Open alastairs opened 11 years ago
I'm starting to wonder if this is even desirable behaviour: any fix we put in will surely open the door to account hijack exploits.
Perhaps the fix is to provide a "delete account" option, or perhaps a way of requesting the combination of two accounts so that we can do it ourselves. That would make this a piece of functionality for the admin area rather than for our users.
This basically disappears if we hide the login functionality for everything but those things that require it (i.e. session submission).
Repro
Expected
Actual