something like this would be better for someone submitted register form with a wrong email address…
my previous user database is not require email verification, many of users input wrong email, now i want to force all of them do verification but give them a chance to edit email before they can login.
Whenever you change the email address in this dialog, another confirmation email will be sent. It looks like a way to do email bomb attack…
Discourse identified a user by email. It’s hard to change email address when you are not a user (when you don’t have an identity). Looks like by design IMO.
However, as an logined user, you may change your email address. Or whatever, sign up again with right email address. Taken username is under control of admins. A registered user may talk to staffs to tweak it.
“email bomb attack” thing could make by normal register too. if there is access rate limit for register, just do same thing for confirmation email resent.
event inactive user has identity. they try login using username or previous email, and a password. they can be used for auth.
my users is imported, which is not require confirmation before, lots of users inputed wrong email address. let every of them contact admin is impossible.
People very rarely make that mistake though, so why add cognitive load to the vast majority of users to cover that edge case? I think it’s better to just let users change their emails afterwards.
I definitely agree with you. One thing we could and should do is detect common email typo errors, like gnail.com or similar. That’d be helpful. Question is, what’s a common typo…
Consider checking out this for email address typos:
they can’t change their emails afterwards… inactive user is now allowed to login in discourse.
and, most of big services give change for correct their email address.
for example, twitter.
I implemented a plugin for my website use.
https://github.com/zh99998/discourse-email-verify
notice:
I didn’t do i18n since all my users are Chinese.
there is a know security problem, this api can be used to change other user’s email.
Yes, you can - you can change your email after a successful signup.
If you entered the wrong email, you can signup with the correct email and ask an admin to delete the other account and change your username.
I do think this is a good idea, we may add it to the 1.6 roadmap.
We don’t get many typoed emails but do get quite a lot of people who try to register with phony email addresses first (for privacy or spam reasons I guess). Then after they realize it doesn’t work, they re-register with a working email. Biggest problem is they then have to come up with another username since their preferred one is now taken so they pick something like username1 or username123. Makes for a lot of ugly usernames. The sign up flow could be a lot better here though.
Maybe the copy could use a “a registration token will be sent to you at this address” type of message in addition to the default
Never shown to the public
?
I really feel that’s so obvious that it doesn’t need to be said.
For example, mailgun does this:
Please activate your account to start sending emails. We sent an activation email to name@example.com. Resend activation. Update email address.
That’s true for you and me, but Normal People might not get it. It seems stupid, but I think lots of people don’t know to make those assumptions.
That’s a great point, given that people who are likely to use Mailgun is a superset those you expect to use Discourse.
OTOH:
