Populating Full Name with Email Address if Left Blank by SSO

Continuing the discussion from "Full Name" Shown on /About With Full Name Option Disabled:

It seems (from our experience and one other poster in the above thread) that the behaviour when Discourse isn’t passed a full name by SSO (which is an optional field) is that it populates that field with the email address.

This seems like a bug (it should probably be left blank, or if it’s required by the settings then populated with username).

I’m trying to repro this but looks like this isn’t the case.

https://github.com/discourse/discourse/blob/master/app/models/discourse_single_sign_on.rb#L109

The only way to have an entire email address on the name would be a improperly configured SSO passsing the email on the username field, since User.suggest_name will remove everything after the @.

2 Likes

It doesn’t literally use the entire email, yes, but it does populate something potentially public with information from something that’s definitely non-public, which turns into a privacy diaster any time there’s a failure to check whether full names are supposed to be enabled/exposed.

IMO, even though I dislike this behavior, I’d suggest that simply warning about this in the SSO documentation could be more than enough of a “fix”. (Where it states that a field is optional, clarify that it doesn’t mean that the field in the database is left blank/null, but is instead populated in this way.)

5 Likes

Sure, feel free to edit to clarify.

Not sending username OR name in sso payload is considered highly irregular and this is simply a corner case being handled.

I am also to a PR that requires name or username is always set when sending through sso reqs.

A pr-welcome for “either name or username must be set, if not sso returns an error”

2 Likes