moderated Re: /leave link changes
- If you click on a leave link and are logged in as someone else, youI still contend that this is a mistake - very astonishing to most people (people with only one registered address at Groups.io) who happen to click on a CC'd or forwarded link.
Instead I recommend that the landing page in this case show an error message telling the user that they clicked on a link that was for someone else (contained in a message that was sent to someone else's email address).
To handle the case of a user with two registered email addresses, who happened to be logged in to the wrong one when they clicked the link, include a Log Out button on the error page so that they can then log in to the correct account. And then maybe be redirected to the correct landing page.
- The email address of the account is now displayed on the page.In the case above, I would say show both addresses, the one from the link and the one currently logged in, for clarity.
I think there's scant privacy problem showing the address from the link - it was likely in the message that brought this user the link - unless some chain of forwards was involved.
As best I can tell, the security hole that J experienced is closedAnd would still be closed the way I suggests - since no one gets automatically logged in.