Add pagination so I can find a face

RESOLVED FIXED

Status

2 years ago
10 months ago

People

(Reporter: ekyle, Unassigned)

Tracking

Trunk
(Reporter)

Description

2 years ago
I am terrible with names, and I would like to look up someone on phonebook by face, but there seems to be a new feature that prevents me from getting full search results.

https://phonebook.mozilla.org/?search/toronto

Please add pagination, or remove the "24" result limit.

Thank you
Yeah, that is a known problem with the limiting feature. It's a tricky problem to solve with the current Phonebook - the lack of pagination is to prevent an attacker from downloading the entire site full of phone numbers in one go - but there's a severe drawback for faces.

The correct fix, and the far more difficult one in our code, is to rate limit Phonebook record lookups - but to still provide complete search results for faces and org tree. This may not be doable in a short amount of time for us; we have only our free time to help here.

As an aside, does the Mozillians Phonebook have this same issue for you? It would be very interesting to us to know whether it does or doesn't meet your needs here (even given the different dataset).
(Reporter)

Comment 2

2 years ago
We have phone numbers!?

The Mozillians Phonebook does not have the people I am looking for, and is in general a poor source of names and faces.

Anyway, a rate limiting scheme will probably not work, given the small number of records in the phonebook. For example, I can iterate through all string prefixes (of well chosen length) to get all entries. What will the rate limit be? How long will it take to download everyone? A day? If Okta sign-in is not good enough security, then the information should probably not be in phonebook.
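The questions in Comment 2 ("What will the rate limit be? How long will it take to download everyone?") can be answered with a small model when sizing a limit. The following is an added example, not part of the bug thread or of Phonebook's code; it assumes a prefix-only name search, a constructed 1000-record directory of random names, and hypothetical per-user limits.

```python
import itertools
import random
import string

RESULT_CAP = 24  # the result limit named in the bug report
ALPHABET = string.ascii_lowercase

def make_directory(n, seed=0):
    """Constructed sample data: n distinct random 8-letter names, not real records."""
    rng = random.Random(seed)
    names = set()
    while len(names) < n:
        names.add("".join(rng.choices(ALPHABET, k=8)))
    return sorted(names)

def capped_search(directory, prefix, cap=RESULT_CAP):
    """Assumed search model: prefix match on the name, at most `cap` records returned."""
    return [name for name in directory if name.startswith(prefix)][:cap]

def coverage(directory, length, cap=RESULT_CAP):
    """Return (queries issued, distinct records served) when every prefix
    of the given length is searched once."""
    seen = set()
    queries = 0
    for letters in itertools.product(ALPHABET, repeat=length):
        seen.update(capped_search(directory, "".join(letters), cap))
        queries += 1
    return queries, len(seen)

def queries_for_full_coverage(directory, cap=RESULT_CAP, max_length=3):
    """Smallest fixed prefix length at which the capped results include every record."""
    for length in range(1, max_length + 1):
        queries, seen = coverage(directory, length, cap)
        if seen == len(directory):
            return length, queries
    return None

def hours_to_cover(queries, lookups_per_hour):
    """Delay a per-user rate limit adds before the full record set has been served."""
    return queries / lookups_per_hour

if __name__ == "__main__":
    directory = make_directory(1000)
    length, queries = queries_for_full_coverage(directory)
    for limit in (60, 600):  # hypothetical per-user limits, in lookups per hour
        print(f"prefix length {length}: {queries} queries, "
              f"{hours_to_cover(queries, limit):.1f} h at {limit}/h")
```

In this model the cap alone is no barrier for a directory of this size, so any protection has to come from the rate limit, and that limit has to be weighed against how many lookups a legitimate browsing session needs.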
(Reporter)

Comment 3

2 years ago
Last week I was trying to find people in the Vancouver office, because I am going there in February. A search for "vancouver" [1] gave me results for Mountain View. These false positive matches would not be a problem if I could page through them. Furthermore, I guess no one will ever find out that I am in the Toronto office [2].

It is interesting that the tree [3] shows everyone: An attacker need only iterate through all names to get everything. Meanwhile, I cannot find out who to visit while in Vancouver.


[1] https://phonebook.mozilla.org/?search/vancouver
[2] https://phonebook.mozilla.org/?search/toronto
[3] https://phonebook.mozilla.org/tree.php
We're going to back out the limit feature. I'm going to close this; the backout will ship in the near future, pending Webops availability.
Status: NEW → RESOLVED
Last Resolved: 10 months ago
Resolution: --- → FIXED