Don't allow users to enter a from e-mail address
| Project: | Send |
| Version: | 5.x-1.x-dev |
| Component: | Miscellaneous |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
I successfully installed and tested this module with Drupal 5.1. It seems to work, but perhaps too well.
You can enter in any e-mail address as the "From" address. I don't see why it shouldn't just use the e-mail address of the user who is authenticated, rather than letting them spoof someone else's e-mail so easily. Sure, they're sending your content, but they can also type in any threatening or obscene message, which will come from your site using a forged e-mail address.
I see from the access control that one could also allow anonymous users to send e-mail, and they would of course need to enter a from address. I can't think of a reason why you would want people to anonymously e-mail through your Drupal site, but perhaps there is a valid use.
I would suggest adding a setting to disable entry of the from address, and just display the authenticated user's address in place of the from e-mail input box.

#1
I'm accepting patches :)
#2
"I can't think of a reason why you would want people to anonymously e-mail through your Drupal site, but perhaps there is a valid use."
I'm building a newspaper site where only editors/staff login. Everyone else is anonymous, all the time. But, we want to let people email articles on the site to people they know.
So, sure, you could add such a checkbox, but it should definitely only be a setting, not a permanent change to the module.
That said, it's a valid concern about forged emails and nasty content in the message. So, if we're going to add a checkbox to disable the from address, I'd also like to see a checkbox to disable the custom message field when sending. ;)