Skip to main content

Cookie settings

We use cookies to ensure the basic functionalities of the website and to enhance your online experience. You can choose for each category to opt-in/out whenever you want.

Essential

Preferences

Analytics and statistics

Marketing

This proposal has been implemented

This incidence has been solved. Closed via #5318

Thank you for contributing!

[Critical] Managed users with same name "steals" other person's identity

Avatar: AH
AH
Finished
When a Decidim instance has a form authorization handler, it allows the admin users to "steal" existing managed users' identities with the name (even if the authorization is unique). This is due to these lines in the core code: https://git.io/fjhef On these lines, the system assumes the user's name field is unique within the organization's managed users. If a managed user with the same name has been created, that user account will be taken into control. It should not be assumed that all users have a unique name. The admin users can easily go wrong, as the field says "Name", so it guides the admin users to fill in the person's name. There can be multiple people with the same name, so it should not be assumed that the name is a unique identifier to the person. Any Decidim instance with form authorization handlers defined is affected. Found on Helsinki testing instance. This bug was discovered during Helsinki user testing. Thank you @katjah for reporting this.
Comment

Confirm

Please log in

The password is too short.

Share