Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-9488

u_chgemail not properly checked - Activation email sent even when change email disabled

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Resolution: Fixed
    • Affects Version/s: 3.0.x
    • Fix Version/s: 3.0.7
    • Component/s: Other
    • Labels:
      None
    • Environment:
      PHP Environment:
      Database:

      Description

      When self-activation or admin-activation of user accounts is required, but email-changing is disabled: The email field does not appear on the UCP -> Profile -> Edit Account Settings. Suppose the user manually adds an 'email' field to the form (e.g. via Firebug) then submits it. While the email address does not get updated, an activation email is sent to the new address (if user-activation is enabled), or to admin email addresses (if admin-activation is enabled).

      The bug is in includes/ucp/ucp_profile.php on line 136. It currently reads:

      if ($config['email_enable'] && $data['email'] != $user->data['user_email'] && $user->data['user_type'] != USER_FOUNDER && ($config['require_activation'] == USER_ACTIVATION_SELF || $config['require_activation'] == USER_ACTIVATION_ADMIN))

      It should be (add *$auth->acl_get('u_chgemail') && * ):

      if ($auth->acl_get('u_chgemail') && $config['email_enable'] && $data['email'] != $user->data['user_email'] && $user->data['user_type'] != USER_FOUNDER && ($config['require_activation'] == USER_ACTIVATION_SELF || $config['require_activation'] == USER_ACTIVATION_ADMIN))

        Attachments

          Activity

            People

            • Assignee:
              ckwalsh Cullen Walsh [X] (Inactive)
              Reporter:
              nrohler nrohler
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: