CQC is an executive non-departmental public body, sponsored by the
Department of Health.
They have asked to be allowed to register for Notify using the
`cqc.org.uk` and `digital.cqc.org.uk` domains. We know that this really
is there domain because it’s linked to from here:
https://www.gov.uk/government/organisations/care-quality-commission
> Scottish Enterprise is Scotland's main economic development agency
> and a non-departmental public body of the Scottish Government.
– https://www.scottish-enterprise.com/about-us
For some reason their email domain is `scotent.co.uk` (but it redirects
to www.scottish-enterprise.com on the web for the some reason
¯\_(ツ)_/¯)
Use `it`/`they` depending on how many different characters you've used
Also don't wrap the message with quotes, as it looks confusing and
potentialy implies that you can't use apostrophes
We have a bunch of different styles of handling when function
definitions span multiple lines, which they almost always do with tests.
Here’s why an argument per line, single indent is best:
- cleaner diffs when you change the name of a method (one line change
instead of multiple lines)
- works better on narrow screens, eg Github’s diff view, or with two
terminals side by side on a laptop screen
- works with any editor’s indenting shortcuts, no need for an IDE
Also, trailing comma in the list of arguments is good because adding a
new argument to a method becomes a one line, not two line diff.
Suppliers need to be invited by people who work for the government.
People who work for the government can invite anyone to join their team,
no matter what their email address is.
So there’s no need for these domains to be in the list now.
> I cannot register as the Email address field will not accept my email
> address format (.org.uk). Natural England is a non-departmental
> government body sponsored by Defra (Department for Environment, Food
> and Rural Affairs). Can you register me on the system or change the
> system so it will accept my email address?
– Deskpro ticket
> Natural England is an executive non-departmental public body,
> sponsored by the Department for Environment, Food & Rural Affairs.
– https://www.gov.uk/government/organisations/natural-england
***
Checks out…
There’s a chance that someone will run out of imagination and use
the name of the thing they’re signing up for as their password.
This wouldn’t be caught by the generic blacklist.
If a user chooses a very common password then an attacker could guess it
in relatively few attempts, circumventing the lockout.
CESG recommend blacklisting the most common passwords:
> …enforcing the requirement for complex character sets in passwords is
> not recommended. Instead, concentrate efforts on technical controls,
> especially:
>
> - defending against automated guessing attacks by either using account
> lockout, throttling, or protective monitoring
> - blacklisting the most common password choices
How I made this list:
- went to the OWASP repository of security lists:
https://github.com/danielmiessler/SecLists
- downloaded `10k_most_common.txt`, `twitter-banned.txt` and
`500-worst-passwords.txt`
- filtered out any under 8 characters:
```
sed -r '/^.{,7}$/d' passwords-twitter.txt > passwords-combined.txt
sed -r '/^.{,7}$/d' passwords-500.txt >> passwords-combined.txt
sed -r '/^.{,7}$/d' passwords.txt >> passwords-combined.txt
```
- filtered out any duplicates:
```
cat passwords-combined.txt | awk '!x[$0]++' > passwords-combined-deduped.txt
```
> If a user tries to save a template containing something like
> ((name,date)) we should give a validation error.
This is because it causes havoc with the column headers in CSV files.
https://www.pivotaltracker.com/story/show/117043389
Refactored the forms so that fields like email_address can be used in multiple forms.
Refactored form validation so that a query function is passed into the form to be run, this
way the form is not exposed to the dao layer and the query is more efficient.
This PR still requires some frontend attention. Will work with Chris to update the templates.
