Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#1556 closed defect (fixed)

[with patch, positive review] improve readability of unknown username error page

Reported by: yi
Owned by: boothby
Priority: major
Milestone: sage-2.9.1
Component: notebook
Keywords: notebook
Cc:
Merged in:
Authors:
Reviewers:
Report Upstream:
Work issues:
Branch:
Commit:
Dependencies:
Stopgaps:

Description

The current page you get when you try to login to the notebook with an unknown username is incredibly hard to read since it does not even alphabetize usernames. This patch will alphabetize the list and put each username on a single line.

Attachments (1)

unknown_username.patch (1.1 KB) - added by yi 7 years ago.


Change History (3)

Changed 7 years ago by yi

comment:1 Changed 7 years ago by rlm

  • Resolution set to fixed
  • Status changed from new to closed
  • Summary changed from [with patch] improve readability of unknown username error page to [with patch, positive review] improve readability of unknown username error page

Merged in 2.9.1 alpha2

comment:2 Changed 7 years ago by was

On Dec 20, 2007 10:57 PM, William Stein <wstein@gmail.com> wrote:
> On Dec 20, 2007 6:24 PM, Robert Miller <rlmillster@gmail.com> wrote:
> >
> > As pointed out by Michael Abshoff, it seems like an information leak
> > to list all the usernames on a notebook when you fail to use a valid
> > one to log in. Thoughts?
>
> This exact question comes up about every other week.   Are you talking
> about a public notebook like sagenb.org or sagenb.com?  If so, then
> note that *anybody* can make a new account, and once they login
> with that account, it is trivial for them -- in several different ways -- to get
> a list of all user names.  If you're talking about a server that you personally
> run but with no user accounts, then there is just one name, i.e., "admin".
> In both cases, security by obscuring the existing usernames is no security
> at all.
>
> So maybe you are talking about semi-private servers that have a fixed list
> of accounts and users, like a normal UNIX system say, where potential
> users cannot sign up for a new account -- only an admin can create accounts.
> In this case getting a list of users would be a security issue.  But
> you probably don't mean this since it isn't implemented in sage (yet!).

I should have finished by adding that there is no point at all in
not listing usernames in the scenarios in the first paragraph above -- that
would just be security by obscurity.  There is a point in not listing
user names in paragraph two above.  When Sage actually supports
what is described in paragraph two, then when the notebook is in
that mode it shouldn't list usernames.
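The two deployment modes from the discussion above, as an added illustration that is not the ticket's patch or Sage code: the function name, the HTML layout and the `open_registration` flag are assumptions. In the open-registration case it renders the list the way the patch describes (alphabetized, one username per line); in the admin-provisioned case the page names nobody.

```python
import html

def unknown_username_page(username, known_users, open_registration):
    """Body of the error page for a login attempt with a nonexistent username.

    open_registration=True  : public notebook where anyone can create an
                              account, so the user list is not secret.
    open_registration=False : accounts are created only by an admin, so the
                              user list is sensitive and must not be shown.
    (Hypothetical helper; names and markup are assumptions.)
    """
    # Escape the echoed username so the error page cannot be used for
    # markup injection.
    lines = ["<p>Error: there is no user named <b>%s</b>.</p>"
             % html.escape(username)]
    if open_registration:
        # Anyone can register and then enumerate users anyway, so withholding
        # the list is only security by obscurity. Show it readably: sorted
        # case-insensitively, one name per line.
        lines.append("<p>Available usernames:</p>")
        lines.append("<ul>")
        for name in sorted(known_users, key=str.lower):
            lines.append("<li>%s</li>" % html.escape(name))
        lines.append("</ul>")
    else:
        # Fixed, admin-provisioned account list: keep the page generic.
        lines.append("<p>Check the spelling or ask your administrator.</p>")
    return "\n".join(lines)
```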
