slyapustin / django-classified

Django Classified
https://github.com/slyapustin/django-classified-demo
MIT License

Problems with social_auth in demo project #50

Closed typonaut closed 4 years ago

typonaut commented 4 years ago

social_auth, as configured in the demo project, appears to have a huge security hole in it.

Once you have verified a new user with a URL link (user verified via email address, not social media), anyone using the email address of that user can log in to their account using any password.

I've checked this a number of times using different browsers (to ensure it wasn't a cookie issue) and deleting the project database and setting up from scratch.

typonaut commented 4 years ago

Confirmed this with the herokuapp hosted online demo, as well as my locally running app.

slyapustin commented 4 years ago

Thanks, I'll update the demo project. Closing this issue as it's not related to the Django-classified itself.