Re: Auto-Login On Invite
On Tue, Jan 20, 2015 at 7:50 PM, JohnF via GROUPS.IO <firstname.lastname@example.org> wrote:
Correct. If you don't yet have an account, you're asked to create a password, and an account is created as part of the invite process. If you do have an account, and if you're logged in as that person, it just asks you for your subscription preference. If you are logged in as a different person than the invite was for, you're logged out and asked to log in (or create a password if the other person doesn't have an account).
If the invite is for an existing account, you are automatically logged in. This is a security risk if someone else gets your invite email, which would have to be through some man-in-the-middle attack, or from you forwarding your invite email after you received it. Seems a small risk.
I've thought about other instances along the same line. It'd be really great if the Unsubscribe link in the email footers was a one-click unsubscribe, regardless of whether you were logged in or not. But I don't think that's safe.