Email verification workflow does not check for email doublet

User signs up with email verification and, instead of entering the code to verify, the user changes the email address again. Here the new email address is not checked and the user is able to enter an email address from another user which is already in the system. When entering the new code, the workflow goes into an endless loop. I suggest making the same checks at this level of the sign up process as when entering the email address for the first time.

Hello @MartinSeeger

Not sure I follow. Could you please elaborate a bit more with screenshots perhaps?

Are you asking for guidance or are you sharing a fix that you applied and are pointing it out to the Canvas team for improvement on the default logic?

Hello Carlos,

I suggest that the Canvas team should improve this, because it is security sensitive. I guess it is not a big deal but important to do.

So during sign up a user has the opportunity to resend the verification code per email. And in this situation the user is able to change the email address again. But this time the email address is not checked again. Therefore, if this email is already in use by someone else, a problem will arise. In fact, when the user inputs the code which was sent to the new email address, the application resides in an endless loop.

I hope this clarifies it.

Best,
Martin
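
One way to apply the suggestion in this thread, as an added sketch that is not Canvas code and not part of the original posts: the email-change step reuses the same availability check as the first sign-up step, and the check runs once more when the code is verified, so a duplicate ends in a definite error. All class, method and address names are hypothetical.

```python
import secrets


class EmailInUse(Exception):
    """Raised when the address already belongs to a verified account."""


class SignupService:
    def __init__(self, registered):
        self.registered = {e.strip().lower() for e in registered}
        self.pending = {}  # signup_id -> {"email": ..., "code": ...}

    def _check_available(self, email):
        email = email.strip().lower()  # compare case-insensitively
        if email in self.registered:
            raise EmailInUse(email)
        return email

    def _issue_code(self, signup_id, email):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[signup_id] = {"email": email, "code": code}
        return code  # a real system would email this, not return it

    def start(self, signup_id, email):
        return self._issue_code(signup_id, self._check_available(email))

    def change_email_unchecked(self, signup_id, new_email):
        # Behaviour reported in the thread: the resend step accepts a new
        # address without repeating the uniqueness check.
        return self._issue_code(signup_id, new_email.strip().lower())

    def change_email(self, signup_id, new_email):
        # Suggested behaviour: same check as the first entry of the address.
        return self._issue_code(signup_id, self._check_available(new_email))

    def verify(self, signup_id, code):
        entry = self.pending.get(signup_id)
        if entry is None or not secrets.compare_digest(entry["code"], code):
            return False
        # Re-check at commit time: the address may have been registered by
        # someone else while this sign-up was pending.
        email = self._check_available(entry["email"])
        self.registered.add(email)
        del self.pending[signup_id]
        return True
```

With the unchecked step, the duplicate address is only caught in `verify`, which raises `EmailInUse` instead of looping; with `change_email` it is rejected before a code is ever sent.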