Closed
Bug 1090370
Opened 10 years ago
Closed 8 years ago
User can Sign in to MP-stage with an account that was already deleted in Lookup Tool
Categories
(Marketplace Graveyard :: Admin Tools, enhancement, P4)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: vcarciu, Unassigned)
Details
(Whiteboard: [marketplace-transition])
Prerequisites:
Build identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0

Steps to reproduce:
1. Sign in to MP-stage with an admin account (https://marketplace.allizom.org)
2. Click “Lookup Tool” link option from the bottom of the page
3. Search for an account
4. Click “Delete User” button
5. Use the deleted account to sign in to MP-stage

Expected results: User cannot sign in

Actual results: User is signed in and can execute operations in MP-stage homepage

Please see screencast for this bug: http://screencast.com/t/TmhNyNsNEL1f
Comment 1•10 years ago
Is the user the same as before - i.e. it's the deleted one? Or is a new user created (as expected) when the user logs in anew? What does lookup show for that email address after logging in?
Reporter
Comment 2•10 years ago
Yes, it is the deleted one. Lookup is showing that the account is deleted.
Comment 3•10 years ago
Login should check the soft deletion of a user, if it's happened, raise a warning and prevent the login.
Severity: normal → enhancement
Priority: -- → P4
Comment 4•10 years ago
(In reply to Andy McKay [:andym] from comment #3)
> Login should check the soft deletion of a user, if it's happened, raise a
> warning and prevent the login.

severity: enhancement? You shouldn't be able to use a deleted account - who knows what other issues it would cause when it comes to emails, installs, purchases.
Updated•10 years ago
Target Milestone: 2014-10-28 → ---
Comment 5•10 years ago
User deletion when the credentials live with Persona or FxA seems odd to me. If we hard-deleted an account that would mean we also would need to delete things associated with that user (reviews, apps, etc). But if the user still has their FxA or Persona account they could simply log in again and start over. We soft-delete users however. How should soft-deleted users be treated differently? Should we even have the ability to delete users? When do we do it and what's the purpose? Perhaps we want something more like a blacklist where a user known by a certain email can no longer log in?
Comment 6•10 years ago
There are two use cases here:

1) Mozilla deleting a user account. In this case it's normally because they're spamming - but their reviews aren't currently deleted (bug 889906). A blacklist would be useful, though spammers normally switch email addresses regularly so it may not be of much use. Bug 889906 would be more useful than a blacklist imo.

2) The user deleting their own account. It seems right that a user, if they choose, should be able to delete their account. Whether we soft delete, anonymise, and keep some details for audit purposes is up to us, but effectively saying you can't ever close an account once created seems wrong to me. After deleting, if the same email address logs in again we should create a new account.
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Whiteboard: [marketplace-transition]
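
The login check proposed in comment 3 and the re-creation behaviour proposed in comment 6, sketched as an added example (not Marketplace code and not part of the original bug). All names (`UserStore`, `login_unchecked`, `login_checked`, `AccountDeleted`) are hypothetical, and `verified_email` is assumed to be the address the external identity provider (Persona or FxA) has already verified.

```python
from dataclasses import dataclass, field
from itertools import count


class AccountDeleted(Exception):
    """A verified email maps only to a soft-deleted local account."""


@dataclass
class User:
    id: int
    email: str
    deleted: bool = False  # soft-delete flag set by the admin tool


@dataclass
class UserStore:  # hypothetical in-memory stand-in for the user table
    users: dict = field(default_factory=dict)
    _ids: count = field(default_factory=lambda: count(1))

    def create(self, email):
        user = User(next(self._ids), email)
        self.users[user.id] = user
        return user

    def find(self, email, include_deleted=False):
        for user in self.users.values():
            if user.email == email and (include_deleted or not user.deleted):
                return user
        return None


def login_unchecked(store, verified_email):
    # Reported behaviour: the lookup ignores the deleted flag, so the
    # identity provider's assertion revives the soft-deleted account.
    return store.find(verified_email, include_deleted=True) or store.create(verified_email)


def login_checked(store, verified_email, recreate=False):
    live = store.find(verified_email)
    if live:
        return live
    if store.find(verified_email, include_deleted=True) and not recreate:
        raise AccountDeleted(verified_email)  # comment 3: refuse the login
    return store.create(verified_email)       # comment 6: start a fresh account
```

With `recreate=False` a soft-deleted address is refused outright; with `recreate=True` the old record stays deleted and the login gets a new account id, so nothing tied to the old id is reattached.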