Mail address can be changed without verification

[pwannenmacher]

Bug-Report

Via the profile I can enter any email address. This does not have to be confirmed by mail, but in the createdBy and updatedBy fields we only store mail addresses. So the following attack scenario is possible:

1. Log in as user.
2. Change my mail address to test@test.com
3. Delete/manipulate data
4. Change my mail address back to original mail address

As consequence it is not traceable who changed values since test@test.com is written to createdBy and updatedBy.

Steps to reproduce

see above

Expected behavior

Mail addresses should be verified before they are written to the user profile. Mail verification tokens should be time limited.

Additional information

[pwannenmacher]

• [ ] list of previous addresses
• [ ] verification request when changing own address
• [ ] verified-flag on updating another users address

[JelmenGuhlke]

After several discussions following functionality should be implemented:

• in the course of this ticket only a email validation process will be implemented. That means:
  • updating a users email address is for self updates and admin updates possible
  • if the email differs from the current email of the user, a verification token will be generated and a verification email to the new email address will be send.
  • the new email will not be saved as email of the user until the new one is verified via the token
  • the validation token expires after one month
  • after requesting an email change, a new change can only be triggered after 30 minutes
  • if a users tries too many times (maxFailedLogins from the configuration) to change the email to an already existing one, the login of the user will be blocked and all running sessions will be closed
  • regarding the tracing of data changes: a separate ticket will be opened, since this goes too far away from this ticket