Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sending email change request activates user without password #4226

Tam opened this issue May 7, 2019 · 1 comment


None yet
2 participants
Copy link

commented May 7, 2019


If an email is changed on a pending user and the user clicks the confirmation link, their accound is activated without them having set a password.

Idealy the confirmation link would either keep the users status and simply change their email, or act as an activation email and redirect the user to the set password page.

Steps to reproduce

  1. Ensure "Verify email addresses?" is checked in user settings
  2. Create a pending user, don't activate it
  3. Change the users email (as a non-admin user)
  4. Click the confirmation link in the on the new email

Additional info

  • Craft version: Craft Pro 3.1.25
  • PHP version: 7.3.4
  • Database driver & version: PostgreSQL 11.2

This comment has been minimized.

Copy link

commented May 8, 2019

By clicking the link, they have shown that they own the email address, thus their email has been verified. Little awkward because they didn’t have a chance to set a password, but they can always go through the Forgot Password workflow.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.