Opened 13 years ago

Last modified 13 years ago

#186 closed defect (FIXED)

It is possible to confirm an email address when logged in as a different user.

Reported by: joar Owned by:
Priority: trivial Milestone:
Component: programming Keywords:
Cc: Parent Tickets:


for example, logged in with user "joar" I may use the confirmation
link for user "hook" to verify his email. I am still logged in as
"joar" after doing so.

Change History (6)

comment:1 by Caleb Davis, 13 years ago

So, this happens because

-  activating an account by confirming an email address doesn't
   change the login state.
-  activating an account while not logged-in is accepted

We could specifically exclude this scenario, but actually I'm
tempted to leave it as is because I might want multiple accounts on
an instance, and I might forget whoami while activating a second
account. That seems okay to me.

Why is this behavior bad?

comment:2 by joar, 13 years ago

Priority: NormalLow
I was confused by it, but it presents no danger since email
validation does not authenticate the user.

comment:3 by Caleb Davis, 13 years ago

Status: NewClosed
Ok, closed it then!

comment:4 by Caleb Davis, 13 years ago

Status: ClosedNew
oops, perhaps I closed this prematurely.

comment:5 by Caleb Davis, 13 years ago

Status: NewClosed
ok, I guess not. Yay! :)

comment:6 by Will Kahn-Greene, 12 years ago

The original url for this bug was .
#100: related

Note: See TracTickets for help on using tickets.