Problem/Motivation
Currently, when a new user registers for a Drupal account the details are sent to the users supplied email address. This provides a basic mechanism that confirms the user is at that email address. However, once registered, users are permitted to change their email address without further confirming that the user is in fact at that email address.
Possible implications
- A user can change their email address to be that of an unsuspecting third party as no confirmation of change is required. Using a second Drupal account (with it's email address also faked using the same method) the first user is then able to send anonymous malicious messages to the unsuspecting third party
- A slow method for sending spam but exploitable none the less
Proposed resolution
Add a mechanism (similar to reset password) that:
- Sends an E-mail to the new address requiring the verification of the new address (similar to register confirmation).
- Sends a notification E-mail to the old address.
- Allow the site builder to customise both messages at
admin/config/people/accounts - Provides an update path to set the default behaviour and messages content.
- Write tests.
This new mechanism is bypassed if the e-mail address is changed by a user with the "administer users" permission.
Remaining tasks
- #279.1: Fix AccountForm->function flagViolations() to avoid hard-coded reference to 'administer users' permissions using code in #284
- #279.2: Seems to be fixed as well as possible right now given limitations of other issues. Raise a follow-on issue to tidy up once other issues have been fixed.
- #279.6: Add a test - see further explanation in #284
- Fix tests - note the suggestions in #289.
- Release note snippet for IS.
- Security review.
- Usability review.
User interface changes
New UI additions to admin/config/people/accounts:
New confirmation message (warning) when user changes e-mail address:
Default text of the generated e-mail (some elements will vary):
alice,
A request to change your email address has been made at Drupal Usability. You
need to verify the change by clicking on the link below or copying and
pasting it in your browser:http://drupalux.lndo.site/user/mail-change/2/alice%40example.org/1542687...
This is a one-time URL, so it can be used only once. It expires after one
day. If not used, your email address at Drupal Usability will not change.
After using the one-time link, the user is redirected to the site's home page, with the message (info)
Your email address has been changed to alice@example.org.
API changes
New controller used for mail changing: \Drupal\user\Controller\MailChangeController
Data model changes
New schema for configs user.settings and user.mail.
Release notes snippet
@todo