Opened 4 years ago

#2267 new improve feature

Do not allow to delete account without signing

Reported by: leoalone Owned by:
Priority: critical Milestone: unassigned
Component: BW Signup Keywords:


It is currently possible to delete account even without confirming.
This lead to possible problems when someone accidentally leaves the session on and someone use it to maliciously delete the account.
Adding a request for the password would render more difficult this act.

However there is the possibility that the attacked user had left not only the BW session but also the email one, so the attacker could simply logout, then ask the password via email and use it. So I would also, if possible now, else for next release, set a block so if one has asked to reset the password in the last 3 months is inhibited to ask deletion, but can ask only setting to inactive.

Change History (0)

Note: See TracTickets for help on using tickets.