usernames
brianteeman opened this issue · 4 comments
If I read this correctly you are creating folders based on the username.
This raises a few issues:
- It's possible to have a character in a username that is not allowed in a foldername
- Some people would consider this as a leak of personal information
- Some people would consider this as a security issue
A possible solution to all the above is to create foldernames based on the hashed username.
This keeps it unique, ensures the character set is ok and doesn't reveal the username.
Some people would consider this as a leak of personal information + Some people would consider this as a security issue
The security concern is a bit stretched, but then again a brute force script could expose the usernames, which is one of the 2 parts needed to gain access, so it's a valid concern. Anyways, hashing the name could be done extremely easily:
```php
/**
 * Returns an array of adapters
 *
 * @return \Joomla\Component\Media\Administrator\Adapter\AdapterInterface[]
 */
public function getAdapters()
{
    $userName = $this->app->getIdentity()->username;

    // simple encode with base64 WEAK
    $directoryPath = JPATH_ROOT . '/images/users/' . base64_encode($userName);

    // Using the md5 algo (this assignment replaces the base64 one above)
    $directoryPath = JPATH_ROOT . '/images/users/' . md5($userName);

    // Create the per-user directory on first use
    if (!is_dir($directoryPath)) {
        mkdir($directoryPath, 0777, true);
    }

    $adapter = new \Joomla\Plugin\System\RestrictedFS\Adapter\RestrictedFSAdapter(
        $directoryPath . '/',
        $userName
    );

    return [$adapter->getAdapterName() => $adapter];
}
```
Well, as I discovered there is an error with the username validation in core regarding the characters, it's a valid concern.
Implemented as a user selectable option in the plugin's configuration.
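
The folder-naming options discussed in this thread, compared side by side as an added example that is not part of the original issue or the plugin's code. `userFolderName()`, `isSafeFolderName()` and `$siteSecret` are hypothetical names, and the keyed hash (HMAC-SHA256 with a per-installation secret) is an assumption that goes one step beyond the plain `md5()` shown above.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of the plugin: keyed hash of the username.
// $siteSecret is an assumed per-installation random value.
function userFolderName(string $userName, string $siteSecret): string
{
    // Hex output: always 64 characters from [0-9a-f], so it is a valid folder name.
    return hash_hmac('sha256', $userName, $siteSecret);
}

// Hypothetical check: a single path segment made only of portable characters.
function isSafeFolderName(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,255}\z/', $name) === 1;
}

// Constructed sample values.
$siteSecret = 'constructed-example-secret';
$userNames  = ['alice', '???', 'bob??>', 'user/name'];

foreach ($userNames as $userName) {
    $encoded = base64_encode($userName);
    $hashed  = md5($userName);
    $keyed   = userFolderName($userName, $siteSecret);

    printf("username: %s\n", $userName);

    // base64 is an encoding, not a hash: it decodes back to the username,
    // and its alphabet includes '/', which is a path separator.
    printf("  base64: %-14s safe=%s decodes_back=%s\n",
        $encoded,
        var_export(isSafeFolderName($encoded), true),
        var_export(base64_decode($encoded, true) === $userName, true));

    // Unkeyed md5 is filesystem-safe, but the same value can be recomputed
    // by anyone from a guessed username.
    printf("  md5:    %s safe=%s\n", $hashed, var_export(isSafeFolderName($hashed), true));

    // The keyed hash is filesystem-safe and needs the site secret to recompute.
    printf("  hmac:   %s safe=%s\n\n", $keyed, var_export(isSafeFolderName($keyed), true));
}
```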