On 12/19/06, Matthew Eernisse <[EMAIL PROTECTED]> wrote:
> 1. Change the security model to allow subscriptions to be added to unactivated accounts. This is arguably less secure than what we have now, although I wonder what practical problems it actually presents (i.e., malicious people could add lots of subscriptions for an un-activated account).

this would only be a concern if an attacker could add subscriptions to any arbitrary un-activated account. this can't happen in the workflow you described.

> Obviously the ideal option from the user's perspective is just to allow them to create their account and have the new subscription waiting for them when they first log in after activating the account through e-mail, but I see where this has security implications we need to consider.

agree, but i can't think of any real security issues.

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Open Source Applications Foundation "Design" mailing list
http://lists.osafoundation.org/mailman/listinfo/design
