Require email verification when changing email address. #13533
Labels
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
c: Usability
For issues that let users achieve a defined goal more effectively or efficiently.
Milestone
Comments
Findus23
added
c: Security
|
Slightly refs #13321 :) |
|
@tsteur The only issue I forgot to cross-link 🙂 |
This was referenced May 24, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Related to #2932 and #6125 (the latter could maybe also be added in the same change)
At the moment every Matomo user could change their E-Mail address to everything they want without any verification (apart from syntax, see #11796). This allows every Matomo user to send an unlimited amount of (for them) SPAM E-Mails to anyone without them ever opting in to receiving them.
When someone tries to change their email address (after confirming their password; #2932) the change should only be saved if the user was able to confirm an link in a sent mail.
In addition an email should be sent to the old email address informing them that they are loosing access to the account (and to inform an admin if they don't know about the change)
#6125
The text was updated successfully, but these errors were encountered: