- Affected App
- WoltLab Suite Forum
When you mention someone, the link that is created includes your token key.
The problem is when someone follow the link he is logged on the first user's account (because of the token). Therefore, the second user have all rights of the first (if he his an administrator, you imagine the disaster...)
So I think you should considered an account as connected only if he has a SESSION variable and that the token is OK with the session.