Verify changed email address - 01/06/2003 9:00 PM
In 6.2, the email address used for registering is verified, if email verification is enabled in the config settings.
The way this works is:
A random string is placed in the user's U_Approved column, and the user is emailed a link containing that string. If he doesn't visit the link within 24 hours, his profile gets deleted. If he visits the link, his U_Approved column gets changed to "yes" or "no", depending on whether admin approval is required for new registrations.
This procedure ensures that the email address provided is valid, that the user can receive email at at that address, and that he was the one who used that email address to register.
But after the user's registration has been verified (and approved, if applicable), there's nothing to stop him from changing his email address to something bogus.
It wouldn't be practical to use exactly the same procedure for verifying changed email addresses, since that could easily result in the accidental deletion of users who been registered for a long time.
But I think that if email verification is enabled, then some kind of verification should be done on a changed email address.
Suggestions?
The way this works is:
A random string is placed in the user's U_Approved column, and the user is emailed a link containing that string. If he doesn't visit the link within 24 hours, his profile gets deleted. If he visits the link, his U_Approved column gets changed to "yes" or "no", depending on whether admin approval is required for new registrations.
This procedure ensures that the email address provided is valid, that the user can receive email at at that address, and that he was the one who used that email address to register.
But after the user's registration has been verified (and approved, if applicable), there's nothing to stop him from changing his email address to something bogus.
It wouldn't be practical to use exactly the same procedure for verifying changed email addresses, since that could easily result in the accidental deletion of users who been registered for a long time.
But I think that if email verification is enabled, then some kind of verification should be done on a changed email address.
Suggestions?