail.com
Operating System: None
 Open/Closed: Open
 Discussion Lock: Any

___

Details:

I cannot log in with my user name (important name for me).
I used my "Lastpass" program to generate the initial password while creating
the account.  I depended on Lastpass to create a login entry in its database
or at least remember the generated password but it did not this time.

So after I verified, via the emailed link, I went to do the "Forgot Password"
process.  This is possible on every other account authorization scheme I have
ever seen.  "Savannah" will not allow me to reset the password for this
account because it is "pending".  I also cannot start over and create a new
account with my login name since it is already there.

I am in limbo.  I have an account that I forgot the password to and I am
permanently locked out.

Why does the login process lock me out of being able to reset the password?  I
never heard of that before.  What is this extra validation protecting
against?

Why am I not able to create a new account over the old one ESPECIALLY when
using the same username AND email address?

Rick Johnson
631-921-8450 (mobile)



