Skip to content

Support restricting user search #6960

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ThiefMaster merged 7 commits into from
Jul 10, 2025
Merged

Support restricting user search #6960

ThiefMaster merged 7 commits into from
Jul 10, 2025

Conversation

@ThiefMaster
Copy link
Member

@ThiefMaster ThiefMaster commented Jul 4, 2025
edited
Loading

Some admins would prefer to lock down the user search more tightly. This gives them the ability to do so.

This is a re-implementation of #5024 in what I think is a cleaner and more maintainable way.

TODO:

  • Limit registration email check endpoint (or remove from setting description)
  • Disable person link email check logic in CfA when search is restricted
  • Potentially disallow unlisted events w/o an ACL on who can create them when search is restricted. Added a warning instead.

@ThiefMaster ThiefMaster added this to the v3.3 milestone Jul 4, 2025
This was referenced Jul 4, 2025
Closed
Merged
@ThiefMaster ThiefMaster added the build-wheel Build a Python wheel for this PR label Jul 5, 2025
@ThiefMaster ThiefMaster force-pushed the restricted-user-search branch 3 times, most recently from 78aab00 to aa79c73 Compare July 8, 2025 10:08
@ThiefMaster ThiefMaster marked this pull request as ready for review July 8, 2025 13:33
@rafaelcorvino1
Copy link

rafaelcorvino1 commented Jul 8, 2025

Looks great, I saw that all the TODO points were completed successfully. The new implementation is definitely cleaner and more maintainable. If I manage to free up some time in the next few days, I'll try to validate an extra scenario, but everything looks aligned so far. Thanks again for the support and for accepting the CVE.
Rafael Corvino (@rafaelcorvino1)
Red Team Resident – RNP / Brazil

@ThiefMaster ThiefMaster force-pushed the restricted-user-search branch from 2e019e4 to 0493589 Compare July 9, 2025 19:26
@tomasr8 tomasr8 self-requested a review July 10, 2025 07:26
@ThiefMaster
Support restricting user search
4efbb0a
@ThiefMaster
Warn about unlisted events misconfiguration
72f493d
@ThiefMaster
Restrict abstract person email check
5c49b0c
@ThiefMaster
Avoid revealing details about email user in regform
9ddd9c2 
This means you cannot register on behalf of someone else w/ an Indico
account, but it's probably an uncommon case, even more so since it will
only affect instances that restrict user search.
@ThiefMaster
Add changelog entry
c57d3ee
@ThiefMaster ThiefMaster force-pushed the restricted-user-search branch from 0493589 to c57d3ee Compare July 10, 2025 07:37
ThiefMaster
ThiefMaster commented Jul 10, 2025
View reviewed changes
indico/modules/users/controllers.py
# where no context is passed much harder. of course any of the access checks below will still
# be short-circuited for an admin, so calling this endpoint with `category_id=0` would always
# work for an admin
if self.category and self.category.can_create_events(session.user):
Copy link
Member Author

@ThiefMaster ThiefMaster Jul 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is currently only used for categories, but I think there's no harm in leaving the other object types here as well since they're all valid reasons to get a search token.

indico/util/user.py
if user.id != sig_uid:
raise BadSignature
except BadSignature:
raise Forbidden('Invalid search token')
Copy link
Member Author

@ThiefMaster ThiefMaster Jul 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could happen if someone opened a page/form with an embedded search token, and then waited for 24h. I guess it's uncommon enough to not really be a problem...

@rafaelcorvino1
Copy link

rafaelcorvino1 commented Jul 10, 2025

Thanks for the detailed updates. The check in controllers.py makes sense, and I agree that supporting other object types for token retrieval is a reasonable design choice. Also, the expired token scenario seems like a valid edge case, but rare enough not to cause practical issues. Looks good to me.
Rafael Corvino (@rafaelcorvino1)
Red Team Resident – RNP / Brazil

@ThiefMaster ThiefMaster merged commit 189b0c4 into indico:master Jul 10, 2025
11 checks passed
@ThiefMaster ThiefMaster deleted the restricted-user-search branch July 10, 2025 18:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tomasr8 tomasr8 Awaiting requested review from tomasr8

Assignees

No one assigned

Labels

build-wheel Build a Python wheel for this PR

Projects

None yet

Milestone

v3.3

Development

Successfully merging this pull request may close these issues.

2 participants

@ThiefMaster @rafaelcorvino1