FEATURE: Improve use_email_for_username_and_name_suggestions (#30845)

Previously this setting would only control values received in an 'email'
field from an identity provider. This commit extends it, so that it also
applies to email-like content in other fields. This provides improved
protection against partial email addresses being leaked.
This commit is contained in:
David Taylor
2025-01-21 13:04:48 +00:00
committed by GitHub
parent e8d5059156
commit 6fd577d97d
4 changed files with 24 additions and 9 deletions


@ -2729,7 +2729,7 @@ en:
create_revision_on_bulk_topic_moves: "Create revision for first posts when topics are moved into a new category in bulk."
allow_changing_staged_user_tracking: "Allow a staged user's category and tag notification preferences to be changed by an admin user."
use_email_for_username_and_name_suggestions: "Use the first part of email addresses for username and name suggestions. Note that this makes it easier for the public to guess full user email addresses (because a large proportion of people share common services like `gmail.com`)."
use_email_for_username_and_name_suggestions: "Use the first part of email addresses for username and name suggestions. Warning: This can make it easier for bad actors to discover your members' full email address (because a large proportion of people share common serves like `gmail.com`)."
use_name_for_username_suggestions: "Use a user's full name when suggesting usernames."
suggest_weekends_in_date_pickers: "Include weekends (Saturday and Sunday) in date picker suggestions (disable this if you use Discourse only on weekdays, Monday through Friday)."
show_bottom_topic_map: "Shows the topic map at the bottom of the topic when it has 10 replies or more."
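Review bot: The new setting description has a typo in its closing clause, "common serves like `gmail.com`", which should read "common services like `gmail.com`"; this is admin-facing text, so it is worth correcting before it is picked up by translators. The rest of the rewording reads fine.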


@ -7,6 +7,9 @@ module UserNameSuggester
def self.suggest(*input, current_username: nil)
name =
input.find do |item|
if !SiteSetting.use_email_for_username_and_name_suggestions
next if item.to_s =~ User::EMAIL
end
parsed_name = parse_name_from_email(item)
break parsed_name if sanitize_username(parsed_name).present?
end
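Review bot: The three-line `if !SiteSetting... / next if ... / end` guard can be a single modifier, and `=~` allocates a MatchData that is never used; `next if !SiteSetting.use_email_for_username_and_name_suggestions && item.to_s.match?(User::EMAIL)` does the same job, ideally preceded by a why-comment such as `# Never derive suggestions from email-like values unless explicitly allowed, so partial addresses are not leaked`. Because this guard is the whole protection the commit adds, it is worth confirming that `User::EMAIL` matches the kind of values that arrive here (a whole-string anchored pattern would let a value that merely contains an address fall through to `parse_name_from_email`); that regex is not visible in this hunk. The `suggest` method continues past the end of the hunk.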


@ -967,7 +967,7 @@ RSpec.describe Email::Receiver do
user = topic.user
expect(user.staged).to eq(true)
expect(user.username).to eq("random.name")
expect(user.username).to eq("user1")
expect(user.name).to eq("Случайная Имя")
end
@ -1090,10 +1090,12 @@ RSpec.describe Email::Receiver do
it "associates email replies using both 'In-Reply-To' and 'References' headers" do
expect { process(:email_reply_1) }.to change(Topic, :count).by(1) &
change(Post, :count).by(3)
change(Post, :count).by(3) & change(User, :count).by(3)
topic = Topic.last
users = User.last(3)
ordered_posts = topic.ordered_posts
expect(ordered_posts.size).to eq(3)
expect(ordered_posts.first.raw).to eq("This is email reply **1**.")
@ -1101,7 +1103,7 @@ RSpec.describe Email::Receiver do
expect(post.action_code).to eq("invited_user")
expect(post.user.email).to eq("one@foo.com")
expect(%w[two three].include?(post.custom_fields["action_code_who"])).to eq(true)
expect(users.map(&:username)).to include(post.custom_fields["action_code_who"])
end
expect { process(:email_reply_2) }.to change { topic.posts.count }.by(1)
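Review bot: The replacement assertion in the third hunk, `expect(users.map(&:username)).to include(post.custom_fields["action_code_who"])`, is weaker than the `%w[two three]` check it replaces: `users` is `User.last(3)`, which by the preceding `change(User, :count).by(3)` appears to include `post.user` (the `one@foo.com` account) as well, so the test would also pass if `action_code_who` named the inviter. Excluding that user keeps the original intent, e.g. `expect((users - [post.user]).map(&:username)).to include(post.custom_fields["action_code_who"])`. Note also that `User.last(3)` relies on primary-key ordering, which is fine here only because the example creates exactly those three users.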


@ -42,6 +42,13 @@ RSpec.describe UserNameSuggester do
expect(UserNameSuggester.suggest("a")).to eq("a11")
end
it "doesn't suggest anything based on usernames by default" do
expect(UserNameSuggester.suggest("bob@example.com")).to eq("user1")
end
context "with use_email_for_username_and_name_suggestions enabled" do
before { SiteSetting.use_email_for_username_and_name_suggestions = true }
it "is able to guess a decent username from an email" do
expect(UserNameSuggester.suggest("bob@example.com")).to eq("bob")
end
@ -50,6 +57,7 @@ RSpec.describe UserNameSuggester do
expect(UserNameSuggester.suggest("me@eviltrout.com")).to eq("eviltrout")
expect(UserNameSuggester.suggest("i@eviltrout.com")).to eq("eviltrout")
end
end
it "shortens very long suggestions" do
expect(UserNameSuggester.suggest("myreallylongnameisrobinwardesquire")).to eq(
@ -63,12 +71,14 @@ RSpec.describe UserNameSuggester do
end
it "doesn't suggest reserved usernames" do
SiteSetting.use_email_for_username_and_name_suggestions = true
SiteSetting.reserved_usernames = "myadmin|steve|steve1"
expect(UserNameSuggester.suggest("myadmin@hissite.com")).to eq("myadmin1")
expect(UserNameSuggester.suggest("steve")).to eq("steve2")
end
it "doesn't suggest generic usernames" do
SiteSetting.use_email_for_username_and_name_suggestions = true
UserNameSuggester::GENERIC_NAMES.each do |name|
expect(UserNameSuggester.suggest("#{name}@apple.org")).to eq("apple")
end