A user can claim any address, and even if they don't verify it, that still blocks someone else from trying to claim it. This can be fixed in auth.py like this:
- if M.EmailAddress.query.get(_id=new_addr['addr']): + if M.EmailAddress.query.get(_id=new_addr['addr'], confirmed=True):
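Review bot: adding `confirmed=True` to the `M.EmailAddress.query.get(...)` check only moves the problem, because the lookup is still keyed on `_id=new_addr['addr']` alone. Another user's unconfirmed claim no longer blocks the new claim, but nothing in this line ties the claim to the user making it, which fits the "Unknown addr obj" symptom described below. Suggest scoping pending claims per user (or replacing the stale unconfirmed record at this point), and having the verification step drop other users' pending claims on the same address once one is confirmed, so an unverified claim cannot end up attached to the wrong account.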
However, this leads to another problem if multiple users have the same email address claimed (but not verified): one user sees a "verify" link, but the other sees "Unknown addr obj firstname.lastname@example.org" on the preferences page.
There probably are more issues when it gets to verification, too.