Opened 8 years ago

Closed 4 years ago

#2265 closed enhancement (fixed)

Re-validate Email Address when edited.

Reported by: windhamdavid
Owned by: boonebgorges
Milestone: 2.1
Priority: normal
Severity: normal
Version:
Component: Core
Keywords: has-patch
Cc: raven@…

Description

Require users to revalidate an email address via an activation link when it is edited in the profile ~ requested in this comment

Attachments (3)

revalidation.diff (7.8 KB) - added by j.conti 4 years ago.
patch for revalidation
revalidation-2.diff (7.8 KB) - added by j.conti 4 years ago.
Revalidation with fixed bug
2265.03.patch (6.0 KB) - added by boonebgorges 4 years ago.


Change History (15)

#1 @cnorris23
8 years ago

There's code for WPMU to email super admins on an address change that you might be able to utilize/repurpose.

While I like the idea, it definitely needs to be something that remains optional. Preferably, through BP options in the dashboard, but at the very least through a hook/filter. I run a site now, where I certainly wouldn't want this feature in order to stay as unobtrusive as possible. While it's not ideal, if the user wants to change their email to a non-existent email, then that's their prerogative.

I might look into making this plugin.

@j.conti
4 years ago

patch for revalidation

#2 @j.conti
4 years ago

  • Severity set to normal

Hi,

Here is a patch for this; this is a first patch to be commented on.

At this time, there is no option to activate or deactivate the revalidation; really, I don't know if it is necessary.

The email revalidation text is not the final one; it has to be modified, so it's a temporal text waiting for ideas. It is taken directly from the WordPress Multisite Super Admin email revalidation.

Last edited 4 years ago by j.conti

@j.conti
4 years ago

Revalidation with fixed bug

#3 @j.conti
4 years ago

I'm sorry,

The good one is revalidation-2.diff

revalidation.diff has a bug (it has inherited code from WordPress Multisite):

self_admin_url

#4 @j.conti
4 years ago

  • Keywords has-patch added

#5 @bi0xid
4 years ago

  • Cc raven@… added

#6 @boonebgorges
4 years ago

  • Milestone changed from Future Release to 2.1

Thanks, j.conti. Unlike WPMS, we don't have a GUI for writing a custom email notification, so I don't think we need all the string swapping (###ADMIN_URL### etc). There are also some coding standards issues, but it should be fairly easy to clean this up for 2.1.

#7 @j.conti
4 years ago

Hi boonebgorges, yes, that's the reason that I said that the email text has to be modified, and it's a temporal text :)

Now I've seen that there are some typo errors :S

I'll look at your corrections about coding standards issues; I suppose that I used some WordPress code instead of BuddyPress code.

Thanks a lot

#8 @boonebgorges
4 years ago

> Hi boonebgorges, yes, that's the reason that I said that the email text has to be modified, and it's a temporal text :)

Ah yes, it's just temporary. Got it :)

> I'll look at your corrections about coding standards issues; I suppose that I used some WordPress code instead of BuddyPress code.

Mainly just indentation and whitespace. Also, instead of hooking bp_user_update_email() to 'init', it's better to use 'bp_actions' (so that we know BP is completely loaded).

Thanks again!

#9 @j.conti
4 years ago

Oh, ok.

I hooked to init because wp_redirect breaks the page load, but maybe hooking it to bp_actions fixes the problem. I haven't tested it.

#10 @boonebgorges
4 years ago

2265.03.patch is a refresh with the following changes:

  • The "you have a pending message" notice is moved out of the template (which may be overridden or unavailable in some themes) and into a function hooked to 'bp_before_member_settings_template'
  • Cleaned up some wording
  • Code standards, etc
  • Removed direct calls to $wpdb and cleaned up some logic
  • Use bp_core_add_message() instead of URL params for success/failure messages

I think this is a solid change - it will prevent people from making mistakes, and may prevent certain kinds of account hijackings. Would like to get feedback from the core team on it before proceeding.

#11 @r-a-y
4 years ago

At a glance, looks good.

Two minor things:

1) The hash - Perhaps use wp_hash() instead of md5()?

2) Options vs. user meta. Instead of:

bp_update_option( bp_displayed_user_id() . '_new_email', $new_user_email );

Perhaps record in user meta?
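
The two suggestions in comment 11, sketched in plain PHP as an added example (not code from the ticket's patches or from BuddyPress): the confirmation token is a keyed hash over a random nonce rather than a bare md5(), and the pending address is stored under the user rather than in a site-wide option. SITE_SECRET, $user_meta and both function names are hypothetical stand-ins; hash_hmac() with SHA-256 stands in for wp_hash(), which is an HMAC keyed with the site salt.

```php
<?php
// Added illustration, not BuddyPress code; every name below is hypothetical.
// SITE_SECRET stands in for the site salt, $user_meta for per-user meta storage.
const SITE_SECRET = 'constructed-secret-for-this-example';
$user_meta = [];

function request_email_change(array &$meta, int $user_id, string $new_email): string {
    // A fresh random nonce makes the token unpredictable even to someone who
    // knows the user ID, the new address and the time of the request.
    $nonce = bin2hex(random_bytes(16));
    $token = hash_hmac('sha256', "$user_id|$new_email|$nonce", SITE_SECRET);
    // Kept under the user's own record, not under a site-wide option key.
    $meta[$user_id]['pending_email_change'] = [
        'newemail' => $new_email,
        'hash'     => $token,
        'expires'  => time() + 86400, // assumed 24-hour lifetime
    ];
    return $token; // placed in the link that is mailed to $new_email
}

function confirm_email_change(array &$meta, int $user_id, string $token): ?string {
    $pending = $meta[$user_id]['pending_email_change'] ?? null;
    if ($pending === null || time() > $pending['expires']) {
        return null; // nothing pending for this user, or the link expired
    }
    if (!hash_equals($pending['hash'], $token)) { // constant-time comparison
        return null;
    }
    unset($meta[$user_id]['pending_email_change']); // single use
    return $pending['newemail']; // the caller now updates the account email
}

// Constructed sample run: a guessed unkeyed digest of the address, the real
// token presented for a different user, the real token, then a replay of it.
$token = request_email_change($user_meta, 7, 'new@example.org');
$attempts = [[7, md5('new@example.org')], [8, $token], [7, $token], [7, $token]];
foreach ($attempts as [$uid, $candidate]) {
    var_dump(confirm_email_change($user_meta, $uid, $candidate));
}
```

Only the third attempt returns the new address; the guessed digest, the cross-user attempt and the replay all return null.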

#12 @boonebgorges
4 years ago

  • Owner set to boonebgorges
  • Resolution set to fixed
  • Status changed from new to closed

In 8560:

When a user changes her email address, require email verification of the new address

This feature, built into WordPress MS by default (when updating one's profile
via the Dashboard), ensures that new email addresses are valid and not
mistyped, helping to avoid unintentionally locked-out accounts.

Fixes #2265

Props j.conti for an initial patch
