It seems to take any other information, but while editing my profile to add an email address as a non-administrator user, the email address did not persist even though the message said it's updated. For a user in admin group, it works. I don't see any permission settings for editing 'my profile'. Did I miss something during setup? Thanks!
It seems that it is an intentional behavior and can be duplicated here, and we found the code that screens out the change. So, once a user registers, he can't change the email address? Since I don't see any way that an administrator can maintain others' profiles through the console, that means recreating a new account in the case of email address changes? What is the reason behind this design? Thanks! [originally posted on jforum.net by jshiau]
It will only update the email address if the password information is provided correctly. So you have to write down the current password in the user profile fields again. Otherwise the change to the email address will be ignored.
So all you need to do is provide the pwd and it will make the change correctly ^^
Note: this may be troublesome in the case of an SSO implementation, when users do not know the forum-specific SSO password [originally posted on jforum.net by Sid]
Yes, it did update here. RTFM! I didn't know we need to provide the password when changing the email address. Re-prompting for the password even when already logged in does provide better security. However, I thought I saw some code where it won't even look at the email field if the user is not in the admin group.
And Sid was right about SSO though, we do implement that and hide the password fields. But at least I am clear on the issue. Thank you very much, guys! [originally posted on jforum.net by jshiau]
Check out the UserDAO, I think. That does the update command to the user. You can simply rewrite the code there.
I modified the code myself so that email updates can be written. I guess I linked this to the SSO setting - so that when SSO is on I refuse to read the pwd info...
Fairly simple to make the change.
And yes, you are right that it would not check for the password info when being admin. The reason is fairly simple: Admins may change ALL email addresses and ALL passwords. So it's useless to compare to the user-specific password as the admin may not know the old one ;)
But that's still in the template. You have to look in the Java file to make the magic happen.
Maybe Rafael can add some config parameter where you can define whether or not the password should be necessary for updating the email field. [originally posted on jforum.net by Sid]
Yes, it is in UserDAO, which checks whether it's admin or whether the password is provided. We are making the change right now. Our first choice is still to get to corporate AD and automatically update the email, as long as we take care of the corporate policy hurdle.
Thanks again! [originally posted on jforum.net by jshiau]
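
The rule discussed in this thread, written out as an added sketch (it is not JForum's code and not from any poster): an email change needs the current password unless the actor is an admin or the forum runs behind SSO, and the caller gets an explicit outcome instead of a silent ignore. The class name, the `Outcome` values, and the `ssoEnabled` and `requirePassword` settings are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical sketch of the rule discussed in the thread; not JForum's UserDAO.
public class EmailChangePolicy {
    public enum Outcome { UPDATED, UNCHANGED, PASSWORD_REQUIRED, WRONG_PASSWORD }

    private final boolean ssoEnabled;       // assumed setting: logins handled by SSO
    private final boolean requirePassword;  // assumed switch, like the one proposed above

    public EmailChangePolicy(boolean ssoEnabled, boolean requirePassword) {
        this.ssoEnabled = ssoEnabled;
        this.requirePassword = requirePassword;
    }

    // Returns an explicit outcome so the caller never reports "updated" for an ignored change.
    public Outcome decide(boolean actorIsAdmin, String currentEmail, String newEmail,
                          String suppliedPassword, byte[] storedHash) {
        if (newEmail == null || newEmail.equals(currentEmail)) return Outcome.UNCHANGED;
        // Admins cannot know other users' passwords; SSO users have no forum password to type.
        if (actorIsAdmin || ssoEnabled || !requirePassword) return Outcome.UPDATED;
        if (suppliedPassword == null || suppliedPassword.isEmpty()) return Outcome.PASSWORD_REQUIRED;
        // MessageDigest.isEqual compares in constant time.
        return MessageDigest.isEqual(hash(suppliedPassword), storedHash)
                ? Outcome.UPDATED : Outcome.WRONG_PASSWORD;
    }

    // SHA-256 keeps the sketch self-contained; a real store would use a salted, slow hash.
    static byte[] hash(String password) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] stored = hash("constructed-sample-password"); // constructed sample data
        EmailChangePolicy local = new EmailChangePolicy(false, true);
        EmailChangePolicy sso = new EmailChangePolicy(true, true);
        String oldMail = "old@example.test", newMail = "new@example.test";
        System.out.println(local.decide(false, oldMail, newMail, "", stored));
        System.out.println(local.decide(false, oldMail, newMail, "guess", stored));
        System.out.println(local.decide(false, oldMail, newMail, "constructed-sample-password", stored));
        System.out.println(local.decide(true, oldMail, newMail, null, stored));
        System.out.println(sso.decide(false, oldMail, newMail, null, stored));
    }
}
```

With the SSO branch enabled, the SSO session is the only proof of identity behind an email change, so the profile form then depends entirely on session and CSRF protection.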