Anyone can accept a share, not just the invited user
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Ubuntu One Servers | New | Undecided | Unassigned | |
Bug Description
I received a share invitation for a folder in Ubuntu One, in my registered email (of course :)), and just followed the link. After accepting the share, which specifically said that it was shared with me, I realized the logged-in user wasn't me.
I'd expect to have a small check if the current logged-in user is not the invited user, so it would fail with a forbidden (like Google) or at least ask me if I'm sure of what I'm doing.
Also, the accept share page says that the file was shared with the invited user (me), asking me to check if that was correct and showing me the option to accept it, making me believe I was logged in as such. I mean, I'm not used to checking if I'm the logged-in user every time I decide to do something online. I know it's not usual to have more than one person using SSO on the same machine, but, well, that happened. :)
After a conversation with beuno, he explained that this decision of treating shares as consumable tokens was a design one. But I guess we all agree that's not good, so I'm filing this bug. :)
description: updated
description: updated
affects: ubuntuone-client → ubuntuone-servers
Changed in ubuntuone-servers:
assignee: nobody → Ubuntu One web team (ubuntuone-web)
Changed in ubuntuone-servers:
assignee: Registry Administrators (registry) → nobody
This is actually by design since at the time a share is created this way (to an email) there is no way to know who the user (sharee) is.
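
The check the report asks for, sketched as an added example (not Ubuntu One's code): the sharee's account is unknown when the share is created, but at accept time the logged-in account's verified addresses can be compared with the invited address. `Share`, `User`, `verified_emails` and `accept_share` are hypothetical names, and the assumption is that the SSO account exposes its verified email addresses.

```python
from __future__ import annotations
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Would map to an HTTP 403 response in a web handler."""


@dataclass
class Share:
    token: str                      # opaque value embedded in the invitation link
    folder: str
    invited_email: str              # the only identity known when the share is created
    accepted_by: str | None = None  # set once, when the invitation is consumed


@dataclass
class User:
    username: str
    verified_emails: set[str] = field(default_factory=set)  # assumed to come from SSO


def _norm(email: str) -> str:
    return email.strip().lower()


def accept_share(shares: dict[str, Share], token: str, user: User) -> Share:
    """Consume an invitation only for an account that owns the invited address."""
    share = shares.get(token)
    if share is None:
        raise Forbidden("unknown share token")
    if share.accepted_by is not None:
        raise Forbidden("share already accepted")
    # Possession of the link alone is not enough: bind the token to the invitee.
    if _norm(share.invited_email) not in {_norm(e) for e in user.verified_emails}:
        raise Forbidden("this invitation was sent to a different account")
    share.accepted_by = user.username
    return share


def constructed_shares() -> dict[str, Share]:
    # Constructed sample data, not taken from the bug report.
    return {"tok123": Share("tok123", "Photos", "Invitee@example.com")}
```

A rejected attempt leaves the share unconsumed, so the invited user can still accept it after logging in with the right account.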