@Findus23 opened this Issue on October 4th 2018 Member

Related to https://github.com/matomo-org/matomo/issues/2932 and https://github.com/matomo-org/matomo/issues/6125 (the latter could maybe also be added in the same change)

At the moment every Matomo user could change their E-Mail address to everything they want without any verification (apart from syntax, see https://github.com/matomo-org/matomo/issues/11796). This allows every Matomo user to send an unlimited amount of (for them) SPAM E-Mails to anyone without them ever opting in to receiving them.

When someone tries to change their email address (after confirming their password; https://github.com/matomo-org/matomo/issues/2932) the change should only be saved if the user was able to confirm an link in a sent mail.
In addition an email should be sent to the old email address informing them that they are loosing access to the account (and to inform an admin if they don't know about the change)

@tsteur commented on October 4th 2018 Member
@Findus23 commented on October 4th 2018 Member

@tsteur The only issue I forgot to cross-link :slightly_smiling_face:

Powered by GitHub Issue Mirror