Closed Bug 433812 Opened 16 years ago Closed 16 years ago

Add "reject this" link to registration email

Categories

(addons.mozilla.org Graveyard :: Administration, enhancement)

Product:
addons.mozilla.org Graveyard
Component:
Administration
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: timeless, Unassigned)

Details

I just got this via email:
Welcome to Firefox Add-ons.

Before you can use your new account you must
activate it - this ensures the e-mail address you
used is valid and belongs to you.
To activate your account, click the link below or
copy and paste the whole thing into your browser's
location bar:

https://addons.mozilla.org/en-US/firefox/users/verify/1364892/...

Once you successfully activated your account, you
can throw away this e-mail.

Thanks for joining Firefox Add-ons
-- Firefox Add-ons Staff
--

It appears to be me, however there was only one link to click, no way for me to complain that the link was not requested. I clicked the link and instantly someone else's password for my email address was active.

I did not ask for the account (at least, I don't remember asking for it). But the email provides no way for someone to investigate the "registration" other than clicking on the link, by which time, the damage is done.
btw, if you don't have sufficient logging to remember all account details (original first/last name, registrant ip address, etc.) please let me know, i'll file a bug asking you to ensure that the next version retains such information.
I think it's pretty standard practice that if you didn't request an account, you don't click on the link confirming that you did request the account.
Severity: blocker → minor
OS: Windows XP → All
Hardware: PC → All
Version: 3.0 → 3.2
I agree with Justin. However, what we may need to do is add a maintenance job that will expire new user registrations after a little while (2 days?). We have quite a bunch of unverified user accounts that just take away space and block nicknames, but don't serve any purpose because nobody can log in before confirming their account.
it may be standard practice somewhere else, however bugzilla's standard practice has been two links. one to affirm and one to reject.

i'm also used to this from other good services on the web.

but yes, auto expiring is also a good thing (bugzilla tokens expire after a couple of days, in this case if you don't have a reject option then 2 days is a good maximum).
Severity: minor → enhancement
Summary: Add-ons registration email is unacceptable and enables phishing → Add "reject this" link to registration email
Bug 444010 cleans up inactive accounts and we have recaptcha to prevent a bot from creating thousands of users.  I think we should move on.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.