I am a bit confused by the process when an admin changes a user’s email address.
Some things I just don’t understand, and there is one bug (that is why I’m posting this in bug and not in support).
- According to this pull request it should work like this.
When admin changes a user’s email from the preferences page of that user:
- The user will not be sent an email to confirm that their email is changing. They will be sent a reset password email so they can set the password for their account at the new email address.
- The user will still be sent an email to their old email to inform them that it was changed.
#1 I do not understand why a password reset email is being sent (“so they can set the password for their account”). They don’t need to change their password? And the user experience is confusing - the user does not expect a password reset email, and there is no accompanying text, it just says “Somebody asked to reset your password on [name of forum]”.
#2 That password reset email is sent to the old address instead of the new email address.
Even though the user email is updated in update_user_email on line 46, the @user object is not reloaded and still contains the old email address.
#3 If the admin is the acting user, and the user that is acted upon is not staff, there is no confirmation email sent per the above specification. Nevertheless, after changing the email address, the admin gets the following success message: “We’ve sent an email to that address. Please follow the confirmation instructions”
#4 Why does the user not need to confirm their new email address? The pull request refers to this topic but it seems like there are many posts missing from it. But the topic does still mention "For a normal user, the only email address that has to be verified is the NEW email address". EDIT: oh wait, see #6 / #7.
#5 This process where an admin changes the user’s email is typically used when the old email address is not accessible any more (I assume?). Why is there still a notification being sent to the old address?
#6 When this user tries to log in they get a popup
You can’t log in yet. We previously sent an activation email to you at old email address. Please follow the instructions in that email to activate your account.
- there has not been such an email
- the old email address is mentioned
Pressing the Resend button says
We sent another activation email to you at new email address. It might take a few minutes for it to arrive; be sure to check your spam folder.
#7 That activation email indeed arrives at the new email address and is titled “confirm your new account” (and not “confirm your new email address”)
Shouldn’t this just be:
One email is sent to the new email address, stating "your email address has been changed by [admin name]. Please click the following link to confirm [link]."
Edit: #8 the email address can be changed by an admin from the user’s public profile (/u/username) but not from the admin page for that user (/admin/users/id/username). This is counterintuitive.