laravel / fortify

Backend controllers and scaffolding for Laravel authentication.
https://laravel.com/docs/fortify
MIT License

Email verification link unauthorized if someone (else) is logged in #256

Closed telkins closed 3 years ago

telkins commented 3 years ago

Description:

Not sure if this is an error or, if it is, how big of a deal it is, but I noticed while testing email verification that if I click on the link in the mail and it opens up the app where a different user is logged in, then I'm met with an "unauthorized" response.

Perhaps this is intended, too...I'm just not sure. I can imagine arguments supporting either way.

Steps To Reproduce:

1. Create a basic Laravel app with auth scaffolding and email verification enabled.
2. Register two users.
3. Verify email for one of them.
4. Remain logged in as the email-verified user.
5. Follow the verify-email link for the unverified user.

Unauthorized.

Again, I'm not sure if it's really an issue, and even if it is, I'm sure it's not happening too often "in the wild", but I thought I'd bring it up. 🤓

Let me know if I can help...

driesvints commented 3 years ago

This is intended. You're expected to be logged in as the correct user.
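
The behaviour discussed in this thread follows from the verification link being bound to the current session rather than acting as a stand-alone token. The sketch below is an added example, not part of the original thread and not Fortify's code: it models the comparison Laravel's email verification request performs (the route's `id` and `hash` against the authenticated user), uses hypothetical function names and constructed users, and leaves out the URL signature check.

```php
<?php
// Added illustration, not Fortify's source. Function names are hypothetical.

// Constructed sample users (id => email).
$users = [1 => 'verified@example.test', 2 => 'unverified@example.test'];

// The {id} and {hash} route parameters a verification link carries.
function linkFor(int $id, string $email): array
{
    return ['id' => (string) $id, 'hash' => sha1($email)];
}

// Returns the HTTP status the request would end with in this model.
function authorizeVerification(?int $sessionUserId, array $users, array $link): int
{
    if ($sessionUserId === null || !isset($users[$sessionUserId])) {
        return 401; // assumption: guests are stopped before this check runs
    }
    // The link must name the user who owns the current session...
    if (!hash_equals((string) $sessionUserId, (string) $link['id'])) {
        return 403;
    }
    // ...and carry the hash of that same user's email address.
    if (!hash_equals(sha1($users[$sessionUserId]), (string) $link['hash'])) {
        return 403;
    }
    return 200; // authorized: the email can be marked as verified
}

$linkForUser2 = linkFor(2, $users[2]);

$cases = [
    'user 2 opens own link'          => [2, $linkForUser2],
    'user 1 logged in, user 2 link'  => [1, $linkForUser2],
    'user 2 logged in, hash altered' => [2, ['id' => '2', 'hash' => sha1('other@example.test')]],
    'nobody logged in'               => [null, $linkForUser2],
];

foreach ($cases as $label => [$sessionUserId, $link]) {
    printf("%-32s => %d\n", $label, authorizeVerification($sessionUserId, $users, $link));
}
```

The second case is the one reported in the issue: a valid link for user 2 is rejected because the session belongs to user 1.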