Locked Re: Auto-Login On Invite


On Tue, Jan 20, 2015 at 7:50 PM, JohnF via GROUPS.IO <user+1242@groups.io> wrote:

This is nice in one sense, as it makes it easy to join groups in response to invitations.  One complaint over at Yahoo Groups is that some people can't figure out how to manage invitations, which is why they're always asking for the direct add feature back.  I assume here at Groups.IO, that if an invited person didn't already have an account set up, that person would be guided through the process, upon clicking the link, right?

Correct. If you don't yet have an account, you're asked to create a password, and an account is created as part of the invite process. If you do have an account, and if you're logged in as that person, it just asks you for your subscription preference. If you are logged in as a different person than the invite was for, you're logged out and asked to log in (or create a password if the other person doesn't have an account).

If the invite is for an existing account, you are automatically logged in. This is a security risk if someone else gets your invite email, which would have to be through some man-in-the-middle attack, or from you forwarding your invite email after you received it. Seems a small risk.

I've thought about other instances along the same line. It'd be really great if the Unsubscribe link in the email footers was a one click unsubscribe, regardless of whether you were logged in or not. But I don't think that's safe.

