So, currently resending emails is hidden behind magic email expiration and the user landing on the confirmation page. There is also no user feedback on how this works so the user is mostly helpless in getting a new code.

The attached patch provides the ability for users to resend their confirmation code using a new form.

There are a couple of rough edges though. Currently, admin users can only confirm emails, not force confirmation re-sends. Technically they can, just there's no link to the new form.

There is also no throttling on email re-sends. This is actually consistent with D6's password form but... seems less than ideal. Not a show stopper and probably OK in a follow-up since to resend the emails you must be logged in and submit a confirmation form. It's just hardening, not a real abuse of functionality/security issue.

Comments

shawn dearmond

Fixed up the patch some. Try this one out. Also added a link to "resend" the email for admins. Not sure it's optimal, but it does work.

I think this could use some tests too.

shawn dearmond

Status: Needs work » Needs review
Attachment: status new, size 10.43 KB

Okay, here's a patch that includes tests.

neclimdul

Status: Needs review » Reviewed & tested by the community
Attachment: status new, size 9.51 KB

Changed $form['email'] to $form['#email'] in the resend confirmation form and rolled back the translation strings to using url() instead of l() per discussion on IRC and t() documentation.

This looks ready to go for me. Since the only other person going to review this is the person committing it, going to RTBC it. :)

shawn dearmond

Status: Reviewed & tested by the community » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.