Posted by PN on June 23, 2011 at 11:56pm
| Project: | Email Change Confirmation |
| Version: | 6.x-1.4 |
| Component: | Miscellaneous |
| Category: | support request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Issue Summary
Hello,
I have a question about the functionality of this module. Say for instance a user changes their email address, but makes a typo in doing so. If the typo email address happens to be valid, then the change confirmation email would be sent to someone else. If this person clicks the link in this email they would be sent to the site with a message stating that the email address has been changed to their email address. Since the account is now linked to this person's email address, couldn't they request a new password and gain access to the account? Is there anything this module does to prevent this?
Thank you for your time,
Paul
Comments
#1
Actually you do bring up a valid point. The module was based on a patch to core as discussed in #85494: Verify changing user email addresses and that initial implementation supported a user being able to verify the changed email via the confirmation link in email without being logged in.
I suppose it makes sense to force the user to be logged in before accepting the confirmation link click.
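The check proposed in #1, sketched in plain PHP as an added example (it is not the module's code and not part of either post). The secret, the token layout, the function names and the scenario values are all assumptions made for illustration: a valid confirmation link is accepted only when the browser session already belongs to the account that requested the change.

```php
<?php
// Added illustration; SECRET, TTL, the token layout and all function names
// are assumptions of this example, not the module's API.
const SECRET = 'constructed-demo-key';
const TTL = 86400; // confirmation link lifetime in seconds

// The token binds the account id, the pending address and the issue time.
function make_token(int $uid, string $new_mail, int $issued): string {
    $mac = hash_hmac('sha256', "$uid|$new_mail|$issued", SECRET);
    return "$uid.$issued.$mac";
}

// $pending_mail is the address stored server-side for the account;
// $session_uid is the logged-in user's id, or 0 for an anonymous visitor.
function confirm_change(string $token, string $pending_mail, int $session_uid, int $now): bool {
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return false; // malformed link
    }
    $uid = (int) $parts[0];
    $issued = (int) $parts[1];
    $expected = hash_hmac('sha256', "$uid|$pending_mail|$issued", SECRET);
    if (!hash_equals($expected, $parts[2])) {
        return false; // forged, or issued for a different address
    }
    if ($now - $issued > TTL) {
        return false; // expired
    }
    // Holding the link is not enough: the session must belong to the
    // account that asked for the change.
    return $session_uid !== 0 && $session_uid === $uid;
}

// Constructed scenario: user 42 mistypes the new address, so the link
// lands in a stranger's mailbox.
$now = 1308873360;
$typo = 'pual@example.com';
$token = make_token(42, $typo, $now);
var_dump(confirm_change($token, $typo, 0, $now + 60));          // stranger, not logged in
var_dump(confirm_change($token, $typo, 7, $now + 60));          // logged in as another account
var_dump(confirm_change($token, $typo, 42, $now + 60));         // the account owner's session
var_dump(confirm_change($token, $typo, 42, $now + TTL + 1));    // owner, after the link expired
```

With this check the recipient of the mistyped address can open the link but the change is not applied, so a later password-reset request still goes to the original address.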