Let registrating users change email typo's.

Started by Black Tiger, December 17, 2014, 01:06:24 PM

Previous topic - Next topic

Black Tiger

I hope this is a good description for the title.

This is currently not possible and this is what can happen.
1.) A registering user can make a typo when entering the email address (yeah even twice).
2.) A registering user can give in a fake email, sees that he won't get in, regrets it and wants to change it to a valid email address.
3.) A current member can have the need to change his email address, and make a typo when entering it.

Result is that in all 3 cases, the user either has to register a new account or contact the admin (if that is possible) to fix the email address.

It would decrease an admins work, and improve SMF (IMHO) if user could fix such minor issue themselves by giving them the option to change their email address as new user and as existing user re-validating.
Greetings, Black Tiger

Illori

i am pretty sure if email activation is enabled, there is a way for users to change their email address without the admin needing to do it for them.

Black Tiger

According to Arantor and Kindred there isn't.
If there was, it would also be possible to create a mod like this.
So I hope you're right.:)

However, that mod is secondary to my feature request. I think it should be possible to change email address in any case or status (except banned).
Greetings, Black Tiger

Illori

if you can log in you can always change your email address. if you have already activated your account and can not log in then that is a very different issue.

Black Tiger

I know that, but I was talking about cases I mentioned in my feature request, possibility 1, 2 and 3 in which other statusses are used, correct?
Since Arantor says you're locked out and can't change it when having status 0 and 2 (so registering and re-activate email).
Greetings, Black Tiger

Black Tiger

Said otherwise.... if you change your email, make a typo, you cant re-activate so you can't log in to fix it. Maybe that's a better explanation?
Same goes for users who are making new registrations.
Greetings, Black Tiger

Illori

if you allow just anyone to request their email address be changed without really verifying they own the account you are just asking for the account to be hacked.

Kindred

???

What are you talking about Illori?

Black Tiger is correct.

If
a - I register with an invalid email (and activate by email is turned on by the admin)
b- I change my email to an invalid email (and require reactivation on email change is turned on by admin)

then I can not log in again until I have confirmed that email
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Illori

Quote from: Black Tiger on December 17, 2014, 02:08:48 PM
I know that, but I was talking about cases I mentioned in my feature request, possibility 1, 2 and 3 in which other statusses are used, correct?
Since Arantor says you're locked out and can't change it when having status 0 and 2 (so registering and re-activate email).
Quote from: Black Tiger on December 17, 2014, 02:10:28 PM
Said otherwise.... if you change your email, make a typo, you cant re-activate so you can't log in to fix it. Maybe that's a better explanation?
Same goes for users who are making new registrations.

if that applies to a user that changes their email address after their account is activated. then we allow them to change their email address without being logged in, how do we verify that the user owns that email address? you cant send them an email at the invalid address they had before to tell them the email address was changed.

i read it that Black Tiger wants a user to have a self service page to change the email address after an invalid address was typed in by accident.

Black Tiger

That self service package is secondary, so let us leave that out of the feature request.
On vBulletin that was an easy thing by placing users in the "waiting confirmation" usergroup.

Back to the feature request.
Quotehow do we verify that the user owns that email address?
You don't at this moment I gues, I don't know how SMF handles that. Hackers ... well... hackers should have to guess if and which username has this revalidation status.

However I don't know how it's working on SMF. On vb, a user which had not activated (or reactivated for that matter) was able to login, but could only see the forums read-only (if read-only permissions where made for guests) or change their profile (email and password).

It would be a bit more difficult if in SMF people are indeed locked out completely during this (re)activating status. In that case it would be more of a need of a limited login request. Verification would be made by username/password.

Kindred exactly told what I ment.
Greetings, Black Tiger

Black Tiger

This is odd....
It seems what I wanted as feature request, is already present in SMF. Not here on SMF, but I've got it active on my forums the the Pro Red Theme. It can also be found in the Total Blue theme.

Not logged in, this is what I see here:
QuoteLogin with username, password and session length
And on the bigger login page, below the login fields is the "forgot password" option.

On my forums it looks like this:
QuoteWelkom, Gast. Alsjeblieft inloggen of registreren.
Heb je de activerings-mail niet ontvangen?

Translated this says:
QuoteWelcome Guest. Please login or register.
Did you not receive the activation-email?
Now the "login", "register" and "activation-email" are links.

Guess where I get when I click the "activation-email link?;)
http://www.simplemachines.org/community/index.php?action=activate

So the requested option -is- present by default. However I don't see it here on SMF, maybe it has to do with the theme on smf.org hiding it?
Seems you forgot about this function. :D
Greetings, Black Tiger

Arantor

Oh, no, I didn't forget about it, considering that when I advised you on this matter, I was looking at the code for that very function in Register.php.

Burke ♞ Knight

As far as I know, those show on every theme, as the register pages are not in most themes.

Black Tiger

Yes you said there was something in the code which was not properly displayed to the user, that's correct.
However, on some themes it seems it is more or less properly displayed.
So the user is not locked out completely, they can change the email address... so in fact I can revoke the request because it's present by default.

Or change the request to make it visible the same way in default themes?

@Burke: No it's not showing here on simplemachines.org I just checked. Unless a non-default Theme is used here.
Greetings, Black Tiger

Arantor

No, the link is not consistently displayed not is it consistently even available, but you know best about such matters of course.

Hint: it's not theme dependent as to whether it is available or shown and changing it the way you suggest (rather than the way it is implemented) risks making it a vector for attacking accounts.

Black Tiger

Quotechanging it the way you suggest (rather than the way it is implemented)
Ehmz.. I think you misunderstood my feature request. I only requested an option to change the email address for state 0 and 2 users so they could change their email in the 3 cases mentioned.

The way it's implemented is exactly what I asked for. But you and Kindred said in the mod request topic that it was not possible because users would be locked out.
But it is possible by this implemented option. Illori was correct from the beginning, and you were too. It was only not shown everywhere.

I did not suggest to change it as far as I know.
Greetings, Black Tiger

Arantor

You must have misunderstood your question then, because you were asking for the link to be made available all the time. There is a reason it is not. The form you are after is not available all the time either - for precisely the reasons I've been trying to point out.

But you know best. Good luck.

Burke ♞ Knight

Why not just have a contact form, and have them use that to get in touch with you, so you can verify that it is in fact them?
I know that there's some email forms that have it show the IP when the email is sent, so you could match that with the account's IP in the member's list in admin panel.

Black Tiger

@Arantor: I did not misunderstood my own question, this was my question:
Quoteif user could fix such minor issue themselves by giving them the option to change their email address as new user and as existing user re-validating.
Only an option for state 0 and 2 users, I don't ask anywhere for a permanent one. That was your conclusion, nothing I suggested.

I don't know best ofcourse, and you know it.
I just discovered this feature as could be concluded out of my reply with it.

But only now I understand, since you just expleined it, that even then it's not event present to state 0 and 2 users all the time.
That information is completely new to me and was not told me before either. So please don't be irritated about something I could not have known before.
I didn't even knew there was a default option which -was- even displayed, otherwise I would not have made the request.

@Burke: That's not what I want. I only wanted that users who locked themselves out by making a typo, that they could fix the typo in their email address.
Since that option is present by default, my request became obsolete.
I do have a contact form by the way.
Greetings, Black Tiger

Advertisement: