Usernames are case sensitive #3575
Comments
Thanks for opening this issue, Phil. Another concern is the potential for abuse. Example: someone with the username MichelleObama (with two lowercase L's) could be spoofed by someone with the username MicheIIeObama (with two uppercase i's). It's also possible that this sort of confusion could arise by accident as well.
Yeah, we should probably fix this at some point but it hasn't been a priority. Let's make a new issue when we decide to pick this up.
This issue still exists in Dataverse. Also Julian and I noticed that the search field on the Dataverse permissions page is case sensitive. E.g.: searching for "bob" will not find the "Bob11" account. Just looking at usernames that begin with the letter 'a', I came across 16 instances of usernames that are identical except for capitalization differences.
I mentioned in standup that it would be great if JPA supported a case insensitive uniqueness constraint so I just opened jakartaee/persistence#209. I also indicated that our previous fix was for #2598 to disallow people from choosing the same dataverse "alias" but with different cases ("mra" vs "MRA" or whatever). So I assume we'll apply a similar fix. Here's the fix we added back then:
https://github.com/IQSS/dataverse/blob/v4.10.1/scripts/database/reference_data.sql#L31
See also https://stackoverflow.com/questions/25743191/how-to-add-a-case-insensitive-jpa-unique-constraint
For existing accounts Gustavo is running queries to identify accounts with usernames that have case insensitive matches. Danny is deleting inactive accounts and communicating with owners of active accounts on an ad hoc basis and combining accounts or changing user names as needed to eliminate duplicates. The goal of this ticket is that there are no additional accounts created with the same case insensitive user name as an existing account. It has been proposed that we save all new usernames in all lower case regardless of how they are entered. On login a user may enter a mixed case user name and it will be compared as an all lower case with existing entries. (The effect on the UX is that the user may see the all lowercase username when they edit their account information.) Is this worth mentioning on account creation or on the edit account page? Once all of the duplicate removal has been completed should we go back and update the unaffected accounts so that all user names are entirely lower case? Should the users be notified and how?
It's fine if account names are saved and displayed as lowercase. No need to notify folks in the UI or via email.
#5811 has been merged and will be included in the next release. After that release is out on GitHub, we can then merge this issue and include it in the following release (since the cleanup is a dependency). I'll sit on this one for now.
make usernames case insensitive #3575
@scolapasta @landreev @sekmiller we just got a reply on the issue I opened. I left a new comment but other comments from you folks are welcome. Thanks.
@dlmurphy asked the following at #3539 (comment)
I posted my answer at #3539 (comment)
We discussed this a bit more today and I'm fairly sure that case-insensitive usernames is a usability issue. I can imagine a poor user saying "When you assign me permission to your dataset please be sure to choose @jharvard and not @JHARVARD because the upper-case version isn't me!"

#1445 is highly related.
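
An added example, not code from the Dataverse project: the audit query, lowercase storage and case-insensitive unique index discussed in this thread, run against an in-memory SQLite database standing in for the production one. The `account` table, its columns and the keep-the-oldest cleanup rule are assumptions, and the sample usernames are constructed from names mentioned in the thread.

```python
import sqlite3

# Constructed sample accounts. Table and column names are hypothetical.
SAMPLE = ["Bob11", "bob11", "jharvard", "JHARVARD", "alice", "MichelleObama"]

def open_db(names):
    db = sqlite3.connect(":memory:")
    with db:
        db.execute("CREATE TABLE account (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
        db.executemany("INSERT INTO account (username) VALUES (?)", [(n,) for n in names])
    return db

def find_case_collisions(db):
    """Audit: group existing usernames that are identical except for case."""
    rows = db.execute(
        "SELECT lower(username), group_concat(username) FROM account "
        "GROUP BY lower(username) HAVING count(*) > 1")
    return {key: sorted(names.split(",")) for key, names in rows}

def resolve_and_lock(db):
    """Assumed cleanup rule (the thread's cleanup is manual): keep the oldest
    account per lowercase name, store names lowercased, then add the index."""
    with db:
        db.execute("DELETE FROM account WHERE id NOT IN "
                   "(SELECT min(id) FROM account GROUP BY lower(username))")
        db.execute("UPDATE account SET username = lower(username)")
        # Expression index: the database itself rejects case-only duplicates.
        # SQLite's lower() folds ASCII only; other engines differ.
        db.execute("CREATE UNIQUE INDEX account_username_ci ON account (lower(username))")

def register(db, requested):
    """Save the name lowercased; return False if it collides with an existing one."""
    try:
        with db:
            db.execute("INSERT INTO account (username) VALUES (?)", (requested.lower(),))
        return True
    except sqlite3.IntegrityError:
        return False

if __name__ == "__main__":
    db = open_db(SAMPLE)
    print(find_case_collisions(db))
    resolve_and_lock(db)
    for name in ("BOB11", "carol", "MicheIIeObama"):
        print(name, "accepted" if register(db, name) else "rejected")
```

Registering `MicheIIeObama` still succeeds once the index is in place, because lowercasing does not merge the uppercase-i and lowercase-L lookalike raised earlier in the thread; that concern needs a separate check.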