Do not let users try to merge teams into people

Bug #681367 reported by Damien Raude-Morvan
Affects: Launchpad itself. Status: Triaged. Importance: Low. Assigned to: Unassigned. Milestone: none listed.

Bug Description

Launchpad lets users attempt to merge teams into user profiles. Only Lp registry admins can do this. The form should not imply that users can do this, nor should it scare the members of the team.

ORIGINAL MESSAGE:

I'm a member of the Debian Java Team. We have received the following "merge request" on our public mailing list:
-------------------------
We received a request to merge the Launchpad account named
'Debian Java Maintainers (pkg-java-maintainers)' -- which have registered the email address
'<email address hidden>' -- into the account named 'tarcisio-sousa'.
-------------------------

I don't know how we can deal with this, but it's clearly an abuse of the merge account feature.

Damien Raude-Morvan (drazzib) wrote :

Gavin Panella (allenap) wrote :

Damien, did you remove the contact email address from the pkg-java-maintainers team?

Changed in launchpad:
status: New → Incomplete
Curtis Hovey (sinzui) wrote :

I do not see a bug here.

Users can, and do, request to merge accounts by misunderstanding. He cannot do so unless he controls the email address. Users cannot merge teams, Lp registry admins can, so this merge cannot be performed by a user.

Gavin Panella (allenap) wrote :

Curtis, there might be a bug in that he was able to request a team merge at all, which made me concerned that he might be able to proceed with the merge (made easier because the token URL was mailed to a public list address).

Damien Raude-Morvan (drazzib) wrote :

Thanks Gavin, your explanation is much clearer than mine.

My issue is that many Debian teams have public mailing lists, so anyone can request a "merge" and gather the token from the list archive.
Maybe teams (at least *@lists.alioth.debian.org) could be protected?

Regards,
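
An added illustration, not Launchpad's own code, of the rule the comments above describe: a merge request that names a team as its source is refused unless the requester is a registry admin, and that check runs before any claim token is minted or mailed, so a team whose contact address is a public list never receives a token in the first place. All class and function names below are hypothetical, and the email addresses are constructed.

```python
from dataclasses import dataclass
import hmac
import secrets


# Hypothetical account model; these names are assumptions, not Launchpad's API.
@dataclass
class Account:
    name: str
    email: str          # contact address that would receive the claim token
    is_team: bool = False


@dataclass
class Requester:
    name: str
    is_registry_admin: bool = False


class MergeRefused(Exception):
    pass


outbox: list = []   # stands in for the mail system so a test can inspect it
pending: dict = {}  # token -> (source name, target name) awaiting confirmation


def request_merge(source: Account, target: Account, requester: Requester) -> str:
    """Validate first, then mint and 'mail' a token. Refusing teams for
    non-admins here means nothing is ever sent to the team's list address."""
    if source.is_team and not requester.is_registry_admin:
        raise MergeRefused(f"{source.name} is a team; only registry admins merge teams")
    if source.name == target.name:
        raise MergeRefused("cannot merge an account into itself")
    token = secrets.token_urlsafe(16)
    pending[token] = (source.name, target.name)
    outbox.append({"to": source.email, "token": token, "target": target.name})
    return token


def confirm_merge(token: str) -> tuple:
    """Only whoever can read the source address can present the token.
    Constant-time comparison and single use, as a claim token should be."""
    for stored, pair in pending.items():
        if hmac.compare_digest(stored, token):
            del pending[stored]
            return pair
    raise MergeRefused("unknown or already-used token")


def refuses(source: Account, target: Account, requester: Requester) -> bool:
    """Helper for checks: True if the request is rejected before any mail goes out."""
    try:
        request_merge(source, target, requester)
        return False
    except MergeRefused:
        return True
```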

Curtis Hovey (sinzui)
summary: - Abuse of "Merge of Accounts"
+ Do let users try to merge teams into people
security vulnerability: yes → no
visibility: private → public
affects: launchpad → launchpad-registry
Changed in launchpad-registry:
importance: Undecided → Low
status: Incomplete → Triaged
description: updated
tags: added: merge-deactivate
Curtis Hovey (sinzui)
summary: - Do let users try to merge teams into people
+ Do not let users try to merge teams into people