I think a problem exists with only two options for handling email address changes: Allow or Disallow. In today's Internet world, email addresses will change, therefore users *need* the ability to change their email address, however, on large sites this seems to be too much of a risk to just allow a user to change their email address. Now you have a basic Anonymous user who you can't contact, with a name and rights to do things on your website.

In coding an app for work I allowed clients to create accounts, validate their account (via email) and change their email address. The catch was, when they change their email address they are warned that it will cause their account to go into a suspended status. The system would place them into a suspended status and send a validation email to their new email address. Until that was confirmed (by a unique code sent to them), they could not access the site. Once confirmed, all was good. If it was not confirmed and they tried to login, they recieved a message stating their account was suspended due to an email change and they recieved an input box with the email address they entered and a "resend" validation message button. Therefore, if they thought they were going to become anonymous by chaning their email address, they now have the option of setting it to something real.

I know this does not solve all the problems (people can create an account, sign up, remove their email account) but it does thwart quite a bit and seems to make more sense than just Allow or Disallow email address changes.

I was curious if there would be intrest in this type of functionality? I would be willing to make the coding changes (no database changes would be neccessary) *if* I knew that it would make it's way back into the core.

Anyway, I also wanted to bring up the suggestion to see what people thought, maybe it would be better coded internally, but I did want to 1. Make the problem known, 2. Make a suggestion as to it's solution, 3. Be willing to make the coding changes.

Thanks!

CoolPops

I like the idea and your method of revalidation. Most users use simply their ISP email address. If the change ISP or the ISP gets bought the email address changes.

The user should have a way of changing the email without full re-registration. But as you said this should be with restrictions, suspended account until verified sounds pretty standard to me, and I am sure most users would understand that as long as the validation took place immediately.

Great suggestion.

Only 1 comment and/or intrest on such an email change addition?

I think its a good idea.

I too would agree on a secure method of user changed email. I think that admin notification should be an option too.

While we're at it, a method of scheduled email verification and reporting would be nice too. Say perhaps once per year an email goes out stating that a test is being done (but please, not an Merry Chrstmas message that might go wonky. ). I know that I'm still nervous about system email so it might be time to explore that part of the core again.