-
A public email is required for security reasons. Consider this scenario:
- An internal account "robin" exists in OneDev with administration permission
- OneDev is configured to accept login via GitHub SSO
- A hacker creates an account named "robin" at GitHub and logs in via GitHub SSO. At this point, OneDev finds that the account "robin" already exists, and it ensures that the GitHub account has the same email address as the internal account "robin" before allowing account access.
-
I understand the need for the email for a user. However, having your email public anywhere is not a good idea nowadays. It's like asking for more spam and inviting scammers. Therefore, I have my email private and I think more and more people will be hiding their emails.
I just wonder if 1dev can ask GitHub for access to the user's email if it is set to private? This way the user can hide his email from the public and 1dev can check the user's email during authorization time.
-
| Name | Previous Value | Current Value |
| --- | --- | --- |
| Type | Improvement | Bug |
| Affected Versions | empty | <=9.5.0 |
-
OneDev changed state to 'Closed' 2 years ago

| Previous Value | Current Value |
| --- | --- |
| Open | Closed |
-
State changed as code fixing the issue is committed (b2fecfc8)
-
OneDev changed state to 'Released' 2 years ago

| Previous Value | Current Value |
| --- | --- |
| Closed | Released |
-
State changed as build #4496 is successful
| Type | Bug |
| Priority | Normal |
| Assignee | |
| Affected Versions | <=9.5.0 |
| Labels | No labels |
Issue Votes (0)
I have my emails set to private on GitHub, which seems like a reasonable option. However, 1dev cannot log in a user with GitHub if the user's email is not public.
Maybe 1dev could ask GitHub for the user's email during authorization time?
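
The check discussed in this issue, as an added example that is not OneDev's code and not part of the original thread: it decides whether a GitHub SSO login may attach to an existing internal account by matching only against verified addresses, including private ones. It assumes the list comes from GitHub's `GET /user/emails` endpoint (available with the `user:email` OAuth scope); the function names, the `internal_accounts` mapping and the sample addresses are hypothetical.

```python
# Added example: not OneDev code. Field names follow GitHub's
# GET /user/emails response (requires the "user:email" OAuth scope).

# Constructed sample responses; all addresses are made up.
OWNER_EMAILS = [
    {"email": "robin@example.com", "primary": True,
     "verified": True, "visibility": "private"},
    {"email": "1234+robin@users.noreply.github.com", "primary": False,
     "verified": True, "visibility": None},
]
ATTACKER_EMAILS = [
    {"email": "mallory@example.net", "primary": True,
     "verified": True, "visibility": "public"},
    # An unverified claim of the victim's address must not count.
    {"email": "robin@example.com", "primary": False,
     "verified": False, "visibility": None},
]


def verified_emails(github_emails):
    """Return the lower-cased addresses GitHub has marked as verified."""
    return {e["email"].lower() for e in github_emails if e.get("verified")}


def decide_sso_login(internal_accounts, sso_login, github_emails):
    """Return 'link', 'create' or 'reject' for a GitHub SSO login.

    internal_accounts: hypothetical mapping of account name -> email.
    """
    verified = verified_emails(github_emails)
    if not verified:
        return "reject"  # nothing trustworthy to match on
    existing = internal_accounts.get(sso_login)
    if existing is None:
        return "create"  # no name collision, so no takeover risk here
    # A matching name is not proof of identity: require that the internal
    # account's address is one GitHub has verified for this user.
    return "link" if existing.lower() in verified else "reject"


if __name__ == "__main__":
    accounts = {"robin": "Robin@example.com"}
    print(decide_sso_login(accounts, "robin", OWNER_EMAILS))
    print(decide_sso_login(accounts, "robin", ATTACKER_EMAILS))
```

Matching on the `verified` flag rather than on the public profile email is what lets the address stay private without weakening the name-collision check.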