Limit pending email verifications #4571
Conversation
gratipay/models/participant/email.py
Outdated
| @@ -106,6 +103,16 @@ def validate_email_verification_request(self, c, email, *packages): | |||
| if not all(email in p.emails for p in packages): | |||
| raise EmailNotOnFile() | |||
|
|
|||
| unverified_email = c.one(""" | |||
| SELECT address | |||
There was a problem hiding this comment.
A user could repeatedly add an email + remove it to circumvent this restriction, no? The throttling strategy we use will have to rely on previous state (as you've mentioned in the ticket description)
There was a problem hiding this comment.
We need to start also thinking about not deleting email addresses, because when we start handling bounces and complaints (#4284) we'll want to retain that info for a given email address even if one participant removes it and another (or the same) adds it again. Hmm ...
There was a problem hiding this comment.
A user could repeatedly add an email + remove it to circumvent this restriction, no?
Eureka! Turns out it makes the most UX sense to disallow removing emails when verification is pending, to properly communicate the reality that the pending verification still exists. But, if we truly disallow removing emails when verification is pending, then we'll have closed the repeatedly-add-and-remove loophole. Violà!
Proceeding on that basis in #4579 ...
There was a problem hiding this comment.
Umm, what if a person mistakenly enters a wrong email address?
There was a problem hiding this comment.
Turns out it makes the most UX sense to disallow removing emails when verification is pending, to properly communicate the reality that the pending verification still exists.
This is also a security risk, as far as I can tell. If we don't allow canceling verification requests - a mistake in entering a user's email could result in a malicious user taking over their account.
|
Alright, after wrestling to rebase this onto #4572 I think the way to architect this is to rename When a participant adds an email address we file the address in When a participant completes a verification we link to it in When a participant removes an email address we null out the verification in We link to We link to |
|
Something like that, anyway. :) |
chadwhitacre
force-pushed
the
redo-throttling
branch
from
11be3e0
to
20cb963
Compare
|
I've kicked out #4573 to persist email verifications. Once done will revisit here to see about constraining based on past verifications. |
Remove security.spt.
By moving the `kw` assignment into a conditional block we ended up depending on previous iterations of the loop to assign `kw` in the no-doc case. Had the no-doc case been first, we would've hit a NameError.
Handles missing doc in npm change stream
TestNotifyParticipants uses QueuedEmailHarness
chadwhitacre
force-pushed
the
redo-throttling
branch
from
20cb963
to
a9e1faf
Compare
|
Working up a ttw test so we can get the user requirements here.
|
chadwhitacre
force-pushed
the
redo-throttling
branch
from
a9e1faf
to
649da48
Compare
Persist email messages
chadwhitacre
force-pushed
the
redo-throttling
branch
from
649da48
to
55e5d5d
Compare
chadwhitacre
force-pushed
the
redo-throttling
branch
from
55e5d5d
to
730806f
Compare
|
Alright this is a mess. First of all the email listing should be styled like our other listings (homepage, search page, social profiles, etc.).
|
|
And after this PR we don't even want UI to add another email address when there is a pending verification. |
|
But how does this interact with bulk npm claiming? We shouldn't allow interaction there either if the user has a pending verification. |
|
But of course we need to protect against multiple verifications in the Python/API layer and not just in the JavaScript/UI. |
|
And what about the case where someone legitimately enters a wrong address? They shouldn't be able to remove pending verifications either (UI and API). That's bound to generate some confusion. "I entered the wrong email and now I can't remove it or submit my correct email." It'll have to be a support request with an admin intervention to undo their condition. |
|
Are you trying to prevent people from |
|
|
I'm not sure how to understand these as mutually exclusive. Did our recent slack chat (archiving stuck 😞 ) clarify this? |
|
Closing in favor of #4579. |
← Persist email verifications (#4573) — Support queuing emails without participants (#4548) →
Fixes #4557.
Todo