How to require authentication when confirming?


Thibaut Barrère

Jun 7, 2013, 4:32:20 AM
to plataforma...@googlegroups.com
Hello,

I recently noticed this: unless I'm mistaken, if a user creates an account with :confirmable and with the wrong email (e.g. a typo), the (wrong) person receiving the email will be able to get access to the account by clicking on the confirmation link, without having to know the password of the account (essentially, the link authenticates the user).

I would like to work around this risk; I thought about doing this:
- verify that the confirmation token belongs to the currently logged user (if logged)
- require login/password then verify that the confirmation token belongs to the user (if not logged)

Did anyone already implement something similar? I believe subclassing the confirmation controller would be the way to go.

As well, is there anyone with good reasons /not/ to implement something like that?

Feedback most welcome!

thanks,

-- Thibaut

Boris Tuman

Jun 7, 2013, 9:26:03 AM
to plataforma...@googlegroups.com
It sounds like routing them to the login screen might do the trick.

Thibaut Barrère

Jun 10, 2013, 2:46:14 PM
to plataforma...@googlegroups.com
Hi Boris,

> It sounds like routing them to the login screen might do the trick.

Thanks, it's a nice idea - will try that and report back with a snippet if I can get it right.

-- Thibaut
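The check proposed in this thread (verify the confirmation token belongs to the signed-in user, otherwise send the visitor to the login page first), as an added example that is neither Devise's code nor Thibaut's snippet: the user store and session are plain Ruby stand-ins so it runs offline, and in a Rails app a subclass of Devise::ConfirmationsController would call `confirm` from its `show` action with `params[:confirmation_token]` and `current_user`.

```ruby
# Stand-in for a Devise user row (assumed columns, example only).
User = Struct.new(:id, :email, :confirmation_token, :confirmed_at, keyword_init: true) do
  def confirmed?
    !confirmed_at.nil?
  end
end

class ConfirmationGuard
  # Outcomes map to what the subclassed controller does next:
  #   :login_required -> redirect to sign-in (the token alone proves nothing)
  #   :invalid_token  -> no unconfirmed user carries this token
  #   :forbidden      -> token exists but belongs to another account; log it,
  #                      but show the same generic error as :invalid_token
  #   :confirmed      -> token matched the signed-in user; account confirmed
  def initialize(users)
    @users = users
  end

  def confirm(token, current_user)
    return :login_required if current_user.nil?
    return :invalid_token if token.nil? || token.empty?
    owner = @users.find { |u| !u.confirmed? && u.confirmation_token == token }
    return :invalid_token if owner.nil?
    return :forbidden unless owner.id == current_user.id
    owner.confirmed_at = Time.now
    owner.confirmation_token = nil # single use: a replayed link is rejected
    :confirmed
  end
end

# Constructed sample data: Alice mistyped her address at sign-up, so her
# confirmation link ended up in Mallory's inbox.
def sample_users
  [
    User.new(id: 1, email: "alice@example.com", confirmation_token: "tok-alice", confirmed_at: nil),
    User.new(id: 2, email: "mallory@example.com", confirmation_token: "tok-mallory", confirmed_at: nil)
  ]
end

if __FILE__ == $PROGRAM_NAME
  users = sample_users
  guard = ConfirmationGuard.new(users)
  puts guard.confirm("tok-alice", nil)      # login_required: link clicked while signed out
  puts guard.confirm("tok-alice", users[1]) # forbidden: Mallory signs in as herself and retries
  puts guard.confirm("tok-alice", users[0]) # confirmed: only Alice, once signed in, succeeds
end
```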