first answer

author https://id.koumbit.net/anarcat <https://id.koumbit.net/anarcat@web>

Mon, 15 Sep 2014 20:27:44 +0000 (16:27 -0400)

committer admin <admin@branchable.com>

Mon, 15 Sep 2014 20:27:44 +0000 (16:27 -0400)
author https://id.koumbit.net/anarcat <https://id.koumbit.net/anarcat@web>
Mon, 15 Sep 2014 20:27:44 +0000 (16:27 -0400)
committer admin <admin@branchable.com>
Mon, 15 Sep 2014 20:27:44 +0000 (16:27 -0400)
diff --git a/doc/bugs/notifyemail_fails_with_some_openid_providers.mdwn b/doc/bugs/notifyemail_fails_with_some_openid_providers.mdwn

index dd5016619588e2d177efcdc7e521187b876d5c24..91aeda453b88d27c2c265b0f34aaa676dc08bf63 100644 (file)
--- a/doc/bugs/notifyemail_fails_with_some_openid_providers.mdwn
+++ b/doc/bugs/notifyemail_fails_with_some_openid_providers.mdwn
@@ -89,3 +89,7 @@ Any other ideas? --[[anarcat]]
  >>> willing to send notifications to a verified address?
  >>>
  >>> --[[smcv]]
+>>>
+>>>> hmm... true, that is a problem, especially for hostile wikis. but then any hostile site could send you such garbage - they would be spammers then. otherwise, you could ask the site manager to disable that account...
+>>>>
+>>>> this doesn't seem to be a very big security issue that would merit implementing a new verification mechanism, especially since we don't verify email addresses on accounts right now. what we could do however is allow password authentication on openid accounts, and allow those users to actually change settings like their email addresses. however, I don't think this should be blocking that functionality right now. --[[anarcat]]
author	https://id.koumbit.net/anarcat <https://id.koumbit.net/anarcat@web>
	Mon, 15 Sep 2014 20:27:44 +0000 (16:27 -0400)
committer	admin <admin@branchable.com>
	Mon, 15 Sep 2014 20:27:44 +0000 (16:27 -0400)