Verify identity before automatically associating the last/currently logged in user with an invitation (BB-7733)

Issue #5523 closed
created an issue

Dear Bitbucket team,

Feature / Enhancement request: Please add a step to verify identity before automatically associating the last/currently logged in user with an invitation for a new team or a new repository.

Motivation: Many users accept invitations received by email without noticing that they are already logged into Bitbucket with a different username. Typically, they have an active login in some other tab in their browser. This is a very easy mistake to make, and the consequence is that the associations become incorrect.

When used for private/confidential information, the current behavior is more or less a show stopper.

Best regards, Viktor

Comments (13)

  1. Simula reporter

    Dear Marcus, Not sure why you marked this as minor. The feedback we've gotten from people here is that this is really important, almost a show stopper for private/confidential information. I've also experienced it myself, accepting an invitation received in email while accidentally being logged into Bitbucket with another user account in another tab. The association then becomes incorrect. While cleaning up the mess, someone might have access to information that they should not have. If there is another way to avoid this from happening, please clarify.

  2. Dylan Etkin

    Hi simula,

    When you click the link from your email and you are already logged into Bitbucket it does not automatically accept the invitation.

    There is a button 'Accept' which you must click. That is the pause so you can see if you are logged in with the account you would like.

    How do you suggest we enforce that the email sent out was for one and not another of a user's accounts?

    The reason it behaves the way it does is so that if you have multiple email addresses and a single BB account then you can still accept the invite.



  3. Simula reporter

    That's right, there is a button 'Accept' that must be clicked. Unless you have added a different avatar image/picture for each of your accounts, there is no visible information about which account you are currently logged into. It is easy to just click "Accept".

    In the "accept page" there is information about who sent the invitation. What's missing is more explicit information, instead of just "invited you". Would it be possible to make the information about "you" directly visible? Consider making the following directly visible: the account name and (maybe also) the email address that was used in the invitation.
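
One way to reconcile the two positions in this thread, as an added example that is not Bitbucket's code and not part of any comment above: accept directly when the invited address is verified on the logged-in account (so one account with several addresses still works), and otherwise name both the account and the invited address and ask for explicit confirmation. The `Account` and `Invitation` models, the `evaluate` function and all sample values are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Decision(Enum):
    ACCEPT = "accept"    # invited address is verified on the session account
    CONFIRM = "confirm"  # mismatch: name account and address, ask explicitly
    LOGIN = "login"      # no session: authenticate before anything is bound

@dataclass(frozen=True)
class Account:           # hypothetical model of a logged-in account
    username: str
    verified_emails: frozenset

@dataclass(frozen=True)
class Invitation:        # hypothetical model of an emailed invitation
    invited_email: str
    target: str          # team or repository the invitation grants access to

def _norm(email: str) -> str:
    # Simplification (assumption): addresses are compared case-insensitively.
    return email.strip().lower()

def evaluate(invite: Invitation, session: Optional[Account]):
    """Return (Decision, text to show on the accept page)."""
    if session is None:
        return Decision.LOGIN, (
            f"Log in to accept the invitation sent to {invite.invited_email}.")
    who = f"You are logged in as '{session.username}'."
    owned = {_norm(e) for e in session.verified_emails}
    if _norm(invite.invited_email) in owned:
        return Decision.ACCEPT, f"{who} Accept access to {invite.target}?"
    # Session account does not own the invited address: make "you" explicit.
    return Decision.CONFIRM, (
        f"{who} This invitation was sent to {invite.invited_email}, which is "
        f"not a verified address on this account. Switch account, or confirm "
        f"to grant '{session.username}' access to {invite.target}.")

# Constructed sample data: one person with two accounts.
work = Account("alice-work", frozenset({"alice@corp.example", "a.l@corp.example"}))
home = Account("alice-home", frozenset({"alice@home.example"}))
invite = Invitation("A.L@corp.example", "team/confidential-repo")

if __name__ == "__main__":
    for acct in (work, home, None):
        decision, message = evaluate(invite, acct)
        print(decision.value, "|", message)
```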
