- Register at https://legalpad.wikimedia.org/
- Don't verify any email address
- Follow a URL pointing to a Legalpad document, i.e. https://legalpad.wikimedia.org/L1
EXPECTED
Since the user can't access to the Legalpad homepage (a "Must Verify Email" page appears instead) it would be logical not to grant them permissions to sign the document either.
ACTUALLY
Users that haven't verified their email addresses can sign the document.
CONSIDERATION
Following the usual policies in Wikimedia, if possible it would be good to allow view permissions to everybody, anonymous included, so they can browse and read the Legalpad docs. However, only those with verified email address should be able to sign them.