
It is possible to hijack an account which was created via OSUser #12112

Closed
dylanmccall opened this issue Apr 27, 2024 · 1 comment
Assignees
Labels
P0 - critical Priority: Release blocker or regression

Comments

@dylanmccall
Contributor

dylanmccall commented Apr 27, 2024

Observed behavior

Using the new get_os_user feature in kolibri.plugins.app.utils.interface, it is possible to create a desktop Kolibri app which automatically signs in as a Kolibri user that is associated with an OS user. When this happens, Kolibri creates a regular user account, and with a correct authentication token, Kolibri signs in to the user account automatically when the user is using the app.

However, if a different user chooses this account from the sign in screen, that user is asked to create a new password for the account:

[screenshot]

Instead, if an account is associated with an OSUser and has no password, Kolibri should require a valid authentication token.

User-facing consequences

This affects desktop Kolibri apps deployed on multi-user systems, such as kolibri-gnome on Endless OS. That app is the only one which meets that definition, and its Kolibri 0.16 update is not yet released. This issue is a blocker for doing so.

Context
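
The sign-in decision the issue describes, as an added model (hypothetical code, not Kolibri's own): an account auto-created for an OS user has no password, so the observed logic offers password creation to whoever selects it, while the expected logic accepts only a valid authentication token for such accounts. The `User` fields and the action names are assumptions for illustration.

```python
"""Model of the sign-in decision in this issue (hypothetical, not Kolibri code)."""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    username: str
    password_hash: Optional[str]   # None for accounts created via get_os_user
    os_user_id: Optional[str]      # set when the account is tied to an OS user
    auth_token: Optional[str]      # token the desktop app presents to sign in


def token_is_valid(user: User, presented: Optional[str]) -> bool:
    """Constant-time comparison of the presented token with the stored one."""
    if user.auth_token is None or presented is None:
        return False
    return hmac.compare_digest(user.auth_token, presented)


def sign_in_action_vulnerable(user: User, token: Optional[str] = None) -> str:
    """Observed behaviour: any password-less account is offered password
    creation to whoever picks it from the sign-in screen."""
    if token_is_valid(user, token):
        return "signed_in"
    if user.password_hash is None:
        return "prompt_set_password"   # lets another user take over the account
    return "prompt_password"


def sign_in_action_fixed(user: User, token: Optional[str] = None) -> str:
    """Expected behaviour: an OS-user account without a password accepts
    only a valid authentication token; there is no password fallback."""
    if token_is_valid(user, token):
        return "signed_in"
    if user.os_user_id is not None and user.password_hash is None:
        return "require_auth_token"
    if user.password_hash is None:
        return "prompt_set_password"
    return "prompt_password"
```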

@rtibbles rtibbles added the P0 - critical Priority: Release blocker or regression label Apr 27, 2024
@rtibbles rtibbles self-assigned this Apr 27, 2024
dylanmccall added a commit to learningequality/kolibri-installer-gnome that referenced this issue May 4, 2024
dylanmccall added a commit to learningequality/kolibri-installer-gnome that referenced this issue May 4, 2024
dylanmccall added a commit to learningequality/kolibri-installer-gnome that referenced this issue May 4, 2024
@marcellamaki
Member

Closed with #12115
