Hi,

I just sealed the hole by disabling the duplicated email :) Yes...the email account backward-compatibility should be rethought.

@Rimas, would you help to try out whether any methods can do the bad thing again? I need to make sure the current secure level takes effect.

Best wishes,
Yifan

>>> Yi Fan Jiang 10/11/12 6:18 PM >>>
Hi Rimas,

Ouch...great catch!! I'll definitely look into it.

Best wishes,
Yifan

>>> Rimas Kudelis <r...@akl.lt> 10/11/12 6:08 PM >>>
Hi Yifan!

2012.10.11 12:43, Yi Fan Jiang wrote:
> I have brought OpenID to Moztrap this week, the following is the test
> page for login:
>
> http://vm12.documentfoundation.org/openid/login/

That's awesome!

> I will update the main login page to add openid support next weekend
> if no critical issue is found.
>
> Functions currently supported (testing required)
> ================================================
>
> * Based on EMAIL address, native login/Mozilla Persona/OpenID are all
> mapped to the same user in Moztrap now, so they should work together
> seamlessly. The details are as follows.
>
> - If you have a native registered moztrap user or ever used Mozilla
> Persona to login, and your openid provides an exact same EMAIL of such
> an account, the original user and openid user will be treated exactly
> identical.
>
> Actually you should feel nothing changed except inputting password is no
> longer needed :)

Great! Except here's a critical issue for you: I have just managed to log on to MozTrap as you!!! Here's the proof: http://i.imgur.com/eF0Cl.png .

In case you're wondering how I did this: I logged on to my weblog, set my email in my profile to yfji...@suse.com, and used its OpenID provider to log in to the test website. Since I don't need to prove to my weblog or the demo site that the email is indeed mine, I basically have full control over MozTrap now.

So, not a good thing. This needs some rethinking. Most obvious option would be to use the OpenID URL (or whatever it is that OpenID provides as the identifier) as id when logging in using OpenID. This would also have a nice "side effect" that the user could change their primary email, and still be able to log in with the same user id and permissions.

Regards!
Rimas
_______________________________________________
List Name: Libreoffice-qa mailing list
Mail address: Libreoffice-qa@lists.freedesktop.org
Change settings: http://lists.freedesktop.org/mailman/listinfo/libreoffice-qa
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://lists.freedesktop.org/archives/libreoffice-qa/
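The account-mapping choice discussed in this thread, as an added example (not MozTrap's code and not posted by anyone in the thread): the same login resolved once by the e-mail the provider asserts and once by the OpenID claimed identifier. The `User`, `AccountStore` and resolver names, and all addresses and URLs, are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    email: str
    openids: set = field(default_factory=set)  # claimed identifiers linked by the owner


class AccountStore:
    def __init__(self):
        self.users = []

    def add(self, user):
        self.users.append(user)
        return user

    def by_email(self, email):
        return next((u for u in self.users if u.email.lower() == email.lower()), None)

    def by_openid(self, claimed_id):
        return next((u for u in self.users if claimed_id in u.openids), None)


def resolve_by_email(store, claimed_id, asserted_email):
    # Mapping described in the thread: the provider's e-mail attribute selects
    # the account, although nobody verified that the address belongs to the user.
    return store.by_email(asserted_email)


def resolve_by_claimed_id(store, claimed_id, asserted_email):
    # Mapping suggested in the thread: the claimed identifier is the key.
    # The asserted e-mail is unverified, so it is never used for lookup and a
    # first login creates a separate, unprivileged account without adopting it.
    user = store.by_openid(claimed_id)
    if user is None:
        user = store.add(User(username=claimed_id, email="", openids={claimed_id}))
    return user


def demo():
    store = AccountStore()
    store.add(User("admin", "admin@example.org"))            # constructed native account
    foreign_id = "https://blog.example.net/openid/someone"   # constructed identifier
    by_mail = resolve_by_email(store, foreign_id, "admin@example.org")
    by_id = resolve_by_claimed_id(store, foreign_id, "admin@example.org")
    return by_mail.username, by_id.username


if __name__ == "__main__":
    print(demo())
```

Linking an OpenID to an existing native account would then be an explicit step performed while logged in to that account, which is what populates `openids`.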