I successfully installed and tested this module with Drupal 5.1. It seems to work, but perhaps too well.
You can enter in any e-mail address as the "From" address. I don't see why it shouldn't just use the e-mail address of the user who is authenticated, rather than letting them spoof someone else's e-mail so easily. Sure, they're sending your content, but they can also type in any threatening or obscene message, which will come from your site using a forged e-mail address.
I see from the access control that one could also allow anonymous users to send e-mail, and they would of course need to enter a from address. I can't think of a reason why you would want people to anonymously e-mail through your Drupal site, but perhaps there is a valid use.
I would suggest adding a setting to disable entry of the from address, and just display the authenticated user's address in place of the from e-mail input box.
Comments
Comment #1
Allie MickaI'm accepting patches :)
Comment #2
dwwI can't think of a reason why you would want people to anonymously e-mail through your Drupal site, but perhaps there is a valid use.
I'm building a newspaper site where only editors/staff login. Everyone else is anonymous, all the time. But, we want to let people email articles on the site to people they know.
So, sure, you could add such a checkbox, but it should definitely only be a setting, not a permanent change to the module.
That said, it's a valid concern about forged emails and nasty content in the message. So, if we're going to add a checkbox to disable the from address, I'd also like to see a checkbox to disable the custom message field when sending. ;)
Comment #3
DuaelFrThis version of Send is not supported anymore. The issue is closed for this reason.
Please upgrade to a supported version and feel free to reopen the issue on the new version if applicable.
This issue has been automagically closed by a script.