[Critical] Managed users with same name "steals" other person's identity
When a Decidim instance has a form authorization handler, it allows the admin users to "steal" existing managed users' identities with the name (even if the authorization is unique).
This is due to these lines in the core code:
On these lines, the system assumes the user's name field is unique within the organization's managed users. If a managed user with the same name has been created, that user account will be taken into control.
It should not be assumed that all users have a unique name. The admin users can easily go wrong, as the field says "Name", so it guides the admin users to fill in the person's name.
There can be multiple people with the same name, so it should not be assumed that the name is a unique identifier to the person.
Any Decidim instance with form authorization handlers defined is affected. Found on Helsinki testing instance.
This bug was discovered during Helsinki user testing. Thank you @katjah for reporting this.
This proposal has been accepted because:
This incidence has been solved. Closed via #5318.
Thank you for contributing!
Report a problem
Is this content inappropriate?