Bug 584845
Opened 14 years ago
Closed 14 years ago
/z/ Email change tokens are not invalidated for deleted/anonymized users
Categories
(addons.mozilla.org Graveyard :: Public Pages, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 558511
People
(Reporter: dchanm+bugzilla, Unassigned)
References
Details
This bug is for the code at https://preview.addons.mozilla.org/z/en-US/firefox/

The email change code generates a base64 encoded token with userid, email, and timestamp and a hash of the token. The token/hash pair is still valid after a user deletes their account. This allows a user to put their account in an inconsistent state: valid e-mail, no other identifying information and "deleted" set to true. A potential fix is to make emailchange check for <UserProfile>.deleted
http://github.com/jbalogh/zamboni/blob/master/apps/users/views.py#L138

STR
1. Edit profile and change your e-mail
2. Delete your account
3. Click on the email address change e-mail

There may be a delay while waiting for the delete to propagate. When done successfully, your user profile will have no first/last/nickname and have the updated e-mail.

Not really much a user can do with this since the /z/ login page checks for the deleted status and prevents login. However, you can reset your password and log in through the non-/z/ pages.
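The following is an added worked example, not code from the bug report or from zamboni itself. It models the token scheme the report describes (base64 of userid, e-mail and timestamp, plus a hash over it), replays the STR against a constructed in-memory stand-in for the UserProfile table, and shows the vulnerable handler beside one that applies the suggested fix of checking the profile's deleted flag. The secret key, the token lifetime, the user record and all function names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins (assumptions, not zamboni's real settings or models).
SECRET_KEY = b"constructed-secret-key-for-this-example"
TOKEN_MAX_AGE = 3 * 24 * 3600  # seconds; assumed lifetime of the change link


def fresh_users():
    """Constructed UserProfile table: one active account with an old e-mail."""
    return {42: {"email": "old@example.org", "nickname": "dave", "deleted": False}}


def make_email_change_token(user_id, new_email, now=None):
    """Build the (base64 token, hash) pair the report describes: the token
    encodes userid, e-mail and timestamp; the hash is an HMAC over it."""
    ts = int(time.time() if now is None else now)
    payload = json.dumps({"u": user_id, "e": new_email, "t": ts}).encode()
    token = base64.urlsafe_b64encode(payload).decode()
    digest = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return token, digest


def parse_token(token, digest, now=None):
    """Check only the hash and the age; returns (user_id, new_email) or raises."""
    payload = base64.urlsafe_b64decode(token.encode())
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, digest):
        raise ValueError("hash mismatch")
    data = json.loads(payload)
    ts = int(time.time() if now is None else now)
    if ts - data["t"] > TOKEN_MAX_AGE:
        raise ValueError("token expired")
    return data["u"], data["e"]


def delete_account(users, user_id):
    """Mimic deletion as the report describes it: identifying fields are
    cleared and 'deleted' is set, but the row itself stays."""
    profile = users[user_id]
    profile["nickname"] = None
    profile["deleted"] = True


def emailchange_vulnerable(users, token, digest, now=None):
    """Behaviour the report describes: a valid token/hash pair is honoured
    even though the account has been deleted."""
    try:
        user_id, new_email = parse_token(token, digest, now)
    except ValueError:
        return "bad-token"
    users[user_id]["email"] = new_email
    return "changed"


def emailchange_fixed(users, token, digest, now=None):
    """Suggested fix: refuse to apply the change when the profile is deleted."""
    try:
        user_id, new_email = parse_token(token, digest, now)
    except ValueError:
        return "bad-token"
    profile = users.get(user_id)
    if profile is None or profile["deleted"]:
        return "rejected-deleted-user"
    profile["email"] = new_email
    return "changed"


def run_str(handler, now=1_700_000_000):
    """Replay the STR: request a change, delete the account, click the link."""
    users = fresh_users()
    token, digest = make_email_change_token(42, "new@example.org", now=now)
    delete_account(users, 42)
    result = handler(users, token, digest, now=now + 60)
    return result, users[42]


if __name__ == "__main__":
    print(run_str(emailchange_vulnerable))
    print(run_str(emailchange_fixed))
```

With the vulnerable handler the replay ends with a profile that has no nickname, deleted set to true and the new e-mail, which is exactly the inconsistent state the report describes; the fixed handler rejects the link and leaves the old e-mail in place. The hash check alone cannot catch this, because the token was legitimately issued before the deletion; the state of the account has to be re-read at redemption time.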
Updated•14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Updated•8 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard