If you visited a Discourse a long time ago, and no longer control the email address your account was originally created under – how can we get that user back into their account?
I guess there are two options here:
You don’t remember which email it was, and you don’t control that email address any more
You do remember which email it was, and you don’t control that email address any more
So you’d issue a standard forgot password request …
I guess the only option here is to contact staff out-of-band via the /about page email address and ask them to change the email on the account? This is extra tricky if you don’t remember the email address you signed up with – how does this other user prove that they are, in fact, the person who originally controlled the old email account?
I wonder how we can provide information / assistance to the user on these two dialogs to handle this rare, but highly unfortunate, scenario without it being TL;DR for everyone else.
Maybe a small link to the staff page on this dialog makes sense to handle that and other unusual login scenarios where staff intervention is inevitable and required. Or perhaps a “help” button on this dialog, so that way we’re not smacking every workaday “forgot my password again” user with a bunch of extraneous information that is only useful in these rare cases?
Do I understand correctly that if an admin changes a user’s email address, the user will have to confirm that new email address via the new email address but the old email address is not notified about the change?
One way of at least mitigating the impact of someone maliciously taking over another user’s account would be to inform the old email address about the new email address whenever the email change is triggered by staff.
Finally, a quick question: when exactly does the new email address become effective in this case? Is it immediately or after the new email has been confirmed? I assume the latter but want to be sure.
I now noticed that in one of two address changes, a notify_old_email was indeed sent out. I couldn’t find the template corresponding to that mail but I suspect that this mail gets sent out after the fact, i.e. after the new email has been confirmed. Is that correct?
This is only true for staff accounts; due to heightened security, staff users must confirm both old and new email accounts.
(Which will be impossible if they have somehow lost control of the old email account. But since this rule only applies to staff, you’ll hopefully only rarely have to deal with that situation.)