Post in Admin Modification of Group Members' Email Addresses
The use-cases in my earlier post http://groupserver.org/r/post/10ivxKPYyOLw1VIkFgngAN are all based on typical requests, relating to email addresses, that we get at <email obscured>. In summary we have:

1. Adding an email address, because the old address is bouncing (and is now unverified),
2. Altering a user's message-delivery settings,
3. Correcting an incorrect (unverified) email address, and
4. Reverifying a message that has become unverified because of a temporary situation.

(I am quite surprised that they can be pared down to those four, but there you have it.)

The nice thing about three of the use-cases (1, 3 and 4) is they all deal with unverified email addresses! I propose the following rules for editing email addresses.

* A group administrator or site administrator can only alter a member's global email settings if — and only if — the member has *no* verified email addresses. All an administrator can do is
  - Add a new address, and
  - Send out a verification message for an unverified address.

  This rule will allow the administrator to carry out use-cases 1, 3 and 4, but prevent account hijacking.

* A group administrator can alter the *delivery* settings of any member of the group that he or she administers. This rule should allow the administrator to carry out use-case 2.

I cannot see any huge security holes in this proposal. Can anyone else? Have I left any use-cases out?
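The two rules proposed in the post above, written as a single authorization check. This is an added example, not part of the original post and not GroupServer code; `Action`, `Member`, `Admin` and `admin_may` are hypothetical names, and it assumes a group administrator must administer a group the member belongs to.

```python
from dataclasses import dataclass, field
from enum import Enum

class Action(Enum):
    ADD_ADDRESS = 1
    SEND_VERIFICATION = 2
    REMOVE_ADDRESS = 3
    SET_DELIVERY = 4

@dataclass
class Member:
    addresses: dict = field(default_factory=dict)  # address -> verified?
    groups: set = field(default_factory=set)

@dataclass
class Admin:
    site_admin: bool = False
    groups: set = field(default_factory=set)  # groups this person administers

def admin_may(admin, member, action, group=None, address=None):
    """Return True if the proposed rules let `admin` perform `action`."""
    if action is Action.SET_DELIVERY:
        # Second rule: per-group delivery settings, group administrators only
        # (the post names only group administrators for this rule).
        return group in admin.groups and group in member.groups
    # Assumption: a group admin must share a group with the member.
    if not (admin.site_admin or admin.groups & member.groups):
        return False
    # First rule: global settings are locked once any address is verified,
    # which is what stops an administrator hijacking a working account.
    if any(member.addresses.values()):
        return False
    if action is Action.ADD_ADDRESS:
        return address is not None and address not in member.addresses
    if action is Action.SEND_VERIFICATION:
        # Only for an address the member already has, and only if unverified.
        return member.addresses.get(address) is False
    return False  # anything else (e.g. removing an address) is denied

if __name__ == "__main__":
    # Constructed sample data: one bouncing member, one healthy member.
    bouncing = Member({"old@example.com": False}, {"dev"})
    healthy = Member({"a@example.com": True}, {"dev"})
    dev_admin = Admin(groups={"dev"})
    for m in (bouncing, healthy):
        print(admin_may(dev_admin, m, Action.ADD_ADDRESS, address="new@example.com"))
```
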