Email verification link of a deleted account enables automatic login

[bajiat]

From @saralavanip on January 25, 2017 16:53

Steps

1. Visit https://staging.apinf.io (version 0.39.0)
2. Create account 1 (eg. with email address: test1@test.com)
3. Open email and click on account 1 verification link
4. Visit https://staging.apinf.io
5. Login as admin and delete the above added account
6. Logout
7. Create another account 2 (eg. with email address: test2@test.com)
8. Open email and click on account 2 verification link
9. Repeat step 3

Findings

• Click on email verification link of a deleted account, enables automatic login to the latest active account.
• Displays error message 'Verify email link Expired'

Screenshot

Copied from original issue: Digipalvelutehdas/APIKA#297

[55]

@saralavanip I've tried twice and couldn't reproduce it.
Please, try one more time and let me know if it's still reproducible.
@apinf/developers guys, if somebody can also test it out, will really appreciate it.

[brylie]

I think steps 7 and 8 are not central to this bug report, and can be ignored.

[brylie]

When clicking on an email verification link that has already been used, I get a notification "Verify email link expired":

[bajiat]

If I log out after step 8 and then click the verification link for user 1 (step 9), I'm not logged in, I just get an error message about expired verification email.

If I don't log out after step 8 and click the verification link for user 1, I go to the APInf UI as current logged in user (user 2 the one created in step 7) plus get a message about expired verification message.

@saralavanip Please check what you were actually trying to test.

[marla-singer]

@NNN I think the main idea is in 5 step
Login as admin and delete the above added account