I successfully installed and tested this module with Drupal 5.1. It seems to work, but perhaps too well.

You can enter in any e-mail address as the "From" address. I don't see why it shouldn't just use the e-mail address of the user who is authenticated, rather than letting them spoof someone else's e-mail so easily. Sure, they're sending your content, but they can also type in any threatening or obscene message, which will come from your site using a forged e-mail address.

I see from the access control that one could also allow anonymous users to send e-mail, and they would of course need to enter a from address. I can't think of a reason why you would want people to anonymously e-mail through your Drupal site, but perhaps there is a valid use.

I would suggest adding a setting to disable entry of the from address, and just display the authenticated user's address in place of the from e-mail input box.

Comments

Allie Micka’s picture

I'm accepting patches :)

dww’s picture

I can't think of a reason why you would want people to anonymously e-mail through your Drupal site, but perhaps there is a valid use.

I'm building a newspaper site where only editors/staff login. Everyone else is anonymous, all the time. But, we want to let people email articles on the site to people they know.

So, sure, you could add such a checkbox, but it should definitely only be a setting, not a permanent change to the module.

That said, it's a valid concern about forged emails and nasty content in the message. So, if we're going to add a checkbox to disable the from address, I'd also like to see a checkbox to disable the custom message field when sending. ;)

DuaelFr’s picture

Status:Active» Closed (won't fix)

This version of Send is not supported anymore. The issue is closed for this reason.
Please upgrade to a supported version and feel free to reopen the issue on the new version if applicable.

This issue has been automagically closed by a script.