Closed
Bug 824720
Opened 12 years ago
Closed 10 years ago
Allow / deny actions to unverified email users
Categories
(Marketplace Graveyard :: General, defect, P3)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: kumar, Unassigned)
References
Details
(Whiteboard: u=patron c=pmt p=1)
When a user logs in with an unverified email (bug 794634) we should only allow access to certain views like installing / purchasing apps. We should deny access to other views that would work better with a verified email (such as submitting apps). Details on what to allow/deny TBD.
|
Reporter | |
Updated•12 years ago
|
Blocks: marketplace-payments
Depends on: 794634
|
||
Updated•12 years ago
|
Priority: -- → P3
Whiteboard: u=patron c=pmt p=1
|
||
Comment 1•11 years ago
|
||
Kumar, any updates on this on what we need?
|
|
Reporter | |
Comment 2•11 years ago
|
||
A good start would be to deny unverified accounts from accessing the devhub and submitting an app. However, we only accept unverified accounts on B2G so this scenario would only happen when someone is spoofing headers to do something malicious with an anonymous email.
|
|
Reporter | |
Comment 3•11 years ago
|
||
I meant spoofing the post params not spoofing headers. like this: https://github.com/mozilla/zamboni/blob/master/media/js/mkt/login.js#L47
|
||
Comment 4•11 years ago
|
||
With the advent of Fireplace, is it agreeable that: - The consumer APIs should be available to unverified emails - Non-consumer APIs, developer pages, and reviewer/admin/lookup pages should not be available to unverified emails I'd even go so far as to say that we should be universally blocking unverified emails and only allowing them with shared secret authentication on the API (which is already applied to all consumer APIs). Heyna or no?
|
|
Reporter | |
Comment 5•11 years ago
|
||
IMO: > - The consumer APIs should be available to unverified emails Agreed > - Non-consumer APIs, developer pages, and reviewer/admin/lookup pages should > not be available to unverified emails Agreed > > I'd even go so far as to say that we should be universally blocking > unverified emails and only allowing them with shared secret authentication > on the API (which is already applied to all consumer APIs). Heyna or no? I'm not sure what this implies; it's important to me that the above access restrictions are met.
|
|
||
Comment 6•11 years ago
|
||
(In reply to Kumar McMillan [:kumar] from comment #5) > IMO: > > > - The consumer APIs should be available to unverified emails > > Agreed > > > - Non-consumer APIs, developer pages, and reviewer/admin/lookup pages should > > not be available to unverified emails > > Agreed > > > > > I'd even go so far as to say that we should be universally blocking > > unverified emails and only allowing them with shared secret authentication > > on the API (which is already applied to all consumer APIs). Heyna or no? > > I'm not sure what this implies; it's important to me that the above access > restrictions are met. I agree with everything kumar said :)
|
||
Comment 7•10 years ago
|
||
I think this bug will eventually obsolete when we move to Firefox Accounts and all emails will be verified.
|
||
Comment 8•10 years ago
|
||
Firefox Accounts
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•