Comments

gengel’s picture

The case described here:

http://drupal.org/node/536272#comment-1917084

Depends on (1) a user changing their e-mail address to an e-mail address which she/he does not own and (2) Salsa Supporters being subsequently installed on the site.

There are a few solutions:

  • require that e-mail address changes get re-verified through the sign-up process
  • don't install Salsa Supporters on a site that is already live
  • prevent Salsa Supporters from syncing users that existed before it was installed
  • sync users that exist prior to install only by creating a new Salsa account (and possibly delete old Salsa accounts with the same e-mail address)

codewatson’s picture

Just a quick note, this is not just an existing site/Drupal user issue. Any user, whether created before or after the module is installed, can change their email address with the possibility of it switching their account to one that doesn't belong to them!

EDIT:
After reading the other thread, perhaps the best thing to do is a verification email of some sort. Would probably also need some sort of administrator manual verification.

Another option would be to have them use Salsa's password set feature, then have them enter the password that gets sent to them into a Drupal field, or as their Drupal password before their account is accessible? We could keep their passwords synced as well that way, so if they change their Drupal password it changes the one stored in Salsa, to avoid confusion?

gengel’s picture

The work-around I've settled on for now is to check for the presence of the Email Change Confirmation module. If the module is present, it forces an e-mail security check much like the user registration e-mail. Otherwise, it forbids e-mail address changes entirely.

This isn't perfect - it still doesn't force e-mail verification during registration, for example - but as long as the admin knows what they're doing, it should handle most cases.
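
A standalone Python model of the e-mail change confirmation gate discussed in this thread, added here as an example; it is not code from Salsa Supporters, the Email Change Confirmation module or any commenter. The `Accounts` class, `SECRET`, the token format and the one-day lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-site secret, constructed here
TOKEN_TTL = 24 * 3600             # assumption: confirmation link valid for one day


def make_token(uid, new_mail, issued_at):
    """Bind the token to the account, the requested address and the issue time."""
    msg = f"{uid}|{new_mail.lower()}|{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


class Accounts:
    """Hypothetical local user store; only a verified address is ever synced."""

    def __init__(self):
        self.users = {}    # uid -> {"mail": verified address}
        self.pending = {}  # uid -> (requested address, issued_at)

    def add_verified(self, uid, mail):
        self.users[uid] = {"mail": mail.lower()}

    def request_mail_change(self, uid, new_mail, now=None):
        """Record the request; the returned token is e-mailed to new_mail."""
        now = int(time.time()) if now is None else now
        self.pending[uid] = (new_mail.lower(), now)
        return make_token(uid, new_mail, now)

    def confirm_mail_change(self, uid, token, now=None):
        """Apply the change only if the token proves control of the new address."""
        now = int(time.time()) if now is None else now
        if uid not in self.pending:
            return False
        new_mail, issued_at = self.pending[uid]
        expected = make_token(uid, new_mail, issued_at)
        fresh = now - issued_at <= TOKEN_TTL
        if not fresh or not hmac.compare_digest(expected.encode(), token.encode()):
            return False
        self.users[uid]["mail"] = new_mail
        del self.pending[uid]
        return True

    def sync_key(self, uid):
        """Address used to match the external record: always the verified one."""
        return self.users[uid]["mail"]
```

Until `confirm_mail_change` succeeds, `sync_key` keeps returning the old address, so a sync keyed on e-mail cannot attach the account to a record for an address the user has not proven they control.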

gengel’s picture

Status: Active » Closed (fixed)