phpBB • Bug tracker - u_chgemail not properly checked - Activation email sent even when change email disabled

Bug tracker

This ticket has been moved to our new tracker. Open Ticket PHPBB3-9488 now.

u_chgemail not properly checked - Activation email sent even when change email disabled (fix completed in vcs)

When self-activation or admin-activation of user accounts is required, but email-changing is disabled: The email field does not appear on the UCP -> Profile -> Edit Account Settings. Suppose the user manually adds an 'email' field to the form (e.g. via Firebug) then submits it. While the email address does not get updated, an activation email is sent to the new address (if user-activation is enabled), or to admin email addresses (if admin-activation is enabled).

The bug is in includes/ucp/ucp_profile.php on line 136. It currently reads:

Code: Select all: if ($config['email_enable'] && $data['email'] != $user->data['user_email'] && $user->data['user_type'] != USER_FOUNDER && ($config['require_activation'] == USER_ACTIVATION_SELF || $config['require_activation'] == USER_ACTIVATION_ADMIN))

It should be (add $auth->acl_get('u_chgemail') && ):

Code: Select all: if ($auth->acl_get('u_chgemail') && $config['email_enable'] && $data['email'] != $user->data['user_email'] && $user->data['user_type'] != USER_FOUNDER && ($config['require_activation'] == USER_ACTIVATION_SELF || $config['require_activation'] == USER_ACTIVATION_ADMIN))