Opened 15 years ago

Last modified 15 years ago

#186 closed defect (FIXED)

It is possible to confirm an email address when logged in as a different user.

Reported by: joar Owned by:
Priority: trivial Milestone:
Component: programming Keywords:
Cc: Parent Tickets:

Description

for example, logged in with user "joar" I may use the confirmation link for user "hook" to verify his email. I am still logged in as "joar" after doing so.

Change History (6)

comment:1 by Caleb Davis, 15 years ago

So, this happens because

  • activating an account by confirming an email address doesn't change the login state.
  • activating an account while not logged-in is accepted

We could specifically exclude this scenario, but actually I'm tempted to leave it as is because I might want multiple accounts on an instance, and I might forget whoami while activating a second account. That seems okay to me.

Why is this behavior bad?

comment:2 by joar, 15 years ago

Priority: NormalLow

I was confused by it, but it presents no danger since email validation does not authenticate the user.

comment:3 by Caleb Davis, 15 years ago

Status: NewClosed

Ok, closed it then!

comment:4 by Caleb Davis, 15 years ago

Status: ClosedNew

oops, perhaps I closed this prematurely.

comment:5 by Caleb Davis, 15 years ago

Status: NewClosed

ok, I guess not. Yay! :)

comment:6 by Will Kahn-Greene, 14 years ago

The original url for this bug was http://bugs.foocorp.net/issues/479 .
Relations:
#100: related

Note: See TracTickets for help on using tickets.