I just want to point out that finding records via an email address and no-password for the current session seems like a huge security flaw. You are relying on Facebook or another omniauth provider to verify email addresses, and although they probably do a good job, it's out of your hands. All a user would have to do to gain access to someone else's account on your website would be to change their email address on Facebook to the desired email that they wanted access to. Much better to retrieve user accounts via their uid and provider...
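The two lookups contrasted in the issue, side by side, as an added example (not code from the project or the issue author). The in-memory `UserStore`, the `sample_auth` helper and all sample values are assumptions made for illustration; the hashes only mimic the `provider`, `uid` and `info.email` fields of an OmniAuth auth hash.

```ruby
# Constructed in-memory stand-in for a users table (hypothetical, not a real ORM).
User = Struct.new(:id, :email, :provider, :uid)

class UserStore
  def initialize
    @users = []
  end

  def create(email:, provider:, uid:)
    user = User.new(@users.size + 1, email, provider, uid)
    @users << user
    user
  end

  # Lookup the issue warns about: the session is tied to whatever
  # email address the provider currently reports.
  def find_by_email(auth)
    reported = auth[:info][:email].to_s.downcase
    @users.find { |u| u.email.downcase == reported }
  end

  # Lookup the issue recommends: key on the provider name plus the
  # provider's identifier for the account; email is only profile data.
  def find_by_identity(auth)
    @users.find { |u| u.provider == auth[:provider] && u.uid == auth[:uid] }
  end
end

# Constructed hash shaped like an OmniAuth auth hash (sample values only).
def sample_auth(uid, email)
  { provider: "facebook", uid: uid, info: { email: email } }
end

def demo
  store = UserStore.new
  store.create(email: "alice@example.com", provider: "facebook", uid: "1001")

  # A different provider account (uid 2002) that reports the same email.
  other_account = sample_auth("2002", "alice@example.com")
  # The original account (uid 1001) after its owner changed email.
  owner_new_email = sample_auth("1001", "alice.new@example.com")

  {
    email_lookup_other: store.find_by_email(other_account)&.id,
    identity_lookup_other: store.find_by_identity(other_account)&.id,
    identity_lookup_owner: store.find_by_identity(owner_new_email)&.id
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The email lookup resolves the second provider account to the existing user, while the `provider` + `uid` lookup rejects it and still finds the owner after an email change.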