Send informative email for already confirmed users #4228
Merged
Objectives
When a user requests the confirmation email, a message appears indicating that they will receive an email. The same message appears if their account is already confirmed, but CONSUL doesn't send any email.
This PR maintains the behavior of not resending the confirmation instructions email to already confirmed users.
But, we will send an email to the user informing them that their account is now registered.
This way no one can know if someone else's account is confirmed and we don't have to worry about GDPR either.
Notes
One of the problems with adding this text could be that it provides information that the account already exists to a potential "hacker". But the application already gives this information when registering a new user if you enter an existing email ("has already been taken").
Perhaps the more correct text would be:
"If your email address exists in our database and you have not received a confirmation email in the past, you will receive an email with instructions for how to confirm your email address in a few minutes." The problem with this text is that it is too long and not concise for a notification.
Conclusion: between the fact that the information disclosed with the proposed PR message ("You have already confirmed your email account.") is already available from the registration page, and that the more correct text in my opinion is too long and not concise, I think we can include this change.
Edit:
As the two previously proposed solutions had some drawbacks, a new commit has been added which directly sends an email to the user informing him that his account is now validated, with a link to reset his password. This way we avoid a notice that has too much information and is unclear, or a notice that could somehow breach the GDPR.
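
The flow described in the edit above, as an added example that is not part of this PR or of CONSUL's code: the on-page notice is identical for every request, and the account state only selects which email is queued. The class name, template names, notice wording and sample addresses are constructed, and the handling of unknown addresses is an assumption.

```ruby
# Added illustration: an in-memory model of the resend flow, not CONSUL or Devise code.
User = Struct.new(:email, :confirmed)

# Constructed wording; the same string is returned for every request.
NOTICE = "You will receive an email with instructions in a few minutes."

class ConfirmationResender
  attr_reader :outbox

  def initialize(users)
    @users = users.to_h { |u| [u.email.downcase, u] }
    @outbox = [] # stands in for the mail queue
  end

  # The account state decides which email is queued, never what the
  # requester sees on the page.
  def request(email)
    user = @users[email.to_s.strip.downcase]
    if user.nil?
      # Assumption: unknown addresses get no email at all.
    elsif user.confirmed
      # Already confirmed: informative email with a password reset link.
      @outbox << { to: user.email, template: :already_confirmed }
    else
      @outbox << { to: user.email, template: :confirmation_instructions }
    end
    NOTICE
  end
end

# Constructed sample accounts and requests.
def demo
  svc = ConfirmationResender.new([User.new("ana@example.org", true),
                                  User.new("bo@example.org", false)])
  notices = %w[ana@example.org bo@example.org nobody@example.org].map { |e| svc.request(e) }
  { notices: notices.uniq, outbox: svc.outbox }
end

if __FILE__ == $PROGRAM_NAME
  result = demo
  puts "distinct notices shown: #{result[:notices].size}"
  result[:outbox].each { |m| puts "#{m[:to]} <- #{m[:template]}" }
end
```

In a deployed application the mail would be queued for background delivery so that response time does not differ between the branches.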