Different userURL still shows the form

[sebsel]

In my testing, when I used a different userURL, the form seems to accept it. Of course, the password will not match etc, so there will be no signed code, but maybe we can display the username, or, since we only support one, check for a valid one before showing the form?

After thinking about it: maybe we should not give away that information? The genuine user will not be in this situation, only when people will fiddle with the params.

On the other hand: what happens with https vs http / if the user changes his URL?

[Zegnat]

[…] maybe we can display the username, or, since we only support one, check for a valid one before showing the form?

I would be tempted to just throw an error for an invalid me parameter when it doesn’t match the user’s expected URL. Maybe extend the check for “is it a valid URL” to “is it the URL we expect”?