feat(my-account): add pending email change state #3763
Conversation
chickenn00dle
added
the
[Status] Needs Review
| @@ -65,7 +67,8 @@ class="woocommerce-Input woocommerce-Input--text input-text" | |||
| <p class="woocommerce-form-row woocommerce-form-row--wide form-row form-row-wide mt0"> | |||
| <label for="account_email_display"><?php \esc_html_e( 'Email address', 'newspack-plugin' ); ?> | |||
| <?php if ( $is_email_change_enabled ) : ?> | |||
| <input type="email" class="woocommerce-Input woocommerce-Input--email input-text" name="account_email" id="account_email" autocomplete="email" value="<?php echo \esc_attr( $user->user_email ); ?>" /> | |||
| <input type="email" class="woocommerce-Input woocommerce-Input--email input-text" name="newspack_account_email" id="newspack_account_email" autocomplete="email" <?php echo \esc_attr( $is_pending_email_change ? 'disabled' : '' ); ?> value="<?php echo \esc_attr( $display_email ); ?>" /> | |||
| <input type="hidden" class="woocommerce-Input woocommerce-Input--email input-text" name="account_email" id="account_email" autocomplete="email" value="<?php echo \esc_attr( $user->user_email ); ?>" /> | |||
There was a problem hiding this comment.
This is an edge case for sure, but if you change the value of this hidden input via dev tools, you can change the email and bypass the entire verification flow.
There was a problem hiding this comment.
This may be true of trunk, too, but now's a good time to secure this better... 😅
There was a problem hiding this comment.
Thanks for the updates, @chickenn00dle! I've confirmed it's no longer possible to update the email address via the hidden field, and that invalid and preexisting email addresses are rejected.
github-actions
bot
added
[Status] Approved
|
Hey @chickenn00dle, good job getting this PR merged! 🎉 Now, the Please check if this PR needs to be included in the "Upcoming Changes" and "Release Notes" doc. If it doesn't, simply remove the label. If it does, please add an entry to our shared document, with screenshots and testing instructions if applicable, then remove the label. Thank you! ❤️ |
# [6.0.0-alpha.2](v6.0.0-alpha.1...v6.0.0-alpha.2) (2025-02-27) ### Bug Fixes * **memberships:** ensure user membership is linked to the correct subscription ([#3768](#3768)) ([a942616](a942616)) * undo forcing WC order attribution to off ([#3771](#3771)) ([c9cb52a](c9cb52a)) * **woo:** page template meta leaking to other types ([#3782](#3782)) ([325a21c](325a21c)) ### Features * add corrections customize settings ([#3751](#3751)) ([11dbc5e](11dbc5e)) * **corrections:** Unit tests for Corrections functionality ([#3776](#3776)) ([ae58933](ae58933)) * **my-account:** add change email template ([#3772](#3772)) ([32bef3c](32bef3c)) * **my-account:** add pending email change state ([#3763](#3763)) ([c9ba046](c9ba046)) * **my-account:** verify email change ([#3764](#3764)) ([b50c980](b50c980))
|
🎉 This PR is included in version 6.0.0-alpha.2 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
All Submissions:
Changes proposed in this Pull Request:
Closes https://app.asana.com/0/1208993180326452/1209215513701713/f
This PR adds a pending change state to email updates in my account:
How to test the changes in this Pull Request:
NEWSPACK_EMAIL_CHANGE_ENABLEDFF is set in wp-configwc_noticeappears asking you to check your new email to verify the changeNEWSPACK_EMAIL_CHANGE_ENABLEDFF in wp-configOther information: