Change email confirmation does not work as intended #289
Comments
Yeah, I think it should ask for approval before making such critical changes 👍
The problem with that is that many kids lose access to their old mail over time. Emails can be re-assigned to new owners upon inactivity or deletion, that's a real thing. So you would prevent these people from regaining access. I would recommend the following best practice method:
Please note that in order to change a mail:
Greetings,
I have enabled 'RequireChangeConfirm' in application.php
However, it doesn't send the confirmation email to the old email address in order to approve the changes; instead it sends it to the new email.
I'm not sure if it is supposed to send the confirmation email to the new one, but it shouldn't do this.
Let's imagine this scenario: Let's say someone knows my account credentials, they log in to my account in the Control Panel, and decide to steal my account by changing the email address. They can easily do that by simply filling in and submitting the form in /?module=account&action=changemail
My idea is: Before changing the email address, a confirmation link is sent to the old/current email address to review and approve the changes. If the account holder decides to decline the changes, then it cancels the operation and denies the changes, and vice versa.
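The flow proposed in the issue, sketched as an added example (not part of the original issue and not FluxCP code): the change stays pending until a single-use approve or decline token, mailed to the current address, is presented. The function names, the array-backed stores, the one-hour lifetime and the sample account are assumptions; recovery for owners who no longer control the old mailbox is out of scope here.

```php
<?php
// Hypothetical helpers. $pending and $accounts stand in for database tables;
// mailing the two links to the CURRENT address is left to the caller.
const CHANGE_TTL = 3600; // assumed lifetime of a pending change, in seconds

/** Record a pending change and return the raw tokens for the two links. */
function requestEmailChange(array &$pending, int $accountId, string $newEmail, int $now): array
{
    $tokens = ['approve' => bin2hex(random_bytes(32)), 'decline' => bin2hex(random_bytes(32))];
    // Store only hashes, so a leaked table cannot be replayed as an approval.
    $pending[$accountId] = [
        'new_email' => $newEmail,
        'expires'   => $now + CHANGE_TTL,
        'approve'   => hash('sha256', $tokens['approve']),
        'decline'   => hash('sha256', $tokens['decline']),
    ];
    return $tokens; // the account's email is untouched until approval
}

/** Apply or cancel a pending change: approved|declined|expired|invalid. */
function resolveEmailChange(array &$pending, array &$accounts, int $accountId, string $token, int $now): string
{
    $row = $pending[$accountId] ?? null;
    if ($row === null) {
        return 'invalid';
    }
    $hash = hash('sha256', $token);
    // hash_equals() compares in constant time.
    $action = hash_equals($row['approve'], $hash) ? 'approve'
            : (hash_equals($row['decline'], $hash) ? 'decline' : null);
    if ($action === null) {
        return 'invalid'; // a wrong token leaves the request pending
    }
    unset($pending[$accountId]); // single use: either link consumes the request
    if ($now > $row['expires']) {
        return 'expired';
    }
    if ($action === 'approve') {
        $accounts[$accountId]['email'] = $row['new_email'];
        return 'approved';
    }
    return 'declined';
}

// Constructed sample data: the owner declines a change they did not request.
$accounts = [2000001 => ['email' => 'owner@example.com']];
$pending = [];
$t = requestEmailChange($pending, 2000001, 'new@example.net', 1700000000);
echo resolveEmailChange($pending, $accounts, 2000001, $t['decline'], 1700000100), "\n";
echo $accounts[2000001]['email'], "\n";
```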