Hello,
I recently noticed this: unless I'm mistaken, if a user creates an account with :confirmable and with the wrong email (e.g. a typo), the (wrong) person receiving the email will be able to get access to the account by clicking on the confirmation link, without having to know the password of the account (essentially, the link authenticates the user).
I would like to work around this risk; I thought about doing this:
- verify that the confirmation token belongs to the currently logged-in user (if logged in)
- require login/password, then verify that the confirmation token belongs to the user (if not logged in)
Did anyone already implement something similar? I believe subclassing the confirmation controller would be the way to go.
As well, is there anyone with good reasons /not/ to implement something like that?
Feedback most welcome!
thanks,
-- Thibaut
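The two-branch check sketched in the post above, written as an added example (it is not from the post and not Devise's code): a plain-Ruby model of the decision a subclassed `Devise::ConfirmationsController#show` would make. The `User` struct, the in-memory user list and the plaintext password comparison (standing in for Devise's bcrypt `valid_password?`) are all constructed for illustration.

```ruby
require "time"

# Constructed stand-in for a Devise user record: only the fields the
# confirmation flow needs. Not Devise's model.
User = Struct.new(:id, :email, :password, :confirmation_token, :confirmed_at,
                  keyword_init: true)

class ConfirmationGuard
  def initialize(users)
    @users = users # constructed in-memory store instead of ActiveRecord
  end

  # Branch 1 of the proposed fix: the link alone never authenticates.
  # Returns :require_login (nobody logged in), :confirm (token belongs to
  # the logged-in user) or :reject (unknown token, or someone else's token).
  def decide(token, current_user)
    owner = @users.find { |u| u.confirmation_token == token }
    return :reject if owner.nil?
    return :require_login if current_user.nil?
    current_user.id == owner.id ? :confirm : :reject
  end

  # Branch 2: visitor was not logged in, so they first prove they know the
  # account's password; only then is the token checked against that account.
  def confirm_with_credentials(token, email, password)
    user = @users.find { |u| u.email == email }
    # plaintext compare is a stand-in for Devise's bcrypt valid_password?
    return :reject unless user && user.password == password
    decide(token, user)
  end

  # Mirrors what confirmable does on success: stamp and burn the token.
  def confirm!(user)
    user.confirmed_at = Time.now
    user.confirmation_token = nil
    user
  end
end

# Demo with constructed data: Alice mistyped her address and Bob got the mail.
alice = User.new(id: 1, email: "alice@example.com", password: "pw-a", confirmation_token: "tok-a")
bob   = User.new(id: 2, email: "bob@example.com",   password: "pw-b", confirmation_token: "tok-b")
guard = ConfirmationGuard.new([alice, bob])
puts guard.decide("tok-a", nil)                                         # require_login
puts guard.decide("tok-a", bob)                                         # reject
puts guard.confirm_with_credentials("tok-a", "bob@example.com", "pw-b") # reject
```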