View Issue Details

ID: 0021737
Project: mantisbt
Category: other
View Status: public
Last Update: 2016-10-30 23:22
Reporter: atrol
Assigned To: atrol
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Target Version: 1.3.3
Fixed in Version: 1.3.3
Summary: 0021737: Users can't remove their real name from their account
Description

Real name can't be removed by using the My Account page.

Tags: No tags attached.

Activities

atrol

2016-10-03 12:08

developer   ~0054111

PR https://github.com/mantisbt/mantisbt/pull/911

dregad

2016-10-04 03:35

developer   ~0054120

I didn't look at the PR, but do we really want to allow users to remove their email address? A lot of functionality relies on being able to send emails (e.g. password reset).

atrol

2016-10-04 13:42

developer   ~0054129

do we really want to allow users to remove their email address?

Not completely sure, but is it that bad?

  • changing to a wrong e-mail address (e.g. because of a typo) is even worse as it happens unintentionally
  • removing the e-mail address is an easy way to (temporarily) deactivate all notifications.
  • removing the e-mail address is already possible for admins when using the manage user page.
dregad

2016-10-05 03:13

developer   ~0054131

changing to a wrong e-mail address (e.g. because of a typo) is even worse as it happens unintentionally

That has always bothered me actually. IMO, we should ideally enforce a valid address, by only allowing the change after an activation e-mail has been actioned by the user (similar to new user account validation). But I guess that's outside the scope of this change.

I still feel it's conceptually wrong to set the email to blank (whether it's done by admin or user, makes no difference).

Using that as a trick to deactivate notifications is also wrong. If this is a valid use case, then we should offer a "mute all notifications" option in the user profile, or something similar.

atrol

2016-10-05 05:15

developer   ~0054134

Changed description and updated PR to deal just with real name.

I still feel it's conceptually wrong to set the email to blank (whether it's done by admin or user, makes no difference).

Changing by admin is still possible and not changed in this PR as it's outside the scope of the change.

vboctor

2016-10-07 14:51

manager   ~0054175

I still feel it's conceptually wrong to set the email to blank (whether it's done by admin or user, makes no difference).

There are a couple of reasons where it makes sense for an admin to remove their email address:

  1. The emails are bouncing to such user affecting the reputation of the sending service or causing returned emails.

  2. System accounts that are used to report issues or add notes, but do not need email notifications.

The admin should have the power to do this for whatever reason. At the end of the day, if a user wants to reset their password and their email is blank, they will contact the admin to help them.

do we really want to allow users to remove their email address?

I think that users should be able to change their email address, however, to handle this properly we need to have the concept of email vs. pending_email (or a token for storing pending email). When a user modifies their email address, we have it as pending until the user verifies it, and then it gets set as email.
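
The email vs. pending_email idea from the comment above (and the activation e-mail suggested earlier in the thread), as an added sketch that is not MantisBT code and not part of the original thread. The `Account` class, the `pending_hash` and `pending_expires` fields, the function names and the 24-hour token lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed lifetime of a confirmation link, in seconds


class Account:
    """Constructed stand-in for a user row; not MantisBT's user table."""

    def __init__(self, email):
        self.email = email          # verified address: password resets and notifications go here
        self.pending_email = None   # requested address, not trusted until confirmed
        self.pending_hash = None    # SHA-256 of the confirmation token
        self.pending_expires = 0.0


def request_email_change(account, new_email, now=None):
    """Stage new_email and return the token to mail to that new address."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    account.pending_email = new_email
    # Only the hash is stored, so a leaked database row cannot confirm a change.
    account.pending_hash = hashlib.sha256(token.encode()).hexdigest()
    account.pending_expires = now + TOKEN_TTL
    return token


def confirm_email_change(account, token, now=None):
    """Promote pending_email to email if the token matches and has not expired."""
    now = time.time() if now is None else now
    if account.pending_hash is None or now > account.pending_expires:
        _clear_pending(account)
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, account.pending_hash):
        return False  # wrong token: the verified email stays as it was
    account.email = account.pending_email
    _clear_pending(account)  # single use: replaying the same token now fails
    return True


def _clear_pending(account):
    account.pending_email = None
    account.pending_hash = None
    account.pending_expires = 0.0
```

A mistyped address never receives the token, so the request expires and the verified `email` keeps working for password resets.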

Related Changesets

MantisBT: master-1.3.x 224d0dee

2016-10-03 07:59

atrol


Allow users to remove real name from their account

Fixes 0021737
Affected Issues: 0021737
mod - account_update.php