Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implied consent for password reset #241

Open
ashleybroughton opened this issue Aug 2, 2018 · 1 comment
Open

Implied consent for password reset #241

ashleybroughton opened this issue Aug 2, 2018 · 1 comment
Labels
bug Something isn't working

Comments

@ashleybroughton
Copy link
Contributor

Should we remove this check for consent?
https://github.com/csharpfritz/CoreWiki/blob/dev/CoreWiki.Notifications/NotificationService.cs#L89-L92

It not only doesn't stop processing after the consent check fails, but if a user requested a password reset, isn't consent implied?

If it's the case of a malicious user requesting password resets, the end user probably wants to know about that.

Perhaps we should implement rate limiting for reset requests.

@erwindevreugd
Copy link
Contributor

The log string is definitely wrong and the func parameter name could be better. The idea was that you would pass in a function that would evaluate whether or not the email could be sent. For generic emails this would check the cannotify/emailvalidated values. For any essential emails (ie password reset) the idea was that this would always return true, but your suggestion about rate limiting would make sense here. Since this class needed to be uncoupled from the CoreWiki project we cannot directly access the database for this.

@csharpfritz csharpfritz added the bug Something isn't working label Aug 18, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

3 participants