Re: /leave link changes



- If you click on a leave link and are logged in as someone else, you
are logged out.
I still contend that this is a mistake - very astonishing to most people (people with only one registered address at who happen to click on a CC'd or forwarded link).

Instead I recommend that the landing page in this case show an error message telling the user that they clicked on a link that was for someone else (contained in a message that was sent to someone else's email address).

To handle the case of a user with two registered email addresses, who happened to be logged in to the wrong one when they clicked the link, include a Log Out button on the error page so that they can then log in to the correct account. And then maybe be redirected to the correct landing page.

- The email address of the account is now displayed on the page.
In the case above, I would say show both addresses, the one from the link and the one currently logged in, for clarity.

I think there's scant privacy problem showing the address from the link - it was likely in the message that brought this user the link - unless some chain of forwards was involved.

As best I can tell, the security hole that J experienced is closed
with these changes.
And would still be closed the way I suggest - since no one gets automatically logged in.


