Legacy issue tracker

You are currently viewing the legacy bug tracker for MediaGoblin. We have now switched to code hosting and issue tracking at SourceHut.

This legacy issue tracker remains available to allow us to reference old issues. If you find a ticket here which is still relevant, please feel free to continue the discussion. For new issues, please use SourceHut.

Context Navigation

← Previous Ticket
Next Ticket →

Opened 13 years ago

Last modified 13 years ago

#186 closed defect (FIXED)

It is possible to confirm an email address when logged in as a different user.

Reported by:	joar	Owned by:
Priority:	trivial	Milestone:
Component:	programming	Keywords:
Cc:		Parent Tickets:

Description

for example, logged in with user "joar" I may use the confirmation
link for user "hook" to verify his email. I am still logged in as
"joar" after doing so.

Change History (6)

comment:1 by Caleb Davis, 13 years ago

So, this happens because


-  activating an account by confirming an email address doesn't
   change the login state.
-  activating an account while not logged-in is accepted

We could specifically exclude this scenario, but actually I'm
tempted to leave it as is because I might want multiple accounts on
an instance, and I might forget whoami while activating a second
account. That seems okay to me.

Why is this behavior bad?

comment:2 by joar, 13 years ago

Priority:	Normal → Low

I was confused by it, but it presents no danger since email
validation does not authenticate the user.

comment:3 by Caleb Davis, 13 years ago

Status:	New → Closed

Ok, closed it then!

comment:4 by Caleb Davis, 13 years ago

Status:	Closed → New

oops, perhaps I closed this prematurely.

comment:5 by Caleb Davis, 13 years ago

Status:	New → Closed

ok, I guess not. Yay! :)

comment:6 by Will Kahn-Greene, 12 years ago

The original url for this bug was http://bugs.foocorp.net/issues/479 .
Relations:
#100: related

Note: See TracTickets for help on using tickets.

Download in other formats: