
Security for /email show #1119

Closed
Twonox opened this issue Mar 1, 2017 · 6 comments
Labels: Good first issue, Type: enhancement
Comments

@Twonox
Contributor

Twonox commented Mar 1, 2017

A player who hacks an account with a registered email can easily see the registered email and then change it using /email change.
So I don't have any solution to suggest... just to remove that command, but I don't know if this command is used frequently.

@sgdc3
Member

sgdc3 commented Mar 2, 2017

We should move it to the admin permissions subgroup.

@ljacqu
Member

ljacqu commented Mar 2, 2017

/email show was requested because there's no way for a user to see his own email address otherwise. We could add a permission to it (in the authme.player.* branch) so it may be disabled.

@ljacqu ljacqu added the Type: enhancement and Good first issue labels Mar 2, 2017
@sgdc3
Member

sgdc3 commented Mar 2, 2017

Yeah, you're right

@Twonox
Contributor Author

Twonox commented Mar 3, 2017

Another thing:
The email commands (like /email add, /email change, etc.) are not hidden. If that's normal, I think you should add those commands to the list of hidden commands for security reasons.

@Maxetto
Contributor

Maxetto commented Aug 8, 2017

I'm also reporting another security issue that relates to this.
If you hack an account that has an email, you can unregister it and register it again in order to give it another email, making it impossible to recover.

@sgdc3
Member

sgdc3 commented Aug 9, 2017

@HexelDev I'm a bit busy with my network at the moment, could you fix this in the meantime?

@hex3l hex3l self-assigned this Aug 9, 2017
hex3l added a commit that referenced this issue Aug 11, 2017
sgdc3 pushed a commit that referenced this issue Aug 12, 2017
* #1119 new permission and email hider

* Updated commands.md

* Improved email hiding method

* Revert "Improved email hiding method"

This reverts commit cb60d7b

* New config option, updated tests, config.md and permission_nodes.md

* Moved to service import, fixed typo and updated config.md

* Removed unused imports O.o
@hex3l hex3l closed this as completed Aug 12, 2017
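The fix discussed above combines two controls: a permission node under authme.player.* so an admin can disable /email show entirely, and an "email hider" with a config option so that, when the command is allowed, the address is shown masked rather than in full. The masking matters because the attacker in this threat model already holds the victim's session, so a permission check alone cannot distinguish them from the owner. The following is an added, stand-alone example written for this page; it is not AuthMe's code, and the permission node name `authme.player.email.show`, the config key `hide_email_on_show`, and the `Player`/`Config` classes are assumptions for illustration only.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical permission node; the real node introduced by the project's fix
# is not named on the issue page.
PERMISSION_EMAIL_SHOW = "authme.player.email.show"
HIDDEN = "***"


def _mask_part(part: str) -> str:
    """Keep only the first character of a part and star out the rest.

    One-character parts are fully starred so that nothing is revealed.
    """
    if len(part) <= 1:
        return "*" * len(part)
    return part[0] + "*" * (len(part) - 1)


def mask_email(email: str) -> str:
    """Return a masked form such as 'j*******@e******.com'.

    The first character of the local part and of the domain name survive so
    the legitimate owner can recognise the address, while someone who merely
    hijacked the session cannot read it back or target the mailbox. The TLD
    is kept because it carries almost no identifying information. Anything
    that does not contain exactly one '@' with text on both sides is not
    trusted and is masked completely.
    """
    if email.count("@") != 1:
        return HIDDEN
    local, domain = email.split("@")
    if not local or not domain:
        return HIDDEN
    if "." in domain:
        name, tld = domain.rsplit(".", 1)
        masked_domain = _mask_part(name) + "." + tld
    else:
        masked_domain = _mask_part(domain)
    return _mask_part(local) + "@" + masked_domain


@dataclass
class Player:
    """Minimal stand-in for a server player object (assumed, not the plugin's API)."""
    name: str
    permissions: set = field(default_factory=set)

    def has_permission(self, node: str) -> bool:
        return node in self.permissions


@dataclass
class Config:
    # Hypothetical setting: when True, /email show prints a masked address.
    hide_email_on_show: bool = True


def handle_email_show(player: Player, registered_email: Optional[str], config: Config) -> str:
    """Command logic for /email show: permission gate first, then masking."""
    if not player.has_permission(PERMISSION_EMAIL_SHOW):
        return "You do not have permission to use this command."
    if not registered_email:
        return "No email address is registered for your account."
    shown = mask_email(registered_email) if config.hide_email_on_show else registered_email
    return f"Your registered email address: {shown}"


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    owner = Player("Steve", {PERMISSION_EMAIL_SHOW})
    print(handle_email_show(owner, "john.doe@example.com", Config()))
    print(handle_email_show(owner, "john.doe@example.com", Config(hide_email_on_show=False)))
    print(handle_email_show(Player("Alex"), "john.doe@example.com", Config()))
```

With masking enabled the owner sees `j*******@e******.com`, which is enough to confirm which address is on file but not enough for a hijacker to learn it. Keeping the masked form as the default and requiring an explicit config change to reveal full addresses is the safer setting for a server that cannot tell a session takeover from a legitimate login.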