Bitbucket Server permissions - how to know if usernames were previously changed?
Created by: slimsag
A customer with existing Sourcegraph user accounts does not currently have auth.enableUsernameChanges set to false, which I presume means that users could have already changed their usernames.
According to our documentation, enabling Bitbucket Server permissions could lead to privilege escalation due to this:
Ensure you have set auth.enableUsernameChanges to false in the site config to prevent users from changing their usernames and escalating their privileges.
How can we verify that no user has already changed their username in Sourcegraph in such a way that would lead to privilege escalation if they were to turn on Bitbucket Server permissions?
For context, the customer in question uses OpenID Connect in an Apache module for verification, and from the perspective of Sourcegraph, http-header auth is used: https://docs.sourcegraph.com/admin/auth#http-authentication-proxies. From what I understand, at any point in time a user that was authenticated via the proxy could have then changed their username in Sourcegraph, and as such turning on Bitbucket Server permissions could lead to privilege escalation?
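One way to approach the check the question asks for, as an added example that is not part of the original post and not Sourcegraph's own code or an answer from the project: compare, for every Sourcegraph user, the identity the HTTP auth proxy asserted for them with their current Sourcegraph username, and flag any mismatch. The dangerous subset is where the changed username now matches some other Bitbucket Server account, since that is the name permission syncing would be matched on. The example assumes (these are assumptions, not facts from the page) that you can export the per-user proxy-asserted identity and current username from the deployment, that you can export the list of Bitbucket Server usernames, and that usernames are compared case-insensitively; the input below is constructed sample data.

```python
"""
Added example (not Sourcegraph code): detect Sourcegraph users whose current
username no longer matches the identity the HTTP auth proxy asserted for them,
and highlight the cases where the new username collides with a different
Bitbucket Server account.

Assumptions (not stated on the page):
  - per-user (proxy_identity, current_username) pairs can be exported from the
    deployment; how to obtain them is deployment-specific and not shown here;
  - the list of Bitbucket Server usernames can be exported;
  - matching is case-insensitive (conservative: flags more, never fewer).
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    proxy_identity: str        # what the auth proxy said the user is
    current_username: str      # what Sourcegraph currently calls the user
    collides_with_bitbucket: bool  # new name matches some other Bitbucket user


def find_renamed_users(
    users: Iterable[Tuple[str, str]],
    bitbucket_usernames: Iterable[str],
) -> List[Finding]:
    """Return one Finding per user whose username differs from the proxy identity.

    Findings that collide with an existing Bitbucket Server username are
    listed first, because those are the ones that could yield another
    person's repository permissions once permission syncing is enabled.
    """
    bb_names = {name.casefold() for name in bitbucket_usernames}
    findings = []
    for proxy_identity, current_username in users:
        if proxy_identity.casefold() == current_username.casefold():
            continue  # username unchanged relative to the proxy identity
        findings.append(
            Finding(
                proxy_identity=proxy_identity,
                current_username=current_username,
                collides_with_bitbucket=current_username.casefold() in bb_names,
            )
        )
    # Collisions first, then alphabetical by proxy identity for stable output.
    findings.sort(key=lambda f: (not f.collides_with_bitbucket, f.proxy_identity))
    return findings


def collisions(findings: Iterable[Finding]) -> List[Finding]:
    """Only the findings that would map onto a different Bitbucket account."""
    return [f for f in findings if f.collides_with_bitbucket]


# Constructed sample data: (identity asserted by the proxy, current Sourcegraph username).
SAMPLE_USERS = [
    ("alice", "alice"),          # unchanged
    ("bob", "bob-renamed"),      # changed, but matches no Bitbucket user
    ("mallory", "Admin"),        # changed to another Bitbucket user's name
]
# Constructed sample data: usernames known to Bitbucket Server.
SAMPLE_BITBUCKET_USERS = ["alice", "bob", "admin", "mallory"]


if __name__ == "__main__":
    for f in find_renamed_users(SAMPLE_USERS, SAMPLE_BITBUCKET_USERS):
        tag = "COLLISION" if f.collides_with_bitbucket else "renamed"
        print(f"{tag}: proxy identity {f.proxy_identity!r} is now {f.current_username!r}")
```

Any finding is worth reviewing before enabling Bitbucket Server permissions, but the collision list is the one to resolve first: rename those accounts back (or deactivate them) and then set auth.enableUsernameChanges to false so the state cannot drift again.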