LOC-5: Users can pretend to be SYSTEM



Issue Information

Issue Type: Bug
 
Priority: Major
Status: Closed

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: LocalChat (LOC)
Resolution: Fixed (2018-05-12 16:11:41)
Affects Version: v0.0.1a, V0.0.2
Target version: V0.0.2
Components: Server

Created: 2018-05-12 15:50:58

Description
There's currently nothing in the codebase which prevents a user from inviting SYSTEM and then joining with that name.

Although it'll push a notification to say that someone did so, that notification won't be visible for anyone who joins afterwards. The user will then be able to push what appear to be system messages (i.e. they'll be purple and from SYSTEM).

Need to adjust the backend to prevent SYSTEM from being invited, or from joining as it's a reserved name.


Activity


Repo: LocalChat
Host: Rimmer

commit cc2c1a0a6025762093e2bc208d23e20252b3e474
Author: B Tasker <github@<Domain Hidden>>
Date: Sat May 12 16:09:01 2018 +0100

Commit Message: LOC-5 - Prevent SYSTEM from joining rooms, and warn if users try to invite it

We prevent anyone from joining with the name SYSTEM, and warn the entire room if someone tries to authorise SYSTEM to log in (because they're almost certainly up to no good)

server/LocalChat.py | 15 +++++++++++++++
1 files changed, 15 insertions(+), 0 deletions(-)


It's no longer possible to join with the name SYSTEM.

If a user runs /room invite SYSTEM a message is pushed into the group warning who tried to do it. The room owner can then use /kick or /ban to exact vengeance :)
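
The reserved-name guard described above, as an added example that is not LocalChat's own code: the `Room` class, its methods and the refusal of the invite are assumptions made for illustration. It also goes beyond what the issue states by matching case, padding and fullwidth variants of the reserved name.

```python
import unicodedata

RESERVED_NAMES = {"system"}  # stored in canonical form


def canonical(name):
    # NFKC folds fullwidth/compatibility forms; casefold and strip handle case and padding.
    return unicodedata.normalize("NFKC", name).strip().casefold()


def is_reserved(name):
    return canonical(name) in RESERVED_NAMES


class Room:
    """Hypothetical in-memory room, not LocalChat's real data model."""

    def __init__(self, owner):
        self.members = {owner}
        self.invited = set()
        self.messages = []  # (sender, text) tuples

    def _system_message(self, text):
        # Only server code reaches this, so the SYSTEM sender stays trustworthy.
        self.messages.append(("SYSTEM", text))

    def invite(self, inviter, invitee):
        if inviter not in self.members:
            return False
        if is_reserved(invitee):
            # Warn the whole room, naming who tried it, and create no invite.
            self._system_message(f"{inviter} tried to invite {invitee!r}")
            return False
        self.invited.add(invitee)
        return True

    def join(self, name):
        # Re-checked at join time so a stale or pre-existing invite cannot bypass it.
        if is_reserved(name) or name not in self.invited:
            return False
        self.invited.discard(name)
        self.members.add(name)
        return True

    def post(self, sender, text):
        if is_reserved(sender) or sender not in self.members:
            return False
        self.messages.append((sender, text))
        return True
```

NFKC does not fold cross-script lookalikes (for example Cyrillic letters), so a deployment that allows non-ASCII names needs a separate confusables check.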
btasker changed status from 'Open' to 'Resolved'
btasker added 'Fixed' to resolution
btasker changed status from 'Resolved' to 'Closed'
Repo: LocalChat
Host: Rimmer

commit b61c9c49052392ebc08d5d5c48ae07ab18ca2817
Author: B Tasker <github@<Domain Hidden>>
Date: Sun May 20 23:29:46 2018 +0100

Commit Message: Added regression test for LOC-5

Test user attempts to create an invite for SYSTEM (as a precursor to signing in using the generated credentials)

tests/run_tests.py | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++-
1 files changed, 54 insertions(+), 2 deletions(-)

