Notification if Account Request is a Duplicate
I have a number of people who only upload a file once, maybe twice a year. They often don't remember their login or don't realize they made one last year. They then either don't see or can't be bothered to reset their password and simply request a new account, frequently using the same login name that they already have. I then go in (also, not knowing they already have an account) to approve the account. Then I get two messages pop up in the corner, one that tells me the account already exists and one that tells me that an email has been sent to the requestor.
I'd like to request that the system not allow a user to request a user name that already exists.
or
I'd like to request that the system notify me as I'm looking at the request that it is a duplicate request and not let me approve it.
These would also fix the issue where the system sends the "Approved" email but actually doesn't approve the new login - so if that person tries to log in with their new account's password, it won't work because Cerberus still has the old password.
I do not want it to automatically update the password :)
Thanks for listening.
Steve
Hey Steve,
Thank you very much for the feedback. I can understand your frustration. Notifying someone that a username exists is not done because it isn't a good idea to inform a potential attacker of a username. Just to be sure that I fully understand your request, are you saying that it allows you to add a user with the same username as another user when you click "Accept request"? When you try to approve a user account request with a username that already exists, you should receive an error. Are you not seeing this error?
I totally get the reason you don't do the "username already exists". I knew it was a bad idea as I wrote it and I'm frequently pleased at your handling of security. It was a test? Yeah. I'll go with that.
I did see the error - but also a notification that it sent the email to the requestor ...ok denying ... the account.
I did not realize that the "Success" of an email being sent is actually sending a "Denied" message even though I hit Approve. Anyway, what I'd like to see is something like this when I go to approve the account rather than a notification after. That way I can look up the existing account and call the person directly. If it linked to the existing user (because I want to use that phone number not the one in the new request) that'd be even better.

This is, of course, just a minor inconvenience now that I know it's actually sending a Denied email.
Steve
Thanks for the additional information, Steve. These conversations are great, and really help us and the rest of the community brainstorm on ways to improve the product. I can take this feedback to our product management team and see if there is anything we can do to notify admins sooner that an account exists already. If you have any other feedback, please feel free to share it!