
launchpad-dev team mailing list archive

Re: Fwd: [Fwd: Quickly and Launchpad]

 

On 25 June 2010 21:54, Robert Collins <robert.collins@xxxxxxxxxxxxx> wrote:
> I like the idea of sending emails when important account settings are
> changed: it helps with:
>  - cross site attacks
>  - APIs that permit changing such settings
>  - screen scraping via embedded browser instances
>
> and possibly more.
>
> It's also nonintrusive and straightforward, and we could include a
> confirmation token in the email people get sent too, if we felt that's
> needed.

Yes, I think sending email to the old/most trusted address is the best
practice here.

Adding a confirmation click (and I note your "if") does somewhat get
in the way of doing things, well, quickly.  I think generally the rule
should be that we require it for API changes when we require it for
changes through the web interface.

-- 
Martin
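
An added example, not part of the original messages or of Launchpad's code: a sketch of the policy discussed in this thread, where the notice goes to the old/most trusted address and the confirmation requirement is keyed by setting, so web and API requests are treated the same. `Account`, `CONFIRM_REQUIRED`, `request_change`, `confirm` and the sample values are hypothetical names chosen for illustration.

```python
import hmac
import secrets

# Hypothetical policy table: setting name -> is a confirmation click required?
# Keyed by setting only, so a change via the API gets the same rule as the web UI.
CONFIRM_REQUIRED = {"email": True, "display_name": False}


class Account:
    def __init__(self, trusted_email):
        self.trusted_email = trusted_email  # old / most trusted address
        self.settings = {"email": trusted_email, "display_name": ""}
        self.pending = {}  # confirmation token -> (setting, new value)


def request_change(account, setting, value, channel, outbox):
    """Handle a change arriving via channel 'web' or 'api'.

    Returns a confirmation token when the change is held, otherwise None.
    outbox is a list standing in for the mail queue: (recipient, body) tuples.
    """
    if setting not in CONFIRM_REQUIRED:
        raise KeyError(setting)
    # Read the recipient before anything changes: the notice must reach the
    # existing owner of the account, never the newly supplied address.
    notify_to = account.trusted_email
    if CONFIRM_REQUIRED[setting]:
        token = secrets.token_urlsafe(32)
        account.pending[token] = (setting, value)
        outbox.append((notify_to, f"Confirm {setting} change requested via {channel}: {token}"))
        return token
    account.settings[setting] = value
    outbox.append((notify_to, f"{setting} was changed via {channel}"))
    return None


def confirm(account, token):
    """Apply a held change if the token matches; each token is single use."""
    for known in list(account.pending):
        if hmac.compare_digest(known, token):  # constant-time comparison
            setting, value = account.pending.pop(known)
            account.settings[setting] = value
            return True
    return False
```
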


