[dashboard] Disallow team names that might conflict with dashboard URLs #5131
Conversation
|
Looking at this now! 👀 |
| const userRepo = await this.getUserRepo(); | ||
| const existingUsers = await userRepo.query('SELECT COUNT(id) AS count FROM d_b_user WHERE fullName LIKE ? OR name LIKE ?', [ name, slug ]); | ||
| if (existingUsers[0].count > 0) { | ||
| throw new Error('A team cannot have the same name as an existing user'); |
There was a problem hiding this comment.
question: Do we want to surface this kind of information? It seems this is privacy sensitive information, right? Maybe using a more generic message could be better? What do you think? 💭
| throw new Error('A team cannot have the same name as an existing user'); | |
| throw new Error('Team path is already in use'); |
There was a problem hiding this comment.
Hmm, not sure about the privacy aspect. If someone wants to create a team called "Jan Keromnes", and it fails, I'd be okay with the error message saying that a user is already called that name. 😋
There was a problem hiding this comment.
Also, user names come directly from GitHub or GitLab, where they're already public information anyway.
There was a problem hiding this comment.
I still think this something we could consider changing in the future but it should be fine shipping this as is for now! 🙈
There was a problem hiding this comment.
What I'd love in the future is public Gitpod profiles, e.g. showcasing some public Gitpod stuff you'd like to share with the world. 🙂 Could give Gitpod more of a "social" vibe.
There was a problem hiding this comment.
This is one of the reasons I'd vote for making this more privacy-aware but should be fine to skip this for now.
| @@ -15,6 +16,34 @@ import { DBTeamMembership } from "./entity/db-team-membership"; | |||
| import { DBUser } from "./entity/db-user"; | |||
| import { DBTeamMembershipInvite } from "./entity/db-team-membership-invite"; | |||
|
|
|||
| const FORBIDDEN_SLUGS = [ | |||
There was a problem hiding this comment.
praise: Thanks for extending the forbidden slugs here! 🌟
There was a problem hiding this comment.
How do we ensure this list does not drift w.r.t. the dashboard URLs?
There was a problem hiding this comment.
I don't think a perfect match is required at all times. The imported blocklist already contains a lot of teams names we wouldn't want to ever allow, and this complementary list ensures that current and potential near future dashboard paths aren't immediately taken by teams.
While a collision could still potentially happen in the more distant future, it's highly unlikely, and would be a sufficiently small problem that we can deal with it ad-hoc then.
| 'access-control', | ||
| 'account', | ||
| 'admin', | ||
| 'blocked', | ||
| 'from-referrer', | ||
| 'install-github-app', | ||
| 'integrations', | ||
| 'login', | ||
| 'new', | ||
| 'notifications', | ||
| 'oauth-approval', | ||
| 'plans', | ||
| 'preferences', | ||
| 'projects', | ||
| 'settings', | ||
| 'setup', | ||
| 'sorry', | ||
| 'start', | ||
| 'subscription', | ||
| 'teams', | ||
| 'upgrade-subscription', | ||
| 'usage', | ||
| 'variables', | ||
| 'workspaces', | ||
| ...(blocklist), |
There was a problem hiding this comment.
suggestion: What do you think of adding a few more slugs that could be useful in the near future?
For example, we could include snapshots, prebuilds, as well as branches, issues, pull-requests, and merge-requests. Your call! 🏓
| @@ -4,6 +4,7 @@ | |||
| * See License-AGPL.txt in the project root for license information. | |||
| */ | |||
|
|
|||
| import { list as blocklist } from "the-big-username-blacklist"; | |||
There was a problem hiding this comment.
praise: Nice one! Thanks @corneliusludmann for also suggesting this in #4469 (comment). 🏀
|
Cool, thanks for the review! Will address your excellent suggestions. 🔝 /hold |
jankeromnes
force-pushed
the
jx/disallow-bad-team-names
branch
from
b8e485d to
558f29b
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: Associated issue: #4469 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/werft run 👍 started the job as gitpod-build-jx-disallow-bad-team-names.5 |
|
I believe all nits are addressed 😁
@gtsiolis please take another look when you have time 👀 /unhold |
|
@jankeromnes UX works like a charm. 🔮
|
|
Many thanks for the reviews! 🙌
Interpreting as /lgtm 😇 |
|
Thanks @jankeromnes for merging this and @csweichel for taking a look! 👀 |
Fixes #4469
How to test