1

Today I faced the following problem:

  1. I registered a new user on my Joomla 1.6 site
  2. activated the account by link from an activation email
  3. After login as the new user I've changed my email to a made up one ( foo@bar.bar )
  4. Joomla's reaction was: 'ok no problem, e-mail seems to be fine, lets save it then'

The only two things Joomla checked were whether the e-mail was written correctly and whether it was in use by a different user.

Why isn't Joomla sending the same activation e-mail to the new e-mail in order to change it in a user's profile? Is there something I should know?

This looks as if that very important functionality was missing in the profile editing component.

How do I make it work without editing core files?

EDIT: I created a plugin which handles it: http://extensions.joomla.org/extensions/access-a-security/site-security/site-protection/18139

EDIT2:

The plugin is available on GitHub at https://github.com/WooDzu/plg_emailactivation

WooDzu
  • Try overriding the changing email function so that it unconfirms the user, so then the user needs to verify the email. – apscience Jul 14 '11 at 04:32
  • This is a core hack. I'm afraid I can't accept this. Also it needs another new table for activation tokens. – WooDzu Jul 14 '11 at 05:10
  • Thanks a lot @WooDzu for the plugin. It is very helpful. – S R Oct 12 '18 at 12:58

3 Answers

2

Well if you want a way to sort this out then try this:

Write your own authentication plugin that uses the onBeforeStoreUser event. Here you check the user email validates correctly whenever they change their email address.

Should you want to, you can deactivate the user's account, and then send them a new activation email with a link. Have a look at the com_users code to see how the registration is dealt with in terms of new users registering and the sending of the activation email. You can pretty much copy the code from there.

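Example code for your plugin:

function onBeforeStoreUser($user, $isnew) {
  // $user is passed as an array of the stored user's properties
  if (!$isnew) {
    // grab code from com_users to generate activation email
    // part of the code makes an activation sequence
    // (com_users builds it this way at registration)
    $activation_code = JUtility::getHash(JUserHelper::genRandomPassword());
    // sql to inject this seq into the users account
    $db = JFactory::getDBO();
    $db->setQuery(
      'UPDATE #__users'
      . ' SET activation = ' . $db->quote($activation_code)
      . ' WHERE id = ' . (int) $user['id']
    );
    $db->query();
    // send activation email
  }
}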
Martin
  • Thanks Martin, I will try it then. Well, deactivating the user's account doesn't seem to be a good way although it might be one of the plugin's parameters. By the way, if I write the plugin I will publish it on the internet. – WooDzu Jul 14 '11 at 18:20
  • That's true that deactivating users is not good, but what would be an alternative to ensuring users validate their new email addresses? I have seen issues with Joomla not delivering activation emails before, so this is something you might want to look out for. – Martin Jul 15 '11 at 09:20
  • I was thinking about leaving the old e-mail until a user activates his new one. Temporarily, the activation token and new email would both be stored in the jos_users->activation column, as I don't want to create a new table for that. – WooDzu Jul 15 '11 at 12:30
  • Hello again, I've started developing the plugin. The last thing to be done is activating a new email which is already stored in the user's params, and the user gets an activation link. I've faced the problem of how to pass the activation token back to the plugin. – WooDzu Aug 29 '11 at 12:33
  • Can't you just query the database to get the activation token? I would suggest you ask a new question as your comment above is a bit vague. Then post the link of your new question here so people may follow it should they require the same thing. I'll also have a look at answering your question. – Martin Sep 01 '11 at 09:49
  • Thanks for your reply, Martin. I've already started a new question, which is partially solved now. Have a look at http://stackoverflow.com/questions/7236928/joomla-1-5-com-user-and-importing-user-plugins-like-joomla-1-6-and-above. Thanks – WooDzu Sep 01 '11 at 17:01
1

Maybe it would be a good thing to also validate old mail account before caring for the new one.

Explanation:

I get a user and password, I log in, I change the mail from the real owner's to mine, I have stolen the account and now can activate it with my mail.

If we validate both old and new mails, we are assuring the new mail is valid and also that the change was requested by the original owner.

Wailer
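
The design discussed in the comments further up (keep the old address until the new one is activated), combined with the suggestion above to validate the old address as well, can be sketched as follows. This is an added example, not code from the thread or from the plugin; it is plain PHP 7.4+ without Joomla APIs, and the function names, the `pending` field and the 24-hour expiry are assumptions.

```php
<?php
// Added example: plain PHP 7.4+, no Joomla APIs. All names are hypothetical.
const TOKEN_TTL = 86400; // assumed policy: a pending change expires after 24 hours
function requestEmailChange(array &$user, string $newEmail, int $now): array
{
    if (!filter_var($newEmail, FILTER_VALIDATE_EMAIL)) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    // One token per mailbox: "new" proves ownership of the new address,
    // "old" proves the change was requested by the current owner.
    $tokens = ['old' => bin2hex(random_bytes(32)), 'new' => bin2hex(random_bytes(32))];
    $user['pending'] = [
        'email'   => $newEmail,
        'expires' => $now + TOKEN_TTL,
        // Store only hashes so a leaked table does not contain usable links.
        'hash'    => array_map(fn($t) => hash('sha256', $t), $tokens),
        'done'    => ['old' => false, 'new' => false],
    ];
    return $tokens; // mail 'old' to $user['email'] and 'new' to $newEmail
}

function confirmEmailChange(array &$user, string $which, string $token, int $now): bool
{
    $p = $user['pending'] ?? null;
    if ($p === null || !isset($p['hash'][$which])) {
        return false;
    }
    if ($now > $p['expires']) {
        unset($user['pending']); // expired: drop the request, the old e-mail stays
        return false;
    }
    if (!hash_equals($p['hash'][$which], hash('sha256', $token))) {
        return false; // constant-time comparison of the token hashes
    }
    $user['pending']['done'][$which] = true;
    if (!in_array(false, $user['pending']['done'], true)) {
        $user['email'] = $p['email']; // both mailboxes confirmed: switch now
        unset($user['pending']);
    }
    return true;
}

// Constructed sample run.
$user = ['id' => 42, 'email' => 'owner@example.org'];
$t = requestEmailChange($user, 'new@example.net', 1000);
confirmEmailChange($user, 'new', $t['new'], 1100);
echo $user['email'], PHP_EOL;  // only the new mailbox has confirmed so far
confirmEmailChange($user, 'old', $t['old'], 1200);
echo $user['email'], PHP_EOL;  // both confirmations are in
```

The stored e-mail changes only after the second confirmation, so an attacker who holds just the password cannot move the account to a new mailbox.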
-1

The activation email is just that - an activation method. This is intended to satisfy user information collection laws for countries like the States, where it is necessary to have users confirm they own "this" email address when they sign up. This ensures they themselves are the ones signing them up. This is the purpose of the activation emails.

Martin
  • 1
    I disagree. It's pretty important to ensure the email someone enters is actually a valid email that the person owns. Without sending an email to check when you change the email in the profile, you can pretend to be someone else. – apscience Jul 14 '11 at 04:25
  • Any of this applies to the context of users on your site. If for example it was in the user's best interest to ensure their email was correct, e.g. they posted something on gumtree then leave the "stupids" to put in the wrong address. On the other hand if you are PayPal for example then for security measures you would want email validation to this extent. My answer above applies to Joomla who give admins the ability to comply with law regarding email activation. In any case see my other answer :) – Martin Jul 14 '11 at 16:40