[openstreetmap/openstreetmap-website] Disallow username changes to user_n if n isn't their id (PR #4218)

Andy Allan notifications at github.com
Thu Jan 18 14:29:01 UTC 2024


> Wasn't [this report](https://github.com/openstreetmap/openstreetmap-website/security/advisories/GHSA-2779-44wq-qcm8) seen by anyone again, like [previously](https://github.com/openstreetmap/openstreetmap-website/issues/4362)?

I think I read this at the time, but there are so many notifications from this repo that I can't say I remember the text of all of them. But when I was reviewing PRs I remembered that this one was an important one to deal with, which is why I worked on it yesterday before the 100+ other open PRs.

I thought it was worth explaining clearly in my comment what the impact is. Of course you understand it, but I thought it would be worth clarifying for everyone else.

> Looks like they are only visible to [osm org members](https://github.com/orgs/openstreetmap/people?query=role%3Aowner) and @gravitystorm is not one of them.

For historical reasons I'm an owner for the openstreetmap organisation, so I can see the reports no problem.

However, they aren't super obvious in the GitHub UI - there are no little numbers beside the `Security` tab, nor even the `Advisories` menu option. It's only when you click on that menu that you can see the list - and be reminded about any open ones!

I'll try to formally deal with the security advisory next week - I've accepted it, but now it's complaining about not having affected versions specified, and I need to figure out what is the most appropriate thing (git commit id? Date?) that I should put in there.

![Screenshot from 2024-01-18 14-20-38](https://github.com/openstreetmap/openstreetmap-website/assets/360803/96d672e2-5379-49d9-888e-10b7a644ed6a)


-- 
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/4218#issuecomment-1898586375

Message ID: <openstreetmap/openstreetmap-website/pull/4218/c1898586375 at github.com>