This repository has been archived by the owner on Apr 28, 2020. It is now read-only.
Locked status for UserEmail and UserPhone #224
Milestone
Comments
|
Locking should be a client app concern, ideally in the primary app (Funnel or Hasjob). Closing this ticket. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
UserEmailandUserPhoneare considered verified data, in that the record exists only if there is a verified link to a user (related: #178). This verification is used to prevent a competingUserEmailClaimorUserPhoneClaimfrom being created.However, email claims are still possible in Hasjob (new job post) and Boxoffice (new order or assignee), as those apps prioritise documents over user principals (see #220). This can be a nuisance for a user who is the target of abuse, or who happens to have a common name email address that others mistakenly assume is theirs (as happens often to @kushaldas).
UserEmailandUserPhoneshould have an optional flag namedlockedthat prevents such email claims from being created unless the user is logged in.There is a related but distinct issue with unwanted email/SMSes to someone who has no interest in creating an account, much less locking it. A solution is briefly discussed in hasgeek/listman#8 but merits a separate ticket.
Caveats:
What happens if there is a hard bounce of email? If the record is removed as per Removing emails from accounts #135 and Remove email on hard bounce #160, the locked status goes away as well. There is no equivalent workflow for hard bounce of SMS, unfortunately, as phones are by definition only intermittently reachable.
Does the locked status apply for password reset/account recovery emails? Refusing to send an email/SMS may totally lock the user out. Perhaps this should be an account-level lock (2FA, security questions, etc) instead of an email/phone lock.
The text was updated successfully, but these errors were encountered: