moderated /leave link changes


 

Hi All,

I've procrastinated more than enough, so I made a couple of small changes to how the leave link works:

- If you click on a leave link and are logged in as someone else, you are logged out. 
- If you are logged out, you are not then logged in as the person the /leave link belongs to.
- If you are logged in as the person the /leave link belongs to, you are still logged in.

- I re-ordered the buttons for leaving, putting the 'Leave Group' button last.
- The email address of the account is now displayed on the page.

As best I can tell, the security hole that J experienced is closed with these changes.

The security hole that exists when you forward a group email to someone else still exists, in that they can still unsubscribe you by clicking the /leave link.

Thanks,
Mark


 

Mark,

> - If you click on a leave link and are logged in as someone else, you
> are logged out.

I still contend that this is a mistake - very astonishing to most people (people with only one registered address at Groups.io) who happen to click on a CC'd or forwarded link.

Instead I recommend that the landing page in this case show an error message telling the user that they clicked on a link that was for someone else (contained in a message that was sent to someone else's email address).

To handle the case of a user with two registered email addresses, who happened to be logged in to the wrong one when they clicked the link, include a Log Out button on the error page so that they can then log in to the correct account. And then maybe be redirected to the correct landing page.

> - The email address of the account is now displayed on the page.

In the case above, I would say show both addresses, the one from the link and the one currently logged in, for clarity.

I think there's scant privacy problem showing the address from the link - it was likely in the message that brought this user the link - unless some chain of forwards was involved.

> As best I can tell, the security hole that J experienced is closed
> with these changes.

And would still be closed the way I suggest - since no one gets automatically logged in.

Shal
--
https://groups.io/g/Group_Help
https://groups.io/g/GroupManagersForum


 

On Fri, Nov 10, 2017 at 1:51 PM, Shal Farley <shals2nd@...> wrote:
> Mark,
>
> > - If you click on a leave link and are logged in as someone else, you
> > are logged out.
>
> I still contend that this is a mistake - very astonishing to most people (people with only one registered address at Groups.io) who happen to click on a CC'd or forwarded link.
>
> Instead I recommend that the landing page in this case show an error message telling the user that they clicked on a link that was for someone else (contained in a message that was sent to someone else's email address).

I've changed it so that it now does this. It displays an error message, with the email address of the leave link as well as your email address. There's also a prominent Log Out button.

Thanks,
Mark
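
The landing-page behaviour the thread settles on, sketched as an added example that is not Groups.io's code and not part of any message above. The token layout (`email|group|HMAC`), `SECRET`, `make_leave_token`, `handle_leave` and `LeaveResponse` are all hypothetical names and assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

SECRET = b"constructed-demo-key"  # assumption: server-side key, not from the thread


def make_leave_token(email: str, group: str) -> str:
    """Build a hypothetical /leave token: email|group|HMAC tag."""
    msg = f"{email}|{group}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{email}|{group}|{tag}"


@dataclass
class LeaveResponse:
    page: str                     # "confirm_leave", "wrong_account" or "invalid"
    session_email: Optional[str]  # session after the request; never set from the link
    shown_emails: tuple = ()      # addresses displayed on the page
    logout_button: bool = False


def handle_leave(token: str, session_email: Optional[str]) -> LeaveResponse:
    """Decide what the /leave landing page does for the current session."""
    parts = token.split("|")
    if len(parts) != 3:
        return LeaveResponse("invalid", session_email)
    email, group, tag = parts
    expected = hmac.new(SECRET, f"{email}|{group}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return LeaveResponse("invalid", session_email)
    if session_email is not None and session_email.lower() != email.lower():
        # Logged in as someone else: error page with both addresses and a
        # Log Out button; the existing session is left untouched.
        return LeaveResponse("wrong_account", session_email,
                             (email, session_email), logout_button=True)
    # Logged out, or logged in as the link's owner: show the leave page with
    # the account's address. The link authorizes leaving only, so a
    # logged-out visitor stays logged out.
    return LeaveResponse("confirm_leave", session_email, (email,))
```

A logged-out holder of a forwarded link still reaches the leave page in this sketch, which is the remaining hole described in the first message.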