Steps to reproduce the issue

Contacts -> Single Contact, Mail Options -> "Send Copy to Submitter" set to "Hide", but the checkbox shows anyway, and mail is allowed to be sent anyway

Expected result

• No checkbox should be shown
• if set to "hide", no email should be sent even if the checkbox was shown and used
• if set to "hide", no email should be sent even if malicious actor submitted with the checkbox parameter present

Actual result

Checkbox is shown, email is sent

System information (as much as possible)

Joomla 3.6.3

Additional comments

I notice in components/com_contact/views/contact/tmpl it does:

<?php if ($field->name === 'contact_email_copy' && !$this->params->get('show_email_copy')) : ?>
<?php continue; ?>

...but if I echo $field->name it shows as "jform[contact_email_copy]". Just wanting to make the checkbox go away, I changed this to:

<?php if ($field->name === 'jform[contact_email_copy]') : ?>
<?php continue; ?>

...and that worked. I also commented out the final section in components/com_contact/controllers/contact.php to prevent mailing a message in any circumstances.

Spammers have been using this form as an open relay.