Problem/Motivation
Currently, when a new user regsiters for a Drupal account the details are sent to the users supplied email address. This provides a basic mechanism that confirms the user is at that email address. However, once registered, users are permitted to change their email address without further confirming that the user is in fact at that email address.
Possible implications
- A user can change their email address to be that of an unsusspecting third party as no confirmation of change is required. Using a second Drupal account (with it's email address also faked using the same method) the first user is then able to send anonymous malicious messages to the unsusspecting third party
- A slow method for sending spam but exploitable none the less
Proposed resolution
Add a mechanism (similar to reset password) that:
- Sends an E-mail to the new address requiring the verification of the new address (similar to register confirmation).
- Sends a notification E-mail to the old address.
- Allow the site builder to customise both messages at
admin/config/people/accounts - Provides an update path to set the default behaviour and messages content.
- Write tests.
Remaining tasks
None.
User interface changes
New UI additions to admin/config/people/accounts:
API changes
New controller used for mail changing: \Drupal\user\Controller\MailChangeController
Data model changes
New schema for configs user.settings and user.mail.