Description

If someone guesses your password, steals your cookies from an unsecured wireless network, uses a computer you're logged into, or otherwise gains unauthorized access to your account, they can change your password and email address, and you will be unable to regain access to your account. To prevent this, we would like a module that can make it so that email addresses cannot be modified, only added. This way, if your account is hacked, you can still use the "password reset" feature and use the one-time login link to regain control of your account.

To do this, email addresses will need to turn into a multi-value field, with the current email address being the only one typically used, except in the case of password resets. This should be done by a contributed module - please see the module developers guide for details. This module should probably:
a) Add a multi-value text field to users that will hold old email addresses.
b) Make sure in the field validate callback that this can only get new items - old items can never be removed.
c) Add a widget that only displays the emails and does not allow any changes.
d) When the user email is changed, then add the original one to this new field.
e) Amend the user password reset functionality to send emails to the past emails as well. Also, invalidating all sessions on password change looks logical -- just make sure the current session is not dropped.

Deliverable

The deliverable should be a contributed module for Drupal 7 that does what the description above indicates.

Resources

Module developers guide
Please feel free to ask on IRC (#drupal-gci, #drupal-contribute, or #drupal) if you have any questions!

Primary contact

chx, either on drupal.org or on IRC.

Please post all your work to the drupal.org issue, http://drupal.org/node/998440. Thanks!
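
A sketch of steps b), d) and e) as Drupal 7 hooks, added here as an example and not the code of the module posted to this issue. The module name `email_history` and the field name `field_past_emails` are hypothetical, and the append-only rule is enforced in hook_user_presave() rather than in a field validate callback.

```php
<?php
// Hypothetical module "email_history"; the field name is an assumption.
define('EMAIL_HISTORY_FIELD', 'field_past_emails');

// Returns the stored past addresses of an account as a flat array.
function email_history_addresses($account) {
  $items = field_get_items('user', $account, EMAIL_HISTORY_FIELD);
  $out = array();
  foreach ($items ? $items : array() as $item) {
    $out[] = $item['value'];
  }
  return $out;
}

/**
 * Implements hook_user_presave(): steps b) and d).
 *
 * The field is rebuilt from the stored copy, so submitted values can never
 * remove an entry; the address being replaced is then appended.
 */
function email_history_user_presave(&$edit, $account, $category) {
  if (empty($account->uid) || empty($account->original)) {
    return; // New account: no history to protect yet.
  }
  $keep = email_history_addresses($account->original);
  $old = $account->original->mail;
  if (isset($edit['mail']) && $old && strcasecmp($edit['mail'], $old) !== 0) {
    $keep[] = $old;
  }
  $edit[EMAIL_HISTORY_FIELD] = array(LANGUAGE_NONE => array());
  foreach (array_unique($keep) as $mail) {
    $edit[EMAIL_HISTORY_FIELD][LANGUAGE_NONE][] = array('value' => $mail);
  }
}

// Implements hook_form_FORM_ID_alter() for the user_pass form: step e).
function email_history_form_user_pass_alter(&$form, &$form_state) {
  $form['#submit'][] = 'email_history_user_pass_submit';
}

// Extra submit handler: send the one-time login link to past addresses too.
function email_history_user_pass_submit($form, &$form_state) {
  $account = $form_state['values']['account'];
  $lang = user_preferred_language($account);
  foreach (email_history_addresses($account) as $mail) {
    drupal_mail('user', 'password_reset', $mail, $lang, array('account' => $account));
  }
}
```

Every retained address stays a permanent reset channel, so a mailbox the user no longer controls can still receive a working login link. Drupal 7's user_save() already destroys the account's other sessions and regenerates the current one when the password changes, so the sketch adds nothing for that part of step e).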

Comments

dmitrig01’s picture

Assigned: Unassigned » dmitrig01

mstrelan’s picture

Perhaps when the email address is changed it should send an email to the old email address notifying the recipient of the change. This way the owner of the hacked account will know of it instantly and can potentially stop the hacker before they do any damage.

dmitrig01’s picture

Title: Create a module to prevent complete loss of access to a hacked user account » Port to Drupal 7
Project: Google Code-in » Multiple Email Addresses
Version: » 6.x-1.x-dev
Status: Active » Needs review
Attached files (status, size): new, 2.18 KB; new, 45.86 KB

I've completely rewritten the module for the GCI task for the Drupal 7 version, included the port as a patch, as well as a tgz file of the whole module.

chx’s picture

Note that this module is a bit more / different than the original but the original did not do anything with the emails either so the difference is not that big IMO.

dmitrig01’s picture

Attached files (status, size): new, 2.43 KB

with changes

webchick’s picture

Title: Port to Drupal 7 » Port to Multiple Email Addresses to Drupal 7

shawn dearmond’s picture

Status: Needs review » Needs work

Now that I've rolled a full release, the D7 port should be updated to reflect all the changes.

cor3huis’s picture

BUMP, IMHO It would be good to then just release a beta for the Drupal 7 version (release early, release often)

shawn dearmond’s picture

Here's a question: How is the Drupal 7 port of this module different from the Email Field module?

http://drupal.org/project/email

I suppose the Email Field module doesn't do stuff like email confirmation, but do you think this warrants a whole separate module? Maybe the D7 port can just add migration and a few extra functions (like confirmation) to the Email Field module?

What do you think?

cor3huis’s picture

@Shawn DeArmond, I thought of bumping the issue since the D7 patch was already made and the D6 version was already working and, as I understood, it is in use by the main drupal.org site. A D7 release of the module could be made using the patch. Being pragmatic ;) therefore IMHO it would be good to just release the D7 version then as is, regardless of usability already in other D7 modules.

Also, one of the big reasons to have it working is that the Mailalias (http://drupal.org/project/mailalias) module is now deprecated in favor of (http://drupal.org/project/multiple_email); therefore, if there were no D7 version of the multiple_email module, the functionality of Listhandler and other dependent modules would be at risk if there are now all of a sudden no alternatives :( to Mailalias.

If http://drupal.org/project/multiple_email would be deprecated also in favor of http://drupal.org/project/email, that also would be fine by me as long as this module provides the functionality as in either the MailAlias or multiple_email modules. The http://drupal.org/project/email module looks somewhat heavy for the replacement task, however.

Note that from this page http://drupal.org/node/1006924#drupal-7 I understood the Drupal site needs this module to be ported to D7 asap. Therefore my plea to just release a D7 version, regardless of the quality. If the module is not released it is unlikely users will test and improve it.

shawn dearmond’s picture

Status: Needs work » Fixed

Okay, makes sense to me.

I created the 7.x-1.x branch based on #6.

I'm going to mark this issue as "fixed", so new issues can be created and tagged to 7.x.

cor3huis’s picture

@Shawn, thanks man, great!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Yuri’s picture

Status: Closed (fixed) » Active

Can you please publish the 7.x-1.x branch on the project page, otherwise nothing happens..;-)
thanks

mustanggb’s picture

Title: Port to Multiple Email Addresses to Drupal 7 » Port Multiple Email Addresses to Drupal 7

shawn dearmond’s picture

Status: Active » Fixed

Marking as fixed. Please post specific D7 issues in the queue.

Status: Fixed » Closed (fixed)
Issue tags: -gci-hard, -gci-code, -gci-task

Automatically closed -- issue fixed for 2 weeks with no activity.