
Security flaw in facebook Wiki Example #1906

bguest opened this Issue · 2 comments

2 participants


I just want to point out that finding records via an email address and no password for the current session seems like a huge security flaw. You are relying on Facebook or another omniauth provider to verify email addresses, and although they probably do a good job, it's out of your hands. All a user would have to do to gain access to someone else's account on your website would be to change their email address on Facebook to the desired email that they wanted access to. Much better to retrieve user accounts via their uid and provider...
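The lookup the report criticises, next to the provider-plus-uid lookup it recommends, as an added Ruby example; this is not code from the Devise wiki or from either participant. It uses an in-memory `User` struct and a hand-built hash in the shape of an OmniAuth auth hash (`provider`, `uid`, `info.email`) so it runs without Rails or a database; the user records, uids and addresses are constructed for the demonstration.

```ruby
# Added example (not from the Devise wiki or this issue): contrasts finding an
# account by the email an OAuth provider reports with finding it by the
# provider's stable (provider, uid) pair. Everything here is constructed.

User = Struct.new(:id, :email, :provider, :uid)

# Constructed sample of a site's user table; both signed up via Facebook.
USERS = [
  User.new(1, "alice@example.com", "facebook", "1001"),
  User.new(2, "bob@example.com", "facebook", "1002"),
]

# Minimal stand-in for an OmniAuth auth hash.
def auth_hash(provider, uid, email)
  { "provider" => provider, "uid" => uid, "info" => { "email" => email } }
end

# Weak pattern: trust whatever email the provider reports and sign the
# session in as the account that owns that address.
def find_by_email_only(auth, users = USERS)
  users.find { |u| u.email == auth["info"]["email"] }
end

# Hardened lookup: (provider, uid) is assigned by the provider and cannot be
# edited by the account holder, unlike the profile email. An unknown pair
# gets a fresh account rather than being attached to an existing one; linking
# to an existing account would need a separate, explicit flow (for example,
# confirming while already signed in), which is out of scope here.
def find_or_create_by_provider_uid(auth, users = USERS)
  existing = users.find { |u| u.provider == auth["provider"] && u.uid == auth["uid"] }
  return existing if existing

  new_user = User.new(users.map(&:id).max.to_i + 1,
                      auth["info"]["email"], auth["provider"], auth["uid"])
  users << new_user
  new_user
end

# Scenario from the report: a different Facebook account (uid 9999) has its
# profile email set to Alice's address. Works on a copy so USERS is untouched.
def demo
  users = USERS.map(&:dup)
  impostor = auth_hash("facebook", "9999", "alice@example.com")
  {
    email_lookup_user_id: find_by_email_only(impostor, users)&.id,          # 1 (Alice's account)
    uid_lookup_user_id: find_or_create_by_provider_uid(impostor, users).id, # 3 (a new, separate account)
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

`demo` returns `{email_lookup_user_id: 1, uid_lookup_user_id: 3}`: the email-only lookup hands the session to Alice's account, while the uid-based lookup keeps the two identities apart.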


Can you please update the wiki? The wiki is community maintained and sometimes such things pop up. Thanks a lot!

@josevalim josevalim closed this