• r

    rp

    9 months ago
    Idk if it's obvious. But I could sign up with any email even if the invite wasn't sent to that email, and then get added to the invitee's "team" (or whatever structure in the app). So it's a bit weird for sure.
  • i

    infrequent_emu

    9 months ago
    eh... that one relies on the email getting broken into, so it's basically the same as making an account and changing the email of the account
  • r

    rp

    9 months ago
    Yea. But a secure system would allow that only if the new email can be veriried
  • r

    rp

    9 months ago
    verified*
  • r

    rp

    9 months ago
    via an OTP or link sent to it
  • i

    infrequent_emu

    9 months ago
    so let's say that you are dumb and you allow anyone to register their active directory as an identity backend. I register mine and make an account on it for newEngineersName@supertokens.io and ask to be added to your internal groups
  • r

    rp

    9 months ago
    Yea. That would be terrible.
  • i

    infrequent_emu

    9 months ago
    or fun, depending on which side you are on
  • r

    rp

    9 months ago
    haha..
  • r

    rp

    9 months ago
    Talking about the invite system, when we do make one, I don't think we would allow a user to sign up with a diff email than what was used to generate the invite link. If someone really wants to do that, they could ask the invitee to generate a new link to the desired email address.