Error adding a venue admin if user does not exist #461
Comments
GDPR concerns aside for a moment, this definitely used to work, in exactly the way you describe @CHTJonas - the invited email address showed up under 'Pending Admins' and the person was emailed to suggest they sign up. As soon as a user account was created with the right email address, it all hooked up and they got society/whatever admin rights immediately. As for GDPR - the only people who can use this approach to add a new admin are existing admins. So they have to be not just registered users (not just any random internet bot), but registered users that someone already trusts IRL to be sensible. I think the risk of abuse is thus sufficiently low...? (No criticism for giving it consideration though!)
Fab ok - I've removed the GDPR tag. Maybe adding new admins to shows could be something that only users who have confirmed their email address can do?
That seems sensible. Possibly even could go further - need to have a confirmed email address before one can get admin powers for a show/society/venue in the first place? Though in practice I think there's a pretty simple 'chain of trust' that goes on with entity administration, so it's really pretty low risk in general, confirmed email or not.
Sentry issue: CAMDRAM-WEB-9V
Attempting to add a new admin for a show/venue/society with an unregistered email address returns an HTTP 500 error.
This should probably send a link to the email and invite that person to register a user account, or similar. Possible slight GDPR concerns here as someone could in theory abuse this to find valid email addresses.
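A sketch of the behaviour discussed in this thread, as an added example rather than Camdram's own code: an unregistered address becomes a pending admin instead of raising an error, only an existing admin with a confirmed address can invite, and rights are granted once the invitee's address is confirmed. The names `Entity`, `AdminService`, `add_admin` and `confirm_email` are hypothetical, and Python is used only for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Entity:  # a show, venue or society
    name: str
    admins: set = field(default_factory=set)          # emails holding admin rights
    pending_admins: set = field(default_factory=set)  # invited, not yet eligible

class AdminService:  # hypothetical service, not the project's API
    def __init__(self):
        self.confirmed = {}   # normalised email -> has the address been confirmed?
        self.entities = []
        self.outbox = []      # (recipient, kind) pairs standing in for a mailer

    @staticmethod
    def _norm(email):
        return email.strip().lower()

    def register(self, email):
        self.confirmed.setdefault(self._norm(email), False)

    def add_admin(self, entity, actor_email, target_email):
        actor, target = self._norm(actor_email), self._norm(target_email)
        # Only an existing admin whose own address is confirmed may invite.
        if actor not in entity.admins or not self.confirmed.get(actor):
            raise PermissionError("confirmed admin of this entity required")
        if self.confirmed.get(target):
            entity.admins.add(target)
            return "added"
        # Unknown or unconfirmed address: record it instead of raising.
        entity.pending_admins.add(target)
        self.outbox.append((target, "invite"))
        return "pending"

    def confirm_email(self, email):
        # Called after the user proves control of the address.
        email = self._norm(email)
        if email not in self.confirmed:
            raise KeyError("no such account")
        self.confirmed[email] = True
        for entity in self.entities:
            if email in entity.pending_admins:
                entity.pending_admins.discard(email)
                entity.admins.add(email)

if __name__ == "__main__":
    svc = AdminService()
    venue = Entity("Constructed Venue", admins={"alice@example.org"})  # constructed data
    svc.entities.append(venue)
    svc.register("alice@example.org")
    svc.confirm_email("alice@example.org")
    print(svc.add_admin(venue, "alice@example.org", "bob@example.org"))
```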