Skip to content

Require email verification when changing email address. #13533

New issue
New issue
Open
Open
Require email verification when changing email address.#13533
Labels
c: SecurityFor issues that make Matomo more secure. Please report issues through HackerOne and not in Github.c: UsabilityFor issues that let users achieve a defined goal more effectively or efficiently.
Milestone
For Prioritization
@Findus23

Description

@Findus23
Findus23
opened on Oct 4, 2018

Related to #2932 and #6125 (the latter could maybe also be added in the same change)

At the moment every Matomo user could change their E-Mail address to everything they want without any verification (apart from syntax, see #11796). This allows every Matomo user to send an unlimited amount of (for them) SPAM E-Mails to anyone without them ever opting in to receiving them.

When someone tries to change their email address (after confirming their password; #2932) the change should only be saved if the user was able to confirm an link in a sent mail.
In addition an email should be sent to the old email address informing them that they are loosing access to the account (and to inform an admin if they don't know about the change)
#6125

Metadata

Metadata

Assignees

No one assigned

    Labels

    c: SecurityFor issues that make Matomo more secure. Please report issues through HackerOne and not in Github.c: UsabilityFor issues that let users achieve a defined goal more effectively or efficiently.

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions