Changes to user profile should send an email (where applicable)

silverstripe / silverstripe-framework

Silverstripe Framework, the MVC framework that powers Silverstripe CMS

https://www.silverstripe.org

BSD 3-Clause "New" or "Revised" License

722 stars 821 forks source link

Changes to user profile should send an email (where applicable) #8594

Open ScopeyNZ opened 5 years ago

ScopeyNZ commented 5 years ago

Description

It would be good for users to be informed when details about their user record changes. This would be considered a security enhancement as it reduces the discovery time on breaches where a user may have their details changed.

Some particular points of interest:

Password changes
Email change
~MFA added (future scope in another module - this needs some form of API)~ This has been implemented

/cc @clarkepaul

robbieaverill commented 5 years ago

MFA added (future scope in another module - this needs some form of API)

An example of a user defined point where you'd notify of a change - we can do this with an extension point e.g. $this->extend('updateNotifiableChanges', ...) then check an object for changes before notifying

robbieaverill commented 5 years ago

Just noticed that changing your password can already email the user to let them know, just not in dev environments which is why we probably haven't noticed it before. CWP enables this by default though for example:

https://github.com/silverstripe/silverstripe-framework/blob/4.3.0/src/Security/Member.php#L903-L922