Add interface to submit profile merge requests
feedback-oct-2025/issue1
In the context of automating common support requests, it would be good to add forms/pages where people can submit a profile merge request, or actually perform a profile merge themselves when the user can verify ownership of both profiles.

Challenges/solutions
Merge requests may only be performed by the submitter when we are sure he/she is the owner of the identity represented by both profiles
- Generate a unique and expiring email verification link, sent to the email addresses of the targeted profiles for which the submitter is not logged in
- Generate and send 2 email verification links when there is no user account, or when the submitter is not a logged in user
- Verification links are not needed for accounts for which the submitter can log in successfully
Prevent merge request spam (identity owner receiving merge request emails repeatedly)
- Require Captcha for both logged in and not logged in users
- Limit number of non-expired merge requests for the same profile
For cases where ownership cannot be verified (e.g. no access to old email anymore), the merge request should be reviewed by the system administrators
- As always, we should be careful when reviewing and accepting merge requests because of social engineering
Detect duplicate accounts and suggest merging to profile owner.
- When a person logs in or displays his/her profile, check for possible duplicate accounts and present merge wizard
- A duplicate profile often has a key (id) that is a prefix of the other key.
- Don’t ask again when the user refuses to merge (e.g. in case of false positive)
From the account (logged in user), the user can instantiate a new merge request by entering the key or URL of the secondary profile to be merged into their account.
When this resolves to another identity successfully, send out the merge-verification-email to all of the email addresses of the secondary identity.
The verification email has a “secret” link to open the merge-wizard-page (expires in 12h). To access the merge-wizard-page, one needs to log in (or already be logged in) with the user account of the main account of the merge request (we should not expose these details).
When logged in, the submitter has the following controls:
- which general profile to select (this also controls the duplicate conf specific profiles to choose), show preview of these profiles
Submitted by Elmer van Chastelet on 29 November 2018 at 09:15
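A sketch of the expiring verification link and the cap on non-expired requests per profile described above, added here as an example and not taken from the project's code. The class and method names, the in-memory store, the `MAX_PENDING` value and the single-use behaviour are assumptions; only the 12-hour expiry and the login requirement come from the issue.

```python
import hashlib
import secrets
from datetime import timedelta

TOKEN_TTL = timedelta(hours=12)  # expiry stated in the issue
MAX_PENDING = 3                  # assumed cap; the issue gives no number


class MergeRequests:
    """In-memory stand-in for a merge-request table (hypothetical)."""

    def __init__(self):
        self._by_hash = {}  # sha256(token) -> (main_key, secondary_key, expires)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _pending(self, secondary_key, now):
        return sum(1 for _, sec, exp in self._by_hash.values()
                   if sec == secondary_key and exp > now)

    def issue(self, main_key, secondary_key, now):
        """Return the secret for the emailed link, or None when refused."""
        if main_key == secondary_key:
            return None
        if self._pending(secondary_key, now) >= MAX_PENDING:
            return None  # owner already has enough unexpired merge emails
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Only the digest is stored, so a database leak yields no usable links.
        self._by_hash[self._digest(token)] = (main_key, secondary_key, now + TOKEN_TTL)
        return token

    def redeem(self, token, logged_in_key, now):
        """Return the secondary key if the link is valid for this session."""
        digest = self._digest(token)
        entry = self._by_hash.get(digest)
        if entry is None:
            return None
        main_key, secondary_key, expires = entry
        if now >= expires:
            del self._by_hash[digest]  # purge expired links
            return None
        if logged_in_key != main_key:
            return None  # wrong account: reveal nothing, keep the link valid
        del self._by_hash[digest]  # single use (assumption, not in the issue)
        return secondary_key
```

A failed `redeem` returns the same `None` for unknown, expired and wrong-account links, so the response does not reveal which profiles a link refers to.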