delight-im/PHP-Auth

User "verified" status does not change

ponasromas opened this issue · 4 comments

After user initialize e-mail change on existing account (part 1, when confirmation link is sent), user status in database "users" is "verified 1".

The flow should be like this:

  1. User initialize email change;
  2. Script marks current user account as "verified 0";
  3. User press confirmation link in email;
  4. Script sets new email and marks account as "verified 1".

Yes, I understand the fact that confirmation link may expire and user will stay unverified. But for that reason there is "resend confirmation".

ocram commented

Thanks!

  1. Script marks current user account as "verified 0";

Why is that?

The old (and thus far, current) email address is still verified. Both before and after the email address change, the user has a verified email address on record.

Just because the user expresses their intent to change their email address doesn’t mean the old address has just become invalid or of unclear ownership, does it?

Good point, but in some cases there should be an option to automatically "unverify" current email address if email change is in progress.

but in some cases there should be an option to automatically "unverify" current email address if email change is in progress.

User have to confirm the new Email on change, otherwise the Email don't change at all. It's almost the same process as registering a new User.

#changing-the-current-users-email-address

ocram commented

Yes, I don’t really see the need, and could only think of this as a feature request right now, which doesn’t seem to be connected to the address change at all, though. So one might have the need to un-verify an email address for whatever reason, but it’s not clear why this should regularly or even always happen on email address change.