Send informative email for already confirmed users #4228
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
javierm
force-pushed
the
already_confirmed_user_emails
branch
from
4d3440e
to
d01b6a3
Compare
|
This one's tricky 🤔, since with these changes anyone could check whether a certain email is confirmed in the application. We need to check whether we're following data protection guidelines here. |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
taitus
force-pushed
the
already_confirmed_user_emails
branch
from
d01b6a3
to
d5eb5f7
Compare
taitus
approved these changes
Mar 29, 2022
taitus
force-pushed
the
already_confirmed_user_emails
branch
from
d5eb5f7
to
44680d0
Compare
taitus
force-pushed
the
already_confirmed_user_emails
branch
from
5e70dca
to
b089a4f
Compare
taitus
force-pushed
the
already_confirmed_user_emails
branch
from
b089a4f
to
17a978e
Compare
taitus
changed the title
taitus
force-pushed
the
already_confirmed_user_emails
branch
from
17a978e
to
be1316f
Compare
Senen
approved these changes
Apr 13, 2022
javierm
reviewed
Apr 18, 2022
taitus
force-pushed
the
already_confirmed_user_emails
branch
from
be1316f
to
f5fb159
Compare
The texts for the confirmation instructions referred to "reset the password". We have updated the texts to refer to confirmation instructions.
Currently the application does not send any email to confirm the account for already confirmed users. But we show a notice message that may look like you will recive one: "If your email address exists in our database, you will receive an email with instructions for how to confirm your email address in a few minutes." In this commit we keep the original message, but send an email to the user informing them that their account is now registered. This way no one can know if someone else's account is confirmed and we don't have to worry about GDPR either. Co-Authored-By: taitus <[email protected]>
taitus
force-pushed
the
already_confirmed_user_emails
branch
from
f5fb159
to
ad018c6
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Objectives
When a user requests the confirmation email, a message appears indicating that they will receive an email. The same message appears if their account is already confirmed, but CONSUL doesn't send any email.
This PR maintains the behavior to don't resend confirmation instructions email for already confirmed users.
But, we will send an email to the user informing them that their account is now registered.
This way no one can know if someone else's account is confirmed and we don't have to worry about GDPR either.
Notes
One of the problems with adding this text could be that it provides information that the account already exists to a potential "hacker". But the application already gives this information when registering a new user if you enter an existing email "has already been taken".
Perhaps the more correct text would be:
"If your email address exists in our database and you have not received a confirmation email in the past, you will receive an email with instructions for how to confirm your email address in a few minutes." The problem with this text is that it is too long and not concise for a notification.
Conclusion: between the fact that the information disclosed with the proposed PR message ("You have already confirmed your email account.") is already available from the registration page, and that the more correct text in my opinion is too long and not concise, I think we can include this change.
Edit:
As the two previously proposed solutions had some drawbacks, a new commit has been added which directly sends an email to the user informing him that his account is now validated and a link to reset his password. This way we avoid a notice with too much information and unclear or a notice that could somehow breach the GDPR.