Double user accounts in Hedgedoc
We have several double user accounts in Hedgedoc, with one account having a username as profileid and the other having an email address.
One symptom of this is your history of notes becoming empty. I suspect that it may also lead to losing access to private notes. It might even be abused to get access to someone else's notes by setting your username to match theirs.
I suspect that this is due to this code in the dashboard (in kratos_user.py):

    # Name should be set, however, we do not enforce this yet.
    # if somebody does not set their name, we use the email address
    # as name
    if self.name:
        name = self.name
    else:
        name = self.email

My theory is that the double accounts arise when someone logs in without a username set, so the email is used, then later they set a username and that gets used, and Hedgedoc uses this name as identifier. This is still to be confirmed.
If this is indeed the cause, then this issue is related to dashboard#161.
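
The theory above can be modelled offline. The following is an added example, not code from the dashboard or from Hedgedoc: `Identity`, `NoteService`, `stable_profile_id` and `find_double_accounts` are hypothetical names, the sample users are constructed, and the downstream service is assumed to create one account per previously unseen profile id, as the issue suspects.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Identity:
    """Constructed stand-in for a dashboard user; field names are assumptions."""
    uuid: str                   # immutable identifier (assumed to exist)
    email: str
    name: Optional[str] = None  # may be set later by the user

def legacy_profile_id(user: Identity) -> str:
    # Same fallback as the snippet quoted in the issue: name, else email.
    return user.name if user.name else user.email

def stable_profile_id(user: Identity) -> str:
    # Hypothetical alternative: key on a value the user cannot change.
    return user.uuid

class NoteService:
    """Toy downstream app that creates an account per unseen profile id."""
    def __init__(self):
        self.accounts = {}  # profile id -> list of note titles

    def login(self, profile_id: str) -> list:
        return self.accounts.setdefault(profile_id, [])

def simulate(profile_id_fn):
    """Log in, write a note, set a name, log in again.

    Returns (number of accounts, note history seen after the rename).
    """
    svc = NoteService()
    user = Identity(uuid="00000000-0000-4000-8000-000000000001",
                    email="alice@example.org")
    svc.login(profile_id_fn(user)).append("meeting notes")
    user.name = "alice"
    history = list(svc.login(profile_id_fn(user)))
    return len(svc.accounts), history

def find_double_accounts(identities, profile_ids):
    """Return uuids of identities owning both a name-keyed and an email-keyed account."""
    ids = set(profile_ids)
    return [u.uuid for u in identities
            if u.name and u.name in ids and u.email in ids]
```

`find_double_accounts` takes the dashboard's identities and the profile ids exported from the note service, which gives a way to check how many users are affected before any merge or migration.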