The User-Id field is not safe in your admin-panel application. When the admin creates a new user and fills in the User-Id field with the ID of an existing user, it can lead to overwriting the existing user's profile, because the User-Id is the same as the existing user's. The admin user doesn't get any warning about an existing user with the same User-Id. It would be good if your application could check the User-Id and warn the admin if it already exists when the admin creates a new user.
The problem is actually in synapse. Here you can see that create and modify use the same HTTP verb (PUT). So synapse can't figure out if we want to create a new user or update an existing user.
Yes, we could work around this by first trying to fetch the user info and only create if it does not exist, but that makes our code much more messy.
awesome-manuel changed the title from "User-Id field is not safe in your admin-panel application." to "Creating a user might overwrite an existing user with same MXID" on Apr 23, 2024
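The workaround mentioned in the comment above (fetch the user first and only create if it does not exist), sketched as an added example that is not code from the admin panel or from Synapse. `createUserIfAbsent` and `makeFakeSynapse` are hypothetical names, the in-memory server is constructed so the block runs offline, and the 404/201/200 status codes are assumed to match the Synapse admin API's `/_synapse/admin/v2/users/<user_id>` endpoint.

```javascript
// Constructed in-memory stand-in for the admin API (not a real server).
// It mimics the behaviour described in the issue: PUT is an upsert.
function makeFakeSynapse(initialUsers) {
  const users = new Map(Object.entries(initialUsers));
  const request = async (method, path, body) => {
    const userId = decodeURIComponent(path.split("/").pop());
    if (method === "GET") {
      return users.has(userId)
        ? { status: 200, json: users.get(userId) }
        : { status: 404, json: { errcode: "M_NOT_FOUND" } };
    }
    // Assumed status codes: 201 when created, 200 when an existing user was modified.
    const existed = users.has(userId);
    users.set(userId, { ...users.get(userId), ...body, name: userId });
    return { status: existed ? 200 : 201, json: users.get(userId) };
  };
  return { request, users };
}

// Hypothetical helper: refuse to send the PUT when the MXID is already taken.
// `request(method, path, body)` is an injected transport (an assumption of this
// example) that resolves to { status, json }.
async function createUserIfAbsent(request, userId, body) {
  const path = "/_synapse/admin/v2/users/" + encodeURIComponent(userId);
  const lookup = await request("GET", path);
  if (lookup.status === 200) {
    return { created: false, reason: "exists" };
  }
  if (lookup.status !== 404) {
    // Fail closed: an auth or server error must not fall through to the upsert.
    return { created: false, reason: "lookup failed: " + lookup.status };
  }
  const put = await request("PUT", path, body);
  if (put.status !== 201) {
    // GET followed by PUT is not atomic. A 200 here means the user appeared
    // in between and this PUT modified it, so report that instead of success.
    return { created: false, reason: "race: modified existing user" };
  }
  return { created: true, user: put.json };
}
```

The check narrows the window but cannot close it, since only the server can make create-versus-modify atomic; the UI should surface the `reason` string to the admin rather than silently retrying.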