Topics

moderated Two issues in joining a group #bug


Malcolm Austen
 

First a minor bug in some text ... when I initiate the joining process (with a dummy but valid) address, the web page https://kent-eng.groups.io/g/all-Kent/joined says :
Look for a message from Groups.io with the Subject: "Confirm Your Groups.io Account"

However, the message received actually has the subject line:
[KEN] Confirm your join-ken-eng@... email address

Can these please agree with each other?

And then issue two which I'm sure has been discussed before ... the message sequence is all wrong. First I get a welcome message (and the owner is told I have joined the list) and then I get a second email asking me to confirm my request to join the list. (In reality I think these three messages are all sent at the same time and the exact arrival order is unpredictable.) The welcome message should and must not go out until the confirmation process has completed. It's not right for the member to still be in [NC] status when both they and the owner have been informed they have joined the list.

I am happy that the owner should be informed of the application but I feel strongly that the sequence should be:
1. user applies to join
2. user is asked to confirm and owner is informed of the application, user set [NC]
If (and only if) user does confirm then
3. [NC] is removed, user is sent welcome message and owner is informed  of completion

Keep safe, Malcolm.

-- 
Malcolm Austen <malcolm.austen@...>


Duane
 

On Thu, Jan 28, 2021 at 04:03 PM, Malcolm Austen wrote:
user set [NC]
Just to make sure you understand, they're only set to NC if they don't already have a groups.io account.

They should also get 2 separate emails, one to confirm their email address if they don't have an account, the other to confirm that they really want to join a group.

I know there's a list showing the complete sequence someplace, both with an account and without, as well as restricted group or not.

Duane


Starchild <sfdreamer@...>
 


     +1 on this suggestion from Malcolm!

Love & Liberty,

((( starchild )))

-----Original Message-----
From: Malcolm Austen
Sent: Jan 28, 2021 1:59 PM
To: "main@beta.groups.io Calendar"
Subject: [beta] Two issues in joining a group #bug

First a minor bug in some text ... when I initiate the joining process (with a dummy but valid) address, the web page https://kent-eng.groups.io/g/all-Kent/joined says :
Look for a message from Groups.io with the Subject: "Confirm Your Groups.io Account"

However, the message received actually has the subject line:
[KEN] Confirm your join-ken-eng@... email address

Can these please agree with each other?

And then issue two which I'm sure has been discussed before ... the message sequence is all wrong. First I get a welcome message (and the owner is told I have joined the list) and then I get a second email asking me to confirm my request to join the list. (In reality I think these three messages are all sent at the same time and the exact arrival order is unpredictable.) The welcome message should and must not go out until the confirmation process has completed. It's not right for the member to still be in [NC] status when both they and the owner have been informed they have joined the list.

I am happy that the owner should be informed of the application but I feel strongly that the sequence should be:
1. user applies to join
2. user is asked to confirm and owner is informed of the application, user set [NC]
If (and only if) user does confirm then
3. [NC] is removed, user is sent welcome message and owner is informed  of completion

Keep safe, Malcolm.

-- 
Malcolm Austen <malcolm.austen@...>


Malcolm Austen
 

On 28/01/2021 22:43:47, Duane <txpigeon@...> wrote:

On Thu, Jan 28, 2021 at 04:03 PM, Malcolm Austen wrote:
user set [NC]
Just to make sure you understand, they're only set to NC if they don't already have a groups.io account.
Malcolm Austen: 
Thanks Duane, I was not aware of that (or if I was, I have forgotten!)

That seems to say that if person A is already a member of one group (and therefore has an account) then person B (a baddie) can, by spoofing the sending address, subscribe person A to arbitrary numbers of other groups.

That would be a seriously worrying security flaw.
They should also get 2 separate emails, one to confirm their email address if they don't have an account, the other to confirm that they really want to join a group.
Malcolm Austen: 
This was an address never before presented to groups.io - two emails were received but not as you describe. One was the group welcome message (implying the membership process was complete) and the second was a dual function message:

Subject: Confirm your join-ken-eng@... email address

Body (my italics and links stripped):
Hello,

Thank you for your interest in the https://KENT-ENG.groups.io/g/all-Kent group at Groups.io. If you did not request or do not want to join all-Kent@KENT-ENG.groups.io, please ignore this message.

If you only want to send and receive messages from all-Kent@KENT-ENG.groups.io, reply to this email to confirm your email address and activate your membership.

Messages will be sent to you at join-ken-eng@...
Send messages to all-Kent@KENT-ENG.groups.io
If you want to use the resources and read messages on the website, please click on the link below to confirm your email address, set up a password, and choose other subscription settings:

Confirm account


Cheers,
The Groups.io Team
I know there's a list showing the complete sequence someplace, both with an account and without, as well as restricted group or not.
Malcolm Austen: 
If it still represents the actuality then it would be interesting to see. My report concerned an unrestricted group BTW.

Malcolm.


Sandi D <sandi.asgtechie@...>
 

On Fri, Jan 29, 2021 at 06:40 AM, Malcolm Austen wrote:
Malcolm Austen: 
...That seems to say that if person A is already a member of one group (and therefore has an account) then person B (a baddie) can, by spoofing the sending address, subscribe person A to arbitrary numbers of other groups.
 
We had a similar scenario last week, with person B subscribing person A to our group. 

Both "goodies". Person A, forwarded a privately sent email on how to join from our group Home page to Person B. Person B thought she needed to enter Person A's name and email address instead of her own. Person A was then approved by the Co-Owner because the Co-Owner had sent the private email to Person A. So Person A became a member without any action on her part to join and Person B was confused as to why she couldn't access the group! 

In the end, I left Person A as a member (I changed her setting to Special Notice Only) and emailed her privately asking her if she wanted to be removed. Have heard nothing back from her.

I also sent a direct group invite to Person B and another private email detailing the situation and what she needed to do in order to join, hopefully this time made easier by the direct invite. 

Then had to email the Co-Owner (she is not GIO savvy, but she is in control of who she invites and who is accepted) about what happened, why it happened and how I was resolving it.

Trying to explain this to all parties concerned about took up a lot of time and a flurry of emails over 2 days. 
 
--
Sandi Dickenson


Malcolm Austen
 

As this seems to be opening a bigger can of worms than I had appreciated, lets stop this here and I'll raise the two items separately. My second point will reappear in [GMF] for some kicking around before it comes back to [beta].

Malcolm.

-- 
Malcolm Austen <malcolm.austen@...>

On 28/01/2021 22:04:01, Malcolm Austen <malcolm.austen@...> wrote:

First a minor bug in some text ... when I initiate the joining process (with a dummy but valid) address, the web page https://kent-eng.groups.io/g/all-Kent/joined says :
Look for a message from Groups.io with the Subject: "Confirm Your Groups.io Account"

However, the message received actually has the subject line:
[KEN] Confirm your join-ken-eng@... email address

Can these please agree with each other?

And then issue two which I'm sure has been discussed before ... the message sequence is all wrong. First I get a welcome message (and the owner is told I have joined the list) and then I get a second email asking me to confirm my request to join the list. (In reality I think these three messages are all sent at the same time and the exact arrival order is unpredictable.) The welcome message should and must not go out until the confirmation process has completed. It's not right for the member to still be in [NC] status when both they and the owner have been informed they have joined the list.

I am happy that the owner should be informed of the application but I feel strongly that the sequence should be:
1. user applies to join
2. user is asked to confirm and owner is informed of the application, user set [NC]
If (and only if) user does confirm then
3. [NC] is removed, user is sent welcome message and owner is informed  of completion

Keep safe, Malcolm.

-- 
Malcolm Austen <malcolm.austen@...>