Why send activation email on user update? #546
Comments
How do you see the purpose of activation email? Usually it is used to check if given email is functional. Having users with unusable emails can lead to many problems. Following this logic, if user changes their email, you might want to confirm that it is working properly - hence the activation link. Hope that answers your concern. |
Right. That makes sense when the email is changed. But a user may be updated without changing their email. But to accommodate the general case, wouldn't it make sense to send an activation email only if the email field is changed? |
@dekoza the issue raised by @akhayyat did not exist in previous versions of Djoser, but was modified in this commit: The case when a user changes his/her email is addressed in the UserSerializer here: Line 24 in d12091c
I don't really see why we would send a confirmation email after each update, and got this issue flagged after it was reported by some of our users following an update of djoser version. So in any case, it could make sense to use a different setting like "SEND_ACTIVATION_ON_UPDATE" to maintain backward compatibility and only enable this behaviour for those who want it. |
Thanks @akhayyat, thanks @tartieret! I agree in general with your comments. I think we should improve this behaviour. |
Following the commit mentioned above it seems that #430 is related to this issue. |
I would suggest one of two things:
Since I don't think the current behavior is useful to anyone (sending account activation email on updating any user attribute), I'd vote for option 1 until a pull request for option 2 is available. Here is the default activation email for reference:
|
I am facing this issue as well. I am looking at the way allauth does this and it adds the new, updated email as an unverified address on the account until the user clicks on the link in the email they get when they change it. Until that happens, the primary email associated with the account (the original email address) is the one the account uses. Then, when they confirm the new address by clicking on the link in the email they get, the new email is verified and becomes the primary. I think that flow makes the most sense to me. Any other updates to the user's profile don't cause any emails to be sent. There is another use case that I am struggling with in this area though and that is when the user has signed up but not clicked the activation link in the email yet. If they just try and log in, it fails - but not with "inactive_account" as you'd expect - it fails with "invalid_credentials", here:- Line 126 in d12091c
So that's one thing - but I tend to think that really, if they haven't activated their account yet, trying to log in should really cause the activation email to be resent. Again, this is how allauth does it and it does seem to make sense. Otherwise, if the user has lost (or didn't get) their activation email, they're now stuck and can't access their account, no matter what they do. I appreciate that this last thing is a separate issue though, so feel free to ask me to log this as such and we can keep this ticket on track. |
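The email-change flow described in the comment above (the new address is held as unverified until its link is clicked, and other profile updates send no mail), as an added example that is not part of the thread and is neither Djoser nor allauth code. The `Account` class, its fields and the in-memory `outbox` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Account:
    """Framework-free model of the flow (all names here are assumptions)."""

    def __init__(self, email):
        self.primary_email = email   # address the account actually uses
        self.pending_email = None    # new address, not yet verified
        self._token_hash = None      # only a hash of the token is stored
        self.outbox = []             # (recipient, token) pairs standing in for sent mail
        self.profile = {}

    def update(self, **fields):
        """Apply a profile update; mail goes out only when the email really changes."""
        new_email = fields.pop("email", None)
        self.profile.update(fields)
        if new_email is None or new_email == self.primary_email:
            return False             # nothing to verify, nothing sent
        token = secrets.token_urlsafe(32)
        self.pending_email = new_email
        self._token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.outbox.append((new_email, token))  # link goes to the NEW address
        return True

    def confirm(self, token):
        """Promote the pending address to primary if the token matches."""
        if self.pending_email is None:
            return False
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(supplied, self._token_hash):
            return False
        self.primary_email = self.pending_email
        self.pending_email = None
        self._token_hash = None      # token is single use
        return True
```

The account stays active and keeps its original address throughout; only a successful `confirm` swaps the primary email.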
The initially-described behaviour doesn't happen on |
I did overwrite

```python
def send(self, to, *args, **kwargs):
    # Send the activation email only while the account is still inactive
    if not self.context['user'].is_active:
        super().send(to, *args, **kwargs)
```
|
Any plans to release this? |
If sending activation emails is enabled (SEND_ACTIVATION_EMAIL == True), updating a user currently sends an activation email! https://github.com/sunscrapers/djoser/blob/master/djoser/views.py#L148:
What's the purpose of sending an activation email with an activation link in this scenario (updating a user)? The account is already activated, and will remain activated after the update. A confirmation email would be understandable, but an activation email is puzzling.