Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
898 views
in Technique[技术] by (71.8m points)

python - django-allauth: Confirmation Email (with Token) for changing primary mail address

I am currently testing django-allauth for one of my applications.

So far it seems to be a very good third party package.

One thing is concerning me - the workflow of adding new Email Addresses / Changing primary.


Let me explain:

Imagine someone gets access to your account for a brief moment; you could be in the restroom and still be logged in.

A new Email is being added by this "rogue person" and verified.

Now he is able to just change it to "Primary" and delete your old Email.

He now has full access to the account, since "Forgot your password" will work with the new Primary mail.


Is there a good way to prevent such behaviour?

e.g. when changing to a new primary mail address this step has to be confirmed first via an email token

or:

Adding a new email address requires a password input first.


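The two safeguards proposed in the question (a recent password entry before e-mail settings can be touched, and a confirmation token for the primary change) can be combined as in the following added example. It is not django-allauth's code or API: the `user` dict, the function names, the constants and the addresses are hypothetical, and the token is a plain HMAC over the claims using only the standard library.

```python
import base64, hashlib, hmac, json, time

SECRET_KEY = b"constructed-demo-key"  # assumption: a server-side secret
TOKEN_TTL = 15 * 60      # seconds a confirmation token stays valid
REAUTH_WINDOW = 5 * 60   # max age of the last password entry, in seconds

def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest().encode()

def request_primary_change(user, new_email, now=None):
    """Return (recipient, token) for the confirmation mail."""
    now = time.time() if now is None else now
    # Safeguard 1: a session left open is not enough, the password must be recent.
    if now - user["last_password_auth"] > REAUTH_WINDOW:
        raise PermissionError("re-enter your password first")
    if new_email not in user["verified_emails"]:
        raise ValueError("address is not verified for this account")
    claims = {"uid": user["id"], "old": user["primary"],
              "new": new_email, "exp": int(now) + TOKEN_TTL}
    payload = json.dumps(claims, sort_keys=True).encode()
    token = base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload).decode()
    # Safeguard 2: the token is mailed to the CURRENT primary address.
    return user["primary"], token

def confirm_primary_change(user, token, now=None):
    """Apply the change only for a valid, unexpired, matching token."""
    now = time.time() if now is None else now
    try:
        body, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except ValueError:  # missing separator or malformed base64
        return False
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        return False
    claims = json.loads(payload)  # safe to parse: the MAC verified
    if claims["exp"] < now or claims["uid"] != user["id"]:
        return False
    # Binding to the old primary makes the token single-use.
    if claims["old"] != user["primary"] or claims["new"] not in user["verified_emails"]:
        return False
    user["primary"] = claims["new"]
    return True
```

Because the token is delivered to the existing primary mailbox, verifying a newly added address is no longer sufficient to take over the "Forgot your password" flow.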

1 Reply

0 votes
by (71.8m points)
Waiting for an expert to reply.
