Something got me wondering about Discobot

This question is just theoretical and may never happen.

Hello everyone! Earlier today, I was thinking about Discobot. If you are unaware on what Discobot is, it is this dude.

Discobot is a feature in Discourse Which is what the DevForum is created with who helps you use the forum when you first join. Now something got me wondering.
There is an account called DiscoBot. He has a Roblox account!

image
The Roblox account is this:

image image image

Now I was wondering since Discobot on the DevForum joined image , does that mean whoever made this Roblox account could just re-login and be Discobot? This question is really intriguing and I really want to know. Could Discobot be controlled by this account?

If you have an answer, please let me know. Thanks! WE

4 Likes

This is purely guesswork, but I think that logging into your Devforum account from Roblox is based on your email, whereas the plugin that shows the Roblox profile of a user is based purely on username. If that is the case, which I certainly hope, then that wouldn’t be an issue. It’s just the plugin’s fault.

8 Likes

Are you sure? When I logged into the Dev Forum for the first time it just automatically connected with my Roblox account.

1 Like

Yeah, and it created the account based on the email connected to your account. If you don’t have a verified email it won’t let you into the Devforum.

4 Likes

What im saying is that I think whoever owns this Discobot account could just log in with their Roblox account and have full control of Discobot.

But what if he got a verified email if he logged in again?

Ah I wasn’t thinking of that, thank you!

1 Like

The account would be created based on that email, which is not the same email @discobot has, so it would be a different account.

4 Likes

But still. When I changed my email for security reasons, my devforum changed automatically without doing anything else on the Devforum. I would think that if DiscoBot logged into the devforum, it would just give whoever owns this account some special privileges without doing anything on the forum.

Maybe that is the case. I don’t think the Roblox to Discourse sign-in thing is open source, so anything I say is just speculation. Regardless, I don’t think there’s any way anybody could check, so it doesn’t matter that much.

4 Likes

Plus this dude has been offline for years it’s unlikely he would log in out of nowhere.

4 Likes

Which is why I said that in this topic.

1 Like

discobot is a server bot, not a client bot, so its not an actual account you can log into

if someone had access to the roblox discobot account, and tried to create a devforum account, they would get an error code

1 Like

The same is true for @system. Unfortunately the only way to try it would be to guess the password of the account but that would get it and your account terminated pretty quickly.

2 Likes

Forum accounts do not require a Roblox account counterpart. The discobot account is not tied to an actual Roblox account as discobot already existed when our forum was created. Discobot doesn’t have an actual email so I doubt it’d be possible for someone to login as that account.

Roblox manages our forum logins with an SSO, I don’t have details about this, but I’m pretty sure they can block certain accounts from logging in.

2 Likes

You can see in this file that Discourse matches users by email when using the built-in SSO functionality, if they’ve never logged in before: https://github.com/discourse/discourse/blob/a91ee45de93c21637f9c062bd2eb6bf36a5213a1/app/models/discourse_single_sign_on.rb

The username is not used to match to existing users. Discobot has an email adress of (literally) “discobot_email” (no @ domain) so it’s impossible to SSO into one of these using a Roblox account since Roblox doesn’t let you set your username to this value. Same for all the other system accounts (e.g. system = “no_email” as email address).

When this user on Roblox tries to SSO into the forum their username would become “DiscoBot1” because of this line:

Aside from built-in SSO, Discourse has another facility called “managed authenticator” which is used for third-party integrations (e.g. “log in with Google”). This one also matches by email at most, not by username:

So TL;DR it is not possible to SSO into these accounts.

7 Likes

This might be a little tricky, but what if the user named DiscoBot1 tries to log in on Roblox when the Roblox user named discobot is already logged in and used the username DiscoBot1.
It seems a little unfair that some users are unable to get their Roblox names. Has this ever been a problem? I mean, it’s probably not even worth asking as dead accounts are unlikely to log into the forum. But still good to know.

(sorry I am using translator)

1 Like

They would become DiscoBot11

This is literally not worth worrying about – usernames are unique between users on Roblox, so also on this forum. It only happens with these two system accounts (discobot and system). It’s unlikely either of these users will ever use the devforum based on their last login dates.

3 Likes

Good question. I’ve actually noticed the same thing with System, which is the account that notifies you when a post of yours is deleted, etc. My guess is that this guy can log in and be Discobot, but the account probably will never log on because it is most likely a dummy account created by Roblox, same goes for System.

However, if the account were to be hacked, then I think yes, they could post as Discobot with his unique profile picture and confuse many DevForum members.

1 Like

Please have a look at buildthomas’ reply just above yours:

And the one above the one above his:

1 Like