XF 2.3 Password reset required, but email is not valid. How to deal with this?

[Mr Lucky]

If a user whose email has bounced gets a security password reset lock, when they login they get a notice saying A password reset request has been emailed to you

Surely in this case there should be a different notice (different phrase) to tell them to use the contact form because no email would have been received..

Is there a way to do this? (Yes I can do it with a notice that displays to usergroup fitting both those criteria, but it is in addition to the default password reset notice instead of replacing it)

 

[FTL]

Interesting. Since a user needs a valid email address to register on the forum and activate the account, then they must have changed it later and either made a typo, or did it intentionally to prevent all alerts. This is pretty stupid and has now locked them out of their account. Presumably you have no other way of contacting them?

If you can't get a tidy solution to this, then I recommend doing the permission way that you suggested and putting up with the double messages for now, with the second one explaining that it's like this "due to temporary system issues". Depends on how valuable this user is to you if you wanna bother.

Tagging @AndyB in case he has an add-on for this.

 

[Mr Lucky]

or did it intentionally to prevent all alerts. This is pretty stupid

Not necessarily. We have plenty of members who joined years ago, gave up playing and left the forum. At some stage in their subsequent life they changed email address without necessarily updating all their various different account details on every forum they'd been a members of. But then get a renewed interest in the forum topic but forgot they signed up with whatever email 15 years ago.

I call that human behaviour rather than stupid. Yeh maybe some are stupid.

 

[FTL]

Oh yes that can happen and I've done sillies like that too. It's called the human condition. I was giving just one example as I've seen this done on my forum and it wasn't a mistake with less savoury users.

Other than this, would you consider my suggestion?

 

[Mr Lucky]

Other than this, would you consider my suggestion?

Yes I now have the double messages but not ideal.

The other things is, if they contact you saying I need to reset my password and can you please change my email address, how do you know they are not a scammer or account hijacker and they are the actual person who was the original member?

 

[FTL]

Oh, that's a good point. There's no secret embedded in their profile to verify themselves. I guess they've lost the account then. Without fallbacks providing proof of identity like secret words there's no way to know.

In the case of your forum, since it's not a security issue like it would be with a bank or work environment, say, you could take them at their word and fix the account to let them log in and then monitor their behaviour such as posting style, things they talk about etc, you know, things that tend to be particular to them. Grey area that one with the devil being very much in the details so I don't have a single answer for what I'd do in such a situation. Your call.

 

[Mr Lucky]

you could take them at their word and fix the account to let them log in and then monitor their behaviour such as posting style, things they talk about etc, you know, things that tend to be particular to them. Grey area that one with the devil being very much in the details so I don't have a single answer for what I'd do in such a situation. Your call.

I think if they used the contact form and (inc subsequent emailing) and I wasn't sure, then I'd probably recommend they open a new account which I could merge once I'm sure they are legit. An alternative would be to ask for photo ID proof I suppose but I can imagine issues there.

 

[FTL]

The merge option sounds like a good middle ground, yes.

 

[briansol]

happens all the time when people use their ISP email to sign up (eg, comcast.net) and later cancel comcast and switch to frontier. They are active members for 10 years but can't get to comcast.net email any more.

It's a manual effort to change the email on the account.

 

[Kirby]

How do you know they are not a scammer or account hijacker and they are the actual person who was the original member?

You can't. The account is essentially burned and I tell such users that I am sorry but I can't help them unless they are able to proof it's their account.

 

[Fraize_Websleuths]

You can't. The account is essentially burned and I tell such users that I am sorry but I can't help them unless they are able to proof it's their account.

I do this too. In fact, I had a user who lost access to their old email address, their account was locked out because their email bounced, and they were unable to recover it.

I told them that without that old email address to verify against, they literally could be anybody trying to steal a user's identity. All of those posts, and especially their DMs, could be open to somebody social-engineering their way into their account.

Once I framed it that way, they not only understood, but they thanked me for protecting their data. Win-win.

 

[Digital Doctor]

I have a weird one.



I want to update my email address, but I don't have permission.