jeremyevans / rodauth

Ruby's Most Advanced Authentication Framework
http://rodauth.jeremyevans.net
MIT License

User can lock self out via `verify_change_login` feature #31

Closed 1gor closed 7 years ago

1gor commented 7 years ago

Problem

When the user changes the email, the verify_change_login feature sets his account status to unverified. From then on the user needs access to the email message with the link to continue operating his account.

The problem is, the user may have entered the wrong email by accident when changing the login (possible when require_login_confirmation? is set to false), or his new email address turns out not to be accessible (blocked by spam filters, etc.).

Without access to the email message the user becomes effectively locked out of the account without any way to undo the changes.

Possible fix

The pattern I see implemented elsewhere for changing account primary emails (logins) is:

With this implementation the actions 'resend login change email' or 'cancel pending login change' are not really necessary since nothing happens to the account until someone clicks the email message link.
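The flow the comment above describes, written out as an added illustration that is not part of the issue and not Rodauth's own code: the requested login is stored in a separate pending-change record (the "new database table" discussed below), the account row is left untouched until the emailed key is presented, and the user can keep logging in with the old login, re-request, or cancel in the meantime. The class and method names are hypothetical, the two in-memory hashes stand in for the accounts and pending-change tables, and the sample account and logins are constructed for the example.

```ruby
require 'securerandom'
require 'digest'

# Added illustration of the "pending login change" pattern described above.
# Not Rodauth's code: class and method names are hypothetical, and the two
# hashes stand in for the accounts table and the extra pending-change table.
class PendingLoginChange
  Pending = Struct.new(:new_login, :key_digest, :expires_at)

  # ttl: how long an emailed key stays valid; clock: injectable for tests.
  def initialize(ttl: 24 * 60 * 60, clock: -> { Time.now })
    @accounts = {}  # account_id => current login
    @pending  = {}  # account_id => Pending (one outstanding change per account)
    @ttl = ttl
    @clock = clock
  end

  def add_account(id, login)
    raise ArgumentError, "login already in use" if @accounts.value?(login)
    @accounts[id] = login
  end

  def login_for(id)
    @accounts[id]
  end

  def pending?(id)
    @pending.key?(id)
  end

  # Step 1: record the requested login, leaving the account itself untouched.
  # The user keeps logging in with the old login meanwhile. Returns the raw key
  # that would be mailed to the *new* address; only its digest is stored, so a
  # leaked table does not hand out usable links.
  def request_change(id, new_login)
    raise ArgumentError, "unknown account" unless @accounts.key?(id)
    raise ArgumentError, "login already in use" if @accounts.value?(new_login)
    key = SecureRandom.urlsafe_base64(32)
    @pending[id] = Pending.new(new_login, digest(key), @clock.call + @ttl)
    key
  end

  # Step 2: apply the change only when the key from the email matches and has
  # not expired. A mistyped or unreachable address simply never produces a
  # valid key, so the account is never left in an unverified state.
  def verify_change(id, key)
    pending = @pending[id]
    return :no_pending_change unless pending
    if @clock.call > pending.expires_at
      @pending.delete(id)
      return :expired
    end
    return :invalid_key unless secure_compare(pending.key_digest, digest(key))
    # Re-check at apply time: another account may have taken the login since.
    return :login_taken if @accounts.value?(pending.new_login)
    @accounts[id] = pending.new_login
    @pending.delete(id)
    :changed
  end

  # Optional "cancel pending login change" action: cheap to offer because the
  # pending record is separate from the account row.
  def cancel_change(id)
    @pending.delete(id) ? :cancelled : :no_pending_change
  end

  private

  def digest(key)
    Digest::SHA256.hexdigest(key)
  end

  # Constant-time comparison so key guessing cannot be timed.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  svc = PendingLoginChange.new
  svc.add_account(1, "alice@example.com")        # constructed sample account
  key = svc.request_change(1, "alice@typo.example")
  puts "still logs in as: #{svc.login_for(1)}"   # old login keeps working
  puts svc.cancel_change(1)                       # user noticed the typo
  key = svc.request_change(1, "alice@new.example")
  puts svc.verify_change(1, key)                  # :changed
  puts "now logs in as: #{svc.login_for(1)}"
end
```

Because the pending record lives beside the account rather than in it, a wrong key, an expired key or a cancelled request leaves the account exactly as it was, which is the property the reporter is after.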

jeremyevans commented 7 years ago

What you propose would work better, but it is not backwards compatible as it would require a new database table. For that reason, it would have to be implemented as an option off by default or separate feature, at least until Rodauth 2.

This would also require a lot of new code, instead of just piggybacking off the verify_account feature (verify_change_login is currently about 10 lines).

I do think this is a good idea and should be added, so I will work on it next week.