@sanek4life How could the initial user registration be performed when Joomla sent the activation link to the wrong mail address? The user could have been able to perform a new registration with the correct mail address.

BTW, some users do copy/paste (with the wrong address), how would you handle this?

@sanek4life How could the initial user registration be performed when Joomla sent the activation link to the wrong mail address? The user could have been able to perform a new registration with the correct mail address.

BTW, some users do copy/paste (with the wrong address), how would you handle this?

The situation is a little different.

The user registered for a valid e-mail many years ago. Recently, he change the e-mail address in his account.

He changed the old e-mail address to a new one in his account. But he was mistaken with one character, and so when he wanted to recover the password, he did not receive a letter.

To prevent this, I suggest adding an option (in the settings) so that to change the e-mail address, the user will again be sent a confirmation link so that he can change the previously set e-mail in his account.

A link confirming the new e-mail address should be sent to the new e-mail address, and only after the user clicks the link, the old e-mail address will be replaced in his account with a new one.

I saw a similar scenario of changing the e-mail address on many forums and social networks. I suggest doing it in Joomla.

@sanek4life OK, so the situation was as follows:

• Registrated user changed own mail address and mistyped the new one.
• After a while, this user forgot the password and applied to set a new one. This kicked off a confirmation link which was sent to the wrong mail address, so it has never been received.

You think that a typo can be avoided by having a second field for confirmation? While this is true for a password field, some users do not even know how to type their address correctly. How often would this happen? Personally, I do not think that a second entry field for a mail address is worth the effort. Any user affected by such an issue could contact the administrator directly.

@gerryfrancis Another option would be to change the user's email address.

For example: Leave one field for the e-mail address (so that the user does not need to re-enter a new e-mail address) and to confirm, use sending a letter to the new e-mail address, so that the user goes into the letter and clicks the link to confirm the new Email address.

I have seen this on so many sites, I think it would be very convenient. And so we can be 100% sure that the user has changed the e-mail address to another valid e-mail address, because the user can write a non-existent e-mail address there 2 times and the CMS will not be able to verify this.

Accordingly, if the user entered a non-existent e-mail address, then the error will be written "we could not send a message to your new e-mail address. Please check the spelling of the e-mail address." So we can prevent an error when the user indicates 2 times a nonexistent e-mail address.

When registering (if specified in the site settings), the user receives a letter with a link to confirm by e-mail address. But the CMS does not provide for verification in case the user wants to change his e-mail address. The user may intentionally indicate a non-existent e-mail address there in order not to receive letters from the site. The CMS cannot verify that there is really a new e-mail address that the user entered 2 times. But what if he enters an e-mail address that doesn’t belong to him? But what if he wants to steal a user account (if the site is an online store)? We must prevent this from happening. Therefore, I suggest adding such an option to the CMS settings.

But what if he enters an e-mail address that doesn’t belong to him? But what if he wants to steal a user account (if the site is an online store)? We must prevent this from happening.

As they already have the users username and password the email address is the least of their problems

But what if he enters an e-mail address that doesn’t belong to him? But what if he wants to steal a user account (if the site is an online store)? We must prevent this from happening.

As they already have the users username and password the email address is the least of their problems

In any case, any change of the e-mail address should be in the logs (I do not know if it is now, have not yet checked the new settings on the site) so that you can see what the user originally had the e-mail and what it was changed it.

But anyway, now there is a very big problem - the lack of checking whether there is an e-mail address that the user decided to change or not.

We have an initial check when registering a user, but we do not have a check in case the user wants to change his e-mail address later. He can write any e-mail address, even which does not belong to him. Thus, we can violate the laws of any country if letters from the site come to an e-mail address that does not belong to the user.

I believe that this is a serious problem at the moment and with the applicable laws on personal data in different countries. We must prevent such a moment when the user can trick the owners of the site by indicating in this field an e-mail address that does not belong to him, and thus the site will send messages to someone else's e-mail address.

As they already have the users username and password the email address is the least of their problems

@brianteeman Main issue here if account has been stolen, then an username and password will not help.

As they already have the users username and password the email address is the least of their problems

If our site is an online store, then we can send a letter not only to the new e-mail address, but also to the old e-mail address. Or select the option in the settings - to which e-mail address a confirmation letter will be sent to change the e-mail address. This will further protect users and the site owner.

There are 2 options for setting options for changing the e-mail address:

1. If the attacker intercepted the login and password from the site, this does not mean that the attacker has access to the user's e-mail address, so the user will be able to regain access to his account on the site after hacking (if there is a letter to confirm the change of the e-mail address sent to the old e-mail address).
2. If this is not an online store, but a regular blog, then we have another danger when a user can deceive the site owners and indicate an e-mail address that does not belong to him and letters from the site will be sent to a new e-mail address, but this may violate the law and personal data in different countries. Therefore, we need an option when the user must prove that the new e-mail belongs to him.

Thus, 2 options can be made:

1. Sending a letter to the old e-mail address, for confirmation (this will be good for online stores)
2. Sending a letter to a new e-mail address for confirmation (this will be useful for news blogs)

Sorry I just dont see the problem

Sorry I just dont see the problem

But at least we should at least do some verification. For example, the user must re-enter his password so that he can change the e-mail address.

This can protect you if the session was intercepted by an attacker, but the attacker does not know the password and thus cannot change the user's e-mail.

Sorry I just dont see the problem

For example, on @facebook, in order to change some critical data in your account, you must re-enter the password for your account. You can’t just change the e-mail address there, there is a check. This is a very good solution to protect the user and site owner.

Sorry I just dont see the problem

@brianteeman Imagine next:

You are regular user (not super user) that registered on some "blabla news site"
I get your username and brutforce your PW,
I login to your account, change an email, and start use your account.
At this point you as regular user do not have a possibility to recover your account.

You do not have a way to confirm your owning rights on the lost account, to Super user, easily.

I offer 3 solutions to this problem:

1. Sending a confirmation letter to a new e-mail address (protect the site owner so that there are no problems with the law on personal data)
2. Sending a confirmation letter to the old e-mail address (will protect the user who wants to restore access to the site)
3. Re-entering the user password (protection works if the session is intercepted)

We now live in a world where you can’t just change your e-mail address without verification. Different countries have different personal data laws. Site owners can be fined if letters are sent from their site to an email that did not give consent.

I offer 3 solutions to this problem

Best offer is a pull request ?

@brianteeman I will describe another possible scenario:

Someone was able to access the user's computer (smartphone) at work (in college / school / home). You logged in to the site, but left the computer. Your colleague (brother / sister / wife / husband) decided to do something bad (or make fun of you) and went into your account settings on the site and wanted to change the e-mail. To change the e-mail, he must enter a new one and click the save button (there is no verification now). Then he presses the logout button on the site. And after 10 minutes (after an hour) when you return to your computer, someone has taken possession of your account (and if there are no surveillance cameras in the room), then you won’t be able to find out who did it.

My decision is to protect site users from such actions.

p.s. I remember how a few years ago it was on my site. a brother from one user of the site decided to make a joke about him and change his account details and then he had to write to me by e-mail in order to regain access to his account.

but what if this happens not on a regular blog, but on an online store. and the user works for example in coworking, where there are a lot of people next to you who are not even employees of the same company? it is a matter of security.

Someone was able to access the user's computer (smartphone) at work (in college / school / home). You logged in to the site, but left the computer.

Changing the email address would be the least of your problems in that case. They can change the password as well.

Changing the email address would be the least of your problems in that case. They can change the password as well.

On the contrary. They will not be able to change the e-mail and the user will be able to recover the password when he returns to his computer.

A person can be authorized on the site from his computer, but this does not mean that he is also authenticated in the e-mail and on other sites (and if from the phone, he could set up fingerprint protection for reading email)

@sanek4life I would like to point out that you have changed your argumentation from a "mistyped mail address entry" to a "potential security flaw that must be eliminated". (At least, that is what I have taken from this discussion.)

Sending a confirmation letter to a new e-mail address (protect the site owner so that there are no problems with the law on personal data)

This confirmation letter cannot be received if the mail address has been changed to an invalid one.

Sending a confirmation letter to the old e-mail address (will protect the user who wants to restore access to the site)

This confirmation letter cannot be received if the old mail address no longer exists.

Re-entering the user password (protection works if the session is intercepted)

Protection works, too, if the user would take care to regularly close/terminate the session by logging out.

a brother from one user of the site decided to make a joke about him and change his account details and then he had to write to me by e-mail in order to regain access to his account.

Sorry, but anyone who owns a user account in the Web should be aware of logging out, terminating any active session before leaving the computer. Not doing so can be compared to leaving doors and/or windows wide open at night while being asleep. Again, how often do "bad" brothers change foreign user accounts while still logged in? Oh, maybe Joomla! should make pictures of the person sitting behind the computer by using the webcam, and lock the session as soon as it finds out that it is not the same person? This is ridiculous, it seems that some people must be instructed to make use of their brain again. Carmaker Tesla reminds drivers of being responsible for any accident happening with Autopilot mode on, and guess what: Some of them move along the highway with ~80 mph using Autopilot, their eyes focused on the newspaper laid across the steering wheel! (In God we trust...)

@Quy Thanks for assigning the "New Feature" tag to this, because I do not see the problem either.