Roundup Tracker - Issues

Issue 2551082

Classification
Title: Too many details needed to create accounts on this domain
Type: security
Severity: minor
Components: Web interface
Versions:
Process
Status: fixed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: rouilj
Nosy List: ThomasAH, dannio, rouilj
Priority: normal
Keywords:

Created on 2020-02-27 11:29 by dannio, last changed 2020-03-04 02:11 by rouilj.

Files
roundup_tracker_user_reg.png (uploaded by rouilj, 2020-02-27 22:20): user reg page with required css change
new-registration-form.png (uploaded by rouilj, 2020-02-29 16:48): Final reg form.
Messages
msg6883 Author: [hidden] (dannio) Date: 2020-02-27 11:29
Just a minute ago I wanted to make a short issue, and so I had to 
register. To do this, I was asked for the following fields:

Name
Login Name
Login Password
Confirm Password
Phone
Organisation
E-mail address
Alternate E-mail addresses (One address per line)

Alongside a note, "highlighted fields are required", and of course, 
all fields were highlighted.

Why on earth do you need all this information from me?!

For example, why should I be required to have a phone to use the 
Roundup issue tracker for Roundup itself (RITRI)? Why would you call 
me?! Do you think people are going to give you real numbers anyway?

Pretty much everything but username, email and password should be 
optional in my opinion, probably not even asked for. How are they 
relevant? Please consider removing these, as they give the prospective 
user a choice between lying to you or giving away private data for no good 
reason (in order to create an issue to improve your tool!)
msg6884 Author: [hidden] (ThomasAH) Date: 2020-02-27 11:38
If I enter nothing, I get this error message:
Error: Required user properties username, password, address not supplied 

So it seems just the highlighting is broken and you don't need to
enter all the details.

If someone works on this, I suggest removing Phone and Organisation.
msg6887 Author: [hidden] (rouilj) Date: 2020-02-27 22:07
ThomasAH, I agree.

The HTML required class is assigned to exactly the fields you describe.
It looks like a css entry for required is needed. I think:

.required:before {
    content: "*";
    color: red;
    font-weight: bold;
}

to add a red * before required fields should handle this. We 
do have people using the organisation field I think (that was the cause 
of the "can't change my user profile" bug a while back). I think 
removing the phone number makes sense.

Surprisingly I found one of my previous co-workers is registered
on the tracker and has used the phone number 8-).

Dannio, do you think this would solve your issue?

-- rouilj
msg6889 Author: [hidden] (rouilj) Date: 2020-02-27 22:20
Here is what the css change mentioned looks like.
msg6890 Author: [hidden] (rouilj) Date: 2020-02-28 03:37
I deployed the CSS change to this tracker.

Left the phone and org for now. Had to back merge a few other things
(credits) that were not in the hg repo, so didn't get around to chopping 
phone/org.

Comments?
msg6893 Author: [hidden] (rouilj) Date: 2020-02-29 04:38
Hid Organisation and Phone fields on user registration form. They are 
still shown on user.item page so registered users can add/change the 
values if they like.

If nobody has an objection, I'll close this next week.
msg6894 Author: [hidden] (ThomasAH) Date: 2020-03-02 07:57
Registration form looks good to me, thank you.

I guess completely removing the phone number from this tracker and
all templates might be important, because
- GDPR (do not collect data that you do not require)
- I don't think anyone would remember updating their phone number
  in Roundup trackers, so this wouldn't be a reliable "phone book"
  anyway.
msg6895 Author: [hidden] (rouilj) Date: 2020-03-03 03:37
Hi Thomas:

In message <1583135870.55.0.256527502797.issue2551082@roundup.psfhosted.org>,
Thomas Arendsen Hein writes:
>Registration form looks good to me, thank you.

You're welcome.

>I guess completely removing the phone number from this tracker and
>all templates might be important, because
>- GDPR (do not collect data that you do not require)

Good point.

>- I don't think anyone would remember updating their phone number
>  in Roundup trackers, so this wouldn't be a reliable "phone book"
>  anyway.

I have to admit I have never dropped a populated element from the
schema. Dropping the field from the schema will make it inaccessible
via the tracker.

Do you know if removing the phone number from schema.py is sufficient
to also delete the data? Do I have to drop the data using the database
tools as well?

Given that I can't change the type of a property by removing it from
the schema and adding a new property with the same name but different
type, I suspect that the data and original property stay in the
database and are just inaccessible.

Have a great day.
msg6896 Author: [hidden] (ThomasAH) Date: 2020-03-03 06:28
* John Rouillard <issues@roundup-tracker.org> [20200303 04:37]:
> I have to admit I have never dropped a populated element from the
> schema. Dropping the field from the schema will make it inaccessible
> via the tracker.
> 
> Do you know if removing the phone number from schema.py is sufficient
> to also delete the data? Do I have to drop the data using the database
> tools as well?
> 
> Given that I can't change the type of a property by removing it from
> the schema and adding a new property with the same name but different
> type, I suspect that the data and original property stay in the
> database and are just inaccessible.

Dropping an attribute from schema.py does not remove the data, but
makes it inaccessible. But other than that you can no longer create a new
attribute with the same name and a different type, this does not
cause any problems.

Removal of the actual data can only be done via database tools
(psql, sqlite or whatever). The journal might need to be cleaned up
as well, so keeping the attribute and thus giving the users the
option to remove the data would not actually remove the data anyway,
because it will just be moved to the journal. So dropping the
attribute now would be the right thing to do. Cleanup can happen
anytime later.
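As an added example (not part of this thread and not Roundup's own tooling), a Python script that performs the cleanup ThomasAH describes: null the column of the dropped property and strip that key from old journal entries, so the data is gone from both places. The table and column layout (`_user`, `_phone`, `user__journal` with a `params` column holding the repr of a dict of old values) is an assumption modelled on Roundup's SQL backends; verify it against your backend and work on a backup first.

```python
"""Scrub a property that was dropped from a Roundup tracker's schema.py.

Assumed (not verified here) storage layout, modelled on Roundup's SQL
backends: class "user" is table "_user", property "phone" is column
"_phone", and "user__journal" rows for 'set' actions keep the old values
as the repr() of a dict in column "params".  A constructed in-memory
SQLite database stands in for a real tracker.
"""
import ast
import sqlite3


def build_sample_db():
    """Constructed sample data: three users, two of them with a phone set."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE _user (id INTEGER PRIMARY KEY, _username TEXT,"
               " _phone TEXT, _organisation TEXT)")
    db.executemany("INSERT INTO _user VALUES (?, ?, ?, ?)", [
        (1, "alice", "555-0100", "Example Org"),
        (2, "bob", None, None),
        (3, "carol", "555-0199", None),
    ])
    db.execute("CREATE TABLE user__journal (nodeid INTEGER, date TEXT,"
               " tag TEXT, action TEXT, params TEXT)")
    db.executemany("INSERT INTO user__journal VALUES (?, ?, ?, ?, ?)", [
        (1, "2020-01-01", "admin", "create", "{}"),
        (1, "2020-01-02", "alice", "set", repr({"phone": "555-0000"})),
        (1, "2020-01-03", "alice", "set",
         repr({"organisation": "Old Org", "phone": "555-0001"})),
        (3, "2020-01-04", "carol", "set", repr({"organisation": None})),
    ])
    db.commit()
    return db


def scrub_property(db, classname, prop):
    """Null the property column and drop the key from journal params.

    Returns (rows_cleared, journal_entries_rewritten)."""
    if not (classname.isidentifier() and prop.isidentifier()):
        raise ValueError("class and property names must be plain identifiers")
    table, col, journal = f"_{classname}", f"_{prop}", f"{classname}__journal"
    cur = db.execute(f"UPDATE {table} SET {col} = NULL WHERE {col} IS NOT NULL")
    rows_cleared, rewritten = cur.rowcount, 0
    rows = db.execute(f"SELECT rowid, params FROM {journal}"
                      " WHERE action = 'set'").fetchall()
    for rowid, params in rows:
        try:
            old = ast.literal_eval(params)
        except (ValueError, SyntaxError):
            continue  # unparseable params: leave untouched rather than guess
        if isinstance(old, dict) and prop in old:
            del old[prop]
            db.execute(f"UPDATE {journal} SET params = ? WHERE rowid = ?",
                       (repr(old), rowid))
            rewritten += 1
    db.commit()
    return rows_cleared, rewritten
```

Running it twice shows the second pass finds nothing left to clear, which is the check to run after the real cleanup.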
msg6897 Author: [hidden] (rouilj) Date: 2020-03-04 02:11
Removed phone number from the schema and html files.
Restarted the server.

Cleanup of underlying data to be done later.
History
Date  User  Action  Args
2020-03-04 02:11:44  rouilj  set  status: pending -> fixed; messages: + msg6897
2020-03-03 06:28:05  ThomasAH  set  messages: + msg6896
2020-03-03 03:37:06  rouilj  set  messages: + msg6895
2020-03-02 07:57:50  ThomasAH  set  messages: + msg6894
2020-02-29 16:48:55  rouilj  set  files: + new-registration-form.png
2020-02-29 04:38:04  rouilj  set  status: open -> pending; resolution: fixed; messages: + msg6893; components: + Web interface, - None
2020-02-28 03:37:18  rouilj  set  messages: + msg6890
2020-02-27 22:20:30  rouilj  set  status: new -> open; priority: normal; messages: + msg6889; files: + roundup_tracker_user_reg.png; assignee: rouilj
2020-02-27 22:07:36  rouilj  set  nosy: + rouilj; messages: + msg6887
2020-02-27 11:38:54  ThomasAH  set  nosy: + ThomasAH; messages: + msg6884
2020-02-27 11:29:41  dannio  create