allura-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dave Brondsema" <brond...@users.sf.net>
Subject [allura:tickets] #7717 Better existing email addr handling
Date Tue, 23 Sep 2014 20:38:40 GMT



---

** [tickets:#7717] Better existing email addr handling**

**Status:** open
**Milestone:** forge-oct-17
**Created:** Tue Sep 23, 2014 08:38 PM UTC by Dave Brondsema
**Last Updated:** Tue Sep 23, 2014 08:38 PM UTC
**Owner:** nobody

When adding an email address to an account, we check to see if someone else has already claimed
that address, and show error "Email address already claimed".  This can be a form of email
address enumeration (finding out if someone else's email is in the system).

We should avoid that, and have the result on the page be the same whether the email is already
claimed or not.  The email that we send out to the address can be different (since only the
real owner will get it).  The email can say something like "You tried to add EMAIL to your
SITE_NAME account, but it is already claimed by your USERNAME account.  You should use that
account instead, or remove that address from that account.  If this was not you who attempted
this, you can safely ignore this email".  

We should also check to see if a claimed address belongs to a disabled user or not.


---

Sent from sourceforge.net because dev@allura.apache.org is subscribed to https://sourceforge.net/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/allura/admin/tickets/options.
 Or, if this is a mailing list, you can unsubscribe from the mailing list.
Mime
  • Unnamed multipart/related (inline, None, 0 bytes)
View raw message